Document toolboxDocument toolbox

Permissions required for EC2 role

Owned by Sarabjeet Kaur
Last updated: Nov 17, 2023 by NIDHI BHANDARI
6 min read

Applies to: Kyvos Enterprise  Kyvos Cloud (SaaS on AWS) Kyvos AWS Marketplace

Kyvos Azure Marketplace   Kyvos GCP Marketplace Kyvos Single Node Installation (Kyvos SNI)

This section presents the list of permission required for the EC2 role.

Permissions required for Automated CloudFormation template-based deployment

Purpose

Permissions required 

Scenario(s) for which this permission is required 

Impact of not granting permission 

Alternate plan (if any)

Conditional based access
(if any)

Purpose

Permissions required 

Scenario(s) for which this permission is required 

Impact of not granting permission 

Alternate plan (if any)

Conditional based access
(if any)

Fetching list and describing resources (instances, output, etc.) created from CloudFormation Stack

"cloudformation:DetectStackSetDrift","cloudformation:ListExports","cloudformation:DescribeStackDriftDetectionStatus","cloudformation:DetectStackDrift","cloudformation:ListStackSetOperations","cloudformation:ListStackInstances", "cloudformation:ListTypes", "cloudformation:DescribeStackResource", "cloudformation:ListStackSetOperationResults", "cloudformation:DetectStackResourceDrift", "cloudformation:EstimateTemplateCost", "cloudformation:DescribeStackEvents", "cloudformation:DescribeStackSetOperation", "cloudformation:DescribeAccountLimits", "cloudformation:DescribeChangeSet", "cloudformation:ListStackResources", "cloudformation:ListStacks", "cloudformation:DescribeType", "cloudformation:ListImports", "cloudformation:DescribeStackInstance", "cloudformation:DescribeStackResources", "cloudformation:DescribeTypeRegistration", "cloudformation:GetTemplateSummary", "cloudformation:DescribeStacks", "cloudformation:DescribeStackResourceDrifts", "cloudformation:GetStackPolicy",  "cloudformation:DescribeStackSet",  "cloudformation:ListStackSets",  "cloudformation:GetTemplate",  "cloudformation:ValidateTemplate",  "cloudformation:ListChangeSets",  "cloudformation:ListTypeVersions"

Listing and describing resources created in CloudFormation Stack.

In the absence of this permission, automated deployment from Kyvos Manager will fail as it won’t be able to get the list of resources to be used for deployment.

Shift to wizard-based deployment.

Stack only with Tag key as UsedBy and value as Kyvos will be listed."aws:ResourceTag/UsedBy": "Kyvos"

Fetching information about existing resources fetched from CloudFormation Stack

"ec2:DescribeInstances","ec2:DescribeNetworkInterfaces","ec2:DescribeVolumes","ec2:DescribeInstanceStatus","rds:DescribeDBInstances","elasticmapreduce:DescribeCluster","elasticmapreduce:ListBootstrapActions"

Describe EC2 instances status, EC2 instance volumes, RDS instances, and EMR cluster.

In the absence of this permission, the Kyvos Manager will not be able to fetch and populate the list of existing resources and add them to the dropdown list. It will have an impact mainly on usability and efforts required to configure resources and role mapping.

Add Hadoop information and instances manually to Kyvos Manager.

Resources only with Tag key as UsedBy and value as Kyvos will be listed.

"aws:ResourceTag/UsedBy": "Kyvos"Note: Only the following support conditional based access:

“ec2:DescribeNetworkInterfaces"

"elasticmapreduce:DescribeCluster"

"elasticmapreduce:ListBootstrapActions"

Other IAM actions do not support this.

Adding tags to existing resources of CloudFormation Stack

"ec2:DescribeTags","ec2:CreateTags","rds:AddTagsToResource","rds:ListTagsForResource","elasticmapreduce:AddTags"

Deploying cluster using pre-created resources by the user who has created on its own (i.e. not created from CloudFormation template downloaded from the Kyvos Manager).

In the absence of this permission, the Kyvos Manager will not be able to add tags on cluster resources using which cluster is getting deployed.

KM_CLUSTER_ID tag can be added manually to all the instances add services manually.

Resources only with Tag key as UsedBy and value as Kyvos will be listed.

"aws:ResourceTag/UsedBy": "Kyvos"

Get the bucket location

"s3:GetBucketLocation"

Fetch the location of the S3 bucket used in deployment. All the other S3 permissions are provided at the bucket policy.

In the absence of this permission, KM_CLUSTER_ID won’t be added to the S3 bucket.

KM_CLUSTER_ID tag can be added manually to the S3 bucket.



Schedule start of BI Server: Configure schedule value in Cloudwatch Event

"events:PutRule","events:PutTargets"

Configure the rule and target value in Cloudwatch Event.

In the absence of this permission, the Schedule Scaling feature won’t be able to bring up the BI Server after an offline schedule has been triggered.





Creation and termination of On-demand EMR cluster

"elasticmapreduce:PutAutoScalingPolicy","elasticmapreduce:DescribeCluster","elasticmapreduce:ListInstanceGroups","elasticmapreduce:DescribeStep","elasticmapreduce:ListInstances","elasticmapreduce:RunJobFlow","elasticmapreduce:TerminateJobFlows","elasticmapreduce:ModifyInstanceGroups" 

Create an EMR cluster when the semantic model process is triggered.

In the absence of this permission, the EMR cluster won’t be created.

Using an External EMR cluster for semantic model processing  activity.

Resources only with Tag key as UsedBy and value as Kyvos will be listed."aws:ResourceTag/UsedBy": "Kyvos"Note: Only the "elasticmapreduce:ListClusters" doesn’t support conditional based access. Other IAM actions support this.

List EMR and RDS versions

"elasticmapreduce:ListClusters", "elasticmapreduce:ListReleaseLabels rds:DescribeDBEngineVersions"

List the EMR and RDS versions while creating CFT from the Kyvos Manager

The CFT will be created without EMR and RDS versions, so user will not be able to select any version while creating stack.





Cost Explorer usage

"ce:GetCostAndUsage"

Get resource-wise usage cost of each of the services.

In the absence of this permission Cost usage feature will not work.





Stop RDS

"rds:StopDBInstance"

Stop the RDS instance when the offline schedule is triggered.

In the absence of this permission, RDS won’t be stopped.

Start RDS manually every time a schedule started.

Resources only with Tag key as UsedBy and value as Kyvos will be listed.

"aws:ResourceTag/UsedBy": "Kyvos"

Start and stop EC2 instances

"ec2:StopInstances","ec2:StartInstances","ec2:DescribeInstanceStatus",“ec2:ModifyInstanceAttribute”

Start and stop of EC2 instances on respective schedule up and schedule down events.

In absence of this permission Scheduled scaling feature will not work.



Resources only with Tag key as UsedBy and value as Kyvos will be listed.

"aws:ResourceTag/UsedBy": "Kyvos"

Attach EC2 role to EMR instances

 "iam:PassRole"       

Attach an IAM role to instances launched by EMR.

In the absence of this permission, EMR cluster creation will fail.





Permissions for Glue

 "glue:GetDatabase", "glue:GetDatabases", "glue:GetTable", "glue:GetPartitions", "glue:GetTables", "glue:GetUserDefinedFunctions"

Preview and refine SQL based datasets when EMR is down.

In the absence of this permission, EMR with Glue enabled will not work.





Publish bootstrap logs of EC2 instances to CloudWatch

"logs:CreateLogStream","logs:PutLogEvents","logs:CreateLogGroup"

Create a log group for publishing bootstrap logs of EC2 instances

In the absence of this permission, bootstrap logs won’t get published to CloudWatch





Get and update secrets from Secrets Manager 

"secretsmanager:UntagResource", "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret", "secretsmanager:TagResource", "secretsmanager:UpdateSecret" 

List the secret and update existing secrets 

In the absence of this permission, Kyvos won’t be able to get secrets or update any of the existing secrets. 



Resources only with Tag key as UsedBy and value as Kyvos will be listed "secretsmanager:ResourceTag/UsedBy": "Kyvos" 

Get and update secrets from Secrets Manager 

NOTE: With Deploy with Enhanced Security Enabled

ssm:GetParameter "ssm:PutParameter", "ssm:DeleteParameter", "ssm:DescribeParameters"

List the secret and update existing secrets

In the absence of this permission, Kyvos won’t be able to get secrets or update any of the existing secrets. 



Resources only with Tag key as UsedBy and value as Kyvos will be listed. "ssm:resourceTag/UsedBy": "Kyvos"
Note: Only the following support conditional based access: "ssm:GetParameter" " Other IAM actions do not support this.

Validate Kyvos stack resources for deployment



Describe and get the details of VPC and IAM policies attached to EC2 machines 

In the absence of this permission, Kyvos Manager won’t be able to perform validation on the resources that will be used as Kyvos Components 





Additional permissions required for Wizard based deployment

Purpose

Permissions required 

Scenario(s) for which this permission is required 

Impact of not granting permission 

Alternate plan (if any)

Conditional based Access

Purpose

Permissions required 

Scenario(s) for which this permission is required 

Impact of not granting permission 

Alternate plan (if any)

Conditional based Access

Fetching list of existing stacks in AWS environment (List Stack)

 "cloudformation:ListStacks"

Listing of existing stacks in used AWS account.

In the absence of this permission, the KyvosManager will not be able to fetch and populate the list of stacks and add them to the dropdown list.

It will have an impact mainly on usability & efforts required to configure resources and role mapping.

Users will need to key in/ type the information related to resources.



Permissions required for working of Kyvos Manager template creation wizard

 "ec2:DescribeInstanceTypeOfferings",

  "ec2:DescribeRegions",

  "ec2:DescribeInstanceTypes"

Creation of the CloudFormation template for creating various services required by Kyvos.

In the absence of this permission, the Kyvos Manager Template creation wizard will not work.

Deploy Kyvos using traditional Kyvos Manager-based deployment.



Permissions required by Lambda role

Purpose

Permissions required 

Scenario(s) for which this permission is required 

Impact of not granting permission 

Alternate plan (if any)

Conditional based Access

Purpose

Permissions required 

Scenario(s) for which this permission is required 

Impact of not granting permission 

Alternate plan (if any)

Conditional based Access

Publish logs of Lambda to CloudWatch

"logs:CreateLogStream",

"logs:PutLogEvents",

"logs:CreateLogGroup"

Create a log group for publishing Lambda logs.

In the absence of this permission, Lambda logs will not be published to CloudWatch.





Check RDS Status and start it

 "rds:StartDBInstance""rds:DescribeDBInstances"

Check RDS status and start RDS instance

In the absence of this permission, the schedule up will not work.

Start RDS manually every time an offline schedule gets over.

Resources only with Tag key as UsedBy and value as Kyvos will be listed.

"aws:ResourceTag/UsedBy": "Kyvos"

Starting EC2 instances

"ec2:StartInstances", 

"ec2:DescribeInstanceStatus", 

"ec2:DescribeInstances" 

Start EC2 instances on schedule up events.

In the absence of this permission, the Scheduled scale-up feature will not work.



Resources only with Tag key as UsedBy and value as Kyvos will be listed

"aws:ResourceTag/UsedBy": "Kyvos"
Note: Only "ec2:StartInstances" supports conditional based access. Other IAM actions do not support this.

Get token for Force start of Kyvos cluster from Secrets Manager 

secretsmanager:GetSecretValue 

Get the token stored in Secrets Manager used as a mutual authentication token used for force start of Kyvos Cluster. 

In the absence of this permission, won’t be able to fetch token from the Secrets Manager and match it with the user-provided token. 



Resources only with Tag key as UsedBy and value as Kyvos will be listed.
"secretsmanager:ResourceTag/UsedBy ": "Kyvos" 

Get token for Force start of Kyvos cluster from Secrets Manager
NOTE: With Deploy with Enhanced Security Enabled

"ssm:DescribeParameters", "ssm:GetParameter"

Get the token stored in Secrets Manager used as a mutual authentication token used for force start of Kyvos Cluster.

In the absence of this permission, won’t be able to fetch token from the Secrets Manager and match it with the user-provided token.





Additional permissions required for raw data querying over Athena

Purpose 

Permissions required  

Scenario(s) for which this permission is required  

Impact of not granting permission  

Alternate plan (if any) 

Conditional based Access 

Purpose 

Permissions required  

Scenario(s) for which this permission is required  

Impact of not granting permission  

Alternate plan (if any) 

Conditional based Access 

Allow kyvos to connect to athena, run sql query and fetch query result 

"athena:GetWorkGroup", "athena:StartQueryExecution", "athena:GetQueryResultsStream", "athena:StopQueryExecution",  "athena:GetQueryExecution",   "athena:GetQueryResults",      "athena:GetDataCatalog", "athena:ListWorkGroups" 

When Athena is selected as default sql engine 

Without this permission, raw data querying will fail on Athena. 

 

 

Allow Athenato read external files stored on s3 while running query and store query result into configured s3 bucket 

"s3:ListBucket",  

"s3:PutObject",  

"s3:GetObject", 

 

When queries are run over external tables having data stored in s3  

In the absence of this permission, Athena will not be able to read table data from s3  

 

S3:PutObject permission is required on buckets when a workgroup-defined or user-defined S3 location is configured. 

S3:GetObject permission is required to read all external data files on which tables are created, and the same tables are queried. 

Allow Athena to perfom catalogoperations or security checks before executing the query 

"glue:GetDatabase",  

"glue:GetTables",  

"glue:GetPartitions",  

"glue:GetDatabases",  

"glue:GetSchema",  

"glue:GetTable" 

 

When Tables in glue catalog will be queried using Athena 

In the absence of this permission, end user will not be able run queries using Athena on glue catalog  

 

 

Permissions required for external repository RDS 

From Kyvos 2023.2 onwards, for AWS, the following RDS permissions will be required to upgrade IAM roles using a shared template.

Purpose 

Permissions required  

Scenario(s) for which this permission is required  

Impact of not granting permission  

Alternate plan (if any) 

Conditional based Access 

Purpose 

Permissions required  

Scenario(s) for which this permission is required  

Impact of not granting permission  

Alternate plan (if any) 

Conditional based Access 

To automate the back up and restoration process of external repository RDS during rollback and upgrade 

“rds:DescribeDBInstances” 

"rds:StopDBInstance" 

"rds:DescribeDBSnapshots" 

"rds:CreateDBSnapshot" 

"rds:RestoreDBInstanceFromDBSnapshot"

"rds:DeleteDBInstance” 

When Kyvos use an external repository RDS 

Without this permission, the backup and restoration process will not be automated. 

If this fails, you need to manually  backup and restore the external repository RDS 

 



Copyright Kyvos, Inc. All rights reserved.