Barracuda CloudGen Firewall

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see End-of-Support for CloudGen Firewall Firmware for further information on our EoS policy.

How to Create an IAM Role for a CloudGen Firewall in AWS


IAM roles are the preferred method for CloudGen Firewall instances in AWS to authenticate against AWS APIs. For each feature that requires direct access to AWS resources, a customized IAM policy must be created. These policies are then attached to the IAM role assigned to the instance during deployment. The IAM policies attached to the IAM role can be changed on the fly. If an Access Key ID and Secret Access Key are configured in AWS cloud integration, they take precedence over the IAM role attached to the instance. In order to use all firewall features, the following IAM security policies must be created and attached to the IAM role:

  • Cloud Information element
  • Route shifting (includes Cloud Information dashboard element)
  • AWS CloudWatch streaming
  • AWS Auto Scaling or cold standby S3 bucket access
  • AWS Marketplace Metered Billing, to allow reporting for volume-based PAYG instances

Step 1. Create IAM Policy for Route Shifting

Create an IAM policy to allow route shifting.

  1. Log into the AWS console.
  2. Click Services and select IAM.
  3. In the left menu, click Policies.
  4. Click Create Policy.
  5. Next to Create Your Own Policy, click Select.
    Configure the IAM policy:
    • Policy Name – Enter a name for the policy.
    • (optional) Description
    • Policy Document – Copy and paste the following policy:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:AllocateAddress",
                    "ec2:AssociateAddress",
                    "ec2:DescribeAddresses",
                    "ec2:DisassociateAddress",
                    "ec2:DescribeInstances",
                    "ec2:DescribeVpcs",
                    "ec2:DescribeSubnets",
                    "ec2:DescribeRouteTables",
                    "ec2:DeleteRoute",
                    "ec2:CreateRoute",
                    "ec2:DescribeNetworkInterfaces"
                ],
                "Resource": [
                    "*"
                ]
            }
        ]
    }


  6. Click Create Policy.

The IAM policy for route shifting is now available to be assigned to an IAM role for the CloudGen Firewall.


Step 2. Create IAM Policy for the Cloud Information Dashboard Element

Create this policy only if you are not using the route shifting IAM policy. The route shifting IAM policy includes all permissions necessary for the Cloud Information element.

  1. Log into the AWS console.
  2. Click Services and select IAM.
  3. In the left menu, click Policies.
  4. Click Create Policy.
  5. Next to Create Your Own Policy, click Select.
    Configure the IAM policy:
    • Policy Name – Enter a name for the policy.
    • (optional) Description
    • Policy Document – Copy and paste the following policy:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:DescribeInstances",
                    "ec2:DescribeVpcs",
                    "ec2:DescribeSubnets",
                    "ec2:DescribeRouteTables"
                ],
                "Resource": [
                    "arn:aws:ec2:::*"
                ]
            }
        ]
    }


  6. Click Create Policy.

The IAM policy for the Cloud Information element is now available to be assigned to an IAM role for the CloudGen Firewall.


Step 3. Create IAM Policy for Log Streaming to AWS CloudWatch

This IAM policy grants the firewall the necessary permissions to stream logs to AWS CloudWatch.

  1. Log into the AWS console.
  2. Click Services and select IAM.
  3. In the left menu, click Policies.
  4. Click Create Policy.
  5. Next to Create Your Own Policy, click Select.
  6. Configure the IAM policy:
    • Policy Name – Enter a name for the policy.
    • (optional) Description
    • Policy Document – Copy and paste the following policy:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "logs:CreateLogGroup",
                    "logs:CreateLogStream",
                    "logs:PutLogEvents",
                    "logs:DescribeLogStreams",
                    "logs:DescribeLogGroups"
                ],
                "Resource": [
                    "arn:aws:logs:*:*:*"
                ]
            }
        ]
    }

  7. Click Create Policy.

The IAM policy for streaming logs to AWS CloudWatch is now available to be assigned to an IAM role for the CloudGen Firewall.


Step 4. Create IAM Policy for AWS Auto Scaling Group Deployments

This IAM policy grants the necessary permissions for Auto Scaling and cold standby architectures for the CloudGen Firewall.

  1. Log into the AWS console.
  2. Click Services and select IAM.
  3. In the left menu, click Policies.
  4. Click Create Policy.
  5. Next to Create Your Own Policy, click Select.
  6. Configure the IAM policy:
    • Policy Name – Enter a name for the policy.
    • (optional) Description
    • Policy Document – Copy and paste the following policy:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:AllocateAddress",
                    "ec2:AssociateAddress",
                    "ec2:DescribeAddresses",
                    "ec2:DisassociateAddress",
                    "ec2:CreateRoute",
                    "ec2:DescribeRouteTables",
                    "ec2:ReplaceRoute",
                    "ec2:DeleteRoute",
                    "ec2:CreateTags",
                    "ec2:DescribeInstances",
                    "ec2:DeleteTags",
                    "ec2:DescribeTags",
                    "ec2:ModifyInstanceAttribute"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "autoscaling:CreateOrUpdateTags",
                    "autoscaling:DeleteTags",
                    "autoscaling:DescribeAutoScalingGroups",
                    "autoscaling:DescribeAutoScalingInstances",
                    "autoscaling:DescribeTags",
                    "autoscaling:SetInstanceProtection"
                ],
                "Resource": "*"
            },
            {
                "Action": [
                    "sqs:CreateQueue",
                    "sqs:DeleteMessage",
                    "sqs:DeleteQueue",
                    "sqs:GetQueueAttributes",
                    "sqs:ReceiveMessage",
                    "sqs:SetQueueAttributes",
                    "sqs:GetQueueUrl"
                ],
                "Effect": "Allow",
                "Resource": "arn:aws:sqs:::*"
            },
            {
                "Action": [
                    "sns:CreateTopic",
                    "sns:Publish",
                    "sns:Subscribe",
                    "sns:Unsubscribe",
                    "sns:ListSubscriptionsByTopic"
                ],
                "Effect": "Allow",
                "Resource": "arn:aws:sns:::*"
            },
            {
                "Action": [
                    "cloudwatch:PutMetricData"
                ],
                "Effect": "Allow",
                "Resource": "*"
            },
            {
                "Action": [
                    "sts:GetCallerIdentity"
                ],
                "Effect": "Allow",
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "s3:CreateBucket",
                    "s3:ListBucket",
                    "s3:PutBucketVersioning",
                    "s3:PutObject",
                    "s3:GetBucketVersioning",
                    "s3:ListBucketVersions",
                    "s3:GetObject",
                    "s3:GetObjectVersion",
                    "s3:DeleteObjectVersion"
                ],
                "Resource": "arn:aws:s3:::*"
            }
        ]
    }


  7. Click Create Policy.

The IAM policy for AWS Auto Scaling and cold standby architectures is now available to be assigned to an IAM role for the CloudGen Firewall.


Step 5. Create IAM Policy for Metered Billing

This IAM policy grants PAYG images with metered billing the permissions needed to report the used traffic to AWS.

  1. Log into the AWS console.
  2. Click Services and select IAM.
  3. In the left menu, click Policies.
  4. Click Create Policy.
  5. Next to Create Your Own Policy, click Select.
  6. Configure the IAM policy:
    • Policy Name – Enter a name for the policy.
    • (optional) Description
    • Policy Document – Copy and paste the following policy:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "aws-marketplace:MeterUsage"
                ],
                "Effect": "Allow",
                "Resource": "*"
            }
        ]
    }


  7. Click Create Policy.

The IAM policy for metered billing is now available to be assigned to an IAM role for the CloudGen Firewall.
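Before pasting any of the policy documents from Steps 1 to 5 into the console, it is worth running an offline review over them. The following script is an added example and not Barracuda tooling: the four policy documents are copied from Steps 1, 2, 3 and 5 above, while the audit rules (accepted policy version, well-formed action names, write-class actions granted on `Resource: "*"`, and ARNs whose region or account field is empty) are this example's own assumptions about what a reviewer wants flagged before a policy is attached to an instance role.

```python
"""Offline audit of CloudGen Firewall IAM policy documents.

Added example, not Barracuda tooling. The policy documents are copied from
Steps 1, 2, 3 and 5 above; the audit rules are this example's assumptions.
"""
import json
import re

# Policy documents copied from the steps above.
ROUTE_SHIFTING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "ec2:AllocateAddress", "ec2:AssociateAddress", "ec2:DescribeAddresses",
            "ec2:DisassociateAddress", "ec2:DescribeInstances", "ec2:DescribeVpcs",
            "ec2:DescribeSubnets", "ec2:DescribeRouteTables", "ec2:DeleteRoute",
            "ec2:CreateRoute", "ec2:DescribeNetworkInterfaces",
        ],
        "Resource": ["*"],
    }],
}
CLOUD_INFORMATION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:DescribeInstances", "ec2:DescribeVpcs",
                   "ec2:DescribeSubnets", "ec2:DescribeRouteTables"],
        "Resource": ["arn:aws:ec2:::*"],
    }],
}
CLOUDWATCH_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
                   "logs:DescribeLogStreams", "logs:DescribeLogGroups"],
        "Resource": ["arn:aws:logs:*:*:*"],
    }],
}
METERED_BILLING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Action": ["aws-marketplace:MeterUsage"],
                   "Effect": "Allow", "Resource": "*"}],
}

ACTION_RE = re.compile(r"^[a-z0-9-]+:[A-Za-z0-9*]+$")
READ_ONLY_PREFIXES = ("Describe", "Get", "List")
# Services whose ARNs have no region (and, for S3, no account) by design.
REGIONLESS_SERVICES = {"s3", "iam"}
ACCOUNTLESS_SERVICES = {"s3"}


def _as_list(value):
    """IAM accepts a single string or object wherever a list is allowed."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def audit_policy(doc):
    """Return review findings (strings) for one IAM policy document."""
    findings = []
    if doc.get("Version") != "2012-10-17":
        findings.append("Version should be 2012-10-17")
    for i, st in enumerate(_as_list(doc.get("Statement"))):
        if st.get("Effect") not in ("Allow", "Deny"):
            findings.append(f"statement {i}: missing or invalid Effect")
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        if not resources:
            findings.append(f"statement {i}: no Resource")
        for action in actions:
            if not ACTION_RE.match(action):
                findings.append(f"statement {i}: malformed action {action!r}")
        # Anything that is not Describe*/Get*/List* is treated as a write action.
        writes = sorted(a for a in actions if ACTION_RE.match(a)
                        and not a.split(":", 1)[1].startswith(READ_ONLY_PREFIXES))
        if writes and resources == ["*"]:
            findings.append(f"statement {i}: write actions on Resource '*' "
                            f"(confirm they need it): {', '.join(writes)}")
        for res in resources:
            parts = res.split(":", 5)
            if res == "*" or len(parts) != 6:
                continue
            service, region, account = parts[2], parts[3], parts[4]
            if ((region == "" and service not in REGIONLESS_SERVICES)
                    or (account == "" and service not in ACCOUNTLESS_SERVICES)):
                findings.append(
                    f"statement {i}: ARN {res!r} has an empty region or account field, "
                    "which only matches ARNs that are empty there; verify it against the "
                    "real resource ARNs and that the actions support resource-level permissions")
    return findings


if __name__ == "__main__":
    for name, doc in [("route shifting", ROUTE_SHIFTING_POLICY),
                      ("cloud information", CLOUD_INFORMATION_POLICY),
                      ("cloudwatch", CLOUDWATCH_POLICY),
                      ("metered billing", METERED_BILLING_POLICY)]:
        print(name, json.dumps(audit_policy(doc), indent=2))
```

A finding is a prompt to look, not proof of a defect: some actions (such as the `MeterUsage` and the EC2 `Describe*` calls) only work with `Resource: "*"`, so the right response to a flagged statement is to confirm that against the service's documentation before narrowing it.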


Step 6. Create the IAM Role

Create the IAM role and assign the IAM policies for all CloudGen Firewall Cloud Integration features used by the firewall instance.

  1. Log into the AWS console.
  2. Click Services and select IAM.
  3. In the left menu, click Roles.
  4. Click Create New Role.
  5. Enter the Role Name.
  6. Click Next Step.
  7. In the AWS Service Roles section, next to Amazon EC2 click Select.
  8. Select the relevant IAM firewall policies for your planned CloudGen Firewall deployment.

    Select the policies only for features that will be used in the deployed firewall instance. You can change the attached IAM policies later if required.


  9. Click Next Step.
  10. Review the settings and click Create Role.

Assign this role to the CloudGen Firewall instance during deployment.
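Step 6 selects "Amazon EC2" as the service role type, which gives the role a trust policy that only the EC2 service principal can assume, and step 8 attaches just the policies for the features the firewall will use. The script below is an added example and not Barracuda tooling: it builds that EC2 trust policy, applies the rule from Step 2 that the route shifting policy already covers the Cloud Information element, and checks a trust policy for principals other than `ec2.amazonaws.com` (an instance role should not be assumable by IAM users or other accounts). The policy names in `FEATURE_POLICIES` and the role name are hypothetical and assumed to be whatever you chose in Steps 1 to 6; the `OVERLY_BROAD_TRUST` document is a constructed counterexample.

```python
"""Assemble and review the CloudGen Firewall instance role from Step 6.

Added example, not Barracuda tooling. Policy names and the role name are
hypothetical; OVERLY_BROAD_TRUST is a constructed document for the check.
"""
import json

# Hypothetical names of the customer-managed policies created in Steps 1 to 5.
FEATURE_POLICIES = {
    "cloud_information": "CGF-CloudInformation",
    "route_shifting": "CGF-RouteShifting",
    "cloudwatch_streaming": "CGF-CloudWatchStreaming",
    "autoscaling": "CGF-AutoScaling",
    "metered_billing": "CGF-MeteredBilling",
}

# Constructed example of a trust policy that must not pass review.
OVERLY_BROAD_TRUST = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"},
        {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
         "Action": "sts:AssumeRole"},
    ],
}


def _as_list(value):
    """IAM accepts a single string wherever a list is allowed."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def ec2_trust_policy():
    """Trust policy of an 'Amazon EC2' service role: only EC2 may assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def required_policies(features):
    """Policy names to attach for the features the firewall will use.

    Route shifting already includes every permission of the Cloud
    Information element, so that policy is dropped when both are requested.
    """
    features = set(features)
    unknown = features - set(FEATURE_POLICIES)
    if unknown:
        raise ValueError(f"unknown feature(s): {sorted(unknown)}")
    if "route_shifting" in features:
        features.discard("cloud_information")
    return sorted(FEATURE_POLICIES[f] for f in features)


def check_trust_policy(doc):
    """Findings for a trust policy that should be assumable only by EC2."""
    findings = []
    for i, st in enumerate(_as_list(doc.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*")
                   for a in _as_list(st.get("Action"))):
            continue
        principal = st.get("Principal")
        if principal == "*":
            findings.append(f"statement {i}: any principal may assume the role")
            continue
        principal = principal or {}
        aws = _as_list(principal.get("AWS"))
        if "*" in aws:
            findings.append(f"statement {i}: any AWS principal may assume the role")
        elif aws:
            findings.append(f"statement {i}: IAM principals {aws} may assume an instance role")
        for svc in _as_list(principal.get("Service")):
            if svc != "ec2.amazonaws.com":
                findings.append(f"statement {i}: unexpected service principal {svc}")
    return findings


def assemble_role(role_name, features):
    """Everything Step 6 needs: role name, trust policy and policies to attach."""
    trust = ec2_trust_policy()
    if check_trust_policy(trust):
        raise RuntimeError("generated trust policy failed its own review")
    return {"RoleName": role_name,
            "AssumeRolePolicyDocument": trust,
            "AttachedPolicies": required_policies(features)}


if __name__ == "__main__":
    role = assemble_role("cgf-instance-role", ["route_shifting", "cloud_information",
                                               "cloudwatch_streaming"])
    print(json.dumps(role, indent=2))
    print(check_trust_policy(OVERLY_BROAD_TRUST))
```

The same `check_trust_policy` can be run against a role's existing trust document when you later change the attached policies (Step 8 notes that this is allowed), so that a widened trust relationship is noticed before the instance role gains more permissions.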