IAM Instance Profile
The discrimiNAT requires certain permissions to work effectively and these are included with our CloudFormation templates & Terraform modules. The following sections describe these in more detail for your review.
TL;DR
The following policy document is taken from our Terraform module and enables the discrimiNAT for all its functions.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogStreams"
      ],
      "Resource": [
        "arn:aws:logs:*:*:log-group:discrimiNAT:log-stream:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "autoscaling:SetInstanceHealth",
      "Resource": "arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/discriminat-*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeAddresses",
        "ec2:AssociateAddress"
      ],
      "Resource": "*"
    }
  ]
}
LOGGING
The discrimiNAT automatically logs config & flow events to CloudWatch. The following statement allows its instances to create and write to a log group called discrimiNAT.
{
  "Effect": "Allow",
  "Action": [
    "logs:CreateLogGroup",
    "logs:CreateLogStream",
    "logs:PutLogEvents",
    "logs:DescribeLogStreams"
  ],
  "Resource": [
    "arn:aws:logs:*:*:log-group:discrimiNAT:log-stream:*"
  ]
}
SELF-HEAL
The discrimiNAT monitors its own health in an Auto Scaling Group. To report bad health to the platform, so the instance can be recycled, it needs a specific permission. It is restricted to Auto Scaling Groups with an expected name.
caution
If you change the Auto Scaling Groups' naming pattern, the Resource property will need to be updated to match that.
{
  "Effect": "Allow",
  "Action": "autoscaling:SetInstanceHealth",
  "Resource": "arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/discriminat-*"
}
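The policy from the TL;DR section above, with a small offline check of the naming caveat: an Auto Scaling Group whose name does not start with discriminat- is not covered by the Resource pattern. This is an added example written for this page, not code from the discrimiNAT project; the evaluator is deliberately simplified (Allow statements only, no Condition or explicit Deny, which this policy does not use) and the ARNs are constructed placeholders.

```python
import re

# Policy document copied from the TL;DR section of this page (discrimiNAT instance profile).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream",
                    "logs:PutLogEvents", "logs:DescribeLogStreams"],
         "Resource": ["arn:aws:logs:*:*:log-group:discrimiNAT:log-stream:*"]},
        {"Effect": "Allow",
         "Action": "autoscaling:SetInstanceHealth",
         "Resource": "arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/discriminat-*"},
        {"Effect": "Allow",
         "Action": ["ec2:DescribeNetworkInterfaces", "ec2:DescribeSecurityGroups",
                    "ec2:DescribeAddresses", "ec2:AssociateAddress"],
         "Resource": "*"},
    ],
}


def _matches(pattern: str, value: str, ignore_case: bool) -> bool:
    """IAM-style wildcard match: '*' is any run of characters, '?' is one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_allows(policy: dict, action: str, resource_arn: str) -> bool:
    """Simplified evaluation: Allow statements only, no Condition keys and no explicit
    Deny (this policy has neither). Action names are case-insensitive in IAM; ARNs are not."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if any(_matches(a, action, True) for a in _as_list(stmt["Action"])) and \
           any(_matches(r, resource_arn, False) for r in _as_list(stmt["Resource"])):
            return True
    return False


if __name__ == "__main__":
    # Constructed ARNs (account id and ASG id are placeholders) to check the naming caveat.
    asg = "arn:aws:autoscaling:eu-west-1:123456789012:autoScalingGroup:0000-0000:autoScalingGroupName/"
    for name in ("discriminat-egress", "egress-nat"):
        print(name, "->", policy_allows(POLICY, "autoscaling:SetInstanceHealth", asg + name))
```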
ALLOWLIST CONFIG
To form a complete picture of the VM instances and any serverless workloads in the VPC, such as Lambda, and their associated Security Groups' Rules, the discrimiNAT needs read access to these resources. These Describe calls do not support resource-level permissions, which is why the Resource is "*".
{
  "Effect": "Allow",
  "Action": [
    "ec2:DescribeNetworkInterfaces",
    "ec2:DescribeSecurityGroups"
  ],
  "Resource": "*"
}
ELASTIC IPs
From v2.4 onwards, if a Public IP is not found attached to a discrimiNAT instance, it will look for any allocated but unassociated Elastic IPs that have a tag-key named discriminat (set to any value). It will then attempt to associate one of those Elastic IPs with itself.
tip
This allows you to have a stable set of static IPs to share with your partners, who may wish to allowlist/whitelist them.
An EC2 VPC Endpoint is needed for this mechanism to work, since making the association requires access to the EC2 API. In the aws_vpc Terraform example, this is demonstrated by deploying the endpoint along with the VPC.
{
  "Effect": "Allow",
  "Action": [
    "ec2:DescribeAddresses",
    "ec2:AssociateAddress"
  ],
  "Resource": "*"
}
You can always skip this mechanism and have a Public IP associated with the discrimiNAT's network interfaces from the outset. This was also how it worked before v2.4 of the discrimiNAT.