What Permissions Does an Implementer Need?

Overview

When connecting Sym with your AWS account, you will need to be authenticated to AWS to create resources such as AWS IAM roles. This page documents the minimum permissions required to apply the various AWS resources needed when implementing Sym.

You can check these permissions yourself!

The permissions listed on this page were generated with tflocal and iamlive, as described in our blog post: Tools that Use AWS Logs to Help with Least Privilege.

Runtime Connector Role

To apply the Terraform resources defined in AWS Runtime Setup, the following permissions are required:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CreateAndReadIAMRoleAndPolicies",
            "Effect": "Allow",
            "Action": [
                "iam:AttachRolePolicy",
                "iam:CreatePolicy",
                "iam:CreateRole",
                "iam:GetPolicy",
                "iam:GetPolicyVersion",
                "iam:GetRole",
                "iam:ListAttachedRolePolicies",
                "iam:ListInstanceProfilesForRole",
                "iam:ListPolicyVersions",
                "iam:ListRolePolicies"
            ],
            "Resource": "*"
        },
        {
            "Sid": "DeleteIAMRolesAndPolicies",
            "Effect": "Allow",
            "Action": [
                "iam:DeletePolicy",
                "iam:DeleteRole",
                "iam:DetachRolePolicy"
            ],
            "Resource": "*"
        }
    ]
}

Secrets Manager

If you are managing your secrets with AWS Secrets Manager, the following permissions are required in addition to the permissions in the Runtime Connector Role section above:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CreateAndReadSecretsManagerSecrets",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:CreateSecret",
                "secretsmanager:DescribeSecret",
                "secretsmanager:GetResourcePolicy"
            ],
            "Resource": "*"
        },
        {
            "Sid": "DeleteSecretsManagerSecret",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:DeleteSecret"
            ],
            "Resource": "*"
        }
    ]
}
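As an added example (not part of Sym's documentation or tooling), the script below checks whether a set of IAM policy documents grants every action listed in the Runtime Connector Role and Secrets Manager sections above, honouring IAM's case-insensitive wildcard matching, NotAction and explicit Deny, and lists the statements that still use Resource "*". The CANDIDATE_POLICY is a constructed sample; Condition blocks and Resource ARNs are deliberately not evaluated.

```python
import fnmatch
import json

# Action lists copied from the two policy documents on this page.
RUNTIME_CONNECTOR_ACTIONS = [
    "iam:AttachRolePolicy", "iam:CreatePolicy", "iam:CreateRole", "iam:GetPolicy",
    "iam:GetPolicyVersion", "iam:GetRole", "iam:ListAttachedRolePolicies",
    "iam:ListInstanceProfilesForRole", "iam:ListPolicyVersions", "iam:ListRolePolicies",
    "iam:DeletePolicy", "iam:DeleteRole", "iam:DetachRolePolicy",
]
SECRETS_MANAGER_ACTIONS = [
    "secretsmanager:CreateSecret", "secretsmanager:DescribeSecret",
    "secretsmanager:GetResourcePolicy", "secretsmanager:DeleteSecret",
]
# Constructed sample (not from the page): a candidate implementer policy that
# relies on service wildcards and forgot the delete/detach permissions.
CANDIDATE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadAndCreate", "Effect": "Allow", "Resource": "*",
     "Action": ["iam:Get*", "iam:List*", "iam:Create*", "iam:AttachRolePolicy"]}]})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _statements(policy_docs):
    return [s for doc in policy_docs for s in _as_list(json.loads(doc)["Statement"])]

def _covers(stmt, action):
    # IAM compares action names case-insensitively; '*' and '?' are wildcards.
    match = lambda p: fnmatch.fnmatchcase(action.lower(), p.lower())
    if "Action" in stmt:
        return any(match(p) for p in _as_list(stmt["Action"]))
    return "NotAction" in stmt and not any(match(p) for p in _as_list(stmt["NotAction"]))

def missing_actions(policy_docs, required):
    """Required actions not granted (or explicitly denied) by the policy documents.
    Assumption: Conditions are ignored and Resource is not compared (enough for this page)."""
    stmts = _statements(policy_docs)
    missing = []
    for action in required:
        allowed = any(s["Effect"] == "Allow" and _covers(s, action) for s in stmts)
        denied = any(s["Effect"] == "Deny" and _covers(s, action) for s in stmts)
        if denied or not allowed:
            missing.append(action)
    return sorted(missing)

def wildcard_resource_sids(policy_docs):
    """Sids of statements with Resource "*": the ones to review when scoping down."""
    return [s.get("Sid", "<no Sid>") for s in _statements(policy_docs)
            if "*" in _as_list(s.get("Resource", []))]
```

Run `missing_actions([CANDIDATE_POLICY], RUNTIME_CONNECTOR_ACTIONS + SECRETS_MANAGER_ACTIONS)` against the policy you intend to use before running the Terraform apply; an empty list means every listed action is granted.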