IAM Permissions

This guide details the IAM permissions used by EZ-CDC.

Permission Overview

EZ-CDC uses two IAM roles:

Role                   Purpose                                    Created By
Deployment Role        Allow EZ-CDC to provision infrastructure   You (CloudFormation)
Worker Instance Role   Allow workers to operate                   EZ-CDC (Terraform)

Deployment Role

This role allows EZ-CDC to create and manage worker infrastructure in your account.

Trust Policy

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::830087179307:root"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "YOUR_UNIQUE_EXTERNAL_ID"
}
}
}
]
}

Security features:

  • Only EZ-CDC's AWS account can assume the role
  • External ID prevents confused deputy attacks
  • External ID is unique per customer

Permission Policy

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "EC2Instances",
"Effect": "Allow",
"Action": [
"ec2:RunInstances",
"ec2:TerminateInstances",
"ec2:DescribeInstances",
"ec2:DescribeInstanceStatus",
"ec2:CreateTags",
"ec2:DescribeTags"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:RequestTag/ManagedBy": "ez-cdc"
}
}
},
{
"Sid": "AutoScaling",
"Effect": "Allow",
"Action": [
"autoscaling:CreateAutoScalingGroup",
"autoscaling:UpdateAutoScalingGroup",
"autoscaling:DeleteAutoScalingGroup",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:CreateLaunchConfiguration",
"autoscaling:DeleteLaunchConfiguration"
],
"Resource": "*"
},
{
"Sid": "SecurityGroups",
"Effect": "Allow",
"Action": [
"ec2:CreateSecurityGroup",
"ec2:DeleteSecurityGroup",
"ec2:DescribeSecurityGroups",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:RevokeSecurityGroupEgress"
],
"Resource": "*"
},
{
"Sid": "NetworkDiscovery",
"Effect": "Allow",
"Action": [
"ec2:DescribeVpcs",
"ec2:DescribeSubnets",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeRouteTables"
],
"Resource": "*"
},
{
"Sid": "IAMPassRole",
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "arn:aws:iam::*:role/ez-cdc-*",
"Condition": {
"StringEquals": {
"iam:PassedToService": "ec2.amazonaws.com"
}
}
},
{
"Sid": "IAMInstanceProfile",
"Effect": "Allow",
"Action": [
"iam:CreateInstanceProfile",
"iam:DeleteInstanceProfile",
"iam:AddRoleToInstanceProfile",
"iam:RemoveRoleFromInstanceProfile",
"iam:GetInstanceProfile"
],
"Resource": "arn:aws:iam::*:instance-profile/ez-cdc-*"
},
{
"Sid": "IAMWorkerRole",
"Effect": "Allow",
"Action": [
"iam:CreateRole",
"iam:DeleteRole",
"iam:AttachRolePolicy",
"iam:DetachRolePolicy",
"iam:PutRolePolicy",
"iam:DeleteRolePolicy",
"iam:GetRole"
],
"Resource": "arn:aws:iam::*:role/ez-cdc-*"
}
]
}

What This Role Can Do

Allowed:

  • Create/terminate EC2 instances tagged with ManagedBy: ez-cdc
  • Create/delete Auto Scaling Groups
  • Create/delete security groups
  • Read VPC and subnet information
  • Create IAM roles prefixed with ez-cdc-

Not Allowed:

  • Access your databases
  • Read S3 buckets (except ez-cdc-releases)
  • Modify IAM policies not prefixed with ez-cdc-
  • Create resources without ez-cdc tags
  • Access any data

Worker Instance Role

This role is attached to worker EC2 instances.

Trust Policy

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}

Permission Policy

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "S3BinaryDownload",
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::ez-cdc-releases/*"
]
},
{
"Sid": "SSMSessionManager",
"Effect": "Allow",
"Action": [
"ssm:UpdateInstanceInformation",
"ssmmessages:CreateControlChannel",
"ssmmessages:CreateDataChannel",
"ssmmessages:OpenControlChannel",
"ssmmessages:OpenDataChannel"
],
"Resource": "*"
},
{
"Sid": "CloudWatchLogs",
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "arn:aws:logs:*:*:log-group:/ez-cdc/*"
}
]
}

What Workers Can Do

Allowed:

  • Download binaries from ez-cdc-releases S3 bucket
  • Use SSM Session Manager (for troubleshooting)
  • Write logs to CloudWatch (under /ez-cdc/ prefix)

Not Allowed:

  • Access any of your S3 buckets
  • Access other AWS services
  • Make IAM changes
  • Access your databases via IAM (database access uses the credentials you configure, not this role)

Least Privilege Principles

Resource Constraints

Permissions are constrained by:

  1. Resource ARN patterns: ez-cdc-* prefix
  2. Tags: ManagedBy: ez-cdc
  3. Conditions: Specific services only

Example Constraints

Tag constraint (the request must carry the ManagedBy tag):

{
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:RequestTag/ManagedBy": "ez-cdc"
}
}
}

PassRole constraint (only ez-cdc- roles, and only passed to EC2):

{
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "arn:aws:iam::*:role/ez-cdc-*",
"Condition": {
"StringEquals": {
"iam:PassedToService": "ec2.amazonaws.com"
}
}
}
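A small linter that checks a deployment role against the trust-policy rules (expected principal, real External ID) and the least-privilege constraints above (tag condition, PassRole condition, ez-cdc-* ARN scoping). This is an added example, not EZ-CDC's own tooling; the EZ-CDC account ID is taken from the trust policy on this page, and the sample policies are constructed.

```python
# Added example (not EZ-CDC's own tooling): lint a deployment role's trust and permission
# policies against this page's least-privilege rules; the sample policies are constructed.
EZ_CDC_ACCOUNT = "830087179307"  # EZ-CDC's account, from the trust policy above

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint_trust_policy(trust):
    """Findings for the trust policy: expected principal and a real External ID."""
    findings = []
    for stmt in trust["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {}).get("AWS")
        if principal != f"arn:aws:iam::{EZ_CDC_ACCOUNT}:root":
            findings.append(f"trust: unexpected principal {principal!r}")
        ext_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext_id or ext_id == "YOUR_UNIQUE_EXTERNAL_ID":
            findings.append("trust: sts:ExternalId missing or still the placeholder")
    return findings

def lint_permission_policy(policy):
    """Findings for the permission policy: tag, PassRole and ez-cdc-* ARN constraints."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if "ec2:RunInstances" in actions and cond.get("aws:RequestTag/ManagedBy") != "ez-cdc":
            findings.append(f"{sid}: ec2:RunInstances lacks the ManagedBy=ez-cdc tag condition")
        if "iam:PassRole" in actions and cond.get("iam:PassedToService") != "ec2.amazonaws.com":
            findings.append(f"{sid}: iam:PassRole is not limited to ec2.amazonaws.com")
        for action in actions:  # every IAM action must stay inside the ez-cdc-* namespace
            if action.startswith("iam:") or action == "*":
                for res in resources:
                    if not res.startswith("arn:aws:iam::") or "/ez-cdc-" not in res:
                        findings.append(f"{sid}: {action} on {res!r} is not scoped to ez-cdc-*")
    return findings

# Constructed samples: a correct trust policy and a deliberately weakened permission policy.
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{EZ_CDC_ACCOUNT}:root"}, "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id-0001"}}}]}
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "EC2Instances", "Effect": "Allow", "Action": ["ec2:RunInstances"], "Resource": "*"},
    {"Sid": "IAMPassRole", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}]}
```

Running `lint_permission_policy` over the full policy from this page returns no findings; `WEAK_POLICY` yields three.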

Custom Restrictions

Restrict to Specific Regions

Modify the CloudFormation template:

{
"Condition": {
"StringEquals": {
"aws:RequestedRegion": ["us-west-2", "us-east-1"]
}
}
}

Restrict to Specific VPCs

{
"Condition": {
"StringEquals": {
"ec2:Vpc": "arn:aws:ec2:us-west-2:123456789:vpc/vpc-abc123"
}
}
}

Add Custom Tags

Require additional tags on resources:

{
"Condition": {
"StringEquals": {
"aws:RequestTag/Environment": "production",
"aws:RequestTag/CostCenter": "engineering"
}
}
}

Auditing IAM Usage

CloudTrail Events

Monitor role assumption:

{
"eventName": "AssumeRole",
"userIdentity": {
"arn": "arn:aws:iam::830087179307:root"
},
"requestParameters": {
"roleArn": "arn:aws:iam::YOUR_ACCOUNT:role/ez-cdc-deployment-role"
}
}
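The event above is the normal case. The following added example (not EZ-CDC's own tooling) scans CloudTrail records for AssumeRole activity that falls outside that trust relationship: the deployment role assumed by a principal other than EZ-CDC's account, the EZ-CDC account assuming some other role, or a denied attempt on the role. The role name is taken from the event above; the records and the 111122223333 account are constructed.

```python
# Added example (not EZ-CDC's own tooling): scan CloudTrail records for AssumeRole activity
# that falls outside the trust relationship described above; sample records are constructed.
EZ_CDC_ACCOUNT = "830087179307"  # EZ-CDC's account, from the trust policy on this page
DEPLOYMENT_ROLE_SUFFIX = ":role/ez-cdc-deployment-role"  # role name from the event above

def _caller_account(identity):
    """Account ID of the calling principal, from accountId or the ARN's account field."""
    if identity.get("accountId"):
        return identity["accountId"]
    parts = identity.get("arn", "").split(":")
    return parts[4] if len(parts) >= 6 else ""

def check_assume_role_events(records):
    """Return (eventID, reason) alerts for AssumeRole records that deserve review."""
    alerts = []
    for rec in records:
        if rec.get("eventName") != "AssumeRole":
            continue
        caller = rec.get("userIdentity", {})
        caller_account = _caller_account(caller)
        role_arn = rec.get("requestParameters", {}).get("roleArn", "")
        targets_deploy_role = role_arn.endswith(DEPLOYMENT_ROLE_SUFFIX)
        if rec.get("errorCode"):
            # A denied attempt on the EZ-CDC role (e.g. a wrong External ID) should be reviewed
            if targets_deploy_role:
                alerts.append((rec["eventID"], f"denied AssumeRole ({rec['errorCode']}) by {caller.get('arn')}"))
            continue
        if targets_deploy_role and caller_account != EZ_CDC_ACCOUNT:
            alerts.append((rec["eventID"], f"deployment role assumed by foreign principal {caller.get('arn')}"))
        elif caller_account == EZ_CDC_ACCOUNT and not targets_deploy_role:
            alerts.append((rec["eventID"], f"EZ-CDC account assumed unexpected role {role_arn}"))
    return alerts

SAMPLE_RECORDS = [  # constructed CloudTrail-style records; 111122223333 is a placeholder account
    {"eventID": "e1", "eventName": "AssumeRole",
     "userIdentity": {"arn": f"arn:aws:iam::{EZ_CDC_ACCOUNT}:root"},
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/ez-cdc-deployment-role"}},
    {"eventID": "e2", "eventName": "AssumeRole",
     "userIdentity": {"arn": "arn:aws:iam::999988887777:user/alice"},
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/ez-cdc-deployment-role"}},
    {"eventID": "e3", "eventName": "AssumeRole", "errorCode": "AccessDenied",
     "userIdentity": {"arn": f"arn:aws:iam::{EZ_CDC_ACCOUNT}:root"},
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/ez-cdc-deployment-role"}},
    {"eventID": "e4", "eventName": "AssumeRole",
     "userIdentity": {"arn": f"arn:aws:iam::{EZ_CDC_ACCOUNT}:root"},
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/admin"}},
]
```

Only e1 matches the expected pattern; e2, e3 and e4 are returned as alerts.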

IAM Access Analyzer

Use IAM Access Analyzer to:

  • Identify unused permissions
  • Review external access
  • Validate policy changes

Service Control Policies (SCPs)

If using AWS Organizations, ensure SCPs allow:

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowEZCDC",
"Effect": "Allow",
"Action": [
"ec2:*",
"autoscaling:*",
"iam:*"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:PrincipalArn": "arn:aws:iam::*:role/ez-cdc-*"
}
}
}
]
}

Best Practices

1. Use CloudFormation Template

Don't modify permissions manually—use the provided template.

2. Review Before Creating

Understand all permissions before creating the role.

3. Enable CloudTrail

Monitor all API calls made by EZ-CDC.

4. Regular Audits

Periodically review:

  • Resources created by EZ-CDC
  • IAM role usage patterns
  • Permission boundaries
