Docs Cloud Security Authorization AWS IAM Policies AWS IAM Policies Redpanda automatically assigns IAM policies to the Redpanda Cloud agent when it is deployed. The permissions grant the agent access to the BYOC cluster. IAM policies do not grant user access to a cluster; rather, they grant the deployed Redpanda agent access, so that brokers can communicate with the BYOC clusters. See also: BYOC architecture This page lists the IAM permissions Redpanda needs to create a BYOC cluster. No IAM permissions are required for Redpanda Cloud users. AWS IAM policies IAM policies are assigned to deployed Redpanda agents for BYOC AWS clusters that use the following AWS services: Amazon Elastic Compute Cloud (AWS EC2) Amazon Elastic Compute Cloud Auto Scaling (AWS EC2 Auto Scaling) Amazon Simple Storage Service (AWS S3) Amazon Route 53 Amazon DynamoDB Actions allowed with wildcard resources The following actions apply only to Redpanda agents with wildcard resources. RedpandaAgentActionsOnlyAllowedWithWildcardResources statement { sid = "RedpandaAgentActionsOnlyAllowedWithWildcardResources" effect = "Allow" actions = [ "ec2:CreateTags", "ec2:DescribeAccountAttributes", "ec2:DescribeImages", "ec2:DescribeInstances", "ec2:DescribeInstanceTypes", "ec2:CreateLaunchTemplate", "ec2:CreateLaunchTemplateVersion", "ec2:DescribeLaunchTemplateVersions", "ec2:DescribeLaunchTemplates", "iam:ListPolicies", "iam:ListRoles", "iam:GetOpenIDConnectProvider", "iam:DeleteOpenIDConnectProvider", "autoscaling:DescribeScalingActivities", "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeTags", "autoscaling:DescribeTerminationPolicyTypes", "autoscaling:DescribeInstanceRefreshes", "autoscaling:DescribeLaunchConfigurations", "iam:CreateServiceLinkedRole", "ec2:CreatePlacementGroup", "ec2:DeletePlacementGroup", "ec2:DescribePlacementGroups" ] resources = [ "*", ] } Run in EC2 instances The following actions apply only to Redpanda agents running in AWS EC2 instances. RedpandaAgentEC2RunInstances statement { sid = "RedpandaAgentEC2RunInstances" effect = "Allow" actions = [ "ec2:RunInstances", ] resources = [ "arn:aws:ec2:*:${local.aws_account_id}:instance/*", "arn:aws:ec2:*:${local.aws_account_id}:network-interface/*", "arn:aws:ec2:*:${local.aws_account_id}:volume/*", "arn:aws:ec2:*:${local.aws_account_id}:security-group/*", "arn:aws:ec2:*:${local.aws_account_id}:subnet/*", "arn:aws:ec2:*:${local.aws_account_id}:launch-template/*", "arn:aws:ec2:*::image/*", ] } Delete launch templates The following actions apply only to Redpanda agents deleting AWS launch templates. RedpandaAgentEC2RunInstances statement { sid = "RedpandaAgentLaunchTemplateDeletion" effect = "Allow" actions = [ "ec2:DeleteLaunchTemplate", ] resources = [ "arn:aws:ec2:__:${local.aws_account_id}:launch-template/__", ] condition { test = "StringEquals" variable = "ec2:ResourceTag/redpanda-id" values = [ var.redpanda_id, ] } } Manage security groups The following actions apply only to Redpanda agents managing AWS security groups. RedpandaAgentSecurityGroups statement { sid = "RedpandaAgentSecurityGroups" effect = "Allow" actions = [ "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:DeleteSecurityGroup", "ec2:RevokeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress", "ec2:UpdateSecurityGroupRuleDescriptionsIngress", "ec2:UpdateSecurityGroupRuleDescriptionsEgress", "ec2:ModifySecurityGroupRules", ] resources = [ "arn:aws:ec2:*:${local.aws_account_id}:security-group/*", "arn:aws:ec2:*:${local.aws_account_id}:vpc/${local.network_config.vpc_id}", ] } Manage EKS clusters The following actions apply only to Redpanda agents managing Amazon Elastic Kubernetes Service (Amazon EKS) clusters. RedpandaAgentEKSCluster statement { sid = "RedpandaAgentEKSCluster" effect = "Allow" actions = [ "eks:__", ] resources = [ "arn:aws:eks:__:${local.aws_account_id}:cluster/redpanda-${var.redpanda_id}", ] } Manage instance profiles The following actions apply only to Redpanda agents managing AWS instance profiles. RedpandaAgentInstanceProfile statement { sid = "RedpandaAgentInstanceProfile" effect = "Allow" actions = [ "iam:AddRoleToInstanceProfile", "iam:RemoveRoleFromInstanceProfile", "iam:CreateInstanceProfile", "iam:DeleteInstanceProfile", "iam:GetInstanceProfile", "iam:TagInstanceProfile", ] resources = [ "arn:aws:iam::${local.aws_account_id}:instance-profile/redpanda-${var.redpanda_id}*", "arn:aws:iam::${local.aws_account_id}:instance-profile/redpanda-agent-${var.redpanda_id}*", ] } Create EKS OIDC providers The following actions apply only to Redpanda agents creating and accessing AWS EKS OIDC providers. RedpandaAgentEKSOIDCProvider statement { sid = "RedpandaAgentEKSOIDCProvider" effect = "Allow" actions = [ "iam:CreateOpenIDConnectProvider", "iam:TagOpenIDConnectProvider", "iam:UntagOpenIDConnectProvider", ] resources = [ "arn:aws:iam::${local.aws_account_id}:oidc-provider/oidc.eks.*.amazonaws.com", ] } Manage IAM policies The following actions apply only to Redpanda agents managing AWS IAM policies. RedpandaAgentIAMPolicies statement { sid = "RedpandaAgentIAMPolicies" effect = "Allow" actions = [ "iam:CreatePolicy", "iam:DeletePolicy", "iam:GetPolicy", "iam:GetPolicyVersion", "iam:ListPolicyVersions", "iam:TagPolicy" ] resources = [ "arn:aws:iam::${local.aws_account_id}:policy/aws_ebs_csi_driver-redpanda-${var.redpanda_id}", "arn:aws:iam::${local.aws_account_id}:policy/cert_manager_policy-${var.redpanda_id}", "arn:aws:iam::${local.aws_account_id}:policy/external_dns_policy-${var.redpanda_id}", "arn:aws:iam::${local.aws_account_id}:policy/load_balancer_controller-${var.redpanda_id}", "arn:aws:iam::${local.aws_account_id}:policy/redpanda-agent-${var.redpanda_id}*", "arn:aws:iam::${local.aws_account_id}:policy/redpanda-${var.redpanda_id}-autoscaler", "arn:aws:iam::${local.aws_account_id}:policy/redpanda-cloud-storage-manager-${var.redpanda_id}", "arn:aws:iam::${local.aws_account_id}:policy/secrets_manager_policy-${var.redpanda_id}", "arn:aws:iam::${local.aws_account_id}:policy/redpanda-connectors-secrets-manager-${var.redpanda_id}", "arn:aws:iam::${local.aws_account_id}:policy/redpanda-console-secrets-manager-${var.redpanda_id}", ] } Manage IAM roles The following actions apply only to Redpanda agents managing AWS IAM roles. RedpandaAgentIAMRoleManagement statement { sid = "RedpandaAgentIAMRoleManagement" effect = "Allow" actions = [ "iam:CreateRole", "iam:DeleteRole", "iam:AttachRolePolicy", "iam:DetachRolePolicy", "iam:GetRole", "iam:TagRole", "iam:PassRole", "iam:ListAttachedRolePolicies", "iam:ListInstanceProfilesForRole", "iam:ListRolePolicies", ] resources = [ "arn:aws:iam::${local.aws_account_id}:role/redpanda-cloud-storage-manager-${var.redpanda_id}", "arn:aws:iam::${local.aws_account_id}:role/redpanda-agent-${var.redpanda_id}_", "arn:aws:iam::${local.aws_account_id}:role/redpanda-${var.redpanda_id}_", "arn:aws:iam::${local.aws_account_id}:role/redpanda-connectors-secrets-manager-${var.redpanda_id}_", "arn:aws:iam::${local.aws_account_id}:role/redpanda-console-secrets-manager-${var.redpanda_id}_", ] } Manage S3 buckets The following actions apply only to Redpanda agents managing AWS Simple Storage Service (S3) buckets. RedpandaAgentS3ManagementBucket statement { sid = "RedpandaAgentS3ManagementBucket" effect = "Allow" actions = [ "s3:*", ] resources = [ data.aws_s3_bucket.management.arn, "${data.aws_s3_bucket.management.arn}/*", ] } Manage S3 cloud bucket storage The following actions apply only to Redpanda agents managing AWS S3 cloud bucket storage. RedpandaAgentS3ManagementBucket statement { sid = "RedpandaAgentS3CloudStorageBucket" effect = "Allow" actions = [ "s3:List*", "s3:Get*", "s3:CreateBucket", "s3:DeleteBucket", "s3:PutBucketPolicy", "s3:DeleteBucketPolicy", ] resources = [ local.redpanda_cloud_storage_bucket_arn, "${local.redpanda_cloud_storage_bucket_arn}/*", ] } Manage virtual private cloud (VPC) The following actions apply only to Redpanda agents managing AWS VPCs. RedpandaAgentVPCManagement statement { sid = "RedpandaAgentVPCManagement" effect = "Allow" actions = [ "ec2:DescribeVpcs", "ec2:DescribeVpcAttribute", "ec2:DescribeSecurityGroups", "ec2:CreateInternetGateway", "ec2:DeleteInternetGateway", "ec2:AttachInternetGateway", "ec2:DescribeInternetGateways", "ec2:CreateNatGateway", "ec2:DeleteNatGateway", "ec2:DescribeNatGateways", "ec2:CreateRoute", "ec2:DeleteRoute", "ec2:CreateRouteTable", "ec2:DeleteRouteTable", "ec2:DescribeRouteTables", "ec2:AssociateRouteTable", "ec2:CreateSubnet", "ec2:DeleteSubnet", "ec2:DescribeSubnets", "ec2:CreateVpcEndpoint", "ec2:ModifyVpcEndpoint", "ec2:DeleteVpcEndpoints", "ec2:DescribeVpcEndpoints", "ec2:DescribeVpcEndpointServices", "ec2:DescribeVpcPeeringConnections", "ec2:ModifyVpcPeeringConnectionOptions", "ec2:DescribeNetworkAcls", "ec2:DescribeNetworkInterfaces", "ec2:AttachNetworkInterface", "ec2:DetachNetworkInterface", "ec2:DescribeAvailabilityZones", ] resources = [ "*", ] } Delete network interface The following actions apply only to Redpanda agents deleting AWS network interfaces. RedpandaAgentNetworkInterfaceDelete statement { sid = "RedpandaAgentNetworkInterfaceDelete" effect = "Allow" actions = [ "ec2:DeleteNetworkInterface", ] resources = [ "arn:aws:ec2:__:${local.aws_account_id}:network-interface/__", ] } Create VPC peering The following actions apply only to Redpanda agents creating AWS VPC peering. RedpandaAgentVPCPeeringsCreate statement { sid = "RedpandaAgentVPCPeeringsCreate" effect = "Allow" actions = [ "ec2:CreateVpcPeeringConnection", ] resources = [ "arn:aws:ec2:*:${local.aws_account_id}:vpc/${local.network_config.vpc_id}", ] } Delete VPC peering The following actions apply only to Redpanda agents deleting AWS VPC peering. RedpandaAgentVPCPeeringsDelete statement { sid = "RedpandaAgentVPCPeeringsDelete" effect = "Allow" actions = [ "ec2:DeleteVpcPeeringConnection", "ec2:ModifyVpcPeeringConnectionOptions", ] resources = [ "arn:aws:ec2:__:${local.aws_account_id}:vpc-peering-connection/__", ] condition { test = "StringEquals" variable = "ec2:ResourceTag/redpanda-id" values = [ var.redpanda_id, ] } } Manage DynamoDB Terraform backend The following actions apply only to Redpanda agents managing the AWS DynamoDB Terraform backend. RedpandaAgentTFBackend statement { sid = "RedpandaAgentTFBackend" effect = "Allow" actions = [ "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteItem", ] resources = [ "arn:aws:dynamodb:*:${local.aws_account_id}:table/rp-${local.aws_account_id}*", ] } Manage Route 53 The following actions apply only to Redpanda agents managing the AWS Route 53 service. RedpandaAgentRoute53Management statement { sid = "RedpandaAgentRoute53Management" effect = "Allow" actions = [ "route53:CreateHostedZone", "route53:GetChange", "route53:ChangeTagsForResource", "route53:GetHostedZone", "route53:ListTagsForResource", "route53:ListResourceRecordSets", "route53:ChangeResourceRecordSets", "route53:GetDNSSEC", "route53:DeleteHostedZone", ] resources = [ "*", ] } Manage Auto Scaling The following actions apply only to Redpanda agents managing the AWS Auto Scaling. RedpandaAgentAutoscaling statement { sid = "RedpandaAgentAutoscaling" effect = "Allow" actions = [ "autoscaling:*", ] resources = [ "arn:aws:autoscaling:*:${local.aws_account_id}:autoScalingGroup:*:autoScalingGroupName/redpanda-${var.redpanda_id}*", "arn:aws:autoscaling:*:${local.aws_account_id}:autoScalingGroup:*:autoScalingGroupName/redpanda-agent-${var.redpanda_id}*" ] } Back to top × Simple online edits For simple changes, such as fixing a typo, you can edit the content directly on GitHub. Edit on GitHub Or, open an issue to let us know about something that you want us to change. Open an issue Contribution guide For extensive content updates, or if you prefer to work locally, read our contribution guide . Was this helpful? thumb_up thumb_down group Ask in the community mail Share your feedback group_add Make a contribution Cloud Authorization Azure IAM Policies