IAM Permissions

Table of Contents

• Overview

• Quick Start — Generate IAM Policy

• Minimum Required Permissions

• Permissions by Action

• Permission Scoping (Least Privilege)

• IAM Role Setup

• Security Best Practices

• Troubleshooting

• Additional Resources

Overview

The SG Provisioner requires specific IAM permissions to create and manage Security Groups via CloudFormation. This guide provides the minimum required permissions and best practices.

Quick Start — Generate IAM Policy

The SG Provisioner generates a tailored IAM policy for your configuration:

docker run --rm \
  -v ~/.aws:/home/sguser/.aws:ro \
  -v $(pwd)/sg/configs:/app/configs:ro \
  -v $(pwd)/sg/policies:/app/policies \
  -v $(pwd)/sg/reports:/app/reports \
  sg-provisioner:latest \
  --config my-config.yaml \
  --action create-policy

Output: policies/<sg-name>-iam-policy.json

---

Minimum Required Permissions

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EC2SecurityGroupManagement",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateSecurityGroup",
                "ec2:DeleteSecurityGroup",
                "ec2:DescribeSecurityGroups",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:DescribeVpcs",
                "ec2:CreateTags",
                "ec2:DeleteTags"
            ],
            "Resource": "arn:aws:ec2:<region>:<account-id>:*"
        },
        {
            "Sid": "CloudFormationManagement",
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateStack",
                "cloudformation:DeleteStack",
                "cloudformation:DescribeStacks",
                "cloudformation:UpdateStack",
                "cloudformation:ValidateTemplate",
                "cloudformation:DescribeStackEvents",
                "cloudformation:DescribeStackResources",
                "cloudformation:CreateChangeSet",
                "cloudformation:DeleteChangeSet",
                "cloudformation:DescribeChangeSet",
                "cloudformation:DetectStackDrift",
                "cloudformation:DescribeStackDriftDetectionStatus",
                "cloudformation:DescribeStackResourceDrifts"
            ],
            "Resource": "arn:aws:cloudformation:<region>:<account-id>:stack/*/*"
        },
        {
            "Sid": "SSMReadVPCParameters",
            "Effect": "Allow",
            "Action": [
                "ssm:GetParameter"
            ],
            "Resource": "arn:aws:ssm:<region>:<account-id>:parameter/vpc/<company-prefix>-*"
        },
        {
            "Sid": "SSMManageSGParameters",
            "Effect": "Allow",
            "Action": [
                "ssm:PutParameter",
                "ssm:GetParameter",
                "ssm:GetParameters",
                "ssm:GetParametersByPath",
                "ssm:DeleteParameter",
                "ssm:AddTagsToResource"
            ],
            "Resource": "arn:aws:ssm:<region>:<account-id>:parameter/sg/<company-prefix>-*"
        }
    ]
}

---

Permissions by Action

Actions Requiring AWS Credentials for License Validation Only

These actions do not interact with AWS infrastructure but require AWS credentials for license validation:

Action	Description
validate-config	Validates YAML against schema
create-policy	Generates IAM policy JSON file
validate-prov-template	Validates template locally
create-review-report	Generates review HTML/YAML
list-scenarios	Lists available scenarios
show-scenario	Displays scenario details

Actions Requiring AWS Credentials for License Validation and Infrastructure Access

These actions require AWS credentials for both license validation and AWS infrastructure access:

Action	EC2	CloudFormation	SSM
create-prov-template	❌	❌	✅
create-security-groups	✅	✅	✅
delete-security-groups	✅	✅	✅
test-deploy	✅	✅	❌
show-changes	❌	✅	❌
check-drift	❌	✅	❌

✅ = requires permissions for this service. ❌ = no permissions required for this service.

---

Permission Scoping (Least Privilege)

SSM Split Permissions

The generated policy splits SSM permissions into two statements:

1. SSMReadVPCParameters — read-only access to /vpc/ path (resolve VPC ID)

2. SSMManageSGParameters — full CRUD on /sg/ path (store/delete SG IDs)

This ensures the SG provisioner cannot modify VPC parameters.

Scope by Region and Account

{
    "Resource": "arn:aws:ec2:us-west-2:123456789012:*"
}

Scope by Company Prefix

{
    "Resource": "arn:aws:ssm:us-west-2:123456789012:parameter/sg/globalbank-*"
}

---

IAM Role Setup

Create Role

aws iam create-role \
  --role-name sg-provisioner-role \
  --assume-role-policy-document file://trust-policy.json

Attach Policy

aws iam create-policy \
  --policy-name SgProvisionerPolicy \
  --policy-document file://policies/globalbank-prod-c001-us-west-2-sg-iam-policy.json

aws iam attach-role-policy \
  --role-name sg-provisioner-role \
  --policy-arn arn:aws:iam::123456789012:policy/SgProvisionerPolicy

---

Security Best Practices

1. Use generated policy — always start with create-policy output

2. Scope to company prefix — limits blast radius

3. Separate roles per environment — dev, staging, prod

4. Enable MFA for production deployments

5. Rotate credentials every 90 days

6. Monitor with CloudTrail — audit all API calls

7. Use IAM roles over access keys when possible

---

Troubleshooting

Access Denied

# Check current identity
aws sts get-caller-identity

# Test EC2 permissions
aws ec2 describe-security-groups --max-results 5 --region us-west-2

# Test SSM permissions
aws ssm get-parameter --name /vpc/test/VPCId --region us-west-2

Policy Simulator

Test permissions without making changes: https://policysim.aws.amazon.com/

---

Additional Resources

• Configuration Reference

• Security Guidelines

• AWS IAM Best Practices