AD Gateway IAM Role Information

Click AD Gateway AWS IAM Role / Policy Requirements

The following information describes the AD Gateway IAM roles and policies that
CLICK uses to connect to an AD Connector and read the list of Users and Groups
(read only) through a Lambda function.

The Lambda execution role starts from the AWS managed policy
arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole

Example execution role ARN:
arn:aws:iam::012345678901:role/ClickADConnector-IamRoleLambdaExecution-xxxxxxxxxxxxxxx

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ssm:GetParametersByPath"
            ],
            "Resource": [
                "arn:aws:ssm:us-east-1:736931573815:parameter/click/*"
            ],
            "Effect": "Allow"
        }
    ]
}

Note: the ssm:GetParametersByPath permission is granted only on resources under the SSMPrefix value supplied as a CloudFormation parameter, so CLICK can read only the parameters it has been prescribed to read.

The execution role also carries the CloudWatch Logs and VPC network-interface permissions that AWSLambdaVPCAccessExecutionRole provides:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "ec2:CreateNetworkInterface",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DeleteNetworkInterface"
            ],
            "Resource": "*"
        }
    ]
}

AWS Cross-Account Role

This is the cross-account role that CLICK assumes to connect to the customer's
AWS account programmatically.

The far-side role allows CLICK to manage workspaces, list encryption keys, and
invoke the AD Gateway Lambda Function.

Example ARN:
arn:aws:iam::012345678901:role/ClickADConnector-CrossAccountRole-xxxxxxxxxxxxx

The role will have the following permission policies associated with it.

{
    "Version": "2012-10-17",
    "Statement": {
        "Action": [
            "kms:ListAliases",
            "kms:ListKeys",
            "kms:GetKeyPolicy",
            "kms:ListGrants"
        ],
        "Resource": "*",
        "Effect": "Allow"
    }
}

{
    "Version": "2012-10-17",
    "Statement": {
        "Action": [
            "lambda:InvokeFunction",
            "lambda:InvokeAsync"
        ],
        "Resource": "arn:aws:lambda:us-east-1:736931573815:function:ClickADConnector-AdConnectorLambdaFunction-1OXB14HW4CYI8",
        "Effect": "Allow"
    }
}

The role will also have the following trust policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::CLICK_ACCOUNT:role/ad-connector-trust-role-SOME_ID"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
        }
      }
    }
  ]
}
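As an added example (not part of this page and not CLICK's own tooling), the following Python audit helper reads policy documents like the ones above and reports the two things a reviewer checks by hand: which actions are allowed on Resource "*", and whether a cross-account trust policy names a specific role and carries an effective Condition. The embedded policies are copies of the JSON above (with the page's placeholder identifiers); the finding strings are the example's own.

```python
# Added example, not CLICK's own code: offline audit of IAM policy documents.
# Handles both the single-object and list forms of "Statement" used on this page.

KMS_POLICY = {  # cross-account KMS statement quoted above
    "Version": "2012-10-17",
    "Statement": {
        "Action": ["kms:ListAliases", "kms:ListKeys", "kms:GetKeyPolicy", "kms:ListGrants"],
        "Resource": "*",
        "Effect": "Allow",
    },
}

TRUST_POLICY = {  # trust policy quoted above, with the page's placeholder identifiers
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::CLICK_ACCOUNT:role/ad-connector-trust-role-SOME_ID"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {}},
    }],
}


def as_list(value):
    """IAM lets Statement, Action, Resource and Principal.AWS be a single value or a list."""
    return value if isinstance(value, list) else [value]


def wildcard_allows(policy):
    """Return the actions an Allow statement grants on Resource "*" (each needs a justification)."""
    actions = []
    for st in as_list(policy["Statement"]):
        if st.get("Effect") == "Allow" and "*" in as_list(st.get("Resource", [])):
            actions.extend(as_list(st.get("Action", [])))
    return actions


def trust_findings(policy):
    """Findings for a cross-account trust policy: overly broad principals, and an
    sts:AssumeRole grant whose Condition is empty (an empty StringEquals constrains nothing)."""
    findings = []
    for st in as_list(policy["Statement"]):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in as_list(st.get("Action", [])):
            continue
        principal = st.get("Principal", {})
        principals = ["*"] if principal == "*" else as_list(principal.get("AWS", []))
        if any(p == "*" or p.endswith(":root") or p.isdigit() for p in principals):
            findings.append("principal is an entire account or anyone, not a specific role")
        if not any(st.get("Condition", {}).values()):
            findings.append("sts:AssumeRole has no effective condition (e.g. no sts:ExternalId)")
    return findings
```

Run against the trust policy exactly as shown above, the helper flags the empty StringEquals block, which is worth confirming against the deployed version of the role.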