Skip to content

AWS IAM Roles

This document explains the details of the IAM roles created by the CloudFormation template used in the previous section.

The CloudFormation template creates the following three (3) IAM roles and one (1) CloudWatch Event rule:

  • ValtixControllerRole - Used by the Valtix Controller to connect to your AWS cloud account
  • ValtixFirewallRole - Used by the Valtix Gateway instances running in your cloud account to access S3, SecretsManager, KMS
  • ValtixCloudWatchEventRole - Used by the CloudWatch Event Rule to transfer inventory changes to the Valtix Controller
  • ValtixCloudWatchEventRule - A rule created on CloudWatch Events to transfer inventory changes to the Valtix Controller. The rule assumes the ValtixCloudWatchEventRole defined above provides permissions to transfer CloudWatch Events

ValtixControllerRole

Cross-account IAM role that allows the Valtix Controller to access your cloud account and take necessary actions e.g. Create EC2 instances, create load balancers, and change Route53 entries. The service principal is the valtix-controller-account with an external id applied. Here is the IAM policy applied to the role (e.g controller role name used in this example is valtix-controller-role):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "aacm:ListCertificates",
                "apigateway:GET",
                "ec2:*",
                "elasticloadbalancing:*",
                "events:DeleteRule",
                "events:ListTargetsByRule",
                "events:PutRule",
                "events:PutTargets",
                "events:RemoveTargets",
                "globalaccelerator:*",
                "iam:ListPolicies",
                "iam:ListRoles",
                "iam:ListRoleTags",
                "logs:*",
                "route53resolver:*",
                "servicequotas:GetServiceQuota",
                "s3:ListAllMyBuckets",
                "s3:ListBucket",
                "wafv2:Get*",
                "wafv2:List*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "iam:GetRole",
                "iam:ListRolePolicies",
                "iam:GetRolePolicy"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:iam::<valtix-account>:role/valtix-controller-role"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::<S3Bucket>/*"
        },
        {
            "Action": [
                "iam:GetRole",
                "iam:ListRolePolicies",
                "iam:GetRolePolicy",
                "iam:PassRole"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:iam::<customer-account>:role/valtix_firewall_role"
        },
        {
            "Action": "iam:CreateServiceLinkedRole",
            "Effect": "Allow",
            "Resource": "arn:aws:iam::*:role/aws-service-role/*"
        }
    ]
}

Service Principal:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                "arn:aws:iam::<valtix-account>:root"
                ]
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "valtix-external-id"
                }
            }
        }
    ]
}

ValtixFirewallRole

Role that is assigned to the Valtix Gateway (Firewall) EC2 instances. The role gives the Gateway instance capabilities to access secretsmanager where the private keys for the application are stored, ability to decrypt keys using AWS KMS if the keys are stored in KMS, and save objects like PCAPs and technical support data onto a S3 bucket. The service principal of this role is ec2.amazonaws.com. Here is the IAM policy applied to the role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:PutObject",
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::*/*"
        },
        {
            "Action": [
                "kms:Decrypt"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

Tip

You can download and edit the CloudFormation template to make the policy more restrictive e.g. restricting decrypt to use a specific key, or PutObject to a defined/specific S3 bucket.

ValtixCloudWatchEventRole

Role that is used for dynamic inventory purposes and provides the capability for the CloudTrail events to be transferred to the Controller's AWS account. Service Principal is events.amazonaws.com. Here is the policy applied to the role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "events:PutEvents",
            "Effect": "Allow",
            "Resource": [
                "arn:aws:events:*:<valtix-account>:event-bus/default"
            ]
        }
    ]
}

ValtixCloudWatchEventRule

Rule that is added to the CloudWatch Events to put all CloudTrail inventory changes to EC2 and API gateways to be copied to the event bus on the AWS account where the Controller runs. This rule is executed using the ValtixCloudWatchEventRole created above.

Custom Event Pattern:

{
    "detail-type": [
        "AWS API Call via CloudTrail",
        "EC2 Instance State-change Notification"
    ],
    "source": [
        "aws.ec2",
        "aws.elasticloadbalancing",
        "aws.apigateway"
    ]
}

Target:

Event Bus in another AWS Account (valtix-account) using the ValtixCloudWatchEventRole