Skip to main content

AWS Permissions for IOMETE's Data Plane


This document provides a comprehensive list of AWS permissions required to run IOMETE's Data Plane Terraform Script.

The permissions encompass the creation and management of various AWS resources, including Amazon EKS clusters, VPC components, S3 buckets, Key Management Service (KMS) keys, and more.


These permissions are essential to enable the user to successfully execute the Terraform script and should be granted by the Security team.


IOMETE only interacts with AWS resources that it creates. It does not modify or delete any resources that it did not create. See #1 for more details.

Resources and Required Permissions


IOMETE creates a dedicated VPC for the resources it creates. This VPC contains the following resources:

  • Subnets
  • NAT
  • LoadBalancer
  • EKS
  • EC2 instances


EKS cluster contains compute resources like: Lakehouse cluster, Spark driver and executers, and system services.

S3 Lakehouse Buckets

IOMETE creates S3 buckets to store lakehouse data and cluster assets. These buckets are encrypted using KMS keys.


EKS Karpenter Module (kubernetes autoscaler) requires access to SQS to create and manage queues.


IOMETE terraform script creates CloudWatch log groups to store logs from the data plane.


Can be disabled

IAM Roles and policies

Terraform creates IAM roles and policies to allow the EKS cluster to access to:

  • Lakehouse S3 buckets and objects
  • To create and manage EC2 resources for EKS Node Groups
  • To create and manage SQS queues for EKS Karpenter Module (kubernetes autoscaler)
  • KMS keys to encrypt S3 buckets

Implementation Notes

Restricting Permissions Using Tags

IOMETE adds the tag "": true to each resource it creates. This tag can be used to restrict permissions to only the resources created by IOMETE. This is a powerful way to ensure that the permissions are restricted to only the necessary resources.

Example Policy

Here's an example policy statement that allows actions on resources only if they have the tag with a value of true:

"Version": "2012-10-17",
"Statement": [
"Effect": "Allow",
"Action": "ec2:DescribeInstances", // Adjust this to your required actions
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:RequestTag/": "true"

You'll need to apply this condition to all relevant actions in the IAM policies that are needed by the IOMETE Terraform script.

Controlling Access Using AWS Organizational Units (OUs) and AWS Organizations


This is the recommended approach for controlling access to IOMETE's Terraform script.

AWS Organizations allows you to consolidate multiple AWS accounts into an organization to achieve centralized management. Within this organization, you can create Organizational Units (OUs) to further segment and categorize accounts. By using OUs, Security teams can exercise more granular control over permissions for users running specific scripts like IOMETE's terraform script.

Here's how you can apply this control:

  1. Create an OU for IOMETE Terraform Users: Group the accounts where the IOMETE terraform script will be run into a dedicated OU. This isolation allows you to apply specific policies without affecting other accounts in the organization.

  2. Define Service Control Policies (SCPs): SCPs allow you to set fine-grained permissions for the accounts within an OU. By defining SCPs, you can restrict the actions that users within the OU can perform.

  3. Utilize Tag-Based Controls: Since IOMETE's terraform script adds the tag "": true to each resource it creates, you can include tag-based conditions in the SCPs. This ensures that the permissions apply only to the resources tagged by IOMETE's script.

Example of SCP with Tag-Based Control

Below is an example of an SCP that restricts actions to only those resources tagged with "": true.

"Version": "2012-10-17",
"Statement": [
"Sid": "IOMETETagBasedControl",
"Effect": "Allow",
"Action": "*",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:RequestTag/": "true"

Note: The exact details and implementation might vary based on the specific requirements and constraints of your organization's security policies.

All permissions required by IOMETE resources

Below are the permissions required by IOMETE's Data Plane. Hence, the user who will create IOMETE data-plane resources in AWS account need to have at least the following access privileges.

Built-in AWS policies

AmazonEC2FullAccessManage Amazon EC2 resources and services, including VPC components and Load Balancers.
AmazonEKSClusterPolicyPerform operations related to creating and managing Amazon EKS clusters.
AmazonS3FullAccessFull access to Amazon S3 for managing Lakehouse buckets.
CloudWatchLogsFullAccessFull access to CloudWatch Logs for managing Data-plane logs.
AmazonEKS_CNI_PolicyPermissions for the Amazon VPC CNI plugin used by Amazon EKS.
AWSServiceRoleForAmazonEKSNodegroupPermissions needed for the EKS Nodegroup service role.


iam:CreateRoleCreate a new IAM role.
iam:TagRoleAdd tags to an existing IAM role.
iam:DeleteOpenIDConnectProviderDelete an OpenID Connect identity provider.
iam:DeleteRoleDelete an existing IAM role.
iam:DeletePolicyDelete an existing IAM policy.
iam:DeleteRolePolicyDelete an attached policy from an IAM role.
iam:DetachRolePolicyDetach a policy from an IAM role.
iam:DeleteInstanceProfileDelete an IAM instance profile.
iam:RemoveRoleFromInstanceProfileRemove a role from an instance profile.
iam:TagOpenIDConnectProviderAdd tags to an OpenID Connect identity provider.
iam:CreateInstanceProfileCreate a new IAM instance profile.
iam:AddRoleToInstanceProfileAttach a role to an instance profile.
iam:TagInstanceProfileAdd tags to an instance profile.
iam:CreateOpenIDConnectProviderCreate a new OpenID Connect identity provider.
iam:PassRolePass a role to an AWS service.
iam:TagPolicyAdd tags to an IAM policy.
iam:CreatePolicyCreate a new IAM policy.
iam:ListAttachedRolePoliciesList policies attached to an IAM role.
iam:AttachRolePolicyAttach a policy to an IAM role.
iam:List*List resources and information within IAM.
iam:Get*Retrieve information about IAM resources.
iam:PutRolePolicyAttach or update a policy to an IAM role.

SQS, Events and KMS

sqs:*Perform all actions on Amazon SQS resources.
events:*Perform all actions on Amazon CloudWatch Events resources.
kms:ListAliasesList the aliases associated with KMS keys.
kms:DeleteAliasDelete an alias associated with a KMS key.
kms:TagResourceAdd tags to a KMS key.
kms:CreateKeyCreate a new KMS key.
kms:CreateAliasCreate an alias for a KMS key.


eks:CreateClusterCreate a new Amazon EKS cluster.
eks:DescribeClusterRetrieve details about an Amazon EKS cluster.
eks:ListClustersList all Amazon EKS clusters in the account.
eks:ListUpdatesList available updates for an Amazon EKS cluster.
eks:UpdateClusterVersionUpdate the Kubernetes version of an EKS cluster.
eks:UpdateClusterConfigUpdate the configuration of an Amazon EKS cluster.
eks:UpdateNodegroupConfigUpdate the configuration of an EKS node group.
eks:CreateNodegroupCreate a new EKS node group within a cluster.
eks:DeleteNodegroupDelete an EKS node group from a cluster.
eks:DescribeNodegroupRetrieve details about an EKS node group.
eks:ListNodegroupsList all EKS node groups within a cluster.
eks:DescribeUpdateRetrieve details about a specific EKS update.
eks:TagResourceAdd tags to an Amazon EKS resource.
eks:UntagResourceRemove tags from an Amazon EKS resource.
eks:ListTagsForResourceList tags for an Amazon EKS resource.
eks:CreateAddonCreate an addon for an Amazon EKS cluster.
eks:DescribeAddonRetrieve details about an addon for an EKS cluster.
eks:DeleteAddonDelete an addon from an EKS cluster.
eks:ListAddonsList addons for an EKS cluster.
eks:UpdateAddonUpdate an addon for an EKS cluster.
eks:DeleteClusterDelete an Amazon EKS cluster.
eks:DescribeAddonVersionsRetrieve details about addon versions for an EKS cluster.

Should you have any further questions or require assistance, please do not hesitate to reach out to the IOMETE support team.