Skip to main content

IAM Instance Profile

The DiscrimiNAT requires certain permissions to work effectively and these are included with our CloudFormation templates & Terraform modules. The following sections describe these in more detail for your review.

TL;DR

The following policy document is taken from our Terraform module and enables the DiscrimiNAT for all its functions.

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:DescribeLogStreams"
],
"Resource": [
"arn:aws:logs:*:*:log-group:DiscrimiNAT:log-stream:*"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeSecurityGroups",
"ec2:DescribeAddresses"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:ModifyInstanceAttribute",
"ec2:AssociateAddress"
],
"Resource": "*",
"Condition": {
"Null": {
"aws:ResourceTag/discriminat": false
}
}
}
]
}

LOGGING

The DiscrimiNAT automatically logs config & flow events to CloudWatch. The following statement allows its instances to create and write to a log group called DiscrimiNAT.

{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:DescribeLogStreams"
],
"Resource": [
"arn:aws:logs:*:*:log-group:DiscrimiNAT:log-stream:*"
]
}

ALLOWLIST CONFIG

To form a complete picture of the VM instances and any serverless workloads in the VPC, such as Lambda, and their associated Security Groups' Rules, the DiscrimiNAT needs read access to these resources.

{
"Effect": "Allow",
"Action": [
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeSecurityGroups"
],
"Resource": "*"
}

ELASTIC IPs

If a Public IP is not found attached to a DiscrimiNAT instance, it will look for any allocated but unassociated Elastic IPs that have a tag-key named discriminat (set to any value.) One of such Elastic IPs will be attempted to be associated with itself then.

tip

This allows you to have a stable set of static IPs to share with your partners, who may wish to allowlist/whitelist them.

{
"Effect": "Allow",
"Action": [
"ec2:DescribeAddresses"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:AssociateAddress"
],
"Resource": "*",
"Condition": {
"Null": {
"aws:ResourceTag/discriminat": false
}
}
}

NAT

Since the DiscrimiNAT NATs (is the clue in the name?), it needs Source/Destination checks disabled. Sadly, this property cannot be set in the Launch Template of an Auto Scaling Group. Therefore, the DiscrimiNAT sets this property to the desired value of false on boot. The DiscrimiNAT instances themselves are tagged with the key discriminat to limit the scope of this permission.

{
"Effect": "Allow",
"Action": [
"ec2:ModifyInstanceAttribute"
],
"Resource": "*",
"Condition": {
"Null": {
"aws:ResourceTag/discriminat": false
}
}
}

SELF-HEAL

info

This permission is only applicable and present in the ENI architecture, where a load balancer conducting health checks is absent. It is absent and not needed in an architecture with the Gateway Load Balancer (GWLB).

The DiscrimiNAT monitors its own health in an Auto Scaling Group. To report bad health to the platform, so the instance can be recycled, it needs a specific permission. It is restricted to Auto Scaling Groups with an expected name.

{
"Effect": "Allow",
"Action": "autoscaling:SetInstanceHealth",
"Resource": "arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/discriminat-*"
}