CN-Series
IAM Roles for HA
AWS requires that every API request be cryptographically signed with
credentials that AWS issues. To grant API permissions to CN-Series
firewalls deployed as an HA pair, create a policy in the AWS Identity
and Access Management (IAM) service and attach that policy to an IAM
role. The role must be attached to the CN-Series firewalls at launch.
The policy gives the role permission to initiate the API actions
required to move interfaces or secondary IP addresses from the active
peer to the passive peer when failover is triggered.
For detailed instructions on creating a policy, refer to the AWS
documentation on Creating Customer Managed Policies.
For detailed instructions on creating an IAM role, defining which
accounts or AWS services can assume the role, and defining which API
actions and resources the application can use after assuming the role,
refer to the AWS documentation on IAM Roles for Amazon EC2.
The IAM policy, which you configure in the AWS console, must grant at
least the following actions and resources. All of them apply to
secondary-IP-move HA.
IAM Action, Permission, or Resource | Description |
---|---|
ec2:AttachNetworkInterface | Attach an ENI to an instance. |
ec2:DescribeNetworkInterfaces | Fetch the ENI parameters needed to attach an interface to the instance. |
ec2:DetachNetworkInterface | Detach an ENI from the EC2 instance. |
ec2:DescribeInstances | Obtain information on the EC2 instances in the VPC. |
ec2:AssociateAddress | Move the public IP addresses associated with the primary IP addresses from the passive to the active interfaces. |
ec2:AssignPrivateIpAddresses | Assign secondary IP addresses, and their associated public IP addresses, to interfaces on the passive peer. |
ec2:DescribeRouteTables | Retrieve all route tables associated with the CN-Series firewall instances. |
ec2:ReplaceRoute | Update AWS route table entries. |
iam:GetPolicyVersion | Retrieve AWS policy version information. |
iam:GetPolicy | Retrieve AWS policy information. |
iam:ListAttachedRolePolicies | Retrieve the list of all managed policies attached to a specified IAM role. |
iam:ListRolePolicies | Retrieve the names of the inline policies embedded in a specified IAM role. |
iam:GetRolePolicy | Retrieve a specified inline policy embedded in a specified IAM role. |
policy | Access the IAM policy Amazon Resource Name (ARN). |
role | Access the IAM role ARN. |
route-table | Access the route table ARN in order to update it upon failover. |
Wild card (*) | Use * as a wild card in the ARN field. |
[Screenshot: access management settings for the IAM role described above, for secondary-IP HA]
The minimum permissions you need for secondary IP move HA are:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ec2:AttachNetworkInterface",
        "ec2:DetachNetworkInterface",
        "ec2:DescribeInstances",
        "ec2:DescribeNetworkInterfaces",
        "ec2:AssignPrivateIpAddresses",
        "ec2:AssociateAddress",
        "ec2:DescribeRouteTables"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "ec2:ReplaceRoute",
      "Resource": "arn:aws:ec2:*:*:route-table/*"
    }
  ]
}
```
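The following script pulls the procedure on this page together (create the customer-managed policy, create a role that EC2 can assume, attach the policy, and put the role in an instance profile so it can be attached to the firewall hosts at launch) and checks a policy document against the minimum permissions listed above. It is an added example, not Palo Alto Networks or AWS code. The policy document is the page's minimum policy; the role, policy and instance-profile names, the EC2 trust policy, and the `iam` parameter (a boto3 IAM client) are assumptions, and the checker's wildcard matching is a simplification of IAM evaluation (it ignores Deny statements and conditions).

```python
"""Build, validate and provision the IAM role an HA pair of CN-Series
firewalls needs on AWS for secondary-IP-move failover.

Added example, not vendor code. Names marked "assumed" are placeholders.
"""
import fnmatch
import json

# Minimum permissions for secondary-IP-move HA, as listed on this page.
HA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:AttachNetworkInterface",
                "ec2:DetachNetworkInterface",
                "ec2:DescribeInstances",
                "ec2:DescribeNetworkInterfaces",
                "ec2:AssignPrivateIpAddresses",
                "ec2:AssociateAddress",
                "ec2:DescribeRouteTables",
            ],
            "Resource": "*",
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "ec2:ReplaceRoute",
            "Resource": "arn:aws:ec2:*:*:route-table/*",
        },
    ],
}

# The eight actions the page requires for the secondary-IP move.
REQUIRED_ACTIONS = {
    "ec2:AttachNetworkInterface", "ec2:DetachNetworkInterface",
    "ec2:DescribeInstances", "ec2:DescribeNetworkInterfaces",
    "ec2:AssignPrivateIpAddresses", "ec2:AssociateAddress",
    "ec2:DescribeRouteTables", "ec2:ReplaceRoute",
}

# Trust policy (assumed) that lets EC2 instances, i.e. the firewall hosts,
# assume the role.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}


def _as_list(value):
    """IAM allows Action/Resource as a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def allowed_actions(policy):
    """Yield (action_pattern, resource_pattern) for every Allow statement."""
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Allow":
            continue
        for action in _as_list(statement.get("Action", [])):
            for resource in _as_list(statement.get("Resource", [])):
                yield action, resource


def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Return, sorted, the required actions the policy does not grant.
    IAM action matching is case-insensitive and allows '*' and '?' wildcards."""
    grants = [action.lower() for action, _ in allowed_actions(policy)]
    return sorted(
        action for action in required
        if not any(fnmatch.fnmatchcase(action.lower(), g) for g in grants)
    )


def overbroad_grants(policy):
    """Flag grants wider than this page calls for: a wildcard in an action
    pattern, or ReplaceRoute allowed on '*' instead of route-table ARNs."""
    findings = []
    for action, resource in allowed_actions(policy):
        if "*" in action or "?" in action:
            findings.append(f"wildcard action {action!r} on {resource!r}")
        elif action.lower() == "ec2:replaceroute" and resource == "*":
            findings.append("ec2:ReplaceRoute should be scoped to route-table ARNs")
    return findings


def provision_ha_role(iam, role_name="cnseries-ha-role",
                      policy_name="cnseries-ha-policy"):
    """Create the customer-managed policy, the role EC2 can assume, attach the
    policy, and wrap the role in an instance profile (what an EC2 instance is
    launched with). `iam` is a boto3 IAM client (boto3.client("iam")); the
    names are assumed. Returns the new policy's ARN."""
    policy_arn = iam.create_policy(
        PolicyName=policy_name, PolicyDocument=json.dumps(HA_POLICY)
    )["Policy"]["Arn"]
    iam.create_role(RoleName=role_name,
                    AssumeRolePolicyDocument=json.dumps(EC2_TRUST_POLICY))
    iam.attach_role_policy(RoleName=role_name, PolicyArn=policy_arn)
    iam.create_instance_profile(InstanceProfileName=role_name)
    iam.add_role_to_instance_profile(InstanceProfileName=role_name,
                                     RoleName=role_name)
    return policy_arn


if __name__ == "__main__":
    print("missing:", missing_actions(HA_POLICY))
    print("overbroad:", overbroad_grants(HA_POLICY))
```

Run the two checks before attaching a policy you have edited by hand: a policy that grants `ec2:Describe*` and nothing else passes a casual read but fails `missing_actions`, and one that allows `ec2:ReplaceRoute` on `*` rather than on route-table ARNs is reported by `overbroad_grants`. The remaining ec2 actions in the page's policy already use `*` as the resource, matching the wild card row of the table above.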