IAM Instance Profile

The discrimiNAT requires certain permissions to work effectively and these are included with our CloudFormation templates & Terraform modules. The following sections describe these in more detail for your review.

TL;DR

The following policy document is taken from our Terraform module and enables the discrimiNAT for all its functions.

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "logs:CreateLogGroup",
          "logs:CreateLogStream",
          "logs:PutLogEvents",
          "logs:DescribeLogStreams"
        ],
        "Resource": [
          "arn:aws:logs:*:*:log-group:discrimiNAT:log-stream:*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": "autoscaling:SetInstanceHealth",
        "Resource": "arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/discriminat-*"
      },
      {
        "Effect": "Allow",
        "Action": [
          "ec2:DescribeNetworkInterfaces",
          "ec2:DescribeSecurityGroups",
          "ec2:DescribeAddresses",
          "ec2:AssociateAddress"
        ],
        "Resource": "*"
      }
    ]
  }

LOGGING

The discrimiNAT automatically logs config & flow events to CloudWatch. The following statement allows its instances to create and write to a log group called discrimiNAT.

  {
    "Effect": "Allow",
    "Action": [
      "logs:CreateLogGroup",
      "logs:CreateLogStream",
      "logs:PutLogEvents",
      "logs:DescribeLogStreams"
    ],
    "Resource": [
      "arn:aws:logs:*:*:log-group:discrimiNAT:log-stream:*"
    ]
  }

SELF-HEAL

The discrimiNAT monitors its own health in an Auto Scaling Group. To report bad health to the platform, so the instance can be recycled, it needs a specific permission. It is restricted to Auto Scaling Groups with an expected name.

Caution: If you change the Auto Scaling Groups' naming pattern, the Resource property must be updated to match it.

  {
    "Effect": "Allow",
    "Action": "autoscaling:SetInstanceHealth",
    "Resource": "arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/discriminat-*"
  }
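The LOGGING and SELF-HEAL statements are only as tight as their Resource patterns, and the caution above is exactly the kind of drift that is easy to miss. The following is an added example (not part of the discrimiNAT or its Terraform module) that loads the TL;DR policy from this page and answers two review questions offline: would autoscaling:SetInstanceHealth be allowed on an Auto Scaling Group with a given name, and would logs:PutLogEvents be allowed for a stream in a given log group. It also lists every action granted on Resource "*" so they can be reviewed as a group. The region, account id, ASG id and stream name are constructed sample values; the wildcard matching uses fnmatch as a stand-in for IAM's `*`/`?` semantics.

```python
"""Offline checks of an IAM policy against the scoping described on this page.

Added example, not part of discrimiNAT or its Terraform module. The region,
account id, ASG id and log stream name below are constructed sample values.
"""
import fnmatch
import json

# The policy from the TL;DR section, embedded so the checks run without AWS access.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["logs:CreateLogGroup", "logs:CreateLogStream",
                "logs:PutLogEvents", "logs:DescribeLogStreams"],
     "Resource": ["arn:aws:logs:*:*:log-group:discrimiNAT:log-stream:*"]},
    {"Effect": "Allow",
     "Action": "autoscaling:SetInstanceHealth",
     "Resource": "arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/discriminat-*"},
    {"Effect": "Allow",
     "Action": ["ec2:DescribeNetworkInterfaces", "ec2:DescribeSecurityGroups",
                "ec2:DescribeAddresses", "ec2:AssociateAddress"],
     "Resource": "*"}
  ]
}
""")


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def arn_matches(pattern: str, arn: str) -> bool:
    """IAM resource wildcards: '*' matches any run of characters, '?' exactly one.
    fnmatchcase is a stand-in for that: case-sensitive, and '*' crosses ':' and '/'."""
    return fnmatch.fnmatchcase(arn, pattern)


def allowed_resources(policy: dict, action: str) -> list:
    """Resource patterns on which Allow statements grant `action` (Deny is not modelled)."""
    patterns = []
    for st in policy["Statement"]:
        if st.get("Effect") == "Allow" and action in _as_list(st["Action"]):
            patterns.extend(_as_list(st["Resource"]))
    return patterns


def action_allowed_on(policy: dict, action: str, arn: str) -> bool:
    return any(arn_matches(p, arn) for p in allowed_resources(policy, action))


def self_heal_covers_asg(policy, asg_name, region="eu-west-1", account="123456789012",
                         asg_id="11111111-2222-3333-4444-555555555555"):
    """Would autoscaling:SetInstanceHealth be allowed on an ASG with this name?"""
    arn = (f"arn:aws:autoscaling:{region}:{account}:autoScalingGroup:{asg_id}:"
           f"autoScalingGroupName/{asg_name}")
    return action_allowed_on(policy, "autoscaling:SetInstanceHealth", arn)


def can_write_log_stream(policy, log_group, stream="i-0123456789abcdef0",
                         region="eu-west-1", account="123456789012"):
    """Would logs:PutLogEvents be allowed for a stream inside this log group?"""
    arn = f"arn:aws:logs:{region}:{account}:log-group:{log_group}:log-stream:{stream}"
    return action_allowed_on(policy, "logs:PutLogEvents", arn)


def actions_on_any_resource(policy: dict) -> list:
    """Actions granted with Resource "*", sorted, so the broadest grants can be reviewed together."""
    actions = set()
    for st in policy["Statement"]:
        if st.get("Effect") == "Allow" and "*" in _as_list(st["Resource"]):
            actions.update(_as_list(st["Action"]))
    return sorted(actions)


if __name__ == "__main__":
    print(self_heal_covers_asg(POLICY, "discriminat-eu-west-1a"))  # True
    print(self_heal_covers_asg(POLICY, "nat-eu-west-1a"))          # False: renamed ASG, stale Resource
    print(can_write_log_stream(POLICY, "discrimiNAT"))             # True
    print(can_write_log_stream(POLICY, "other-app"))               # False
    print(actions_on_any_resource(POLICY))
```

Run it after any change to the ASG naming pattern or log group name in your own templates: a False from self_heal_covers_asg for the new name is the failure the caution above describes, caught before the instance tries to report itself unhealthy.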

ALLOWLIST CONFIG

To form a complete picture of the VM instances and any serverless workloads in the VPC, such as Lambda, and their associated Security Groups' Rules, the discrimiNAT needs read access to these resources.

  {
    "Effect": "Allow",
    "Action": [
      "ec2:DescribeNetworkInterfaces",
      "ec2:DescribeSecurityGroups"
    ],
    "Resource": "*"
  }

ELASTIC IPs

From v2.4 onwards, if a discrimiNAT instance does not find a Public IP attached to itself, it looks for any allocated but unassociated Elastic IPs that carry a tag key named discriminat (with any value). It then attempts to associate one of those Elastic IPs with itself.

Tip: This gives you a stable set of static IPs to share with partners who may wish to allowlist/whitelist them.

An EC2 VPC Endpoint is needed for this mechanism to work, since making the association requires access to the EC2 API. The aws_vpc Terraform example demonstrates this by deploying the endpoint along with the VPC.

  {
    "Effect": "Allow",
    "Action": [
      "ec2:DescribeAddresses",
      "ec2:AssociateAddress"
    ],
    "Resource": "*"
  }

You can always opt out of this mechanism and have a Public IP associated with the discrimiNAT's network interfaces from the outset; this is also how it worked before v2.4 of the discrimiNAT.
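The selection rule described in the ELASTIC IPs section, as an added example that is not the discrimiNAT's own code: it first checks whether the instance's own network interface already has a Public IP, then filters a DescribeAddresses-shaped list for Elastic IPs that are allocated, not associated, and carry the tag key discriminat, and finally builds the keyword arguments for the ec2.associate_address() call it would make. The address records, allocation ids and network interface ids are constructed; taking the first free candidate is an assumption, since the page does not say how one is chosen among several.

```python
"""Elastic IP selection as described on this page, run against constructed data.

Added example, not the discrimiNAT's own code. The records below are constructed
in the shape of ec2:DescribeAddresses ('Addresses') and ec2:DescribeNetworkInterfaces
('NetworkInterfaces') output as boto3 returns them.
"""
from typing import Optional

TAG_KEY = "discriminat"

SAMPLE_ADDRESSES = [
    # free and tagged: a candidate (an empty value still counts, only the key matters)
    {"PublicIp": "198.51.100.10", "AllocationId": "eipalloc-0a1", "Domain": "vpc",
     "Tags": [{"Key": "discriminat", "Value": ""}]},
    # tagged but already associated with another instance: must be skipped
    {"PublicIp": "198.51.100.11", "AllocationId": "eipalloc-0b2", "Domain": "vpc",
     "AssociationId": "eipassoc-111", "InstanceId": "i-0aaa",
     "Tags": [{"Key": "discriminat", "Value": "blue"}]},
    # free but tagged for something else: not ours to take
    {"PublicIp": "198.51.100.12", "AllocationId": "eipalloc-0c3", "Domain": "vpc",
     "Tags": [{"Key": "Name", "Value": "bastion"}]},
    # free and tagged: a second candidate
    {"PublicIp": "198.51.100.13", "AllocationId": "eipalloc-0d4", "Domain": "vpc",
     "Tags": [{"Key": "discriminat", "Value": "green"}]},
]

# Constructed interface records for the instance's own ENI, with and without a Public IP.
ENI_WITHOUT_PUBLIC_IP = {"NetworkInterfaceId": "eni-0fff", "PrivateIpAddress": "10.0.1.10"}
ENI_WITH_PUBLIC_IP = {"NetworkInterfaceId": "eni-0eee", "PrivateIpAddress": "10.0.1.11",
                      "Association": {"PublicIp": "203.0.113.5"}}


def has_public_ip(eni: dict) -> bool:
    """A Public IP appears under Association.PublicIp on the interface record."""
    return bool(eni.get("Association", {}).get("PublicIp"))


def has_tag_key(address: dict, key: str) -> bool:
    """True when any tag on the address has the given key, whatever its value."""
    return any(tag.get("Key") == key for tag in address.get("Tags", []))


def candidate_eips(addresses: list, tag_key: str = TAG_KEY) -> list:
    """Allocation ids of EIPs that are allocated, unassociated, and carry the tag key."""
    return [a["AllocationId"] for a in addresses
            if "AssociationId" not in a and has_tag_key(a, tag_key)]


def plan_association(eni: dict, addresses: list, tag_key: str = TAG_KEY) -> Optional[dict]:
    """Return kwargs for ec2.associate_address(), or None if nothing needs doing or nothing is free.

    Taking the first candidate is an assumption made here; the page states no ordering.
    AllowReassociation=False makes the call fail rather than move an EIP another
    interface holds, should the address list be stale by the time the call is made.
    """
    if has_public_ip(eni):
        return None
    candidates = candidate_eips(addresses, tag_key)
    if not candidates:
        return None
    return {"AllocationId": candidates[0],
            "NetworkInterfaceId": eni["NetworkInterfaceId"],
            "AllowReassociation": False}


if __name__ == "__main__":
    print(candidate_eips(SAMPLE_ADDRESSES))                          # ['eipalloc-0a1', 'eipalloc-0d4']
    print(plan_association(ENI_WITHOUT_PUBLIC_IP, SAMPLE_ADDRESSES))  # kwargs for eipalloc-0a1
    print(plan_association(ENI_WITH_PUBLIC_IP, SAMPLE_ADDRESSES))     # None: already has a Public IP
```

The two Describe calls and the one AssociateAddress call are exactly the actions the statement above grants, which is why the policy lists ec2:DescribeAddresses and ec2:AssociateAddress together; the interface lookup relies on ec2:DescribeNetworkInterfaces from the ALLOWLIST CONFIG statement.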