On Demand Cloud Connect - AWS prerequisites

This section discusses the AWS prerequisites for using Evolution Platform Cloud connect.

Here are the prerequisites:

Creating a Dedicated IAM User
Defining User Permissions

Prerequisite 1 : Creating a Dedicated IAM User

AWS IAM (Identity and Access Management) allows you to create technical accounts dedicated to services like Evolution Platform, providing them with controlled access to AWS APIs and the AWS Console.

These accounts are not intended for developers or employees, but rather for automated integrations such as the Evolution Platform.

We strongly recommend creating a dedicated IAM user for Evolution Platform (e.g., evolve-access) to ensure a clear separation between:

IAM accounts for employees within your organization
IAM accounts used by third-party services (so-called "robot" users), like Evolution Platform

This separation helps improve permission management, access tracking, and overall security.

Create an IAM user – AWS Identity and Access Management (IAM) – AWS Docs
Create or manage IAM access keys – AWS Docs

Prerequisite 2 : Defining User Permissions

Once the IAM user dedicated to the Evolution Platform is created (often named "cloudco"), you must assign IAM policies that define what the user is allowed to do in your AWS account.

Recommendations

Grant only the minimum permissions required, avoiding wildcards (*) whenever possible
Document all policies attached to this user
Prefer AWS-managed policies or well-scoped custom policies

IAM Policies – AWS Docs

Minimum required permissions

Below are the minimum IAM permissions a customer must assign to Orange Business :

Accept Hosted Connections
Create and manage Virtual Interfaces (VIF)
Associate VIF with VPC/VGW/DXGW VPC, VGW or *Direct Connect Gateway
Read network configuration

Fonction	Permissions requises
Accept Hosted Connection	directconnect:ConfirmConnection
Create Private/Public VIF	directconnect:Create*VirtualInterface
Associate VIF with VPC/VGW/DXGW	directconnect:AssociateVirtualInterface
Read network configuration	ec2:Describe*

For CloudCo Aws Public

EC2 – Network Gateways discovery & management :

Need IAM Permission	Description
List AWS regions	ec2:DescribeRegions
Check access to a region	ec2:DescribeAvailabilityZones
List VPCs	ec2:DescribeVpcs
List Transit Gateways (TGW)	ec2:DescribeTransitGateways
List VPN Gateways (VGW)	ec2:DescribeVpnGateways
Create a Customer Gateway	ec2:CreateCustomerGateway
Delete a Customer Gateway	ec2:DeleteCustomerGateway
List VPN Connections	ec2:DescribeVpnConnections
Create a VPN Connection	ec2:CreateVpnConnection
Delete a VPN Connection	ec2:DeleteVpnConnection

For CloudCo Aws Private

Required IAM Permissions – AWS Direct Connect :

Requirement	Description	AWS API Action
List Direct Connect connections	List all Direct Connect connections	directconnect:DescribeConnections
Confirm a Hosted Connection	Confirm a hosted connection	directconnect:ConfirmConnection
List Virtual Interfaces (VIFs)	List all Virtual Interfaces (VIFs)	directconnect:DescribeVirtualInterfaces
List Direct Connect locations	List all Direct Connect locations	directconnect:DescribeLocations
List Direct Connect interconnects	List all Direct Connect interconnects	directconnect:DescribeInterconnects
Read Direct Connect tags	Read tags associated with Direct Connect	directconnect:DescribeTags
Create a Private Virtual Interface	Create a private Virtual Interface	directconnect:CreatePrivateVirtualInterface
Create a Transit Virtual Interface	Create a transit Virtual Interface	directconnect:CreateTransitVirtualInterface
Delete a Private Virtual Interface	Delete a private Virtual Interface	directconnect:CreatePrivateVirtualInterface
Delete a Transit Virtual Interface	Delete a transit Virtual Interface	directconnect:CreateTransitVirtualInterface
List Direct Connect Gateways	List all Direct Connect Gateways	directconnect:DescribeDirectConnectGateways

AWS Direct Connect - IAM Permissions Documentation

Direct Connect Permissions

IAM Action	Functional Description
`directconnect:DescribeConnections`	View available Direct Connect connections
`directconnect:ConfirmConnection`	Accept / confirm a connection
`directconnect:DescribeVirtualInterfaces`	List virtual interfaces (VIF)
`directconnect:DescribeLocations`	View available locations
`directconnect:DescribeInterconnects`	View interconnects
`directconnect:DescribeTags`	Read resource tags
`directconnect:CreatePrivateVirtualInterface`	Create Private VIF (VPC)
`directconnect:CreateTransitVirtualInterface`	Create Transit VIF (TGW)
`directconnect:DescribeDirectConnectGateways`	View Direct Connect Gateways
`directconnect:DescribeDirectConnectGatewayAssociations`	View Gateway ↔ VIF associations
`directconnect:TagResource`	Add or modify tags
`directconnect:DeleteVirtualInterface`	Delete a VIF

EC2 Network Permissions

IAM Action	Functional Description
`ec2:DescribeVpnGateways`	View Virtual Private Gateways
`ec2:DescribeRegions`	List AWS regions

Example JSON for IAM Permission Implementation

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowDirectConnectAndNetworkManagement",
      "Effect": "Allow",
      "Action": [
        "directconnect:DescribeConnections",
        "directconnect:ConfirmConnection",
        "directconnect:DescribeVirtualInterfaces",
        "directconnect:DescribeLocations",
        "directconnect:DescribeInterconnects",
        "directconnect:DescribeTags",
        "directconnect:CreatePrivateVirtualInterface",
        "directconnect:CreateTransitVirtualInterface",
        "directconnect:DescribeDirectConnectGateways",
        "ec2:DescribeVpnGateways",
        "ec2:DescribeRegions"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowAccountListRegions",
      "Effect": "Allow",
      "Action": "account:ListRegions",
      "Resource": "arn:aws:account::<ACCOUNT_ID_CLIENT>:account"
    },
    {
      "Sid": "AllowVIFManagementMultiRegion",
      "Effect": "Allow",
      "Action": [
        "directconnect:TagResource",
        "directconnect:DeleteVirtualInterface"
      ],
      "Resource": "arn:aws:directconnect:*:<ACCOUNT_ID_CLIENT>:dxvif/*"
    },
    {
      "Sid": "AllowAllDXGatewayAssociations",
      "Effect": "Allow",
      "Action": "directconnect:DescribeDirectConnectGatewayAssociations",
      "Resource": "*"
    }
  ]
}

Prerequisite 1 : Creating a Dedicated IAM User​

Prerequisite 2 : Defining User Permissions​

Minimum required permissions​

For CloudCo Aws Public​

For CloudCo Aws Private​

AWS Direct Connect - IAM Permissions Documentation​

Direct Connect Permissions​

EC2 Network Permissions​

Example JSON for IAM Permission Implementation​