Merge pull request #11 from psychic-spoon/patch-1

DWX-17929: Update restricted-policy / reduced policy for start/stop EKS
cloudera · Apr 1, 2024 · 1dd233a · 1dd233a
2 parents d3467d0 + 74ae652
commit 1dd233a
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 5 deletions.
diff --git a/aws-iam-policies/docs/restricted-policy-doc-1.json5 b/aws-iam-policies/docs/restricted-policy-doc-1.json5
@@ -293,6 +293,23 @@
         // Upgrade needs old/new instance status
       ],
       "Resource": "*"
+    },
+    {
+            "Sid": "StartStopRDS",
+            "Effect": "Allow",
+            "Action": [
+                "rds:StartDBInstance",
+                // Stop RDS Instance while stopping the cluster
+                "rds:StopDBInstance",
+                // Start RDS Instance while starting the cluster
+                "rds:DescribeDBInstances"
+                // Describe RDBS (postgres) instance created by
+                // cf, used to detect quota of DB instance
+            ],
+            "Resource": [
+                "arn:aws:rds:*:*:db:env-*-dwx-stack-rds",
+                "arn:aws:rds:*:*:subgrp:env-*-dwx-stack-dbsubnetgroup-*"
+            ]
     }
   ]
-}
+}
diff --git a/aws-iam-policies/docs/restricted-policy-doc-2.json5 b/aws-iam-policies/docs/restricted-policy-doc-2.json5
@@ -130,9 +130,6 @@
         "rds:CreateDBInstance",
         // The RDBS (postgres) created to store dwx
         // cluster info during activation
-        "rds:DescribeDBInstances",
-        // Describe RDBS (postgres) instance created by
-        // cf, used to detect quota of DB instance
         "rds:CreateDBSubnetGroup",
         // The DBSubnetGroup created during activation
         "rds:DescribeDBSubnetGroups",
@@ -256,4 +253,4 @@
       }
     }
   ]
-}
+}
diff --git a/aws-iam-policies/reduced-permissions-mode.json b/aws-iam-policies/reduced-permissions-mode.json
@@ -148,6 +148,19 @@
                 "s3:PutObjectAcl"
             ],
             "Resource": "*"
+        },
+        {
+            "Sid": "StartStopRDS",
+            "Effect": "Allow",
+            "Action": [
+                "rds:StartDBInstance",
+                "rds:StopDBInstance",
+                "rds:DescribeDBInstances"
+            ],
+            "Resource": [
+                "arn:aws:rds:*:*:db:env-*-dwx-stack-rds",
+                "arn:aws:rds:*:*:subgrp:env-*-dwx-stack-dbsubnetgroup-*"
+            ]
         }
     ]
 }