The cloudformation stack for UTM 9.6 (and also for the latest 9.7 one) grants everything except IAM to the UTMRole (the instance role assumed bythe ec2 instance running the Sophos software).
https://github.com/sophos-iaas/aws-cf-templates/blob/master/utm/9.601/ha_standalone.template#L879
The part in question is:
{ "Effect": "Allow", "NotAction": "iam:*", "Resource": "*" },
It seems highly unlikely that this software requires such a permissive policy. Is there a more restrictive policy that this software can use? As far as I know, the only thing it needs AWS permissions for are the other specified policy blocks: updating cloudformation when you update the software and writing cloudwatch logs. I believe it also needs s3 permissions for backing up state.
Access Advisor says the role has only used these 5 services:Amazon CloudWatch Logs (today)AWS CloudFormation (today)Amazon S3 (today)Amazon EC2 Auto Scaling (long time ago, when the cfn stack was first made)Amazon EC2 (long time ago, when the cfn stack was first made)
Hi Nick Lavrov
Thank you for reaching out to the Community!
I would request you to open a support case and PM me the case number for further investigation.
Thanks,