
IAM Privileges for Customer Hosted Agents on AWS

Minimum IAM privileges for a Data Productivity Cloud Customer Hosted Agent (CHA) on AWS.

This article describes the set of IAM privileges that a CHA needs to operate successfully. Attach the policies shown here to the IAM Task Role referenced by your ECS Task Definition (the role the agent's containers assume at run time), not to the Task Execution Role, which ECS itself uses to pull the image and ship container logs. Treat these policies as a starting point: several statements allow access to every resource in the account, so narrow them to the buckets, queues, secrets, and keys your agent actually uses wherever your environment allows it.

AWS managed policies

Attach the following AWS managed policies:

  • CloudWatchFullAccess
  • SecretsManagerReadWrite

Both policies are broad. CloudWatchFullAccess includes cloudwatch:*, logs:*, and sns:* on every resource in the account (AWS has since published CloudWatchFullAccessV2 and recommends it over CloudWatchFullAccess; confirm which one the current AWS managed policy reference lists). SecretsManagerReadWrite lets the role read, create, and update every secret in the account, not only the ones the agent uses. Where least privilege is required, replace them with customer managed policies limited to the log groups and secret ARNs the agent needs (see Further customization).

Inline policy

Attach the following as an inline policy on the same Task Role. The statement structure is shown below; the Action list of each statement is not reproduced here and must be copied from the complete policy in the Data Productivity Cloud documentation, because IAM rejects a policy document with an empty Action array. Every statement except StmtMinCloudwatchLogs grants on Resource "*", so replace those wildcards with the ARNs of the resources the agent uses:

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": [
        ],
        "Resource": "*",
        "Effect": "Allow",
        "Sid": "StmtMinS3"
      },
      {
        "Action": [
        ],
        "Resource": "*",
        "Effect": "Allow",
        "Sid": "StmtMinSQS"
      },
      {
        "Action": [
        ],
        "Resource": "*",
        "Effect": "Allow",
        "Sid": "StmtMinRDS"
      },
      {
        "Action": [
        ],
        "Resource": "*",
        "Effect": "Allow",
        "Sid": "StmtMinEC2"
      },
      {
        "Action": [
        ],
        "Resource": "*",
        "Effect": "Allow",
        "Sid": "StmtMinSNS"
      },
      {
        "Action": [
        ],
        "Resource": "*",
        "Effect": "Allow",
        "Sid": "StmtMinCloudwatch"
      },
      {
        "Action": [
        ],
        "Resource": "arn:aws:logs:*:*:*",
        "Effect": "Allow",
        "Sid": "StmtMinCloudwatchLogs"
      },
      {
        "Action": [
        ],
        "Resource": "*",
        "Effect": "Allow",
        "Sid": "StmtMinKMS"
      },
      {
        "Action": [
        ],
        "Resource": "*",
        "Effect": "Allow",
        "Sid": "StmtMinDynamoDB"
      }
    ]
  }

Further customization

In addition you may choose to:

  • Customize the inline policy, for example to add restrictions: replace a statement's Resource "*" with the ARNs it needs (for S3 both the bucket ARN, against which s3:ListBucket is evaluated, and bucket/* for object operations), or add a Condition such as aws:ResourceTag to limit a statement to tagged resources
  • Add more privileges, for example AmazonBedrockFullAccess to enable LLM prompt functionality. A narrower alternative is to allow only bedrock:InvokeModel (plus bedrock:InvokeModelWithResponseStream if streaming responses are used) on the foundation model ARNs the prompt components call
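As an added example (not Matillion's code), the following Python script shows the restriction step in practice: it lints a policy document for Allow statements on Resource "*" and for empty Action lists, pins the S3 and SQS statements to one bucket and one queue, and builds a narrow read-only replacement for SecretsManagerReadWrite. SAMPLE_POLICY, its action names, the bucket and queue names, the account ID and the secret ARN are all constructed for the example; they are not the CHA's real action lists, which must come from the documentation.

```python
"""Scope the CHA inline policy to concrete resources before attaching it.

Added example, not Matillion's code. SAMPLE_POLICY is constructed for
illustration: its action names are placeholders, not the CHA's real action
lists, which must be taken from the Data Productivity Cloud documentation.
"""
import copy
import json

# Constructed sample in the shape of the article's inline policy.
# Only the structure (Sid, Effect, Resource "*") matches the article.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "StmtMinS3", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
         "Resource": "*"},
        {"Sid": "StmtMinSQS", "Effect": "Allow",
         "Action": ["sqs:SendMessage", "sqs:ReceiveMessage"],
         "Resource": "*"},
        {"Sid": "StmtMinCloudwatchLogs", "Effect": "Allow",
         "Action": ["logs:PutLogEvents"],
         "Resource": "arn:aws:logs:*:*:*"},
    ],
}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def lint_policy(policy):
    """Return human-readable findings for a policy document.

    Flags Allow statements whose Resource is a bare "*" and statements with
    an empty Action list (IAM rejects such a document outright). Partial
    wildcards such as arn:aws:logs:*:*:* are not flagged; review those by hand.
    """
    findings = []
    for stmt in policy["Statement"]:
        sid = stmt.get("Sid", "<no Sid>")
        if not _as_list(stmt.get("Action")):
            findings.append(f"{sid}: empty Action list; IAM will reject this policy")
        if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Resource")):
            findings.append(f"{sid}: Allow on Resource '*'; scope to the ARNs the agent uses")
    return findings


def scope_statement(policy, sid, resources):
    """Return a copy of `policy` with statement `sid` limited to `resources`.

    The input is left untouched so the unscoped original can still be diffed.
    """
    scoped = copy.deepcopy(policy)
    for stmt in scoped["Statement"]:
        if stmt.get("Sid") == sid:
            stmt["Resource"] = list(resources)
            return scoped
    raise KeyError(f"no statement with Sid {sid!r}")


def secrets_policy(secret_arns):
    """Narrow replacement for SecretsManagerReadWrite limited to named secrets.

    Assumption: the agent only needs to read these secrets. Create/update and
    list permissions are deliberately left out; add them only if required.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ChaReadSecrets",
            "Effect": "Allow",
            "Action": ["secretsmanager:GetSecretValue",
                       "secretsmanager:DescribeSecret"],
            "Resource": list(secret_arns),
        }],
    }


def build_scoped_policy(bucket, queue_arn):
    """Pin the S3 and SQS statements to one bucket and one queue.

    s3:ListBucket is evaluated against the bucket ARN and object operations
    against the object ARNs, so both forms are required for S3.
    """
    policy = scope_statement(SAMPLE_POLICY, "StmtMinS3",
                             [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"])
    return scope_statement(policy, "StmtMinSQS", [queue_arn])


if __name__ == "__main__":
    print("Findings on the unscoped policy:")
    for line in lint_policy(SAMPLE_POLICY):
        print("  -", line)
    # Constructed bucket name, region, account ID and queue name.
    scoped = build_scoped_policy("cha-work-bucket",
                                 "arn:aws:sqs:eu-west-1:123456789012:cha-queue")
    print("Findings after scoping:", lint_policy(scoped) or "none")
    print(json.dumps(scoped, indent=2))  # save as cha-inline.json for put-role-policy
```

Run the script to print the findings and the scoped document; save the JSON and attach it with `aws iam put-role-policy --role-name <task-role> --policy-name cha-inline --policy-document file://cha-inline.json`, and attach the document returned by secrets_policy the same way in place of the SecretsManagerReadWrite managed policy.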

Author: Matillion
Date Posted: 21 May 2024