IAM Roles for HA

AWS requires that every API request be cryptographically signed with credentials that AWS issues. To give the VM-Series firewalls that you deploy as an HA pair the API permissions they need, you must create a policy and attach that policy to a role in the AWS Identity and Access Management (IAM) service. The role must be attached to the VM-Series firewalls at launch. The policy grants the IAM role permission to initiate the API actions required to move interfaces or secondary IP addresses from the active peer to the passive peer when a failover is triggered.
For detailed instructions on creating a policy, refer to the AWS documentation on Creating Customer Managed Policies. For detailed instructions on creating an IAM role, defining which accounts or AWS services can assume the role, and defining which API actions and resources the application can use after assuming the role, refer to the AWS documentation on IAM Roles for Amazon EC2.
The IAM policy, which you configure in the AWS console, must grant at least the following actions, permissions, and resources to enable HA. The Interface Move and Secondary IP Move columns show which HA mode requires each entry. To enable AWS CloudWatch monitoring, see Enable CloudWatch Monitoring on the VM-Series Firewall for the additional IAM action it requires.
IAM Action, Permission, or Resource | Description | Interface Move | Secondary IP Move
AttachNetworkInterface | For permission to attach an ENI to an instance. | Yes | Yes
DescribeNetworkInterfaces | For fetching the ENI parameters in order to attach an interface to the instance. | Yes | Yes
DetachNetworkInterface | For permission to detach the ENI from the EC2 instance. | Yes | Yes
DescribeInstances | For permission to obtain information on the EC2 instances in the VPC. | Yes | Yes
AssociateAddress | For permission to move public IP addresses associated with the primary IP addresses from the passive to the active interfaces. | - | Yes
AssignPrivateIpAddresses | For permission to assign secondary IP addresses and associated public IP addresses to interfaces on the passive peer. | - | Yes
DescribeRouteTables | For permission to retrieve all route tables associated with the VM-Series firewall instances. | - | Yes
ReplaceRoute | For permission to update the AWS route table entries. | - | Yes
GetPolicyVersion | For permission to retrieve AWS policy version information. | - | Yes
GetPolicy | For permission to retrieve AWS policy information. | - | Yes
ListAttachedRolePolicies | For permission to retrieve the list of all managed policies attached to a specified IAM role. | - | Yes
ListRolePolicies | For permission to retrieve a list of the names of inline policies embedded in a specified IAM role. | - | Yes
GetRolePolicy | For permission to retrieve a specified inline policy embedded in a specified IAM role. | - | Yes
policy | For permission to access the IAM policy Amazon Resource Name (ARN). | - | Yes
role | For permission to access the IAM role ARN. | - | Yes
route-table | For permission to access the route table ARN in order to update it upon failover. | - | Yes
Wild card (*) | In the ARN field, use * as a wild card. | Yes | Yes
The following screenshots show the access management settings for the IAM role described above for secondary-IP HA:
[Screenshots: IAM_permissions_create.PNG, IAM_permissions_secondary_ip_ha.png]
The minimum permissions you need for interface move HA are:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "ec2:AttachNetworkInterface",
                    "ec2:DetachNetworkInterface",
                    "ec2:DescribeInstances",
                    "ec2:DescribeNetworkInterfaces"
                ],
                "Resource": "*"
            }
        ]
    }

The minimum permissions you need for secondary IP move HA are (note that ReplaceRoute is scoped to route table ARNs in its own statement):

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "ec2:AttachNetworkInterface",
                    "ec2:DetachNetworkInterface",
                    "ec2:DescribeInstances",
                    "ec2:DescribeNetworkInterfaces",
                    "ec2:AssignPrivateIpAddresses",
                    "ec2:AssociateAddress",
                    "ec2:DescribeRouteTables"
                ],
                "Resource": "*"
            },
            {
                "Sid": "VisualEditor1",
                "Effect": "Allow",
                "Action": "ec2:ReplaceRoute",
                "Resource": "arn:aws:ec2:*:*:route-table/*"
            }
        ]
    }
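Before attaching the role to the firewalls, it is worth confirming offline that a policy document grants exactly the actions the chosen HA mode needs from the table above and nothing broader. The following script is an added example, not Palo Alto Networks or AWS code: it applies the core IAM evaluation rule (an explicit Deny wins, otherwise at least one matching Allow is required, with IAM-style `*` and `?` wildcards) to the two minimum policies shown on this page and to a constructed over-permissive policy. The account ID and resource ARNs are constructed sample values; Conditions, NotAction and NotResource are not modelled because none appear in these policies.

```python
"""Offline least-privilege check for the VM-Series HA IAM policy (added example)."""
import fnmatch
import json

# Constructed sample ARNs; any values of the right shape will do.
ACCOUNT = "123456789012"
ENI_ARN = f"arn:aws:ec2:us-east-1:{ACCOUNT}:network-interface/eni-0a1b2c3d4e5f6a7b8"
ROUTE_TABLE_ARN = f"arn:aws:ec2:us-east-1:{ACCOUNT}:route-table/rtb-0a1b2c3d4e5f6a7b8"

# Required (action, resource) pairs per HA mode, taken from the table on this page.
# Describe* actions do not support resource-level permissions, so they are checked against "*".
INTERFACE_MOVE = [
    ("ec2:AttachNetworkInterface", ENI_ARN),
    ("ec2:DetachNetworkInterface", ENI_ARN),
    ("ec2:DescribeInstances", "*"),
    ("ec2:DescribeNetworkInterfaces", "*"),
]
SECONDARY_IP_MOVE = INTERFACE_MOVE + [
    ("ec2:AssignPrivateIpAddresses", ENI_ARN),
    ("ec2:AssociateAddress", ENI_ARN),
    ("ec2:DescribeRouteTables", "*"),
    ("ec2:ReplaceRoute", ROUTE_TABLE_ARN),
]
REQUIRED = {"interface-move": INTERFACE_MOVE, "secondary-ip-move": SECONDARY_IP_MOVE}


def _as_list(value):
    """IAM accepts either a string or a list in Action, Resource and Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """IAM wildcard match: '*' and '?' only; action names and ARNs compared case-insensitively."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def policy_allows(policy, action, resource):
    """True if the policy allows `action` on `resource`: explicit Deny wins, else any matching Allow."""
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        action_hit = any(_matches(p, action) for p in _as_list(stmt.get("Action")))
        resource_hit = any(_matches(p, resource) for p in _as_list(stmt.get("Resource")))
        if not (action_hit and resource_hit):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def check_ha_policy(policy, mode):
    """Report required permissions the policy lacks and any wildcard Allow actions it grants."""
    missing = [f"{a} on {r}" for a, r in REQUIRED[mode] if not policy_allows(policy, a, r)]
    wildcard_actions = sorted({
        p
        for stmt in _as_list(policy.get("Statement"))
        if stmt.get("Effect") == "Allow"
        for p in _as_list(stmt.get("Action"))
        if "*" in p
    })
    return {"mode": mode, "missing": missing, "wildcard_actions": wildcard_actions}


# The two minimum policies from this page.
INTERFACE_MOVE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{"Sid": "VisualEditor0", "Effect": "Allow",
 "Action": ["ec2:AttachNetworkInterface", "ec2:DetachNetworkInterface",
            "ec2:DescribeInstances", "ec2:DescribeNetworkInterfaces"],
 "Resource": "*"}]}
""")
SECONDARY_IP_MOVE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
 {"Sid": "VisualEditor0", "Effect": "Allow",
  "Action": ["ec2:AttachNetworkInterface", "ec2:DetachNetworkInterface",
             "ec2:DescribeInstances", "ec2:DescribeNetworkInterfaces",
             "ec2:AssignPrivateIpAddresses", "ec2:AssociateAddress",
             "ec2:DescribeRouteTables"],
  "Resource": "*"},
 {"Sid": "VisualEditor1", "Effect": "Allow",
  "Action": "ec2:ReplaceRoute", "Resource": "arn:aws:ec2:*:*:route-table/*"}]}
""")
# Constructed example of an over-permissive policy that an operator might paste in instead.
OVERLY_BROAD_POLICY = {"Version": "2012-10-17",
                       "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}

if __name__ == "__main__":
    for name, pol in [("interface-move policy", INTERFACE_MOVE_POLICY),
                      ("secondary-ip-move policy", SECONDARY_IP_MOVE_POLICY),
                      ("overly broad policy", OVERLY_BROAD_POLICY)]:
        for mode in REQUIRED:
            print(name, json.dumps(check_ha_policy(pol, mode)))
```

Running it shows the interface-move policy satisfying interface-move HA but lacking four actions for secondary-IP-move HA, the secondary-IP-move policy satisfying both modes with no wildcard actions, and the `ec2:*` policy satisfying both modes while being flagged for its wildcard grant. The check also confirms that `ec2:ReplaceRoute` is only allowed on route table ARNs, which is the scoping the second statement of the page's secondary-IP policy expresses.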
