IAM Roles

An IAM role is an IAM (AWS Identity and Access Management) entity that defines a set of permissions for making AWS service requests and manipulating various resources. Roles are required for the capabilities that need the ArcSight Database when you deploy on AWS. Every database node participating in the cluster must have an IAM role so that it can connect to the S3 bucket used as communal storage. For more information, see Understanding Methods for Connecting to AWS S3 Buckets.

Roles are shareable: instead of creating new roles, you can use roles your organization has already created. IAM is not region dependent, so roles can be reused in every region your organization uses.

You will create two roles: one for EKS (Elastic Kubernetes Service) and one for worker nodes, and assign each role specific policies that define its permissions.

Roles, policy names, and corresponding policy ARNs are shown in the following table:

Role          Policy Name                          Policy ARN
EKS           AmazonEKSClusterPolicy               arn:aws:iam::aws:policy/AmazonEKSClusterPolicy
EKS           AmazonEKSServicePolicy               arn:aws:iam::aws:policy/AmazonEKSServicePolicy
Worker Nodes  AmazonEKSWorkerNodePolicy            arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy
Worker Nodes  AmazonEC2ContainerRegistryReadOnly   arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
Worker Nodes  AmazonEKS_CNI_Policy                 arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy

EKS Policies

The EKS role requires the following policies to be granted:

AmazonEKSClusterPolicy
AmazonEKSServicePolicy

For more information, see AWS documentation by signing into your AWS account: https://aws.amazon.com/

Worker Node Policies

For worker nodes in EKS, the following policies must be granted to the worker node role:

AmazonEKSWorkerNodePolicy
AmazonEC2ContainerRegistryReadOnly
AmazonEKS_CNI_Policy

For more information, see AWS documentation by signing into your AWS account: https://aws.amazon.com/
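The following script is an added example, not part of the ArcSight documentation or tooling. It creates the two roles described above with the AWS CLI and attaches exactly the managed policies from the table, then checks that nothing is missing or extra. The role names (ArcSightEKSClusterRole, ArcSightEKSWorkerNodeRole) are placeholders, and the trust policies are an assumption that follows the usual EKS pattern: the cluster role is assumable only by the eks.amazonaws.com service principal, the node role only by ec2.amazonaws.com. Keeping those principals narrow is what stops an unrelated service or account from assuming a role that holds these permissions.

```shell
#!/bin/sh
# Added example (not from the ArcSight documentation): create the EKS and
# worker node roles and attach the managed policies listed in the table.
# Assumptions: role names are placeholders; trust policies follow the standard
# EKS pattern (cluster role trusted by eks.amazonaws.com, node role by
# ec2.amazonaws.com). Set AWS_CMD=echo to dry-run: the commands are printed
# instead of being sent to AWS.

AWS_CMD="${AWS_CMD:-aws}"
EKS_ROLE="${EKS_ROLE:-ArcSightEKSClusterRole}"
NODE_ROLE="${NODE_ROLE:-ArcSightEKSWorkerNodeRole}"

# Managed policy ARNs from the table, one per line.
EKS_POLICIES="arn:aws:iam::aws:policy/AmazonEKSClusterPolicy
arn:aws:iam::aws:policy/AmazonEKSServicePolicy"
NODE_POLICIES="arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy
arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"

# trust_policy SERVICE_PRINCIPAL
# Prints a trust policy that allows only the named AWS service to assume
# the role. No wildcard principal, so nothing else can pick the role up.
trust_policy() {
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"%s"},"Action":"sts:AssumeRole"}]}' "$1"
}

# create_role_with_policies ROLE_NAME SERVICE_PRINCIPAL POLICY_ARNS
# Creates the role with its trust policy, then attaches each policy ARN.
create_role_with_policies() {
  role="$1"; principal="$2"; policies="$3"
  "$AWS_CMD" iam create-role \
    --role-name "$role" \
    --assume-role-policy-document "$(trust_policy "$principal")" || return 1
  for arn in $policies; do
    "$AWS_CMD" iam attach-role-policy --role-name "$role" --policy-arn "$arn" || return 1
  done
}

# verify_attached ROLE_NAME POLICY_ARNS
# Succeeds only if the role carries exactly the expected managed policies:
# a missing policy breaks the cluster, an extra one widens its permissions.
verify_attached() {
  role="$1"; expected="$2"
  actual="$("$AWS_CMD" iam list-attached-role-policies --role-name "$role" \
             --query 'AttachedPolicies[].PolicyArn' --output text | tr '\t' '\n' | sort)"
  [ "$actual" = "$(printf '%s\n' $expected | sort)" ]
}

# Usage: sh create-arcsight-eks-roles.sh apply
# Without the "apply" argument the script only defines the functions above.
if [ "${1:-}" = "apply" ]; then
  create_role_with_policies "$EKS_ROLE" eks.amazonaws.com "$EKS_POLICIES"
  create_role_with_policies "$NODE_ROLE" ec2.amazonaws.com "$NODE_POLICIES"
  verify_attached "$EKS_ROLE" "$EKS_POLICIES" && verify_attached "$NODE_ROLE" "$NODE_POLICIES"
fi
```

Run it once per account rather than per region, since IAM is global; if your organization already has roles with these policies, run only verify_attached against them instead of creating new ones.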

Next Step: Creating the EKS Role