Barracuda CloudGen Firewall

How to Create an IAM Role for a CloudGen Firewall in AWS

IAM roles are the preferred method for CloudGen Firewall instances in AWS to authenticate against AWS APIs. For each feature that requires direct access to AWS resources, a customized IAM policy must be created. These policies are then attached to the IAM role assigned to the instance during deployment. It is possible to change the IAM policies attached to the IAM role on the fly. If an Access Key ID and Secret Access Key are configured in AWS cloud integration, they take precedence over the IAM role attached to the instance. In order to use all firewall features, the following IAM security policies must be created and attached to the IAM role:

  • Cloud Information element
  • Route shifting (includes Cloud Information dashboard element)
  • AWS CloudWatch streaming
  • AWS Auto Scaling or cold standby S3 bucket access
  • AWS Marketplace Metered Billing, to allow reporting for volume-based PAYG instances

Step 1. Create IAM Policy for Route Shifting

Create an IAM policy to allow route shifting.

  1. Log into the AWS console.
  2. Click Services and select IAM.
  3. In the left menu, click Policies.
  4. Click Create Policy.
  5. Select the JSON tab and paste the policy.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:AllocateAddress",
                    "ec2:AssociateAddress",
                    "ec2:DescribeAddresses",
                    "ec2:DisassociateAddress",
                    "ec2:DescribeInstances",
                    "ec2:DescribeVpcs",
                    "ec2:DescribeSubnets",
                    "ec2:DescribeRouteTables",
                    "ec2:DeleteRoute",
                    "ec2:CreateRoute",
                    "ec2:DescribeNetworkInterfaces"
                ],
                "Resource": [
                    "*"
                ]
            }
        ]
    }
  6. (Optional) Select the Visual editor tab to visually review the policy.
  7. To verify and save the policy, click Review policy.
  8. Enter the following information for the IAM policy:
    • Policy Name – Enter a name for the policy.
    • (optional) Description

      In some cases, the AWS Visual editor does not accept instructions from the JSON code and displays warning messages. It is recommended to resolve these warnings directly in the Visual editor before saving the IAM policy.

  9. Click Create Policy.

The IAM policy for route shifting is now available to be assigned to an IAM role for the CloudGen Firewall.

Step 2. Create IAM Policy for the Cloud Information Dashboard Element

Create this policy only if you are not using the route shifting IAM policy. The route shifting IAM policy includes all permissions necessary for the Cloud Information element.

  1. Log into the AWS console.
  2. Click Services and select IAM.
  3. In the left menu, click Policies.
  4. Click Create Policy.
  5. Select the JSON tab and paste the policy.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:DescribeInstances",
                    "ec2:DescribeVpcs",
                    "ec2:DescribeSubnets",
                    "ec2:DescribeRouteTables"
                ],
                "Resource": [
                    "arn:aws:ec2:::*"
                ]
            }
        ]
    }
  6. (Optional) Select the Visual editor tab to visually review the policy.
  7. To verify and save the policy, click Review policy.
  8. Enter the following information for the IAM policy:
    • Policy Name – Enter a name for the policy.
    • (optional) Description


      In some cases, the AWS Visual editor does not accept instructions from the JSON code and displays warning messages. It is recommended to resolve these warnings directly in the Visual editor before saving the IAM policy.

  9. Click Create Policy.

The IAM policy for the Cloud Information element is now available to be assigned to an IAM role for the CloudGen Firewall.

Step 3. Create IAM Policy for Log Streaming to AWS CloudWatch

This IAM policy grants the firewall the necessary permissions to stream logs to AWS CloudWatch.

  1. Log into the AWS console.
  2. Click Services and select IAM.
  3. In the left menu, click Policies.
  4. Click Create Policy.
  5. Select the JSON tab and paste the policy.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "logs:CreateLogGroup",
                    "logs:CreateLogStream",
                    "logs:PutLogEvents",
                    "logs:DescribeLogStreams",
                    "logs:DescribeLogGroups"
                ],
                "Resource": [
                    "arn:aws:logs:*:*:*"
                ]
            }
        ]
    }
  6. (Optional) Select the Visual editor tab to visually review the policy.
  7. To verify and save the policy, click Review policy.
  8. Enter the following information for the IAM policy:
    • Policy Name – Enter a name for the policy.
    • (optional) Description


      In some cases, the AWS Visual editor does not accept instructions from the JSON code and displays warning messages. It is recommended to resolve these warnings directly in the Visual editor before saving the IAM policy.

  9. Click Create Policy.

The IAM policy for streaming logs to AWS CloudWatch is now available to be assigned to an IAM role for the CloudGen Firewall.

Step 4. Create IAM Policy for AWS Auto Scaling Group Deployments

This IAM policy grants the necessary permissions for Auto Scaling and cold standby architectures for the CloudGen Firewall.

  1. Log into the AWS console.
  2. Click Services and select IAM.
  3. In the left menu, click Policies.
  4. Click Create Policy.
  5. Select the JSON tab and paste the policy.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:AllocateAddress",
                    "ec2:AssociateAddress",
                    "ec2:DescribeAddresses",
                    "ec2:DisassociateAddress",
                    "ec2:CreateRoute",
                    "ec2:DescribeRouteTables",
                    "ec2:ReplaceRoute",
                    "ec2:DeleteRoute",
                    "ec2:CreateTags",
                    "ec2:DescribeInstances",
                    "ec2:DeleteTags",
                    "ec2:DescribeTags",
                    "ec2:ModifyInstanceAttribute"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "autoscaling:CreateOrUpdateTags",
                    "autoscaling:DeleteTags",
                    "autoscaling:DescribeAutoScalingGroups",
                    "autoscaling:DescribeAutoScalingInstances",
                    "autoscaling:DescribeTags",
                    "autoscaling:SetInstanceProtection"
                ],
                "Resource": "*"
            },
            {
                "Action": [
                    "sqs:CreateQueue",
                    "sqs:DeleteMessage",
                    "sqs:DeleteQueue",
                    "sqs:GetQueueAttributes",
                    "sqs:ReceiveMessage",
                    "sqs:SetQueueAttributes",
                    "sqs:GetQueueUrl"
                ],
                "Effect": "Allow",
                "Resource": "arn:aws:sqs:::*"
            },
            {
                "Action": [
                    "sns:CreateTopic",
                    "sns:Publish",
                    "sns:Subscribe",
                    "sns:Unsubscribe",
                    "sns:ListSubscriptionsByTopic"
                ],
                "Effect": "Allow",
                "Resource": "arn:aws:sns:::*"
            },
            {
                "Action": [
                    "cloudwatch:PutMetricData"
                ],
                "Effect": "Allow",
                "Resource": "*"
            },
            {
                "Action": [
                    "sts:GetCallerIdentity"
                ],
                "Effect": "Allow",
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "s3:CreateBucket",
                    "s3:ListBucket",
                    "s3:PutBucketVersioning",
                    "s3:PutObject",
                    "s3:GetBucketVersioning",
                    "s3:ListBucketVersions",
                    "s3:GetObject",
                    "s3:GetObjectVersion",
                    "s3:DeleteObjectVersion"
                ],
                "Resource": "arn:aws:s3:::*"
            }
        ]
    }
  6. (Optional) Select the Visual editor tab to visually review the policy.
  7. To verify and save the policy, click Review policy.
  8. Enter the following information for the IAM policy:
    • Policy Name – Enter a name for the policy.
    • (optional) Description


      In some cases, the AWS Visual editor does not accept instructions from the JSON code and displays warning messages. It is recommended to resolve these warnings directly in the Visual editor before saving the IAM policy.

  9. Click Create Policy.

The IAM policy for AWS Auto Scaling and cold standby architectures is now available to be assigned to an IAM role for the CloudGen Firewall.

Step 5. Create IAM Policy for Metered Billing

This IAM policy grants the necessary permissions for metered billing PAYG images to be able to report the used traffic to AWS.

  1. Log into the AWS console.
  2. Click Services and select IAM.
  3. In the left menu, click Policies.
  4. Click Create Policy.
  5. Select the JSON tab and paste the policy.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "aws-marketplace:*"
                ],
                "Effect": "Allow",
                "Resource": "*"
            }
        ]
    }

    In some cases, the AWS Visual editor does not accept instructions from the JSON code and displays warning messages. It is recommended to resolve these warnings directly in the Visual editor before saving the IAM policy.

  6. Click Create Policy.

The IAM policy for metered billing is now available to be assigned to an IAM role for the CloudGen Firewall.

Step 6. Create the IAM Role

Create the IAM role and assign the IAM policies for all CloudGen Firewall Cloud Integration features used by the firewall instance.

  1. Log into the AWS console.
  2. Click Services and select IAM.
  3. In the left menu, click Roles.
  4. Click Create role.
  5. In the AWS service section, select EC2 and click Next: Permissions.
    1. Select the relevant IAM firewall policies for your planned CloudGen Firewall deployment.

      Select the policies only for features that will be used in the deployed firewall instance. You can change the attached IAM policies later if required.

  6. Click Next: Tags.
    1. (Optional) Add IAM tags to the role.
  7. Click Next: Review.
    1. Enter a Role name and an optional Role description.
    2. Review the settings.
  8. Click Create Role.

Assign this role to the CloudGen Firewall instance during deployment.
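As an added example (not Barracuda's code and not part of the original article), the Python below embeds the route shifting, Cloud Information and metered billing policies from Steps 1, 2 and 5, together with the EC2 trust policy that the console generates when EC2 is selected in Step 6. It checks the Step 2 claim that the route shifting policy already covers every action the Cloud Information element needs, and flags the service-wide and resource-wide wildcard grants a reviewer should justify before attaching a policy to the role. The helper and function names are the example's own.

```python
import json

# Trust policy the console attaches when "EC2" is chosen as the AWS service in
# Step 6: only EC2 instances may assume the role and obtain its credentials.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

# Policies from Steps 1, 2 and 5, copied from the article but compacted.
ROUTE_SHIFTING = json.loads('{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", '
    '"Action": ["ec2:AllocateAddress", "ec2:AssociateAddress", "ec2:DescribeAddresses", '
    '"ec2:DisassociateAddress", "ec2:DescribeInstances", "ec2:DescribeVpcs", '
    '"ec2:DescribeSubnets", "ec2:DescribeRouteTables", "ec2:DeleteRoute", "ec2:CreateRoute", '
    '"ec2:DescribeNetworkInterfaces"], "Resource": ["*"]}]}')
CLOUD_INFO = json.loads('{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", '
    '"Action": ["ec2:DescribeInstances", "ec2:DescribeVpcs", "ec2:DescribeSubnets", '
    '"ec2:DescribeRouteTables"], "Resource": ["arn:aws:ec2:::*"]}]}')
METERED_BILLING = json.loads('{"Version": "2012-10-17", "Statement": [{"Action": '
    '["aws-marketplace:*"], "Effect": "Allow", "Resource": "*"}]}')

def _as_list(value):
    # IAM allows Action and Resource to be a single string or a list.
    return [value] if isinstance(value, str) else list(value)

def allowed_actions(policy):
    """Set of actions granted by the policy's Allow statements."""
    acts = set()
    for st in policy["Statement"]:
        if st.get("Effect") == "Allow":
            acts.update(_as_list(st["Action"]))
    return acts

def covers(policy, other):
    """True if `policy` grants every action `other` grants. Step 2 says route
    shifting already covers the Cloud Information element; this checks that claim."""
    return allowed_actions(other) <= allowed_actions(policy)

def wildcard_findings(policy):
    """Statements granting a whole service ('svc:*') or every resource ('*'),
    so each broad grant can be justified before the policy is attached in Step 6."""
    findings = []
    for i, st in enumerate(policy["Statement"]):
        if any(a.endswith(":*") for a in _as_list(st["Action"])):
            findings.append((i, "service-wide action wildcard"))
        if "*" in _as_list(st["Resource"]):
            findings.append((i, "Resource is *"))
    return findings

if __name__ == "__main__":
    print(covers(ROUTE_SHIFTING, CLOUD_INFO), wildcard_findings(METERED_BILLING))
```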
