AWS IAM Policies

The Aviatrix Controller in AWS is launched by a CloudFormation script. During the launch time, two IAM roles are created, aviatrix-role-ec2 and aviatrix-role-app. Two associated IAM policies are also created, aviatrix-assume-role-policy and aviatrix-app-policy.

These two roles and their associated policies allow the Controller to use AWS APIs to launch gateway instances, create new route entries and build networks. As more features are added by Aviatrix with each release, the IAM Access Policy may need to be updated to allow the Controller to launch new services.

This document shows you, an Aviatrix user, how to update your AWS IAM policies in the Aviatrix Controller and in AWS.


Please note that both the Aviatrix Controllers and the Aviatrix Gateways need access to the IAM policies.


Please ensure that IAM policies are consistent across all AWS accounts that the Controllers and Gateways are located in.

Auditing and Updating AWS IAM Policies in the Aviatrix Controller

To update your AWS IAM policies from your Aviatrix Controller, log in to the Controller.

  1. Select Accounts > Access Accounts from the lefthand menu.
  2. Select an AWS account and click Audit near to the top of the page. If this account needs an update, text under Account Audit at the top of the page reads “[Account Name] is not using the latest IAM policy.”
  3. If the account is not using the latest IAM policy, click Update Policy. The latest IAM policy will be updated for this account.

Updating IAM Policies in AWS

This section describes how to update IAM policies from your AWS Console.

In AWS, you can update IAM policies by replacing them. Follow these steps to update IAM policies for each AWS account that you set up in the Controller. Start with your primary account (the account you set up during onboarding) and then on to each secondary account if there is any.

  1. Log in to your account on the AWS Console.
  2. Click on the Services dropdown menu in the top left and select IAM.
  3. Click Policies on the left.
  4. On the Policies page, enter “aviatrix-app-policy” in the Search field. Click aviatrix-app-policy in the table.
  5. On the Summary page for aviatrix-app-policy, click Edit policy at the top of the table.
  6. On the Edit aviatrix-app-policy page, select the JSON tab.
  7. Replace the entire text by the latest policy in this link
  8. Click Review policy to make sure there is no syntax error.
  9. Click Save changes to apply the new “aviatrix-app-policy.”
  10. It may take a few minutes for the policy to take effect.