Barracuda CloudGen Firewall

How to Create an IAM Role for a CloudGen Firewall in AWS


IAM roles are the preferred method for CloudGen Firewall instances in AWS to authenticate against AWS APIs. For each feature that requires direct access to AWS resources, a customized IAM policy must be created. These policies are then attached to the IAM role assigned to the instance during deployment. It is possible to change the IAM policies attached to the IAM role on the fly. If an Access Key ID and Secret Access Key are configured in AWS cloud integration, they take precedence over the IAM role attached to the instance. In order to use all firewall features, the following IAM security policies must be created and attached to the IAM role:

  • Cloud Information element
  • Route shifting (includes Cloud Information dashboard element)
  • AWS CloudWatch streaming
  • AWS Auto Scaling or cold standby S3 bucket access
  • AWS Marketplace Metered Billing, to allow reporting for volume-based PAYG instances

Step 1. Create an IAM Policy for Route Shifting

Create an IAM policy to allow route shifting.

  1. Log into the AWS console.
  2. Click Services and select IAM.
  3. In the left menu, select Policies.
  4. Click Create policy.
  5. Select the JSON tab and paste the policy.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:AllocateAddress",
                    "ec2:AssociateAddress",
                    "ec2:DescribeAddresses",
                    "ec2:DisassociateAddress",
                    "ec2:DescribeInstances",
                    "ec2:DescribeVpcs",
                    "ec2:DescribeSubnets",
                    "ec2:DescribeRouteTables",
                    "ec2:DeleteRoute",
                    "ec2:CreateRoute",
                    "ec2:DescribeNetworkInterfaces"
                ],
                "Resource": [
                    "*"
                ]
            }
        ]
    }
  6. (Optional) Select the Visual tab to review the policy.
  7. Click Next.
  8. Enter the following information for the IAM policy:
    • Policy name – Enter a name for the policy.
    • (optional) Description

      In some cases, the AWS visual editor does not accept instructions from the JSON code and displays warning messages. If required, you can edit these warnings directly in the Visual tab before saving the IAM policy.

  9. (optional) Create a custom tag for the policy. A tag consists of a key-value pair and is used to identify a resource.

    Do not store personally identifiable information (PII) or other confidential information in a tag!

    1. In the Add tags section, click Add new tag.
    2. Enter a Key, for example: RouteShiftHA
    3. (optional) Enter a tag Value, for example: 01-west-US
  10. Click Create policy.

The IAM policy for route shifting is now available to be assigned to an IAM role for the CloudGen Firewall.

Step 2. Create an IAM Policy for the Cloud Information Dashboard Element

Create this policy only if you are not using the route shifting IAM policy. The route shifting IAM policy includes all permissions necessary for the Cloud Information element.

  1. Log into the AWS console.
  2. Click Services and select IAM.
  3. In the left menu, click Policies.
  4. Click Create policy.
  5. Select the JSON tab and paste the policy.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:DescribeInstances",
                    "ec2:DescribeVpcs",
                    "ec2:DescribeSubnets",
                    "ec2:DescribeRouteTables"
                ],
                "Resource": [
                    "*"
                ]
            }
        ]
    }
  6. (Optional) Select the Visual tab to visually review the policy.
  7. Click Next.
  8. Enter the following information for the IAM policy:
    • Policy name – Enter a name for the policy.
    • (optional) Description

  9. (optional) Create a tag for the policy. For instructions, see Step 1, step 9.
  10. Click Create policy.

The IAM policy for the Cloud Information element is now available to be assigned to an IAM role for the CloudGen Firewall.

Step 3. Create an IAM Policy for Log Streaming to AWS CloudWatch

This IAM policy grants the firewall the necessary permissions to stream logs to AWS CloudWatch.

  1. Log into the AWS console.
  2. Click Services and select IAM.
  3. In the left menu, click Policies.
  4. Click Create policy.
  5. Select the JSON tab and paste the policy.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "logs:CreateLogGroup",
                    "logs:CreateLogStream",
                    "logs:PutLogEvents",
                    "logs:DescribeLogStreams",
                    "logs:DescribeLogGroups"
                ],
                "Resource": [
                    "arn:aws:logs:*:*:*"
                ]
            }
        ]
    }
    
  6. (Optional) Select the Visual tab to visually review the policy.
  7. Click Next.
  8. Enter the following information for the IAM policy:
    • Policy name – Enter a name for the policy.
    • (optional) Description

  9. (optional) Create a tag for the policy. For instructions, see Step 1, step 9.
  10. Click Create policy.

The IAM policy for streaming logs to AWS CloudWatch is now available to be assigned to an IAM role for the CloudGen Firewall.

Step 4. Create an IAM Policy for AWS Auto Scaling Group Deployments

This IAM policy grants the necessary permissions for Auto Scaling and cold standby architectures for the CloudGen Firewall.

  1. Log into the AWS console.
  2. Click Services and select IAM.
  3. In the left menu, click Policies.
  4. Click Create policy.
  5. Select the JSON tab and paste the policy.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:AllocateAddress",
                    "ec2:AssociateAddress",
                    "ec2:DescribeAddresses",
                    "ec2:DisassociateAddress",
                    "ec2:CreateRoute",
                    "ec2:DescribeRouteTables",
                    "ec2:ReplaceRoute",
                    "ec2:DeleteRoute",
                    "ec2:CreateTags",
                    "ec2:DescribeInstances",
                    "ec2:DeleteTags",
                    "ec2:DescribeTags",
                    "ec2:ModifyInstanceAttribute"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "autoscaling:CreateOrUpdateTags",
                    "autoscaling:DeleteTags",
                    "autoscaling:DescribeAutoScalingGroups",
                    "autoscaling:DescribeAutoScalingInstances",
                    "autoscaling:DescribeTags",
                    "autoscaling:SetInstanceProtection"
                ],
                "Resource": "*"
            },
            {
                "Action": [
                    "sqs:CreateQueue",
                    "sqs:DeleteMessage",
                    "sqs:DeleteQueue",
                    "sqs:GetQueueAttributes",
                    "sqs:ReceiveMessage",
                    "sqs:SetQueueAttributes",
                    "sqs:GetQueueUrl"
                ],
                "Effect": "Allow",
                "Resource": "arn:aws:sqs:::*"
            },
            {
                "Action": [
                    "sns:CreateTopic",
                    "sns:Publish",
                    "sns:Subscribe",
                    "sns:Unsubscribe",
                    "sns:ListSubscriptionsByTopic"
                ],
                "Effect": "Allow",
                "Resource": "arn:aws:sns:::*"
            },
            {
                "Action": [
                    "cloudwatch:PutMetricData"
                ],
                "Effect": "Allow",
                "Resource": "*"
            },
            {
                "Action": [
                    "sts:GetCallerIdentity"
                ],
                "Effect": "Allow",
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "s3:CreateBucket",
                    "s3:ListBucket",
                    "s3:PutBucketVersioning",
                    "s3:PutObject",
                    "s3:GetBucketVersioning",
                    "s3:ListBucketVersions",
                    "s3:GetObject",
                    "s3:GetObjectVersion",
                    "s3:DeleteObjectVersion"
                ],
                "Resource": "arn:aws:s3:::*"
            }
        ]
    }
  6. (Optional) Select the Visual tab to visually review the policy.
  7. Click Next.
  8. Enter the following information for the IAM policy:
    • Policy name – Enter a name for the policy.
    • (optional) Description

  9. (optional) Create a tag for the policy. For instructions, see Step 1, step 9.
  10. Click Create policy.

The IAM policy for AWS Auto Scaling and cold standby architectures is now available to be assigned to an IAM role for the CloudGen Firewall.

Step 5. Create an IAM Policy for Metered Billing

This IAM policy grants the necessary permissions for metered billing PAYG images to be able to report the used traffic to AWS.

  1. Log into the AWS console.
  2. Click Services and select IAM.
  3. In the left menu, click Policies.
  4. Click Create policy.
  5. Select the JSON tab and paste the policy.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "aws-marketplace:*"
                ],
                "Effect": "Allow",
                "Resource": "*"
            }
        ]
    }
  6. (Optional) Select the Visual tab to visually review the policy.
  7. Click Next.
  8. Enter the following information for the IAM policy:
    • Policy name – Enter a name for the policy.
    • (optional) Description
  9. (optional) Create a tag for the policy. For instructions, see Step 1, step 9.
  10. Click Create policy.

The IAM policy for metered billing is now available to be assigned to an IAM role for the CloudGen Firewall.

Step 6. Create the IAM Role

Create the IAM role and assign the IAM policies for all CloudGen Firewall Cloud Integration features used by the firewall Instance.

  1. Log into the AWS console.
  2. Click Services and select IAM.
  3. In the left menu, click Roles.
  4. Click Create role.
  5. Select AWS service.
  6. In the Service or use case field, select EC2 and click Next.
    1. Select the relevant IAM firewall policies for your planned CloudGen Firewall deployment.

      Select the policies only for features that will be used in the deployed firewall instance. You can change the attached IAM policies later if required.

  7. Click Next.
  8. Enter a Role name and an optional Role description.
  9. (Optional) Add tags to the role.
  10. Review the settings.
  11. Click Create Role.

Assign this role to the CloudGen Firewall instance during deployment.
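The same role can be composed and checked outside the console. The following Python script is an added example, not Barracuda code or a CloudGen Firewall tool: it builds the EC2 trust policy that the console creates when you pick "AWS service" and "EC2", keeps one policy per feature from the list at the top of this article (action lists taken from the policies above, abbreviated for route shifting and without the Auto Scaling policy; the CGF-* policy names are hypothetical), drops the Cloud Information policy when route shifting is selected as Step 2 advises, and lints each document before it is saved. The lint encodes the pitfall behind the visual-editor warning mentioned in Step 1: ec2:Describe* actions support no resource-level permissions, so any Resource other than "*" grants nothing. The optional apply step assumes boto3 and valid credentials and is not run offline.

```python
"""Compose, check, and (optionally) apply the IAM role for a CloudGen Firewall instance."""
import json
from typing import Dict, List, Tuple

# Trust policy of an EC2 service role: only EC2 instances may assume it.
EC2_TRUST_POLICY: Dict = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}


def allow(actions: List[str], resource="*") -> Dict:
    """Single-statement Allow policy in the same shape as the article's JSON."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": list(actions), "Resource": resource}]}


# Feature -> (policy name, document). Names are hypothetical; actions come from the article.
FEATURE_POLICIES: Dict[str, Tuple[str, Dict]] = {
    "route_shifting": ("CGF-RouteShifting", allow([
        "ec2:AllocateAddress", "ec2:AssociateAddress", "ec2:DescribeAddresses",
        "ec2:DisassociateAddress", "ec2:DescribeInstances", "ec2:DescribeVpcs",
        "ec2:DescribeSubnets", "ec2:DescribeRouteTables", "ec2:DeleteRoute",
        "ec2:CreateRoute", "ec2:DescribeNetworkInterfaces"])),
    "cloud_info": ("CGF-CloudInfo", allow([
        "ec2:DescribeInstances", "ec2:DescribeVpcs", "ec2:DescribeSubnets",
        "ec2:DescribeRouteTables"])),
    "cloudwatch": ("CGF-CloudWatch", allow([
        "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
        "logs:DescribeLogStreams", "logs:DescribeLogGroups"], "arn:aws:logs:*:*:*")),
    "metered_billing": ("CGF-MeteredBilling", allow(["aws-marketplace:*"])),
}


def select_policies(features: List[str]) -> List[Tuple[str, Dict]]:
    """Attach only the policies for features in use; route shifting already
    contains every permission the Cloud Information element needs."""
    wanted = set(features)
    if "route_shifting" in wanted:
        wanted.discard("cloud_info")
    return [FEATURE_POLICIES[f] for f in sorted(wanted)]


def lint_policy(doc: Dict) -> List[str]:
    """Findings to resolve before saving the policy; 'error:' entries break the feature."""
    findings = []
    if doc.get("Version") != "2012-10-17":
        findings.append("warning: Version is not 2012-10-17 (current policy language version)")
    for i, st in enumerate(doc.get("Statement", [])):
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        for a in actions:
            # ec2:Describe* has no resource-level permissions: any ARN here grants nothing.
            if a.startswith("ec2:Describe") and resources != ["*"]:
                findings.append(f"error: statement {i}: {a} needs Resource \"*\"")
            # Service-wide wildcards are legal but worth a second look.
            if a.endswith(":*"):
                findings.append(f"warning: statement {i}: {a} allows every action of that service")
    return findings


def apply_with_boto3(role_name: str, features: List[str]) -> str:
    """Create role, policies and instance profile (needs boto3 and credentials)."""
    import boto3  # imported here so the offline checks above work without boto3
    iam = boto3.client("iam")
    iam.create_role(RoleName=role_name,
                    AssumeRolePolicyDocument=json.dumps(EC2_TRUST_POLICY))
    for name, doc in select_policies(features):
        errors = [f for f in lint_policy(doc) if f.startswith("error")]
        if errors:
            raise ValueError(f"{name}: {errors}")
        arn = iam.create_policy(PolicyName=name, PolicyDocument=json.dumps(doc))["Policy"]["Arn"]
        iam.attach_role_policy(RoleName=role_name, PolicyArn=arn)
    # EC2 attaches a role through an instance profile; the console creates one implicitly.
    iam.create_instance_profile(InstanceProfileName=role_name)
    iam.add_role_to_instance_profile(InstanceProfileName=role_name, RoleName=role_name)
    return role_name


if __name__ == "__main__":
    for name, doc in select_policies(["route_shifting", "cloud_info", "cloudwatch"]):
        print(name, lint_policy(doc) or "ok")
```

Run the script as-is to see which policies would be attached for a route-shifting firewall with CloudWatch streaming and what the lint reports; call apply_with_boto3 only from an account where creating IAM resources is intended.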