# AWS IAM Policies

> For the complete documentation index, see [llms.txt](https://docs.redpanda.com/llms.txt). Component-specific: [cloud-data-platform-full.txt](https://docs.redpanda.com/cloud-data-platform-full.txt)

---
title: AWS IAM Policies
latest-operator-version: v26.1.4
latest-console-tag: v3.7.3
latest-connect-version: 4.93.0
latest-redpanda-tag: v26.1.9
docname: authorization/cloud-iam-policies
page-component-name: cloud-data-platform
page-version: master
page-component-version: master
page-component-title: Cloud
page-relative-src-path: authorization/cloud-iam-policies.adoc
page-edit-url: https://github.com/redpanda-data/cloud-docs/edit/main/modules/security/pages/authorization/cloud-iam-policies.adoc
description: See the IAM policies used by AWS.
page-git-created-date: "2024-06-06"
page-git-modified-date: "2024-10-21"
---

<!-- Source: https://docs.redpanda.com/cloud-data-platform/security/authorization/cloud-iam-policies.md -->

When you run `rpk cloud byoc aws apply` to create a BYOC cluster, you grant IAM permissions to the Redpanda Cloud agent. IAM permissions allow the agent to access the AWS API to create and manage cluster resources. The permissions follow the principle of least privilege, limiting access to only what is necessary. IAM permissions are not required by Redpanda Cloud users.

> 📝 **NOTE**
>
> -   This page lists the IAM permissions Redpanda needs to create [BYOC clusters](https://docs.redpanda.com/cloud-data-platform/get-started/cluster-types/byoc/aws/create-byoc-cluster-aws/). This does _not_ pertain to [BYOVPC clusters](https://docs.redpanda.com/cloud-data-platform/get-started/cluster-types/byoc/aws/vpc-byo-aws/).
>
> -   IAM permissions are not required for Redpanda Cloud users. IAM policies do not grant user access to a cluster; rather, they grant the deployed Redpanda agent access, so that brokers can communicate with the BYOC clusters.

## AWS IAM policies

IAM policies are assigned to deployed Redpanda agents for BYOC AWS clusters. The policies are shown below as Terraform (HCL) `aws_iam_policy_document` statement blocks, in which `${local.aws_account_id}` and `var.redpanda_id` are filled in at deployment time. They cover the following AWS services:

-   [Amazon Elastic Compute Cloud (AWS EC2)](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/concepts.html)

-   [Amazon Elastic Compute Cloud Auto Scaling (AWS EC2 Auto Scaling)](https://aws.amazon.com/ec2/autoscaling/)

-   [Amazon Simple Storage Service (AWS S3)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html)

-   [Amazon Route 53](https://aws.amazon.com/route53/)

-   [Amazon DynamoDB](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Introduction.html)


### Actions allowed with wildcard resources

The following actions are granted to the Redpanda agent with a wildcard (`*`) resource.

RedpandaAgentActionsOnlyAllowedWithWildcardResources

```hcl
statement {
   sid    = "RedpandaAgentActionsOnlyAllowedWithWildcardResources"
   effect = "Allow"
   actions = [
     "ec2:CreateTags",
     "ec2:DescribeAccountAttributes",
     "ec2:DescribeImages",
     "ec2:DescribeInstances",
     "ec2:DescribeInstanceTypes",
     "ec2:CreateLaunchTemplate",
     "ec2:CreateLaunchTemplateVersion",
     "ec2:DescribeLaunchTemplateVersions",
     "ec2:DescribeLaunchTemplates",
     "iam:ListPolicies",
     "iam:ListRoles",
     "iam:GetOpenIDConnectProvider",
     "iam:DeleteOpenIDConnectProvider",
     "autoscaling:DescribeScalingActivities",
     "autoscaling:DescribeAutoScalingGroups",
     "autoscaling:DescribeTags",
     "autoscaling:DescribeTerminationPolicyTypes",
     "autoscaling:DescribeInstanceRefreshes",
     "autoscaling:DescribeLaunchConfigurations",
     "iam:CreateServiceLinkedRole",
     "ec2:CreatePlacementGroup",
     "ec2:DeletePlacementGroup",
     "ec2:DescribePlacementGroups",
     "eks:DescribeNodegroup",
     "eks:DeleteNodegroup"
   ]
   resources = [
     "*",
   ]
 }
```

### Run EC2 instances

The following action lets the Redpanda agent launch AWS EC2 instances. It is scoped to the listed resource types (instances, network interfaces, volumes, security groups, subnets, and launch templates) in the account, plus any AMI.

RedpandaAgentEC2RunInstances

```hcl
statement {
   sid    = "RedpandaAgentEC2RunInstances"
   effect = "Allow"
   actions = [
     "ec2:RunInstances",
   ]
   resources = [
     "arn:aws:ec2:*:${local.aws_account_id}:instance/*",
     "arn:aws:ec2:*:${local.aws_account_id}:network-interface/*",
     "arn:aws:ec2:*:${local.aws_account_id}:volume/*",
     "arn:aws:ec2:*:${local.aws_account_id}:security-group/*",
     "arn:aws:ec2:*:${local.aws_account_id}:subnet/*",
     "arn:aws:ec2:*:${local.aws_account_id}:launch-template/*",
     "arn:aws:ec2:*::image/*",
   ]
 }
```

### Delete launch templates

The following action lets the Redpanda agent delete AWS launch templates, but only those tagged with the cluster's `redpanda-id`.

RedpandaAgentLaunchTemplateDeletion

```hcl
statement {
   sid    = "RedpandaAgentLaunchTemplateDeletion"
   effect = "Allow"
   actions = [
     "ec2:DeleteLaunchTemplate",
   ]
   resources = [
     "arn:aws:ec2:*:${local.aws_account_id}:launch-template/*",
   ]
   condition {
     test     = "StringEquals"
     variable = "ec2:ResourceTag/redpanda-id"
     values = [
       var.redpanda_id,
     ]
   }
 }
```

### Manage security groups

The following actions apply only to Redpanda agents managing AWS security groups.

RedpandaAgentSecurityGroups

```hcl
statement {
   sid    = "RedpandaAgentSecurityGroups"
   effect = "Allow"
   actions = [
     "ec2:AuthorizeSecurityGroupEgress",
     "ec2:AuthorizeSecurityGroupIngress",
     "ec2:CreateSecurityGroup",
     "ec2:DeleteSecurityGroup",
     "ec2:RevokeSecurityGroupEgress",
     "ec2:RevokeSecurityGroupIngress",
     "ec2:UpdateSecurityGroupRuleDescriptionsIngress",
     "ec2:UpdateSecurityGroupRuleDescriptionsEgress",
     "ec2:ModifySecurityGroupRules",
   ]
   resources = [
     "arn:aws:ec2:*:${local.aws_account_id}:security-group/*",
     "arn:aws:ec2:*:${local.aws_account_id}:vpc/${local.network_config.vpc_id}",
   ]
 }
```

### Manage EKS clusters

The following statement grants the Redpanda agent all EKS actions, but only on the Amazon Elastic Kubernetes Service (Amazon EKS) cluster named after the cluster's `redpanda-id`.

RedpandaAgentEKSCluster

```hcl
statement {
   sid    = "RedpandaAgentEKSCluster"
   effect = "Allow"
   actions = [
     "eks:*",
   ]
   resources = [
     "arn:aws:eks:*:${local.aws_account_id}:cluster/redpanda-${var.redpanda_id}",
   ]
 }
```

### Manage instance profiles

The following actions apply only to Redpanda agents managing AWS instance profiles.

RedpandaAgentInstanceProfile

```hcl
statement {
   sid    = "RedpandaAgentInstanceProfile"
   effect = "Allow"
   actions = [
     "iam:AddRoleToInstanceProfile",
     "iam:RemoveRoleFromInstanceProfile",
     "iam:CreateInstanceProfile",
     "iam:DeleteInstanceProfile",
     "iam:GetInstanceProfile",
     "iam:TagInstanceProfile",
   ]
   resources = [
     "arn:aws:iam::${local.aws_account_id}:instance-profile/redpanda-${var.redpanda_id}*",
     "arn:aws:iam::${local.aws_account_id}:instance-profile/redpanda-agent-${var.redpanda_id}*",
   ]
 }
```

### Create EKS OIDC providers

The following actions let the Redpanda agent create and tag AWS EKS OIDC providers, and update a provider's CA certificate thumbprint. The thumbprint update is restricted to providers tagged with the cluster's `redpanda-id`.

RedpandaAgentEKSOIDCProvider

```hcl
statement {
   sid    = "RedpandaAgentEKSOIDCProvider"
   effect = "Allow"
   actions = [
     "iam:CreateOpenIDConnectProvider",
     "iam:TagOpenIDConnectProvider",
     "iam:UntagOpenIDConnectProvider",
   ]
   resources = [
     "arn:aws:iam::${local.aws_account_id}:oidc-provider/oidc.eks.*.amazonaws.com",
   ]
 }

statement {
   sid    = "RedpandaAgentEKSOIDCProviderCACertThumbprintUpdate"
   effect = "Allow"
   actions = [
     "iam:UpdateOpenIDConnectProviderThumbprint",
   ]
   resources = [
     "arn:aws:iam::${local.aws_account_id}:oidc-provider/oidc.eks.*.amazonaws.com",
     "arn:aws:iam::${local.aws_account_id}:oidc-provider/oidc.eks.*.amazonaws.com/id/*",
   ]
   condition {
     test     = "StringEquals"
     variable = "aws:ResourceTag/redpanda-id"
     values = [
       var.redpanda_id,
     ]
   }
 }
```

### Manage IAM policies

The following actions let the Redpanda agent manage AWS IAM policies, limited to the policy names listed below that carry the cluster's `redpanda-id`.

RedpandaAgentIAMPolicies

```hcl
statement {
   sid    = "RedpandaAgentIAMPolicies"
   effect = "Allow"
   actions = [
     "iam:CreatePolicy",
     "iam:DeletePolicy",
     "iam:GetPolicy",
     "iam:GetPolicyVersion",
     "iam:ListPolicyVersions",
     "iam:TagPolicy"
   ]
   resources = [
     "arn:aws:iam::${local.aws_account_id}:policy/aws_ebs_csi_driver-redpanda-${var.redpanda_id}",
     "arn:aws:iam::${local.aws_account_id}:policy/cert_manager_policy-${var.redpanda_id}",
     "arn:aws:iam::${local.aws_account_id}:policy/external_dns_policy-${var.redpanda_id}",
     "arn:aws:iam::${local.aws_account_id}:policy/load_balancer_controller-${var.redpanda_id}",
     "arn:aws:iam::${local.aws_account_id}:policy/redpanda-agent-${var.redpanda_id}*",
     "arn:aws:iam::${local.aws_account_id}:policy/redpanda-${var.redpanda_id}-autoscaler",
     "arn:aws:iam::${local.aws_account_id}:policy/redpanda-cloud-storage-manager-${var.redpanda_id}",
     "arn:aws:iam::${local.aws_account_id}:policy/secrets_manager_policy-${var.redpanda_id}",
     "arn:aws:iam::${local.aws_account_id}:policy/redpanda-connectors-secrets-manager-${var.redpanda_id}",
     "arn:aws:iam::${local.aws_account_id}:policy/redpanda-console-secrets-manager-${var.redpanda_id}",
   ]
 }
```

### Manage IAM roles

The following actions let the Redpanda agent manage AWS IAM roles (including `iam:PassRole`), limited to the role names listed below that carry the cluster's `redpanda-id`.

RedpandaAgentIAMRoleManagement

```hcl
statement {
   sid    = "RedpandaAgentIAMRoleManagement"
   effect = "Allow"
   actions = [
     "iam:CreateRole",
     "iam:DeleteRole",
     "iam:AttachRolePolicy",
     "iam:DetachRolePolicy",
     "iam:GetRole",
     "iam:TagRole",
     "iam:PassRole",
     "iam:ListAttachedRolePolicies",
     "iam:ListInstanceProfilesForRole",
     "iam:ListRolePolicies",
   ]
   resources = [
     "arn:aws:iam::${local.aws_account_id}:role/redpanda-cloud-storage-manager-${var.redpanda_id}",
     "arn:aws:iam::${local.aws_account_id}:role/redpanda-agent-${var.redpanda_id}*",
     "arn:aws:iam::${local.aws_account_id}:role/redpanda-${var.redpanda_id}*",
     "arn:aws:iam::${local.aws_account_id}:role/redpanda-connectors-secrets-manager-${var.redpanda_id}*",
     "arn:aws:iam::${local.aws_account_id}:role/redpanda-console-secrets-manager-${var.redpanda_id}*",
   ]
 }
```

### Manage S3 buckets

The following statement grants the Redpanda agent all actions on the AWS Simple Storage Service (S3) management bucket and the objects in it.

RedpandaAgentS3ManagementBucket

```hcl
statement {
   sid    = "RedpandaAgentS3ManagementBucket"
   effect = "Allow"
   actions = [
     "s3:*",
   ]
   resources = [
     data.aws_s3_bucket.management.arn,
     "${data.aws_s3_bucket.management.arn}/*",
   ]
 }
```

### Manage S3 cloud bucket storage

The following actions let the Redpanda agent create, delete, read, and set the bucket policy of the S3 bucket used for the cluster's cloud storage.

RedpandaAgentS3CloudStorageBucket

```hcl
statement {
   sid    = "RedpandaAgentS3CloudStorageBucket"
   effect = "Allow"
   actions = [
     "s3:List*",
     "s3:Get*",
     "s3:CreateBucket",
     "s3:DeleteBucket",
     "s3:PutBucketPolicy",
     "s3:DeleteBucketPolicy",
   ]
   resources = [
     local.redpanda_cloud_storage_bucket_arn,
     "${local.redpanda_cloud_storage_bucket_arn}/*",
   ]
 }
```

### Manage virtual private cloud (VPC)

The following actions let the Redpanda agent manage AWS VPC networking (gateways, routes, subnets, endpoints, and network interfaces). They are granted with a wildcard (`*`) resource.

RedpandaAgentVPCManagement

```hcl
statement {
   sid    = "RedpandaAgentVPCManagement"
   effect = "Allow"
   actions = [
     "ec2:DescribeVpcs",
     "ec2:DescribeVpcAttribute",
     "ec2:DescribeSecurityGroups",
     "ec2:CreateInternetGateway",
     "ec2:DeleteInternetGateway",
     "ec2:AttachInternetGateway",
     "ec2:DescribeInternetGateways",
     "ec2:CreateNatGateway",
     "ec2:DeleteNatGateway",
     "ec2:DescribeNatGateways",
     "ec2:CreateRoute",
     "ec2:DeleteRoute",
     "ec2:CreateRouteTable",
     "ec2:DeleteRouteTable",
     "ec2:DescribeRouteTables",
     "ec2:AssociateRouteTable",
     "ec2:CreateSubnet",
     "ec2:DeleteSubnet",
     "ec2:DescribeSubnets",
     "ec2:CreateVpcEndpoint",
     "ec2:ModifyVpcEndpoint",
     "ec2:DeleteVpcEndpoints",
     "ec2:DescribeVpcEndpoints",
     "ec2:DescribeVpcEndpointServices",
     "ec2:DescribeVpcPeeringConnections",
     "ec2:ModifyVpcPeeringConnectionOptions",
     "ec2:DescribeNetworkAcls",
     "ec2:DescribeNetworkInterfaces",
     "ec2:AttachNetworkInterface",
     "ec2:DetachNetworkInterface",
     "ec2:DescribeAvailabilityZones",
   ]
   resources = [
     "*",
   ]
 }
```

### Delete network interface

The following action lets the Redpanda agent delete AWS network interfaces in the account.

RedpandaAgentNetworkInterfaceDelete

```hcl
statement {
   sid    = "RedpandaAgentNetworkInterfaceDelete"
   effect = "Allow"
   actions = [
     "ec2:DeleteNetworkInterface",
   ]
   resources = [
     "arn:aws:ec2:*:${local.aws_account_id}:network-interface/*",
   ]
 }
```

### Create VPC peering

The following action lets the Redpanda agent create AWS VPC peering connections from the cluster's VPC.

RedpandaAgentVPCPeeringsCreate

```hcl
statement {
   sid    = "RedpandaAgentVPCPeeringsCreate"
   effect = "Allow"
   actions = [
     "ec2:CreateVpcPeeringConnection",
   ]
   resources = [
     "arn:aws:ec2:*:${local.aws_account_id}:vpc/${local.network_config.vpc_id}",
   ]
 }
```

### Delete VPC peering

The following actions let the Redpanda agent delete and modify AWS VPC peering connections, but only those tagged with the cluster's `redpanda-id`.

RedpandaAgentVPCPeeringsDelete

```hcl
statement {
   sid    = "RedpandaAgentVPCPeeringsDelete"
   effect = "Allow"
   actions = [
     "ec2:DeleteVpcPeeringConnection",
     "ec2:ModifyVpcPeeringConnectionOptions",
   ]
   resources = [
     "arn:aws:ec2:*:${local.aws_account_id}:vpc-peering-connection/*",
   ]
   condition {
     test     = "StringEquals"
     variable = "ec2:ResourceTag/redpanda-id"
     values = [
       var.redpanda_id,
     ]
   }
 }
```

### Manage DynamoDB Terraform backend

The following actions let the Redpanda agent read, write, and delete items in the AWS DynamoDB table used as the Terraform state-locking backend.

RedpandaAgentTFBackend

```hcl
statement {
   sid    = "RedpandaAgentTFBackend"
   effect = "Allow"
   actions = [
     "dynamodb:GetItem",
     "dynamodb:PutItem",
     "dynamodb:DeleteItem",
   ]
   resources = [
     "arn:aws:dynamodb:*:${local.aws_account_id}:table/rp-${local.aws_account_id}*",
   ]
 }
```

### Manage Route 53

The following actions let the Redpanda agent manage hosted zones and records in the AWS Route 53 service. They are granted with a wildcard (`*`) resource.

RedpandaAgentRoute53Management

```hcl
statement {
   sid    = "RedpandaAgentRoute53Management"
   effect = "Allow"
   actions = [
     "route53:CreateHostedZone",
     "route53:GetChange",
     "route53:ChangeTagsForResource",
     "route53:GetHostedZone",
     "route53:ListTagsForResource",
     "route53:ListResourceRecordSets",
     "route53:ChangeResourceRecordSets",
     "route53:GetDNSSEC",
     "route53:DeleteHostedZone",
   ]
   resources = [
     "*",
   ]
 }
```

### Manage Auto Scaling

The following statement grants the Redpanda agent all AWS EC2 Auto Scaling actions, limited to Auto Scaling groups whose names carry the cluster's `redpanda-id`.

RedpandaAgentAutoscaling

```hcl
statement {
   sid    = "RedpandaAgentAutoscaling"
   effect = "Allow"
   actions = [
     "autoscaling:*",
   ]
   resources = [
     "arn:aws:autoscaling:*:${local.aws_account_id}:autoScalingGroup:*:autoScalingGroupName/redpanda-${var.redpanda_id}*",
     "arn:aws:autoscaling:*:${local.aws_account_id}:autoScalingGroup:*:autoScalingGroupName/redpanda-agent-${var.redpanda_id}*"
   ]
 }
```
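The statements above mix three scoping patterns: account-scoped ARNs, a `redpanda-id` resource-tag condition on delete actions, and a bare `*` resource where the API offers nothing narrower. The following Python audit is an added example, not part of the Redpanda documentation or the agent's Terraform: it takes an IAM policy document in JSON form (the shape `aws_iam_policy_document` renders to) and reports the statements a reviewer should look at, namely `*` resources, service-wide actions such as `autoscaling:*`, and `Delete*` actions that lack the tag condition. The embedded policy is a constructed rendering of three statements from this page with placeholder account and `redpanda-id` values; the audit itself works on any IAM policy JSON.

```python
# Constructed sample: JSON renderings of three statements from this page.
# The account id and redpanda id are placeholders, not real deployment values.
ACCOUNT, RP_ID = "111122223333", "rp-example"
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "RedpandaAgentLaunchTemplateDeletion", "Effect": "Allow",
         "Action": ["ec2:DeleteLaunchTemplate"],
         "Resource": [f"arn:aws:ec2:*:{ACCOUNT}:launch-template/*"],
         "Condition": {"StringEquals": {"ec2:ResourceTag/redpanda-id": RP_ID}}},
        {"Sid": "RedpandaAgentRoute53Management", "Effect": "Allow",
         "Action": ["route53:CreateHostedZone", "route53:DeleteHostedZone"],
         "Resource": ["*"]},
        {"Sid": "RedpandaAgentAutoscaling", "Effect": "Allow",
         "Action": ["autoscaling:*"],
         "Resource": [f"arn:aws:autoscaling:*:{ACCOUNT}:autoScalingGroup:*:"
                      f"autoScalingGroupName/redpanda-{RP_ID}*"]},
    ],
}


def as_list(value):
    """IAM accepts a single string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def has_tag_condition(stmt, tag="redpanda-id"):
    """True if any condition key is a ResourceTag check on the given tag (ec2: or aws:)."""
    condition = stmt.get("Condition", {})
    return any(key.endswith(f"ResourceTag/{tag}")
               for operator in condition.values() for key in operator)


def audit(policy):
    """Return (sid, finding) pairs for Allow statements that widen the agent's reach:
    '*' resources, service-wide actions, or Delete* actions without a redpanda-id tag condition."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no sid>")
        actions = as_list(stmt.get("Action", []))
        if "*" in as_list(stmt.get("Resource", [])):
            findings.append((sid, "wildcard resource"))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append((sid, f"service-wide action {action}"))
        deletes = [a for a in actions if a.split(":", 1)[-1].startswith("Delete")]
        if deletes and not has_tag_condition(stmt):
            findings.append((sid, "delete action without redpanda-id tag condition"))
    return findings
```

Run `audit(POLICY)` on the sample: the launch-template statement is clean, while the Route 53 statement is reported twice (wildcard resource, unconditioned delete) and the Auto Scaling statement once for `autoscaling:*`. To audit a real rendering, load the JSON produced by Terraform and pass it to `audit` instead of `POLICY`.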