IAM Instance Profile

The DiscrimiNAT Firewall requires certain permissions to work effectively and these are included with our CloudFormation templates & Terraform modules. The following sections describe these in more detail for your review.

TL;DR

The following policy document is taken from our Terraform module and enables DiscrimiNAT for all its functions.

{
  "Statement": [
    {
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogStreams"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:logs:*:*:log-group:DiscrimiNAT:log-stream:*"
      ]
    },
    {
      "Action": [
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeAddresses"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "ssm:GetParameter"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:ssm:*:*:parameter/DiscrimiNAT*"
      ]
    },
    {
      "Action": [
        "ec2:ModifyInstanceAttribute",
        "ec2:AssociateAddress"
      ],
      "Condition": {
        "Null": {
          "aws:ResourceTag/discriminat": false
        }
      },
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "2012-10-17"
}

LOGGING

The DiscrimiNAT automatically logs config & flow events to CloudWatch. The following statement allows its instances to create and write to a log group called DiscrimiNAT.

{
  "Effect": "Allow",
  "Action": [
    "logs:CreateLogGroup",
    "logs:CreateLogStream",
    "logs:PutLogEvents",
    "logs:DescribeLogStreams"
  ],
  "Resource": [
    "arn:aws:logs:*:*:log-group:DiscrimiNAT:log-stream:*"
  ]
}

ALLOWLIST CONFIG

To form a complete picture of the VM instances and any serverless workloads in the VPC, such as Lambda, and their associated Security Groups' Rules, the DiscrimiNAT needs read access to these resources.

{
  "Effect": "Allow",
  "Action": [
    "ec2:DescribeNetworkInterfaces",
    "ec2:DescribeSecurityGroups"
  ],
  "Resource": "*"
}

Allowlists may further be stored as Parameters in SSM or as Secrets in Secrets Manager. The following two examples may be used to allow DiscrimiNAT to read in the configuration stored in these.

{
  "Action": [
    "ssm:GetParameter"
  ],
  "Effect": "Allow",
  "Resource": [
    "arn:aws:ssm:eu-west-2:111111111111:parameter/team-foo-allowed-fqdns",
    "arn:aws:ssm:eu-west-2:111111111111:parameter/service-foo-allowed-fqdns"
  ]
}

{
  "Action": [
    "secretsmanager:GetSecretValue"
  ],
  "Effect": "Allow",
  "Resource": [
    "arn:aws:secretsmanager:eu-west-2:111111111111:secret:team-foo-allowed-fqdns",
    "arn:aws:secretsmanager:eu-west-2:111111111111:secret:service-foo-allowed-fqdns"
  ]
}

DEFAULT PREFERENCES

Global level, behavioural preferences are stored in an SSM Parameter named DiscrimiNAT. To allow for some creative flexibility with other Parameters that you may conceive prefixed with the word DiscrimiNAT (to store allowlists), a trailing wildcard to the name has been included in the supplied IAM Policy.

{
  "Action": [
    "ssm:GetParameter"
  ],
  "Effect": "Allow",
  "Resource": [
    "arn:aws:ssm:*:*:parameter/DiscrimiNAT*"
  ]
}

ELASTIC IPs

If a Public IP is not found attached to a DiscrimiNAT instance, it will look for any allocated but unassociated Elastic IPs that have a tag-key named discriminat (set to any value.) One of such Elastic IPs will be attempted to be associated with itself then.

tip

This allows you to have a stable set of static IPs to share with your partners, who may wish to allowlist them.

{
  "Effect": "Allow",
  "Action": [
    "ec2:DescribeAddresses"
  ],
  "Resource": "*"
},
{
  "Effect": "Allow",
  "Action": [
    "ec2:AssociateAddress"
  ],
  "Resource": "*",
  "Condition": {
    "Null": {
      "aws:ResourceTag/discriminat": false
    }
  }
}

NAT

Since the DiscrimiNAT NATs (is the clue in the name?), it needs Source/Destination checks disabled. Sadly, this property cannot be set in the Launch Template of an Auto Scaling Group. Therefore, the DiscrimiNAT sets this property to the desired value of false on boot. The DiscrimiNAT instances themselves are tagged with the key discriminat to limit the scope of this permission.

{
  "Effect": "Allow",
  "Action": [
    "ec2:ModifyInstanceAttribute"
  ],
  "Resource": "*",
  "Condition": {
    "Null": {
      "aws:ResourceTag/discriminat": false
    }
  }
}

SELF-HEAL

info

This permission is only applicable and present in the ENI architecture, where a load balancer conducting health checks is absent. It is absent and not needed in an architecture with the Gateway Load Balancer (GWLB).

The DiscrimiNAT monitors its own health in an Auto Scaling Group. To report bad health to the platform, so the instance can be recycled, it needs a specific permission. It is restricted to Auto Scaling Groups with an expected name.

{
  "Effect": "Allow",
  "Action": "autoscaling:SetInstanceHealth",
  "Resource": "arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/discriminat-*"
}

TL;DR​

LOGGING​

ALLOWLIST CONFIG​

DEFAULT PREFERENCES​

ELASTIC IPs​

NAT​

SELF-HEAL​