Article

Minimum IAM privileges for a Data Productivity Cloud Customer Hosted Agent (CHA) on AWS.

This article describes the minimum set of IAM privileges that a CHA needs to operate successfully. Attach the policies shown here to the IAM Task Role used by your ECS Task Definition:

AWS managed policies

Attach the following AWS managed policies:

CloudWatchFullAccess
SecretsManagerReadWrite

Inline policy

Attach the following as an inline policy:

{
  "Version": "2024-05-17",
  "Statement": [
    {
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:GetBucketLocation"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "StmtMinS3"
    },
    {
      "Action": [
        "sqs:DeleteMessage",
        "sqs:ListQueues",
        "sqs:ReceiveMessage",
        "sqs:SendMessage",
        "sqs:GetQueueUrl"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "StmtMinSQS"
    },
    {
      "Action": [
        "rds:DescribeDBInstances"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "StmtMinRDS"
    },
    {
      "Action": [
        "ec2:CreateSnapshot",
        "ec2:CreateTags",
        "ec2:DescribeInstances",
        "ec2:DescribeVolumes",
        "ec2:DescribeRegions"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "StmtMinEC2"
    },
    {
      "Action": [
        "sns:ListTopics",
        "sns:CreateTopic",
        "sns:Publish"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "StmtMinSNS"
    },
    {
      "Action": [
        "cloudwatch:PutMetricData",
        "cloudwatch:ListMetrics"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "StmtMinCloudwatch"
    },
    {
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogStreams"
      ],
      "Resource": "arn:aws:logs:*:*:*",
      "Effect": "Allow",
      "Sid": "StmtMinCloudwatchLogs"
    },
    {
      "Action": [
        "kms:ListAliases",
        "kms:Encrypt",
        "kms:Decrypt"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "StmtMinKMS"
    },
    {
      "Action": [
        "dynamodb:ListTables",
        "dynamodb:DescribeTable",
        "dynamodb:Scan"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "StmtMinDynamoDB"
    }
  ]
}

Further customization

In addition you may choose to:

Customize the inline policy, for example to add restrictions
Add more privileges, for example AmazonBedrockFullAccess to enable LLM prompt functionality

Author: Matillion