AWS restricted policy

As Administrator, you must include the AWS restricted policy in your IAM role to limit access to the environment. You must include this policy before you activate the environment in Cloudera Data Warehouse.

The AWS restricted policy associates a cross-account role with the environment. If you do not have a Ranger Authorized (RAZ)-enabled Data Lake, simply attach the AWS restricted policy to your cross-account role, and nothing more. If you do have a RAZ-enabled Data Lake, take the following actions:
  • Attach the AWS restricted policy described below to your cross-account role.
  • Add either the RAZ role's policy ARNs to the existing role statement, or a new sid with the appropriate permissions, to the AWS restricted policy.

    For more information, see "RAZ-enabled Data Lake restricted policy" below.

Attaching the policy to your cross-account role

The AWS restricted policy is split into two files because the content exceeds the AWS file size limit. To attach the policy to your cross-account role, you need to work with both files as described in the following steps:
  1. In the AWS management console, find the cross-account IAM role you created.
  2. Go to the following GitHub links to get the restricted policy files without comments:
  3. Attach the policies to your IAM role.
  4. In the restricted policy file 1 without comments, replace ${DATALAKE_BUCKET} with the name of your S3 bucket. For example, my-bucket.
  5. Attach both restricted policy file 1 and restricted policy file 2 without comments to your IAM role.

    Do not attach the policy files with comments: IAM policy documents are JSON, which does not allow comments, so attaching them causes an error.

RAZ-enabled Data Lake restricted policy

The AWS restricted policy associates a cross-account role with the environment, as mentioned above. If you have a Ranger Authorized (RAZ)-enabled Data Lake, one of the following additions to either the cross-account role or the cross-account JSON policy is required:
  • File 1, append ARNs to role: In your cross-account restricted policy, in the existing sid "AttachRole", append all policy ARNs attached to the RAZ role.
  • File 2, add a new sid: Add the sid "AttachRAZPolicyToNodeInstance" to the cross-account JSON policy.

File 1 append ARNs to role

Append all the cross-account policy ARNs attached to the RAZ role to the value of the sid "AttachRole" in your cross-account restricted policy.

{
  "Sid": "AttachRole",
  "Effect": "Allow",
  "Action": "iam:AttachRolePolicy",
  "Resource": [
    "arn:aws:iam::*:role/env-*-dwx-stack-EKSServiceRole-*",
    "arn:aws:iam::*:role/env-*-dwx-stack-NodeInstanceRole-*"
  ],
  "Condition": {
    "ForAnyValue:ArnEqualsIfExists": {
      "iam:PolicyARN": [
        "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy",
        "arn:aws:iam::aws:policy/AmazonEKSServicePolicy",
        "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
        "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
        "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
        "arn:aws:iam::aws:policy/CloudWatchAgentAdminPolicy",
        ...
      ]
    }
  }
}

Replace the ellipsis (...) placeholder above with all policy ARNs attached to the RAZ role, as shown in the example below. See IAM policy definitions for more information about these policies.

arn:aws:iam::1234567:policy/aws-cdp-datalake-admin-s3-policy
arn:aws:iam::1234567:policy/aws-cdp-bucket-access-policy
arn:aws:iam::1234567:policy/aws-datalake-backup-policy
arn:aws:iam::1234567:policy/aws-datalake-restore-policy

File 2 add sid to policy

Add the new sid "AttachRAZPolicyToNodeInstance" to the cross-account JSON policy.

Make sure that all the policies attached to the RAZ/Data Lake Admin role share a common name prefix, so that a single wildcard (regex) pattern of the following form matches all of them and nothing else:
${ANY_WILDCARD_REGEX}
Use the pattern as the value of the key "iam:PolicyARN", as shown in the example below. The ArnLike condition operator matches with the * and ? wildcards rather than a full regular expression, and the pattern defines every policy the node instance role is allowed to attach, so keep it as narrow as the naming allows.

Example policies attached to the RAZ/Data Lake Admin role

arn:aws:iam::1234567:policy/cdp-dev-datalake-admin-s3-policy
arn:aws:iam::1234567:policy/cdp-dev-datalake-bucket-access-policy
arn:aws:iam::1234567:policy/cdp-dev-datalake-backup-policy
arn:aws:iam::1234567:policy/cdp-dev-datalake-restore-policy

The regex is "arn:aws:iam::1234567:policy/cdp-dev-datalake*".

{
  "Sid": "AttachRAZPolicyToNodeInstance",
  "Effect": "Allow",
  "Action": "iam:AttachRolePolicy",
  "Resource": [
    "arn:aws:iam::*:role/env-*-dwx-stack-NodeInstanceRole-*"
  ],
  "Condition": {
    "ForAnyValue:ArnLikeIfExists": {
      "iam:PolicyARN": "arn:aws:iam::<AWS_ACCOUNT_ID>:policy/${ANY_WILDCARD_REGEX}"
    }
  }
}
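As an added example (not Cloudera's code and not part of the original page), the following Python derives the narrowest prefix wildcard from the ARNs attached to a RAZ role, checks it with IAM's component-by-component ArnLike semantics against both the required ARNs and an unrelated policy in the same account, and fills the pattern into the AttachRAZPolicyToNodeInstance sid. RAZ_POLICY_ARNS and OTHER_POLICY_ARNS are constructed sample values in the shape of the page's examples; the account ID 1234567 is the page's placeholder.

```python
import fnmatch
import os

# Constructed sample input: policy ARNs attached to the RAZ/Data Lake Admin role
# (same shape as the page's examples; account ID and names are placeholders).
RAZ_POLICY_ARNS = [
    "arn:aws:iam::1234567:policy/cdp-dev-datalake-admin-s3-policy",
    "arn:aws:iam::1234567:policy/cdp-dev-datalake-bucket-access-policy",
    "arn:aws:iam::1234567:policy/cdp-dev-datalake-backup-policy",
    "arn:aws:iam::1234567:policy/cdp-dev-datalake-restore-policy",
]
# Constructed: other customer-managed policies in the same account that the
# node instance role must NOT be allowed to attach to itself.
OTHER_POLICY_ARNS = [
    "arn:aws:iam::1234567:policy/cdp-dev-datalake2-unrelated",
    "arn:aws:iam::1234567:policy/cdp-prod-datalake-admin-s3-policy",
]

def arn_like(pattern, arn):
    """IAM ArnLike semantics: the six colon-delimited ARN components are matched
    separately; '*' matches any run and '?' one character, case-sensitively."""
    p_parts, a_parts = pattern.split(":", 5), arn.split(":", 5)
    if len(p_parts) != 6 or len(a_parts) != 6:
        return False
    return all(fnmatch.fnmatchcase(a, p) for p, a in zip(p_parts, a_parts))

def common_prefix_pattern(arns):
    """Narrowest 'prefix*' pattern that still covers every attached policy ARN."""
    return os.path.commonprefix(list(arns)) + "*"

def check_pattern(pattern, required, others):
    """Return (missed, overmatched): required ARNs the pattern fails to cover and
    unrelated ARNs it would additionally permit iam:AttachRolePolicy for."""
    missed = [a for a in required if not arn_like(pattern, a)]
    overmatched = [a for a in others if arn_like(pattern, a)]
    return missed, overmatched

def build_statement(pattern):
    """The page's AttachRAZPolicyToNodeInstance sid with the pattern filled in."""
    return {
        "Sid": "AttachRAZPolicyToNodeInstance",
        "Effect": "Allow",
        "Action": "iam:AttachRolePolicy",
        "Resource": ["arn:aws:iam::*:role/env-*-dwx-stack-NodeInstanceRole-*"],
        "Condition": {"ForAnyValue:ArnLikeIfExists": {"iam:PolicyARN": pattern}},
    }

if __name__ == "__main__":
    pattern = common_prefix_pattern(RAZ_POLICY_ARNS)
    print(pattern, check_pattern(pattern, RAZ_POLICY_ARNS, OTHER_POLICY_ARNS))
```

Running the check with the page's broader pattern "arn:aws:iam::1234567:policy/cdp-dev-datalake*" shows it would also cover the constructed cdp-dev-datalake2 policy, which is why deriving the prefix from the actual ARNs is the safer habit.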

For more information about using RAZ, see fine-grained access control and CDP policies documentation.