AWS IAM Policies

Redpanda automatically assigns IAM policies to the Redpanda Cloud agent when it is deployed. The permissions grant the agent access to the BYOC cluster.

  • This page lists the IAM permissions Redpanda needs to create BYOC clusters. This does not pertain to BYOVPC clusters.

  • No IAM permissions are required for Redpanda Cloud users. IAM policies do not grant user access to a cluster; rather, they grant the deployed Redpanda agent access, so that brokers can communicate with the BYOC clusters.

AWS IAM policies

IAM policies are assigned to deployed Redpanda agents for BYOC AWS clusters that use the following AWS services:

Actions allowed with wildcard resources

The following actions apply only to Redpanda agents with wildcard resources.

RedpandaAgentActionsOnlyAllowedWithWildcardResources
statement {
   sid    = "RedpandaAgentActionsOnlyAllowedWithWildcardResources"
   effect = "Allow"
   actions = [
     "ec2:CreateTags",
     "ec2:DescribeAccountAttributes",
     "ec2:DescribeImages",
     "ec2:DescribeInstances",
     "ec2:DescribeInstanceTypes",
     "ec2:CreateLaunchTemplate",
     "ec2:CreateLaunchTemplateVersion",
     "ec2:DescribeLaunchTemplateVersions",
     "ec2:DescribeLaunchTemplates",
     "iam:ListPolicies",
     "iam:ListRoles",
     "iam:GetOpenIDConnectProvider",
     "iam:DeleteOpenIDConnectProvider",
     "autoscaling:DescribeScalingActivities",
     "autoscaling:DescribeAutoScalingGroups",
     "autoscaling:DescribeTags",
     "autoscaling:DescribeTerminationPolicyTypes",
     "autoscaling:DescribeInstanceRefreshes",
     "autoscaling:DescribeLaunchConfigurations",
     "iam:CreateServiceLinkedRole",
     "ec2:CreatePlacementGroup",
     "ec2:DeletePlacementGroup",
     "ec2:DescribePlacementGroups"
   ]
   resources = [
     "*",
   ]
 }

Run in EC2 instances

The following actions apply only to Redpanda agents running in AWS EC2 instances.

RedpandaAgentEC2RunInstances
statement {
   sid    = "RedpandaAgentEC2RunInstances"
   effect = "Allow"
   actions = [
     "ec2:RunInstances",
   ]
   resources = [
     "arn:aws:ec2:*:${local.aws_account_id}:instance/*",
     "arn:aws:ec2:*:${local.aws_account_id}:network-interface/*",
     "arn:aws:ec2:*:${local.aws_account_id}:volume/*",
     "arn:aws:ec2:*:${local.aws_account_id}:security-group/*",
     "arn:aws:ec2:*:${local.aws_account_id}:subnet/*",
     "arn:aws:ec2:*:${local.aws_account_id}:launch-template/*",
     "arn:aws:ec2:*::image/*",
   ]
 }

Delete launch templates

The following actions apply only to Redpanda agents deleting AWS launch templates.

RedpandaAgentEC2RunInstances
statement {
   sid    = "RedpandaAgentLaunchTemplateDeletion"
   effect = "Allow"
   actions = [
     "ec2:DeleteLaunchTemplate",
   ]
   resources = [
     "arn:aws:ec2:__:${local.aws_account_id}:launch-template/__",
   ]
   condition {
     test     = "StringEquals"
     variable = "ec2:ResourceTag/redpanda-id"
     values = [
       var.redpanda_id,
     ]
   }
 }

Manage security groups

The following actions apply only to Redpanda agents managing AWS security groups.

RedpandaAgentSecurityGroups
statement {
   sid    = "RedpandaAgentSecurityGroups"
   effect = "Allow"
   actions = [
     "ec2:AuthorizeSecurityGroupEgress",
     "ec2:AuthorizeSecurityGroupIngress",
     "ec2:CreateSecurityGroup",
     "ec2:DeleteSecurityGroup",
     "ec2:RevokeSecurityGroupEgress",
     "ec2:RevokeSecurityGroupIngress",
     "ec2:UpdateSecurityGroupRuleDescriptionsIngress",
     "ec2:UpdateSecurityGroupRuleDescriptionsEgress",
     "ec2:ModifySecurityGroupRules",
   ]
   resources = [
     "arn:aws:ec2:*:${local.aws_account_id}:security-group/*",
     "arn:aws:ec2:*:${local.aws_account_id}:vpc/${local.network_config.vpc_id}",
   ]
 }

Manage EKS clusters

The following actions apply only to Redpanda agents managing Amazon Elastic Kubernetes Service (Amazon EKS) clusters.

RedpandaAgentEKSCluster
statement {
   sid    = "RedpandaAgentEKSCluster"
   effect = "Allow"
   actions = [
     "eks:__",
   ]
   resources = [
     "arn:aws:eks:__:${local.aws_account_id}:cluster/redpanda-${var.redpanda_id}",
   ]
 }

Manage instance profiles

The following actions apply only to Redpanda agents managing AWS instance profiles.

RedpandaAgentInstanceProfile
statement {
   sid    = "RedpandaAgentInstanceProfile"
   effect = "Allow"
   actions = [
     "iam:AddRoleToInstanceProfile",
     "iam:RemoveRoleFromInstanceProfile",
     "iam:CreateInstanceProfile",
     "iam:DeleteInstanceProfile",
     "iam:GetInstanceProfile",
     "iam:TagInstanceProfile",
   ]
   resources = [
     "arn:aws:iam::${local.aws_account_id}:instance-profile/redpanda-${var.redpanda_id}*",
     "arn:aws:iam::${local.aws_account_id}:instance-profile/redpanda-agent-${var.redpanda_id}*",
   ]
 }

Create EKS OIDC providers

The following actions apply only to Redpanda agents creating and accessing AWS EKS OIDC providers.

RedpandaAgentEKSOIDCProvider
statement {
   sid    = "RedpandaAgentEKSOIDCProvider"
   effect = "Allow"
   actions = [
     "iam:CreateOpenIDConnectProvider",
     "iam:TagOpenIDConnectProvider",
     "iam:UntagOpenIDConnectProvider",
   ]
   resources = [
     "arn:aws:iam::${local.aws_account_id}:oidc-provider/oidc.eks.*.amazonaws.com",
   ]
 }

Manage IAM policies

The following actions apply only to Redpanda agents managing AWS IAM policies.

RedpandaAgentIAMPolicies
statement {
   sid    = "RedpandaAgentIAMPolicies"
   effect = "Allow"
   actions = [
     "iam:CreatePolicy",
     "iam:DeletePolicy",
     "iam:GetPolicy",
     "iam:GetPolicyVersion",
     "iam:ListPolicyVersions",
     "iam:TagPolicy"
   ]
   resources = [
     "arn:aws:iam::${local.aws_account_id}:policy/aws_ebs_csi_driver-redpanda-${var.redpanda_id}",
     "arn:aws:iam::${local.aws_account_id}:policy/cert_manager_policy-${var.redpanda_id}",
     "arn:aws:iam::${local.aws_account_id}:policy/external_dns_policy-${var.redpanda_id}",
     "arn:aws:iam::${local.aws_account_id}:policy/load_balancer_controller-${var.redpanda_id}",
     "arn:aws:iam::${local.aws_account_id}:policy/redpanda-agent-${var.redpanda_id}*",
     "arn:aws:iam::${local.aws_account_id}:policy/redpanda-${var.redpanda_id}-autoscaler",
     "arn:aws:iam::${local.aws_account_id}:policy/redpanda-cloud-storage-manager-${var.redpanda_id}",
     "arn:aws:iam::${local.aws_account_id}:policy/secrets_manager_policy-${var.redpanda_id}",
     "arn:aws:iam::${local.aws_account_id}:policy/redpanda-connectors-secrets-manager-${var.redpanda_id}",
     "arn:aws:iam::${local.aws_account_id}:policy/redpanda-console-secrets-manager-${var.redpanda_id}",
   ]
 }

Manage IAM roles

The following actions apply only to Redpanda agents managing AWS IAM roles.

RedpandaAgentIAMRoleManagement
statement {
   sid    = "RedpandaAgentIAMRoleManagement"
   effect = "Allow"
   actions = [
     "iam:CreateRole",
     "iam:DeleteRole",
     "iam:AttachRolePolicy",
     "iam:DetachRolePolicy",
     "iam:GetRole",
     "iam:TagRole",
     "iam:PassRole",
     "iam:ListAttachedRolePolicies",
     "iam:ListInstanceProfilesForRole",
     "iam:ListRolePolicies",
   ]
   resources = [
     "arn:aws:iam::${local.aws_account_id}:role/redpanda-cloud-storage-manager-${var.redpanda_id}",
     "arn:aws:iam::${local.aws_account_id}:role/redpanda-agent-${var.redpanda_id}_",
     "arn:aws:iam::${local.aws_account_id}:role/redpanda-${var.redpanda_id}_",
     "arn:aws:iam::${local.aws_account_id}:role/redpanda-connectors-secrets-manager-${var.redpanda_id}_",
     "arn:aws:iam::${local.aws_account_id}:role/redpanda-console-secrets-manager-${var.redpanda_id}_",
   ]
 }

Manage S3 buckets

The following actions apply only to Redpanda agents managing AWS Simple Storage Service (S3) buckets.

RedpandaAgentS3ManagementBucket
statement {
   sid    = "RedpandaAgentS3ManagementBucket"
   effect = "Allow"
   actions = [
     "s3:*",
   ]
   resources = [
     data.aws_s3_bucket.management.arn,
     "${data.aws_s3_bucket.management.arn}/*",
   ]
 }

Manage S3 cloud bucket storage

The following actions apply only to Redpanda agents managing AWS S3 cloud bucket storage.

RedpandaAgentS3ManagementBucket
 statement {
   sid    = "RedpandaAgentS3CloudStorageBucket"
   effect = "Allow"
   actions = [
     "s3:List*",
     "s3:Get*",
     "s3:CreateBucket",
     "s3:DeleteBucket",
     "s3:PutBucketPolicy",
     "s3:DeleteBucketPolicy",
   ]
   resources = [
     local.redpanda_cloud_storage_bucket_arn,
     "${local.redpanda_cloud_storage_bucket_arn}/*",
   ]
 }

Manage virtual private cloud (VPC)

The following actions apply only to Redpanda agents managing AWS VPCs.

RedpandaAgentVPCManagement
statement {
   sid    = "RedpandaAgentVPCManagement"
   effect = "Allow"
   actions = [
     "ec2:DescribeVpcs",
     "ec2:DescribeVpcAttribute",
     "ec2:DescribeSecurityGroups",
     "ec2:CreateInternetGateway",
     "ec2:DeleteInternetGateway",
     "ec2:AttachInternetGateway",
     "ec2:DescribeInternetGateways",
     "ec2:CreateNatGateway",
     "ec2:DeleteNatGateway",
     "ec2:DescribeNatGateways",
     "ec2:CreateRoute",
     "ec2:DeleteRoute",
     "ec2:CreateRouteTable",
     "ec2:DeleteRouteTable",
     "ec2:DescribeRouteTables",
     "ec2:AssociateRouteTable",
     "ec2:CreateSubnet",
     "ec2:DeleteSubnet",
     "ec2:DescribeSubnets",
     "ec2:CreateVpcEndpoint",
     "ec2:ModifyVpcEndpoint",
     "ec2:DeleteVpcEndpoints",
     "ec2:DescribeVpcEndpoints",
     "ec2:DescribeVpcEndpointServices",
     "ec2:DescribeVpcPeeringConnections",
     "ec2:ModifyVpcPeeringConnectionOptions",
     "ec2:DescribeNetworkAcls",
     "ec2:DescribeNetworkInterfaces",
     "ec2:AttachNetworkInterface",
     "ec2:DetachNetworkInterface",
     "ec2:DescribeAvailabilityZones",
   ]
   resources = [
     "*",
   ]
 }

Delete network interface

The following actions apply only to Redpanda agents deleting AWS network interfaces.

RedpandaAgentNetworkInterfaceDelete
statement {
   sid    = "RedpandaAgentNetworkInterfaceDelete"
   effect = "Allow"
   actions = [
     "ec2:DeleteNetworkInterface",
   ]
   resources = [
     "arn:aws:ec2:__:${local.aws_account_id}:network-interface/__",
   ]
 }

Create VPC peering

The following actions apply only to Redpanda agents creating AWS VPC peering.

RedpandaAgentVPCPeeringsCreate
statement {
   sid    = "RedpandaAgentVPCPeeringsCreate"
   effect = "Allow"
   actions = [
     "ec2:CreateVpcPeeringConnection",
   ]
   resources = [
     "arn:aws:ec2:*:${local.aws_account_id}:vpc/${local.network_config.vpc_id}",
   ]
 }

Delete VPC peering

The following actions apply only to Redpanda agents deleting AWS VPC peering.

RedpandaAgentVPCPeeringsDelete
statement {
   sid    = "RedpandaAgentVPCPeeringsDelete"
   effect = "Allow"
   actions = [
     "ec2:DeleteVpcPeeringConnection",
     "ec2:ModifyVpcPeeringConnectionOptions",
   ]
   resources = [
     "arn:aws:ec2:__:${local.aws_account_id}:vpc-peering-connection/__",
   ]
   condition {
     test     = "StringEquals"
     variable = "ec2:ResourceTag/redpanda-id"
     values = [
       var.redpanda_id,
     ]
   }
 }

Manage DynamoDB Terraform backend

The following actions apply only to Redpanda agents managing the AWS DynamoDB Terraform backend.

RedpandaAgentTFBackend
statement {
   sid    = "RedpandaAgentTFBackend"
   effect = "Allow"
   actions = [
     "dynamodb:GetItem",
     "dynamodb:PutItem",
     "dynamodb:DeleteItem",
   ]
   resources = [
     "arn:aws:dynamodb:*:${local.aws_account_id}:table/rp-${local.aws_account_id}*",
   ]
 }

Manage Route 53

The following actions apply only to Redpanda agents managing the AWS Route 53 service.

RedpandaAgentRoute53Management
statement {
   sid    = "RedpandaAgentRoute53Management"
   effect = "Allow"
   actions = [
     "route53:CreateHostedZone",
     "route53:GetChange",
     "route53:ChangeTagsForResource",
     "route53:GetHostedZone",
     "route53:ListTagsForResource",
     "route53:ListResourceRecordSets",
     "route53:ChangeResourceRecordSets",
     "route53:GetDNSSEC",
     "route53:DeleteHostedZone",
   ]
   resources = [
     "*",
   ]
 }

Manage Auto Scaling

The following actions apply only to Redpanda agents managing the AWS Auto Scaling.

RedpandaAgentAutoscaling
statement {
   sid    = "RedpandaAgentAutoscaling"
   effect = "Allow"
   actions = [
     "autoscaling:*",
   ]
   resources = [
     "arn:aws:autoscaling:*:${local.aws_account_id}:autoScalingGroup:*:autoScalingGroupName/redpanda-${var.redpanda_id}*",
     "arn:aws:autoscaling:*:${local.aws_account_id}:autoScalingGroup:*:autoScalingGroupName/redpanda-agent-${var.redpanda_id}*"
   ]
 }