AWS IAM Role and Policy Requirements
IAM users must have certain rights in order to allow Batfish Enterprise to poll the relevant information from the API. These access rights are documented in this section. If you are using the CloudFormation templates for setting up Batfish Enterprise, you do not need to configure the permissions manually.
To retrieve your AWS configuration and state from the main account, Batfish Enterprise needs the AWS managed ReadOnlyAccess policy.
To send logs to CloudWatch, it uses an AWS managed CloudWatchAgentServerPolicy policy.
To allow cross-account access, Batfish Enterprise needs the ability to assume the batfish-enterprise-read-only role in your secondary accounts. It also needs the ability to manage its persistent EC2 volume so service configuration and some network data can persist across upgrades. The primary CloudFormation template will create and use the BfEServiceRolePolicy, with the following permissions:
{
"Statement": [
{
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::*:role/batfish-enterprise-read-only",
"Effect": "Allow",
"Sid": "AssumeCrossAccountRoles"
},
{
"Action": [
"ec2:AttachVolume",
"ec2:DetachVolume"
],
"Resource": [
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*:*:instance/*"
],
"Effect": "Allow",
"Sid": "AttachVolume"
}
]
}
In your secondary accounts, the secondary CloudFormation template creates the batfish-enterprise-read-only role, attaches the AWS managed ReadOnlyAccess policy to it, and configures the trust relationship with the main account. The JSON content of the trust relationship is:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::insert_your_main_account_number:root"
},
"Action": "sts:AssumeRole"
}
]
}