Immuta Managed Cloud's Use of AWS IAM

To achieve complete resource isolation from other Immuta Managed Cloud subscribers, Immuta Managed Cloud provisions infrastructure resources within your AWS account and the most security-critical components of the service are served to you from your own AWS infrastructure. Consequently, Immuta Managed Cloud requires certain IAM privileges in your account.

Providing Credentials to Immuta

Immuta Managed Cloud requires you to provide a temporary AWS IAM role, which will be assumed by our system and used to create a set of IAM roles and policies that Immuta uses to provision and maintain your installation. Once the IAM roles are created, it is safe to delete the temporary role that you provided.

Below are the steps for creating the temporary role with the required policies.

Creating the Temporary IAM Role

  1. Go to the IAM Home Page and select Roles.
  2. At the top of the list of roles, click the Create role button.
  3. For the Select type of trusted entity options:

    • Select Another AWS account.
    • Enter 766223676658 in the Account ID field, and check the Require external ID option.
    • Enter a value for the External ID field, and leave the Require MFA option unchecked.
    • Click the Next: Permissions button.
  4. Click Next: Tags. Note: At this point you do not need to attach any policies, since you will create the policies for the role in the next section.

  5. Opt to give the role any tags required by your organization and click Next: Review.
  6. Name the role (e.g., Immuta-Temporary-Provisioning) and add a description.
  7. Finally, click the Create Role button.

Once the role is created, you will be returned to the list of roles screen. From here, click on the role you just created to view the details of the role. Note the Role ARN. This is the value, along with the External ID value you entered above, that you will provide during the Immuta provisioning process. If you do not remember the value for the External ID, you can find it under the Trust relationships tab in the Conditions section.

Creating the Role IAM Policy

The policy for the role can either be created as a customer-managed policy or as an inline policy. Since the role you created is temporary, you will create the policy inline, which will make cleanup easier.

  1. Go to the IAM Home Page, select Roles, and click on the role you created in the previous step from the list of roles.
  2. Click Add inline policy under the Permissions tab.
  3. Click the JSON tab, delete the existing editor contents, and paste in the policy statement shown below. Be sure to replace both occurrences of <YOUR_ACCOUNT_ID> with your account ID.

    JSON Policy Statement
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "iam:AttachRolePolicy",
                    "iam:CreatePolicy",
                    "iam:CreatePolicyVersion",
                    "iam:CreateRole",
                    "iam:DeletePolicy",
                    "iam:DeletePolicyVersion",
                    "iam:DetachRolePolicy",
                    "iam:GetPolicy",
                    "iam:GetPolicyVersion",
                    "iam:GetRole",
                    "iam:GetRolePolicy",
                    "iam:ListPolicyVersions",
                    "iam:ListRolePolicies",
                    "iam:ListRoleTags",
                    "iam:TagRole",
                    "iam:UpdateAssumeRolePolicy"
                ],
                "Resource": [
                    "arn:aws:iam::<YOUR_ACCOUNT_ID>:policy/immuta/*",
                    "arn:aws:iam::<YOUR_ACCOUNT_ID>:role/immuta/*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "iam:ListPolicies",
                    "iam:ListRoles"
                ],
                "Resource": "*"
            }
        ]
    }
    
  4. Name the policy (e.g., Immuta-Temporary-Provisioning) and click the Create Policy button.
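As an added example (not Immuta's code), the following Python builds the trust policy that the console steps above produce and checks a trust policy and an inline permissions policy for the two properties this procedure relies on: the sts:ExternalId condition on the assume-role statement, and IAM write actions confined to the immuta/ role and policy paths. The account ID 111122223333 and the loose statement in the demo are constructed placeholders; the Immuta account ID and the two wildcard-scoped list actions come from the page.

```python
IMMUTA_ACCOUNT_ID = "766223676658"     # Immuta's account, as given on this page
YOUR_ACCOUNT_ID = "111122223333"       # constructed placeholder; use your own account ID
SCOPED_ARNS = {f"arn:aws:iam::{YOUR_ACCOUNT_ID}:policy/immuta/*",
               f"arn:aws:iam::{YOUR_ACCOUNT_ID}:role/immuta/*"}
WILDCARD_OK = {"iam:ListPolicies", "iam:ListRoles"}  # only actions the page grants on "*"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def trust_policy(external_id: str) -> dict:
    """Trust policy the console steps produce: Immuta's account, external ID required, no MFA."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{IMMUTA_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}}}]}

def trust_findings(doc: dict) -> list:
    """Ways a trust policy is weaker than the one the page describes."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        principals = _as_list(principal.get("AWS", []) if isinstance(principal, dict) else principal)
        if any(IMMUTA_ACCOUNT_ID not in p for p in principals):
            findings.append("a principal other than the Immuta account can assume the role")
        if not stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"):
            findings.append("no sts:ExternalId condition (confused-deputy protection missing)")
    return findings

def permission_findings(doc: dict) -> list:
    """Allowed actions that reach outside the immuta/ role and policy paths,
    except the two read-only list calls the page itself grants on "*"."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if set(_as_list(stmt.get("Resource", []))) <= SCOPED_ARNS:
            continue
        findings.extend(a for a in _as_list(stmt.get("Action", [])) if a not in WILDCARD_OK)
    return findings

if __name__ == "__main__":
    loose = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
             "Action": ["iam:CreateRole", "iam:ListRoles"], "Resource": "*"}]}
    print(trust_findings(trust_policy("example-external-id")))  # []
    print(permission_findings(loose))                           # ['iam:CreateRole']
```

Run permission_findings over the inline policy you pasted in step 3 (loaded with json.load) before saving it; an empty list means no IAM write action escaped the immuta/ paths.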

The Roles Immuta Creates

As indicated above, Immuta Managed Cloud creates and uses IAM roles to provision and manage the resources required for the instance of Immuta. The JSON object below is the policy document initially attached to these roles. As Immuta expands the capabilities of the managed service, the actions, effects, and resources in that document may be updated. Return to this page to see the current policy document.

JSON Policy Statement
{
  "policy_statement": [
    {
      "Action": [
        "autoscaling:AttachLoadBalancerTargetGroups",
        "autoscaling:CreateAutoScalingGroup",
        "autoscaling:CreateOrUpdateTags",
        "autoscaling:DeleteAutoScalingGroup",
        "autoscaling:DeleteTags",
        "autoscaling:Describe*",
        "autoscaling:DetachLoadBalancerTargetGroups",
        "autoscaling:DetachLoadBalancers",
        "autoscaling:SetDesiredCapacity",
        "autoscaling:UpdateAutoScalingGroup",
        "ec2:AcceptVpcEndpointConnections",
        "ec2:AcceptVpcPeeringConnection",
        "ec2:AllocateAddress",
        "ec2:AssignIpv6Addresses",
        "ec2:AssignPrivateIpAddresses",
        "ec2:AssociateAddress",
        "ec2:AssociateDhcpOptions",
        "ec2:AssociateRouteTable",
        "ec2:AssociateSubnetCidrBlock",
        "ec2:AssociateVpcCidrBlock",
        "ec2:AttachClassicLinkVpc",
        "ec2:AttachInternetGateway",
        "ec2:AttachNetworkInterface",
        "ec2:AttachVpnGateway",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateCustomerGateway",
        "ec2:CreateDefaultSubnet",
        "ec2:CreateDefaultVpc",
        "ec2:CreateDhcpOptions",
        "ec2:CreateEgressOnlyInternetGateway",
        "ec2:CreateFlowLogs",
        "ec2:CreateInternetGateway",
        "ec2:CreateLaunchTemplate",
        "ec2:CreateLaunchTemplateVersion",
        "ec2:CreateNatGateway",
        "ec2:CreateNetworkAcl",
        "ec2:CreateNetworkAclEntry",
        "ec2:CreateNetworkInterface",
        "ec2:CreateNetworkInterfacePermission",
        "ec2:CreateRoute",
        "ec2:CreateRouteTable",
        "ec2:CreateSecurityGroup",
        "ec2:CreateSubnet",
        "ec2:CreateTags",
        "ec2:CreateVpc",
        "ec2:CreateVpcEndpoint",
        "ec2:CreateVpcEndpointConnectionNotification",
        "ec2:CreateVpcEndpointServiceConfiguration",
        "ec2:CreateVpcPeeringConnection",
        "ec2:CreateVpnConnection",
        "ec2:CreateVpnConnectionRoute",
        "ec2:CreateVpnGateway",
        "ec2:DeleteCustomerGateway",
        "ec2:DeleteDhcpOptions",
        "ec2:DeleteEgressOnlyInternetGateway",
        "ec2:DeleteFlowLogs",
        "ec2:DeleteInternetGateway",
        "ec2:DeleteKeyPair",
        "ec2:DeleteLaunchTemplate",
        "ec2:DeleteLaunchTemplateVersions",
        "ec2:DeleteNatGateway",
        "ec2:DeleteNetworkAcl",
        "ec2:DeleteNetworkAclEntry",
        "ec2:DeleteNetworkInterface",
        "ec2:DeleteNetworkInterfacePermission",
        "ec2:DeleteRoute",
        "ec2:DeleteRouteTable",
        "ec2:DeleteSecurityGroup",
        "ec2:DeleteSubnet",
        "ec2:DeleteTags",
        "ec2:DeleteVpc",
        "ec2:DeleteVpcEndpointConnectionNotifications",
        "ec2:DeleteVpcEndpointServiceConfigurations",
        "ec2:DeleteVpcEndpoints",
        "ec2:DeleteVpcPeeringConnection",
        "ec2:DeleteVpnConnection",
        "ec2:DeleteVpnConnectionRoute",
        "ec2:DeleteVpnGateway",
        "ec2:Describe*",
        "ec2:DetachClassicLinkVpc",
        "ec2:DetachInternetGateway",
        "ec2:DetachNetworkInterface",
        "ec2:DetachVpnGateway",
        "ec2:DisableVgwRoutePropagation",
        "ec2:DisableVpcClassicLink",
        "ec2:DisableVpcClassicLinkDnsSupport",
        "ec2:DisassociateAddress",
        "ec2:DisassociateRouteTable",
        "ec2:DisassociateSubnetCidrBlock",
        "ec2:DisassociateVpcCidrBlock",
        "ec2:EnableVgwRoutePropagation",
        "ec2:EnableVpcClassicLink",
        "ec2:EnableVpcClassicLinkDnsSupport",
        "ec2:GetLaunchTemplateData",
        "ec2:ImportKeyPair",
        "ec2:ModifyLaunchTemplate",
        "ec2:ModifyNetworkInterfaceAttribute",
        "ec2:ModifySubnetAttribute",
        "ec2:ModifyVpcAttribute",
        "ec2:ModifyVpcEndpoint",
        "ec2:ModifyVpcEndpointConnectionNotification",
        "ec2:ModifyVpcEndpointServiceConfiguration",
        "ec2:ModifyVpcEndpointServicePermissions",
        "ec2:ModifyVpcPeeringConnectionOptions",
        "ec2:ModifyVpcTenancy",
        "ec2:MoveAddressToVpc",
        "ec2:RejectVpcEndpointConnections",
        "ec2:RejectVpcPeeringConnection",
        "ec2:ReleaseAddress",
        "ec2:ReplaceNetworkAclAssociation",
        "ec2:ReplaceNetworkAclEntry",
        "ec2:ReplaceRoute",
        "ec2:ReplaceRouteTableAssociation",
        "ec2:ResetNetworkInterfaceAttribute",
        "ec2:RestoreAddressToClassic",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:RunInstances",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:TerminateInstances",
        "ec2:UnassignIpv6Addresses",
        "ec2:UnassignPrivateIpAddresses",
        "ec2:UpdateSecurityGroupRuleDescriptionsEgress",
        "ec2:UpdateSecurityGroupRuleDescriptionsIngress",
        "eks:*",
        "elasticfilesystem:CreateFileSystem",
        "elasticfilesystem:CreateMountTarget",
        "elasticfilesystem:CreateTags",
        "elasticfilesystem:DeleteFileSystem",
        "elasticfilesystem:DeleteMountTarget",
        "elasticfilesystem:Describe*",
        "elasticloadbalancing:CreateListener",
        "elasticloadbalancing:CreateLoadBalancer",
        "elasticloadbalancing:CreateTargetGroup",
        "elasticloadbalancing:DeleteListener",
        "elasticloadbalancing:DeleteLoadBalancer",
        "elasticloadbalancing:DeleteTargetGroup",
        "elasticloadbalancing:Describe*",
        "elasticloadbalancing:ModifyLoadBalancerAttributes",
        "elasticloadbalancing:ModifyTargetGroupAttributes",
        "iam:AddRoleToInstanceProfile",
        "iam:AttachRolePolicy",
        "iam:CreateInstanceProfile",
        "iam:CreatePolicy",
        "iam:CreateRole",
        "iam:CreateServiceLinkedRole",
        "iam:DeleteInstanceProfile",
        "iam:DeletePolicy",
        "iam:DeleteRole",
        "iam:DetachRolePolicy",
        "iam:GetInstanceProfile",
        "iam:GetPolicy",
        "iam:GetPolicyVersion",
        "iam:GetRole",
        "iam:ListAttachedRolePolicies",
        "iam:ListInstanceProfilesForRole",
        "iam:ListPolicies",
        "iam:ListPolicyVersions",
        "iam:ListRolePolicies",
        "iam:ListRoles",
        "iam:PassRole",
        "iam:PutRolePolicy",
        "iam:RemoveRoleFromInstanceProfile",
        "iam:UpdateAssumeRolePolicy",
        "iam:UpdatePolicy",
        "iam:UpdateRole"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}