Skip to main content
Version: v4.5

Install a sidecar with CloudFormation

Provide AWS permissions

The user who deploys a Cyral sidecar using the Cloudformation template must have sufficient AWS permissions to allow the Cyral Cloudformation module to create IAM resources and EC2 resources. During deployment, the IAM role needed for the sidecar instances will be created automatically by the Cloudformation module and attached to EC2 instances.

caution

While you can opt to deploy the sidecar using an AWS account that has more powerful administrator permissions, the more secure approach (and often the only approach allowed by your IT team) is to grant least privilege, which means deploying the sidecar with an account that has the minimum needed permissions.

Below, in Cyral AWS sample policy elements for Cloudformation deployment, we list the required permissions, expressed in the AWS IAM JSON policy format. For details on this format, see the AWS policy elements reference.

To use the AWS policy elements we provide, follow these steps:

  1. Create or edit your AWS IAM Policy, and paste the elements from one of the sample policies in the sample policy elements list. Use the simplified policy if you're comfortable with the set of actions it allows. Otherwise, use the granular policy.

  2. Edit the policy, replacing ${ACCOUNT_NUMBER} with the account number of the AWS account where the user will deploy the sidecar, or with *.

    To choose between using an account number and using *, consider how your AWS accounts are organized. A common guideline is to use your account number if your workloads run on multiple AWS accounts but rely on a single point for access control. In this case, by using the account number, you ensure that the user who deploys the sidecar only gains access to the account where the sidecar is deployed.

  3. Associate the finished policy (directly or using a group) with the user who will perform the sidecar deployment.

Deploy the sidecar

The Cyral sidecar is typically installed in the same VPC as your data repository. Deploy the sidecar as shown here:

  1. In the Cyral management console, navigate to the Sidecars tab and click the plus sign.

  2. Follow the instructions titled Deploying sidecar to AWS EC2 using CloudFormation.



    warning

    In the template, the access key and registry key variables are assigned automatically by the Cyral template generator. Cyral uses these key values to access the Cyral control plane and Cyral container registry, respectively. These values are private keys, so you should not upload them to any source control or non-private storage. If you keep your access key and registry key values in secure storage, then you must restore these values in your template each time you deploy. When you do so, double-check that these values match the current values for your environment. Incorrect values will prevent communication between the sidecar and the Cyral management console or even prevent the sidecar from being deployed.

Once your sidecar has been deployed, its name is shown in the Sidecars tab.

Next, you should bind at least one repository to your sidecar, and Cyral recommends adding a domain alias for your sidecar.

Sample policy elements for deployment

To deploy a Cyral sidecar using Cloudformation, you must have the AWS permissions listed below. See the earlier section, Provide AWS permissions for sidecar deployment, for instructions.

The permissions are expressed here as policy elements in the AWS IAM JSON policy format. For details on this format, see the AWS policy elements reference.

Simplified policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "autoscaling:*",
                "cloudformation:*",
                "ec2:*",
                "elasticloadbalancing:*",
                "iam:*",
                "logs:*",
                "sns:*",
                "secretsmanager:*",
                "ssm:*",
                "sts:*",
                "s3:*"
            ],
            "Resource": "*"
        }
    ]
}

Granular policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "autoscaling:CreateAutoScalingGroup",
                "autoscaling:CreateLaunchConfiguration",
                "autoscaling:DeleteAutoScalingGroup",
                "autoscaling:DeleteLaunchConfiguration",
                "autoscaling:Describe*",
                "autoscaling:PutLifecycleHook",
                "autoscaling:UpdateAutoScalingGroup",
                "cloudformation:DescribeStack*",
                "cloudformation:CancelUpdateStack",
                "cloudformation:ContinueUpdateRollback",
                "cloudformation:Create*",
                "cloudformation:GetTemplateSummary",
                "cloudformation:DeleteChangeSet",
                "cloudformation:DeleteStack",
                "cloudformation:DeleteStackInstances",
                "cloudformation:Describe*",
                "cloudformation:List*",
                "cloudformation:SignalResource",
                "cloudformation:UpdateStack",
                "cloudformation:UpdateStackInstances",
                "cloudformation:UpdateTerminationProtection",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateSecurityGroup",
                "ec2:createTags",
                "ec2:DeleteSecurityGroup",
                "ec2:Describe*",
                "ec2:RevokeSecurityGroupEgress",
                "elasticloadbalancing:CreateListener",
                "elasticloadbalancing:CreateLoadBalancer",
                "elasticloadbalancing:CreateTargetGroup",
                "elasticloadbalancing:DeleteListener",
                "elasticloadbalancing:DeleteLoadBalancer",
                "elasticloadbalancing:DeleteTargetGroup",
                "elasticloadbalancing:Describe*",
                "elasticloadbalancing:ModifyLoadBalancerAttributes",
                "elasticloadbalancing:ModifyTargetGroup",
                "elasticloadbalancing:ModifyTargetGroupAttributes",
                "iam:AddRoleToInstanceProfile",
                "iam:AttachRolePolicy",
                "iam:CreateInstanceProfile",
                "iam:CreatePolicy",
                "iam:CreateRole",
                "iam:DeleteInstanceProfile",
                "iam:DeletePolicy",
                "iam:DeleteRole",
                "iam:DetachRolePolicy",
                "iam:DeleteRolePolicy",
                "iam:GetInstanceProfile",
                "iam:GetPolicy",
                "iam:GetPolicyVersion",
                "iam:GetRole",
                "iam:ListAttachedRolePolicies",
                "iam:ListInstanceProfilesForRole",
                "iam:ListPolicyVersions",
                "iam:ListRoles",
                "iam:PassRole",
                "iam:PutRolePolicy",
                "iam:RemoveRoleFromInstanceProfile",
                "logs:CreateLogGroup",
                "logs:DeleteLogGroup",
                "logs:DescribeLogGroups",
                "logs:ListTagsLogGroup",
                "logs:PutRetentionPolicy",
                "sns:GetTopicAttributes",
                "sns:ListTopics",
                "secretsmanager:CreateSecret",
                "secretsmanager:DeleteSecret",
                "secretsmanager:Describe*",
                "secretsmanager:GetResourcePolicy",
                "secretsmanager:GetSecretValue",
                "secretsmanager:Put*",
                "secretsmanager:TagResource",
                "secretsmanager:UpdateSecret",
                "ssm:GetParameters",
                "sts:GetCallerIdentity",
                "s3:CreateBucket",
                "s3:PutObject",
                "s3:GetObject"
            ],
            "Resource": "*"
        }
    ]
}