The user who deploys a Cyral sidecar using a Cyral-provided template must have sufficient AWS permissions to allow the Cyral deployment module to create IAM resources and EC2 resources. During deployment, the IAM role needed for the sidecar instances will be created automatically by the deployment module and attached to EC2 instances.
Note! While you can opt to deploy the sidecar using an AWS account that has more powerful administrator permissions, the more secure approach (and often the only approach allowed by your IT team) is to grant least privilege, which means deploying the sidecar with an account that has the minimum needed permissions.
See the following documents for lists of the required permissions: