AWS permission requirements
BEST PRACTICE Because these credentials are granted by an AWS IAM administrator, you should create a dedicated user account in Trust Protection Platform for this purpose.
For more information, visit the following URL:
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html
The operations performed by Amazon Certificate Manager and Amazon Web Services drivers depend on a set of permissions found in your AWS policy. The following AWS policy represents the least privilege access required to support the full feature set of the VenafiAWS driver.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:DeleteServerCertificate",
"iam:UploadServerCertificate",
"iam:ListServerCertificates",
"iam:GetServerCertificate",
"acm:RequestCertificate",
"acm:GetCertificate",
"acm:DeleteCertificate",
"acm:ImportCertificate",
"acm:ListCertificates",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:CreateListener",
"elasticloadbalancing:CreateLoadBalancerListeners",
"elasticloadbalancing:ModifyListener",
"elasticloadbalancing:SetLoadBalancerListenerSSLCertificate",
"cloudfront:GetDistribution",
"cloudfront:GetDistributionConfig",
"cloudfront:UpdateDistribution",
"cloudfront:ListDistributions"
"ec2:DescribeInstances",
],
"Resource": "*"
}
]
}
You can remove specific features that you don't plan to use by simply omitting lines from the policy. For example, if you know that you will not be using ACM, delete any actions that start with "acm:".
For more information about ELB permissions, visit the following Amazon URL:
http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_examples.html#d0e40339