Scoping AWS Permissions

AWS IAM roles are required for the functioning of the NSX Advanced Load Balancer Controller. These roles are specified in IAM Roles for Installation into AWS section. The policy files provided in this reference use a broader scope to apply the permissions. This section discusses the steps to create policy files for deployments where the scope of IAM roles has to be restricted to specific resources or types.

The scope of action in an AWS policy can be restricted in two ways:

Explicitly specifying the resource(s)
Specifying a condition

Resource(s) are specified using their ARN (Amazon Resource Name). Below are a couple of notations to specify ARN:

arn:partition:service:region:account-id:resource
arn:partition:service:region:account-id:resourcetype/resource

ARN has the following components:

Partition — Partition the aws resource is in. It can have three values.
- aws – Public AWS partition
- aws-cn – AWS China
- aws-us-gov – AWS Government Cloud
Service — The service namespace like S3, EC2, KMS, and IA.
Region — The region resources are in.
Account — The ID of the AWS account that owns the resource.
Resource, resourcetype/resource — This part points to the actual resource.

These AWS resources can be uniquely identified by their names. These resources are used to restrict the scope of the IAM permissions. For example,arn:aws:s3:::avi or arn:aws:iam:::role/vmimport.

But, for the resources that can not be uniquely identified using resource names like EC2 resources, ARN is made up using resource id, and since a resource ID is not known in advance, these resources can be used to restrict IAM permissions. In this case, the conditions in the policy document are used to restrict permissions.

In the example below, the tag key for AviCloud_UUID is used to restrict the permission of a user or a role. This policy makes sure that a user or a role can only perform the specified operations on the resources that have the resource tag key set as AVICLOUD_UUID.

   {
   
   "Sid": "VisualEditor1",
   
   "Effect": "Allow",
   
   "Action": [
   
   "ec2:RebootInstances",
   
   "ec2:TerminateInstances",
   
   "ec2:StartInstances",
   
   "ec2:StopInstances"
   
   ],
   
   "Resource": "*",
   
   "Condition": {
   
   "StringLike": {
   
   "ec2:ResourceTag/AVICLOUD_UUID": "*"
   
   }}}

Note:

Resource-based restrictions are available for S3 and IAM permissions, and condition-based restrictions are available for EC2 write permissions.

Scoping AWS Permissions Using JSON Policies

IAM Policies	Tag Values which can be modified
avicontroller-ec2-policy.json	cloud_name:cloud_uuid
avicontroller-s3-policy.json	new_se_prefix
avicontroller-r53-policy.json	hosted_zone_id
avicontroller-iam-policy.json	custom-avi-<service(ec2/s3…)>
avicontroller-kms-policy.json	key_id_to_be_used

avicontroller-ec2-policy.json — It is used to create an IAM policy without any modification. Permissions for this policy are restricted based on the resource tag key. For further restriction, modify the policy file and add the desired value for the tag key. In this case, the permissions apply only to the resources that have the same tag key and the tag value. The tag value should be in the format cloud_name:cloud_uuid. : Replace the specific tag value as per the deployment.

Note:

Replace the <specific_tag_value> value as per the deployment.

{
     
"Sid": "VisualEditor0",
     
"Effect": "Allow",
     
"Action": [
     
"ec2:AuthorizeSecurityGroupEgress",
     
"ec2:AuthorizeSecurityGroupIngress",
     
"ec2:DeleteSecurityGroup",
     
"ec2:DeleteTags",
     
"ec2:RebootInstances",
     
"ec2:RevokeSecurityGroupIngress",
     
"ec2:StartInstances",
     
"ec2:StopInstances",
     
"ec2:TerminateInstances",
     
"ec2:RevokeSecurityGroupEgress"
     
],
     
"Resource": "*",
     
"Condition": {
     
"StringLike": {
     
"ec2:ResourceTag/AVICLOUD_UUID": "<specific_tag_value>"
     
}
     
}
     
},

avicontroller-s3-policy.json — The bucket name is derived from the Service Engine name prefix, configured in the Service Engine Group. The default SE name prefix is NSX Advanced Load Balancer, so the bucket name starts with avi (converting the prefix to lowercase). If the SE prefix value is changed, use the same value but in lowercase.

Note:
Replace thenew_se_prefix value as per the deployment.
```
   {
    
   "Sid": "VisualEditor2",
    
   "Effect": "Allow",
    
   "Action": [
    
   "s3:AbortMultipartUpload",
    
   "s3:DeleteObject",
    
   "s3:ListMultipartUploadParts",
    
   "s3:GetObject",
    
   "s3:PutObject"
    
   ],
    
   "Resource": "arn:aws:s3:::<new_se_prefix>-se-*/*"
    
   }
```
avicontroller-r53-policy.json— Use this policy to restrict R53 permissions. The JSON file is updated with the ID of the Route53-hosted zone. The selected zone is used for the registration and de-registration of VIPs and FIPs. In the example snippet shown below, the policy restricts the above two permissions to hosted_zone_id.

Note:
Replace the <hosted_zone_id> value as per the deployment.
```
{
 
"Sid": "VisualEditor0",
 
"Effect": "Allow",
 
"Action": [
 
"route53:ChangeResourceRecordSets",
 
"route53:ListResourceRecordSets"
 
],
 
"Resource": [
 
"arn:aws:route53:::hostedzone/<hosted_zone_id>"
 
]
 
},
```

avicontroller-iam-policy.json— This policy file must be updated with the correct role_name, instance_profile_name (same as the role name), and the common prefix of created policies using IAM Role Setup for Installation into AWS. In the example snippet shown below, for an NSX Advanced Load Balancer Controller role name – CustomAviRole , policies are created with the common prefix – custom-avi-<service(ec2/s3…)>.

Note:

Replace the prefix value as per the deployment.

    {
     
    "Version": "2012-10-17",
     
    "Statement": [
     
    {
     
    "Sid": "VisualEditor0",
     
    "Effect": "Allow",
     
    "Action": [
     
    "iam:GetPolicy",
     
    "iam:GetPolicyVersion",
     
    "iam:ListPolicyVersions"
     
    ],
     
    "Resource": [
     
    "arn:aws:iam::*:role/CustomAviRole",
     
    "arn:aws:iam::*:policy/custom-avi-*"
     
    ]
     
    },
     
    {
     
    "Sid": "VisualEditor1",
     
    "Effect": "Allow",
     
    "Action": [
     
    "iam:GetInstanceProfile",
     
    "iam:GetRole",
     
    "iam:GetRolePolicy",
     
    "iam:ListAttachedRolePolicies",
     
    "iam:ListRolePolicies"
     
    ],
     
    "Resource": [
     
    "arn:aws:iam::*:instance-profile/CustomAviRole",
     
    "arn:aws:iam::*:policy/custom-avi-*",
     
    "arn:aws:iam::*:role/vmimport",
     
    "arn:aws:iam::*:role/CustomAviRole"
     
    ]
     
    },
     
    {
     
    "Sid": "VisualEditor2",
     
    "Effect": "Allow",
     
    "Action": [
     
    "iam:ListPolicies",
     
    "iam:ListRoles"
     
    ],
     
    "Resource": "*"
     
    }
     
    ]
     
    }

avicontroller-kms-policy.json — This policy is used to enable S3/EBS encryption. Permissions on KMS Encryption keys can be managed by using both resource-based policies or IAM policies. To restrict IAM policies, a specific key ID can be provided. Or, the same permissions can be directly applied to the KMS key under the Key Policy section.

Note:
Replace the <key_id_to_be_used> value as per the deployment.
```
{

"Sid": "VisualEditor0",

"Effect": "Allow",

"Action": [

"kms:CreateGrant",

"kms:Decrypt",

"kms:DescribeKey",

"kms:GenerateDataKey",

"kms:GenerateDataKeyWithoutPlaintext",

"kms:ReEncryptFrom",

"kms:ReEncryptTo"

],

"Resource": "arn:aws:kms:::key/<key_id_to_be_used>"

}
```
avicontroller-kms-vmimport.json — This policy is used to create an IAM policy and attached to vmimport role, or it can be directly applied to the KMS key.
avicontroller-asg-policy.json — This policy is used for autoscaling groups configured on NSX Advanced Load Balancer.
avicontroller-sqs-sns-policy.json — This policy is used to enable SQS-SNS monitoring for autoscaling group.