IAM & Permissions
This guide details the IAM permissions used by EZ-CDC across AWS and GCP.
Permission Overview
EZ-CDC uses two IAM roles:
| Role | Purpose | Created By |
|---|---|---|
| Deployment Role | Allow EZ-CDC to provision infrastructure | You (CloudFormation) |
| Worker Instance Role | Allow workers to operate | EZ-CDC (Terraform) |
Deployment Role
This role allows EZ-CDC to create and manage worker infrastructure in your account.
Trust Policy
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::830087179307:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "YOUR_UNIQUE_EXTERNAL_ID"
        }
      }
    }
  ]
}
```
Security features:
- Only principals in EZ-CDC's AWS account (830087179307) can assume the role
- The external ID prevents confused-deputy attacks: a caller must present it on every `sts:AssumeRole`, so a third party who knows your role ARN cannot trick EZ-CDC into assuming it on their behalf
- The external ID is unique per customer
Permission Policy
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EC2RunTaggedInstances",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/ManagedBy": "ez-cdc"
        }
      }
    },
    {
      "Sid": "EC2RunInstancesDependencies",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*::image/*",
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:key-pair/*"
      ]
    },
    {
      "Sid": "EC2TagOnLaunch",
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": "arn:aws:ec2:*:*:*/*",
      "Condition": {
        "StringEquals": {
          "ec2:CreateAction": "RunInstances"
        }
      }
    },
    {
      "Sid": "EC2TerminateManagedInstances",
      "Effect": "Allow",
      "Action": "ec2:TerminateInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/ManagedBy": "ez-cdc"
        }
      }
    },
    {
      "Sid": "EC2Describe",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeTags"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AutoScaling",
      "Effect": "Allow",
      "Action": [
        "autoscaling:CreateAutoScalingGroup",
        "autoscaling:UpdateAutoScalingGroup",
        "autoscaling:DeleteAutoScalingGroup",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:CreateLaunchConfiguration",
        "autoscaling:DeleteLaunchConfiguration"
      ],
      "Resource": "*"
    },
    {
      "Sid": "SecurityGroups",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateSecurityGroup",
        "ec2:DeleteSecurityGroup",
        "ec2:DescribeSecurityGroups",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupEgress"
      ],
      "Resource": "*"
    },
    {
      "Sid": "NetworkDiscovery",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeRouteTables"
      ],
      "Resource": "*"
    },
    {
      "Sid": "IAMPassRole",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::*:role/ez-cdc-*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "ec2.amazonaws.com"
        }
      }
    },
    {
      "Sid": "IAMInstanceProfile",
      "Effect": "Allow",
      "Action": [
        "iam:CreateInstanceProfile",
        "iam:DeleteInstanceProfile",
        "iam:AddRoleToInstanceProfile",
        "iam:RemoveRoleFromInstanceProfile",
        "iam:GetInstanceProfile"
      ],
      "Resource": "arn:aws:iam::*:instance-profile/ez-cdc-*"
    },
    {
      "Sid": "IAMWorkerRole",
      "Effect": "Allow",
      "Action": [
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:AttachRolePolicy",
        "iam:DetachRolePolicy",
        "iam:PutRolePolicy",
        "iam:DeleteRolePolicy",
        "iam:GetRole"
      ],
      "Resource": "arn:aws:iam::*:role/ez-cdc-*"
    }
  ]
}
```

The tag condition is split the way IAM evaluates it: `aws:RequestTag` is only present in the request context of calls that attach tags, so it can gate `ec2:RunInstances` on the instance and volume resources and `ec2:CreateTags` at launch time, while `ec2:TerminateInstances` is bound by `aws:ResourceTag` on the existing instance and the `Describe*` calls carry no tag condition at all. A single statement that applied `aws:RequestTag` to every action would silently deny the describe and terminate calls.
What This Role Can Do
✅ Allowed:
- Create/terminate EC2 instances tagged with `ManagedBy: ez-cdc`
- Create/delete Auto Scaling Groups
- Create/delete security groups
- Read VPC and subnet information
- Create IAM roles prefixed with `ez-cdc-`
❌ Not Allowed:
- Access your databases
- Read S3 buckets (except `ez-cdc-releases`)
- Modify IAM policies not prefixed with `ez-cdc-`
- Create resources without `ez-cdc` tags
- Access any data
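The invariants listed above can be checked mechanically before the CloudFormation stack is created and again whenever the template changes. The Python script below is an added example, not part of EZ-CDC's tooling; it encodes the page's model as functions that return findings (a single trusted account, 830087179307; a mandatory and non-placeholder `sts:ExternalId`; IAM actions limited to `ez-cdc-` ARNs; `iam:PassRole` limited to EC2; instance launches gated on `ManagedBy: ez-cdc`; terminations gated on `aws:ResourceTag`, since `aws:RequestTag` is only populated on calls that attach tags). The policy documents it runs against are constructed here and abbreviated from the page: one compliant, one drifted so that `iam:PassRole` has been widened to `*` and the launch tag condition dropped. The sample external ID is a made-up value.

```python
"""Static checks for an EZ-CDC-style deployment role (added example).

Each checker returns a list of findings; an empty list means the document
matches the least-privilege model described on this page.
"""
import copy

EZ_CDC_ACCOUNT = "830087179307"                      # trusted account, from the trust policy
PLACEHOLDER_EXTERNAL_ID = "YOUR_UNIQUE_EXTERNAL_ID"  # template value that must be replaced


def _as_list(value):
    """IAM accepts a string or a list for Action, Resource and Principal."""
    return value if isinstance(value, list) else [value]


def _allow_statements(policy):
    return [s for s in _as_list(policy.get("Statement", [])) if s.get("Effect") == "Allow"]


def _string_equals(stmt, key):
    """Value of a StringEquals condition key, or None if the statement lacks it."""
    return stmt.get("Condition", {}).get("StringEquals", {}).get(key)


def _scoped_to_ez_cdc(resource):
    """True for IAM ARNs whose role or instance-profile name carries the ez-cdc- prefix."""
    return resource.startswith("arn:aws:iam::") and "/ez-cdc-" in resource


def check_trust_policy(trust):
    findings = []
    expected = f"arn:aws:iam::{EZ_CDC_ACCOUNT}:root"
    for stmt in _allow_statements(trust):
        principals = _as_list(stmt.get("Principal", {}).get("AWS", []))
        if principals != [expected]:
            findings.append(f"trust: principal {principals} is not {expected}")
        if _as_list(stmt.get("Action")) != ["sts:AssumeRole"]:
            findings.append(f"trust: action {stmt.get('Action')} is not sts:AssumeRole")
        external_id = _string_equals(stmt, "sts:ExternalId")
        if not external_id or external_id == PLACEHOLDER_EXTERNAL_ID:
            findings.append("trust: sts:ExternalId condition missing or still the placeholder")
    return findings


def check_permission_policy(policy):
    findings = []
    for stmt in _allow_statements(policy):
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt["Action"])
        resources = _as_list(stmt["Resource"])
        touches_instances = any(r == "*" or ":instance/" in r for r in resources)
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"{sid}: wildcard action")
        for action in actions:
            if action.startswith("iam:") and not all(map(_scoped_to_ez_cdc, resources)):
                findings.append(f"{sid}: {action} not limited to ez-cdc- ARNs")
            if action == "iam:PassRole" and _string_equals(stmt, "iam:PassedToService") != "ec2.amazonaws.com":
                findings.append(f"{sid}: iam:PassRole not restricted to ec2.amazonaws.com")
            if action == "ec2:RunInstances" and touches_instances \
                    and _string_equals(stmt, "aws:RequestTag/ManagedBy") != "ez-cdc":
                findings.append(f"{sid}: ec2:RunInstances on instances without a ManagedBy tag condition")
            if action == "ec2:TerminateInstances" and _string_equals(stmt, "aws:ResourceTag/ManagedBy") != "ez-cdc":
                findings.append(f"{sid}: ec2:TerminateInstances not limited to ManagedBy=ez-cdc instances")
    return findings


# Constructed sample documents, abbreviated from the policies on this page.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{EZ_CDC_ACCOUNT}:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id-0001"}}}]}

COMPLIANT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Run", "Effect": "Allow", "Action": "ec2:RunInstances",
     "Resource": ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*"],
     "Condition": {"StringEquals": {"aws:RequestTag/ManagedBy": "ez-cdc"}}},
    {"Sid": "Terminate", "Effect": "Allow", "Action": "ec2:TerminateInstances",
     "Resource": "arn:aws:ec2:*:*:instance/*",
     "Condition": {"StringEquals": {"aws:ResourceTag/ManagedBy": "ez-cdc"}}},
    {"Sid": "PassRole", "Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::*:role/ez-cdc-*",
     "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}},
    {"Sid": "WorkerRole", "Effect": "Allow", "Action": ["iam:CreateRole", "iam:DeleteRole"],
     "Resource": "arn:aws:iam::*:role/ez-cdc-*"}]}

# The same document with two regressions a reviewer should catch.
DRIFTED_POLICY = copy.deepcopy(COMPLIANT_POLICY)
DRIFTED_POLICY["Statement"][2]["Resource"] = "*"   # PassRole widened to any role
del DRIFTED_POLICY["Statement"][0]["Condition"]     # untagged launches allowed

if __name__ == "__main__":
    print("trust:", check_trust_policy(TRUST_POLICY) or "OK")
    print("compliant:", check_permission_policy(COMPLIANT_POLICY) or "OK")
    print("drifted:", check_permission_policy(DRIFTED_POLICY) or "OK")
```

Run it against the real template by loading the two policy documents from the CloudFormation stack with `json.load` and passing them to the two checkers; a non-empty list is a reason to stop and read the diff.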
Worker Instance Role
This role is attached to worker EC2 instances.
Trust Policy
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
Permission Policy
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "S3BinaryDownload",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::ez-cdc-releases/*"
      ]
    },
    {
      "Sid": "SSMSessionManager",
      "Effect": "Allow",
      "Action": [
        "ssm:UpdateInstanceInformation",
        "ssmmessages:CreateControlChannel",
        "ssmmessages:CreateDataChannel",
        "ssmmessages:OpenControlChannel",
        "ssmmessages:OpenDataChannel"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CloudWatchLogs",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:log-group:/ez-cdc/*"
    }
  ]
}
```
What Workers Can Do
✅ Allowed:
- Download binaries from the `ez-cdc-releases` S3 bucket
- Use SSM Session Manager (for troubleshooting)
- Write logs to CloudWatch (under the `/ez-cdc/` prefix)
❌ Not Allowed:
- Access any of your S3 buckets
- Access other AWS services
- Make IAM changes
- Access your databases via IAM (uses credentials)
Least Privilege Principles
Resource Constraints
Permissions are constrained by:
- Resource ARN patterns: the `ez-cdc-*` prefix
- Tags: `ManagedBy: ez-cdc`
- Conditions: specific services only
Example Constraints
```jsonc
{
  "Effect": "Allow",
  "Action": "ec2:RunInstances",
  "Resource": [
    "arn:aws:ec2:*:*:instance/*",  // Tag condition applies to the taggable resources
    "arn:aws:ec2:*:*:volume/*"
  ],
  "Condition": {
    "StringEquals": {
      "aws:RequestTag/ManagedBy": "ez-cdc" // Must have tag
    }
  }
}
```

```jsonc
{
  "Effect": "Allow",
  "Action": "iam:PassRole",
  "Resource": "arn:aws:iam::*:role/ez-cdc-*", // Only ez-cdc roles
  "Condition": {
    "StringEquals": {
      "iam:PassedToService": "ec2.amazonaws.com" // Only to EC2
    }
  }
}
```
Custom Restrictions
Restrict to Specific Regions
Modify the CloudFormation template and add the condition to the statements that should be region-bound. IAM is a global service, for which `aws:RequestedRegion` evaluates to `us-east-1`, so either keep `us-east-1` in the list or leave the IAM statements unconditioned; otherwise the role can no longer create the worker role and instance profile.
```json
{
  "Condition": {
    "StringEquals": {
      "aws:RequestedRegion": ["us-west-2", "us-east-1"]
    }
  }
}
```
Restrict to Specific VPCs
The `ec2:Vpc` key is only populated for VPC-scoped resource types (subnets, security groups, network interfaces), so attach it to the statements that act on those resources rather than to the whole policy. The account and VPC IDs below are placeholders.
```json
{
  "Condition": {
    "StringEquals": {
      "ec2:Vpc": "arn:aws:ec2:us-west-2:123456789:vpc/vpc-abc123"
    }
  }
}
```
Add Custom Tags
Require additional tags on resources (keys inside one `StringEquals` block are ANDed, so every listed tag must be present with the given value):
```json
{
  "Condition": {
    "StringEquals": {
      "aws:RequestTag/Environment": "production",
      "aws:RequestTag/CostCenter": "engineering"
    }
  }
}
```
Auditing IAM Usage
CloudTrail Events
Monitor role assumption. Each use of the deployment role appears in your account's CloudTrail as an `AssumeRole` event from `sts.amazonaws.com`; the caller identity belongs to EZ-CDC's account and the target is your deployment role:
```json
{
  "eventName": "AssumeRole",
  "userIdentity": {
    "arn": "arn:aws:iam::830087179307:root"
  },
  "requestParameters": {
    "roleArn": "arn:aws:iam::YOUR_ACCOUNT:role/ez-cdc-deployment-role"
  }
}
```
IAM Access Analyzer
Use IAM Access Analyzer to:
- Identify unused permissions
- Review external access
- Validate policy changes
Service Control Policies (SCPs)
SCPs never grant permissions; they only cap what IAM policies in member accounts can grant. If your organization uses an allow-list SCP, it must permit the actions below for the EZ-CDC roles, otherwise the deployment role is denied regardless of its own policy. Note that `StringEquals` does not treat `*` as a wildcard, so a pattern on `aws:PrincipalArn` needs `ArnLike`:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowEZCDC",
      "Effect": "Allow",
      "Action": [
        "ec2:*",
        "autoscaling:*",
        "iam:*"
      ],
      "Resource": "*",
      "Condition": {
        "ArnLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/ez-cdc-*"
        }
      }
    }
  ]
}
```
Best Practices
1. Use CloudFormation Template
Don't modify permissions manually; use the provided template.
2. Review Before Creating
Understand all permissions before creating the role.
3. Enable CloudTrail
Monitor all API calls made by EZ-CDC.
4. Regular Audits
Periodically review:
- Resources created by EZ-CDC
- IAM role usage patterns
- Permission boundaries
GCP Permissions
Service Account
EZ-CDC creates a dedicated Service Account per deployment:
ez-cdc-wk-{deployment-hash}@YOUR_PROJECT.iam.gserviceaccount.com
IAM Roles
| Role | Purpose |
|---|---|
| roles/logging.logWriter | Write worker logs to Cloud Logging |
| roles/monitoring.metricWriter | Write custom metrics to Cloud Monitoring |
| roles/storage.objectViewer | Download binaries from ez-cdc-releases-gcp bucket (scoped) |
What the Service Account Can Do
✅ Allowed:
- Write logs to Cloud Logging
- Write metrics to Cloud Monitoring
- Download binaries from EZ-CDC releases bucket
❌ Not Allowed:
- Access your Cloud Storage buckets
- Read or modify IAM policies
- Access your databases via IAM
- Create or delete GCP resources
- Access other GCP services
Workload Identity Federation
EZ-CDC's control-plane (running in AWS) accesses your GCP project through Workload Identity Federation — no exported service account keys are used.
AWS IAM Role → STS Token → GCP WIF → Short-lived GCP credentials
Security benefits:
- No long-lived service account keys
- Short-lived, auto-rotating credentials
- AWS caller identity verified by GCP
- All access logged in Cloud Audit Logs
Auditing GCP Access
Monitor EZ-CDC activity in Cloud Audit Logs with this Logs Explorer filter:
```
protoPayload.authenticationInfo.principalEmail:"ez-cdc-wk-*"
```
Or check IAM bindings:
```shell
gcloud projects get-iam-policy YOUR_PROJECT_ID \
  --flatten="bindings[].members" \
  --filter="bindings.members:ez-cdc-wk-*" \
  --format="table(bindings.role, bindings.members)"
```
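The table output above is easy to eyeball for one project; across many projects it is worth turning the same check into code. The script below is an added example, not part of EZ-CDC's tooling. It takes the JSON form of the project policy (what `gcloud projects get-iam-policy YOUR_PROJECT_ID --format=json` returns), finds every member matching `serviceAccount:ez-cdc-wk-*`, and reports roles beyond the two the table grants at project level (`roles/logging.logWriter`, `roles/monitoring.metricWriter`). The table scopes `roles/storage.objectViewer` to the releases bucket, so in this reading a project-wide `objectViewer` grant is reported as well; pass a different `expected_roles` set if your deployment grants it at project level. The policy document is constructed here; the deployment hashes and the `user:alice@example.com` member are made-up.

```python
"""Report unexpected project-level roles on EZ-CDC worker service accounts (added example)."""
import fnmatch
import json

MEMBER_PATTERN = "serviceAccount:ez-cdc-wk-*"
# Roles the page's table binds at project level; objectViewer is bucket-scoped.
PROJECT_ROLES = {"roles/logging.logWriter", "roles/monitoring.metricWriter"}


def unexpected_bindings(policy, expected_roles=PROJECT_ROLES, member_pattern=MEMBER_PATTERN):
    """Map each matching member to the set of roles it holds beyond expected_roles.

    Conditional bindings are still reported: a condition narrows a grant but
    does not make an unexpected role expected.
    """
    extra = {}
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if fnmatch.fnmatch(member, member_pattern) and role not in expected_roles:
                extra.setdefault(member, set()).add(role)
    return extra


# Constructed sample in the shape of `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/logging.logWriter",
     "members": ["serviceAccount:ez-cdc-wk-a1b2c3@YOUR_PROJECT.iam.gserviceaccount.com",
                 "serviceAccount:ez-cdc-wk-d4e5f6@YOUR_PROJECT.iam.gserviceaccount.com"]},
    {"role": "roles/monitoring.metricWriter",
     "members": ["serviceAccount:ez-cdc-wk-a1b2c3@YOUR_PROJECT.iam.gserviceaccount.com",
                 "serviceAccount:ez-cdc-wk-d4e5f6@YOUR_PROJECT.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:ez-cdc-wk-d4e5f6@YOUR_PROJECT.iam.gserviceaccount.com"]},
    {"role": "roles/editor",
     "members": ["user:alice@example.com",
                 "serviceAccount:ez-cdc-wk-a1b2c3@YOUR_PROJECT.iam.gserviceaccount.com"]}
  ],
  "etag": "BwXexample",
  "version": 1
}
"""


def load_sample_policy():
    return json.loads(SAMPLE_POLICY_JSON)


if __name__ == "__main__":
    for member, roles in sorted(unexpected_bindings(load_sample_policy()).items()):
        print(member, "->", ", ".join(sorted(roles)))
```

In the sample, the `a1b2c3` account carries `roles/editor`, which the page lists under "Not Allowed" (it would let the worker create and delete GCP resources), and the `d4e5f6` account has a project-wide `objectViewer` that would let it read every bucket in the project rather than only the releases bucket.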