IAM Roles for HA

AWS requires that every API request be cryptographically signed with credentials that AWS issues. To give the VM-Series firewalls that you deploy as an HA pair the API permissions they need, create a policy in the AWS Identity and Access Management (IAM) service and attach that policy to an IAM role; the role must then be attached to each VM-Series firewall when the instance is launched. The policy grants the role permission to invoke the API actions that detach network interfaces from the active peer and attach them to the passive peer when a failover is triggered.
For detailed instructions on creating a policy, refer to the AWS documentation on Creating Customer Managed Policies. For detailed instructions on creating an IAM role, defining which accounts or AWS services can assume the role, and defining which API actions and resources the application can use after assuming the role, refer to the AWS documentation on IAM Roles for Amazon EC2.
The IAM policy, which you configure in the AWS console, must grant at least the following actions and resources:
  • AttachNetworkInterface—For permission to attach an ENI to an instance.
  • DescribeNetworkInterfaces—For fetching the ENI parameters needed to attach an interface to the instance.
  • DetachNetworkInterface—For permission to detach the ENI from the EC2 instance.
  • DescribeInstances—For permission to obtain information on the EC2 instances in the VPC.
  • Wild card (*)—In the Amazon Resource Name (ARN) field, use * as a wildcard. The EC2 Describe* actions do not support resource-level permissions, so they require * in any case; note that with * the role can also attach or detach ENIs that do not belong to the HA pair, so attach this role only to the firewall instances.
The following screenshots show the access management settings for the IAM role described above:
[Screenshots: IAM_permissions_create.PNG and IAM_permissions.PNG, the IAM policy editor with the permissions listed above]
The permissions you need are:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": [
          "ec2:AttachNetworkInterface",
          "ec2:DetachNetworkInterface",
          "ec2:DescribeInstances",
          "ec2:DescribeNetworkInterfaces"
        ],
        "Resource": "*"
      }
    ]
  }
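The same policy document, together with the EC2 trust policy and the instance profile that the role needs before it can be selected at launch, as an added example (editor's code, not Palo Alto Networks' or AWS documentation code). The role and policy names VMSeriesHARole and VMSeriesHAPolicy, and the use of boto3 to apply them, are assumptions. The missing_actions check runs offline and can be pointed at an exported policy document to confirm that an existing role still meets the minimum above, including policies that grant the actions through wildcards such as ec2:Describe*.

```python
"""Build, check and (optionally) create the IAM policy, role and instance
profile that VM-Series HA peers need to move ENIs on failover.

Editor's example, not vendor code. Role/policy names and the boto3 client
are assumptions; the permission set is the page's minimum on Resource "*".
"""
import fnmatch
import json

IAM_VERSION = "2012-10-17"

# Minimum actions the HA failover logic needs (from the page).
REQUIRED_ACTIONS = (
    "ec2:AttachNetworkInterface",
    "ec2:DetachNetworkInterface",
    "ec2:DescribeInstances",
    "ec2:DescribeNetworkInterfaces",
)


def build_ha_policy():
    """Permissions policy: the four required actions on Resource '*'."""
    return {
        "Version": IAM_VERSION,
        "Statement": [
            {
                "Sid": "VMSeriesHAFailover",  # assumed statement id
                "Effect": "Allow",
                "Action": list(REQUIRED_ACTIONS),
                "Resource": "*",
            }
        ],
    }


def build_ec2_trust_policy():
    """Trust policy: only the EC2 service may assume the role, which is what
    lets an instance profile hand the role's credentials to the firewall."""
    return {
        "Version": IAM_VERSION,
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": "ec2.amazonaws.com"},
                "Action": "sts:AssumeRole",
            }
        ],
    }


def _as_list(value):
    """IAM allows scalar or list for Statement/Action; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Return the required actions that no Allow statement grants.

    Action names are matched case-insensitively and IAM-style wildcards in
    the policy (e.g. 'ec2:Describe*', 'ec2:*') are honoured. Deny
    statements are ignored; the check is about what is granted.
    """
    granted = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        granted.extend(a.lower() for a in _as_list(stmt.get("Action")))
    return [
        action
        for action in required
        if not any(fnmatch.fnmatchcase(action.lower(), pat) for pat in granted)
    ]


def create_ha_role(iam, role_name="VMSeriesHARole", policy_name="VMSeriesHAPolicy"):
    """Create the customer managed policy, the role trusted by EC2, and the
    instance profile (same name as the role) that you pick as the IAM role
    when launching both firewall instances. Returns the profile ARN."""
    policy_arn = iam.create_policy(
        PolicyName=policy_name,
        PolicyDocument=json.dumps(build_ha_policy()),
    )["Policy"]["Arn"]
    iam.create_role(
        RoleName=role_name,
        AssumeRolePolicyDocument=json.dumps(build_ec2_trust_policy()),
    )
    iam.attach_role_policy(RoleName=role_name, PolicyArn=policy_arn)
    profile_arn = iam.create_instance_profile(InstanceProfileName=role_name)[
        "InstanceProfile"
    ]["Arn"]
    iam.add_role_to_instance_profile(InstanceProfileName=role_name, RoleName=role_name)
    return profile_arn


if __name__ == "__main__":
    import boto3  # only needed when actually applying to an account

    print(create_ha_role(boto3.client("iam")))
```

Running the script against a real account needs boto3 and credentials holding iam:CreatePolicy, iam:CreateRole, iam:AttachRolePolicy, iam:CreateInstanceProfile and iam:AddRoleToInstanceProfile. The instance profile, not the bare role, is what the EC2 launch wizard offers as the IAM role; select it for both HA peers. The attach and detach actions could additionally be scoped to the peers' ENIs by ARN, but the Describe actions must stay on "*".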

Related Documentation