IAM Policies for Poolside Deployment on AWS

This document outlines the IAM policies created as part of the Poolside self-managed deployment solution in AWS. These policies are designed to follow the principle of least privilege while enabling the necessary functionality for each component.

EKS Pod Role

The EKS Pod role ([deployment-prefix]-eks-pod-role) is used by the Kubernetes pods running the Poolside application. This role enables the application to interact with AWS services securely.

S3 Access Policy

Component: Core application pods
Actions:
  • s3:ListBucket - Allows listing objects in the Poolside S3 bucket
  • s3:GetObject, s3:PutObject - Allows reading and writing objects in the Poolside S3 bucket
Resources: Limited to the specific Poolside S3 bucket
Purpose: Enables the application to store and retrieve user data and application assets

AWS Marketplace Metering Policy

Component: Core application pods
Actions:
  • aws-marketplace:MeterUsage - Allows reporting metering records to AWS Marketplace
Resources: All resources (*)
Purpose: Enables usage-based billing for marketplace deployments

KMS Access Policy

Component: Core application pods
Actions:
  • kms:Decrypt - Allows decryption of encrypted data
  • kms:GenerateDataKey - Allows generation of data encryption keys
  • kms:GenerateDataKeyWithoutPlaintext - Allows generation of encrypted data keys
Resources: Limited to the specific KMS key ARN used by the deployment
Purpose: Enables secure encryption/decryption of sensitive data

Bedrock Access Policies

Bedrock Read-Only Policy

Component: Core application pods
Actions:
  • bedrock:GetFoundationModel, bedrock:ListFoundationModels, bedrock:ListCustomModels - Allows discovery of available models
Resources: All resources (*)
Purpose: Enables the application to discover available foundation and custom models

Bedrock Model Invocation Policy

Component: Core application pods
Actions:
  • bedrock:InvokeModel, bedrock:InvokeModelWithResponseStream - Allows invoking Bedrock models
Resources: Limited to foundation and custom model ARNs
Purpose: Enables the application to use Amazon Bedrock for AI inference

Bedrock Customization Job Policy

Component: Core application pods
Actions:
  • bedrock:CreateModelCustomizationJob, bedrock:GetModelCustomizationJob, bedrock:StopModelCustomizationJob - Allows management of model customization jobs
  • iam:PassRole - Allows passing the customization job role
Resources: Limited to specific customization job resources and roles
Purpose: Enables the application to create, monitor, and stop Bedrock model customization jobs

Bastion Host Policies

The bastion host is a secure EC2 instance used for deployment management and administrative tasks.

ECR Access Policy

Component: Bastion host
Actions: Comprehensive ECR permissions including:
  • ecr:PutImageTagMutability, ecr:GetDownloadUrlForLayer, ecr:ListTagsForResource
  • ecr:UploadLayerPart, ecr:ListImages, ecr:PutImage, ecr:UntagResource
  • ecr:BatchGetImage, ecr:CompleteLayerUpload, ecr:DescribeImages
  • ecr:TagResource, ecr:DescribeRepositories, ecr:InitiateLayerUpload
  • ecr:DescribeRegistry, ecr:GetAuthorizationToken
Resources: Limited to ECR repositories with the pattern poolside-[deployment-name]
Purpose: Allows the bastion host to manage container images for deployment

Cognito Management Policy

Component: Bastion host
Actions: Comprehensive Cognito management including:
  • User pool creation, deletion, and modification
  • User pool client configuration
  • Domain management
  • MFA configuration
Resources: All resources (*)
Purpose: Enables management of user authentication services

SSM Parameter Store Management Policy

Component: Bastion host
Actions:
  • ssm:PutParameter, ssm:DeleteParameter, ssm:GetParametersByPath
  • ssm:GetParameters, ssm:GetParameter, ssm:DeleteParameters
Resources: Limited to parameters under /poolside/deployment/*
Purpose: Enables secure storage and retrieval of configuration parameters

ACM Read Policy

Component: Bastion host
Actions:
  • acm:DescribeCertificate, acm:GetCertificate
  • acm:ListCertificates, acm:ListTagsForCertificate
Resources: All resources (*)
Purpose: Allows reading certificate information for HTTPS configuration

Terraform State Policy

Component: Bastion host
Actions:
  • dynamodb:PutItem, dynamodb:GetItem, dynamodb:DeleteItem
Resources: All resources (*)
Purpose: Enables locking and state management for Terraform operations

Bastion Host Default Policy

Component: Bastion host
Actions: Extensive permissions for AWS resource management including EC2, IAM, S3, KMS, and more
Resources: All resources (*)
Purpose: Enables infrastructure management for deployment operations

Load Balancer Controller Policy

Component: AWS Load Balancer Controller
Actions: Managed by AWS module terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks
Resources: Various AWS resources related to load balancing
Purpose: Enables the Kubernetes ingress controller to provision and manage AWS Application Load Balancers
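As an added example that is not part of the Poolside deployment or its Terraform code, the following script performs the least-privilege spot check a reviewer would run over policy documents like the ones described above: it flags Allow statements that grant state-changing actions on Resource "*", and any action wildcards. The two sample documents are constructed from the SSM Parameter Store and Terraform State sections; the region, account id and ARN are placeholders.

```python
"""Least-privilege spot check for IAM policy documents like those above.
Added example, not Poolside's code; the sample documents are built from the
Actions/Resources this page lists, with placeholder region, account id and ARN."""

# Verbs that change state; granting any of these on Resource "*" is the
# first thing to review when tightening a policy.
MUTATING_VERBS = ("Put", "Create", "Delete", "Update", "Stop", "Upload",
                  "Initiate", "Complete", "Tag", "Untag", "Pass")

def _as_list(value):
    # IAM accepts a string or a list for Action and Resource; normalise to a list
    return value if isinstance(value, list) else [value]

def audit_policy(name, document):
    """Return findings for Allow statements that pair a mutating action with a
    wildcard Resource, or that use an action wildcard such as "ecr:*"."""
    findings = []
    for idx, stmt in enumerate(document["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if action.endswith("*"):
                findings.append(f"{name}[{idx}]: action wildcard {action}")
        if "*" in resources:
            # "service:VerbNoun" -> test the verb; a bare "*" has no verb and is skipped
            mutating = sorted(a for a in actions
                              if a.split(":", 1)[-1].startswith(MUTATING_VERBS))
            if mutating:
                findings.append(f"{name}[{idx}]: Resource '*' with {', '.join(mutating)}")
    return findings

def audit_all(policies):
    """Audit a {name: policy document} mapping; returns every finding in order."""
    return [f for name, doc in policies.items() for f in audit_policy(name, doc)]

# Constructed from the page: the path-scoped SSM policy, and the Terraform
# state policy whose DynamoDB writes are granted on "*".
SSM_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["ssm:PutParameter", "ssm:DeleteParameter", "ssm:GetParametersByPath",
               "ssm:GetParameters", "ssm:GetParameter", "ssm:DeleteParameters"],
    "Resource": "arn:aws:ssm:us-east-1:111122223333:parameter/poolside/deployment/*"}]}
TERRAFORM_STATE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["dynamodb:PutItem", "dynamodb:GetItem", "dynamodb:DeleteItem"],
    "Resource": "*"}]}

if __name__ == "__main__":
    print("\n".join(audit_all({"ssm": SSM_POLICY, "terraform_state": TERRAFORM_STATE_POLICY})))
```

Run as-is, the path-scoped SSM statement produces no finding, while the Terraform state statement is reported because its PutItem and DeleteItem grants are on "*"; a natural tightening is to scope that statement to the ARN of the state-lock table.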