What Permissions Does an Implementer Need?
Overview
When connecting Sym with your AWS account, you will need to be authenticated to AWS to create resources such as AWS IAM roles. This page documents the minimum permissions required to apply the various AWS resources needed when implementing Sym.
You can check these permissions yourself!
The permissions listed on this page were generated with tflocal and iamlive, as described in our blog post: Tools that Use AWS Logs to Help with Least Privilege
Runtime Connector Role
To apply the Terraform resources defined in AWS Runtime Setup, the following permissions are required:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CreateAndReadIAMRoleAndPolicies",
      "Effect": "Allow",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:CreatePolicy",
        "iam:CreateRole",
        "iam:GetPolicy",
        "iam:GetPolicyVersion",
        "iam:GetRole",
        "iam:ListAttachedRolePolicies",
        "iam:ListInstanceProfilesForRole",
        "iam:ListPolicyVersions",
        "iam:ListRolePolicies"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DeleteIAMRolesAndPolicies",
      "Effect": "Allow",
      "Action": [
        "iam:DeletePolicy",
        "iam:DeleteRole",
        "iam:DetachRolePolicy"
      ],
      "Resource": "*"
    }
  ]
}
Secrets Manager
If you are managing your secrets with AWS Secrets Manager, the following permissions are required in addition to the permissions in the Runtime Connector Role section above:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CreateAndReadSecretsManagerSecrets",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:CreateSecret",
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetResourcePolicy"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DeleteSecretsManagerSecret",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:DeleteSecret"
      ],
      "Resource": "*"
    }
  ]
}
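The page invites you to check these permissions yourself. The script below is an added example (not Sym's code and not part of the original page) that does the offline half of that check: it parses the two policy documents above, lists every action they grant, flags the mutating actions (Create/Delete/Attach/Detach) that are granted on `"Resource": "*"`, and compares the policy against the set of actions actually observed in a recorded apply, which is what a tool like iamlive produces. The observed action list is constructed sample data, not a real recording; the policies are copied from this page with the JSON syntax corrected.

```python
import json
from typing import Dict, Iterable, List, Set, Union

# Sample input: the two policies from this page, embedded as a single combined
# document so the script runs offline. Constructed for this example.
RUNTIME_CONNECTOR_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "CreateAndReadIAMRoleAndPolicies", "Effect": "Allow",
     "Action": ["iam:AttachRolePolicy", "iam:CreatePolicy", "iam:CreateRole",
                "iam:GetPolicy", "iam:GetPolicyVersion", "iam:GetRole",
                "iam:ListAttachedRolePolicies", "iam:ListInstanceProfilesForRole",
                "iam:ListPolicyVersions", "iam:ListRolePolicies"],
     "Resource": "*"},
    {"Sid": "DeleteIAMRolesAndPolicies", "Effect": "Allow",
     "Action": ["iam:DeletePolicy", "iam:DeleteRole", "iam:DetachRolePolicy"],
     "Resource": "*"}
  ]
}
""")

SECRETS_MANAGER_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "CreateAndReadSecretsManagerSecrets", "Effect": "Allow",
     "Action": ["secretsmanager:CreateSecret", "secretsmanager:DescribeSecret",
                "secretsmanager:GetResourcePolicy"],
     "Resource": "*"},
    {"Sid": "DeleteSecretsManagerSecret", "Effect": "Allow",
     "Action": ["secretsmanager:DeleteSecret"], "Resource": "*"}
  ]
}
""")

# Constructed stand-in for the action list a recording tool would emit during a
# Terraform apply. Deliberately omits one granted action and adds one the
# policy does not grant, so both directions of the comparison show up.
OBSERVED_ACTIONS = {
    "iam:CreateRole", "iam:GetRole", "iam:CreatePolicy", "iam:GetPolicy",
    "iam:GetPolicyVersion", "iam:AttachRolePolicy", "iam:ListRolePolicies",
    "iam:ListAttachedRolePolicies", "iam:ListInstanceProfilesForRole",
    "iam:ListPolicyVersions", "iam:DeleteRole", "iam:DeletePolicy",
    "iam:DetachRolePolicy", "iam:TagRole",  # TagRole is not in the policy
}

# Action verbs that change state; anything else is treated as read-only.
MUTATING_VERBS = ("Create", "Delete", "Attach", "Detach", "Put", "Update", "Tag", "Untag")


def _as_list(value: Union[str, List[str]]) -> List[str]:
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def allowed_actions(policy: Dict) -> Set[str]:
    """All actions granted by Allow statements in a policy document."""
    actions: Set[str] = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            actions.update(_as_list(stmt.get("Action", [])))
    return actions


def unscoped_mutating_actions(policy: Dict) -> Set[str]:
    """Mutating actions granted on Resource '*'. These are the first candidates
    for tightening to specific ARNs or a naming-prefix condition."""
    found: Set[str] = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource", [])):
            continue
        for action in _as_list(stmt.get("Action", [])):
            verb = action.split(":", 1)[1]  # "iam:CreateRole" -> "CreateRole"
            if verb.startswith(MUTATING_VERBS):
                found.add(action)
    return found


def unused_actions(policy: Dict, observed: Iterable[str]) -> Set[str]:
    """Granted but never observed: candidates for removal."""
    return allowed_actions(policy) - set(observed)


def missing_actions(policy: Dict, observed: Iterable[str]) -> Set[str]:
    """Observed but not granted: the apply would fail with AccessDenied here."""
    return set(observed) - allowed_actions(policy)


if __name__ == "__main__":
    for name, policy in (("runtime", RUNTIME_CONNECTOR_POLICY), ("secrets", SECRETS_MANAGER_POLICY)):
        print(name, "grants", len(allowed_actions(policy)), "actions;",
              "unscoped mutating:", sorted(unscoped_mutating_actions(policy)))
    print("granted but unused:", sorted(unused_actions(RUNTIME_CONNECTOR_POLICY, OBSERVED_ACTIONS)))
    print("observed but not granted:", sorted(missing_actions(RUNTIME_CONNECTOR_POLICY, OBSERVED_ACTIONS)))
```

Every action on this page is granted on `"Resource": "*"`, so `unscoped_mutating_actions` reports all of the Create/Delete/Attach/Detach calls. Whether you scope those down to the ARNs of the roles and policies Terraform actually creates is a decision for your account; the script only makes the gap visible. The unused/missing comparison is the same check iamlive automates, done against a recording you supply.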