chrislovecnm/kops-admin.json

## kops-admin.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:AttachVolume",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateSecurityGroup",
        "ec2:CreateTags",
        "ec2:CreateVolume",
        "ec2:DeleteKeyPair",
        "ec2:DeleteSecurityGroup",
        "ec2:DeleteTags",
        "ec2:DeleteVolume",
        "ec2:DescribeAddresses",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeDhcpOptions",
        "ec2:DescribeHosts",
        "ec2:DescribeImages",
        "ec2:DescribeImageAttribute",
        "ec2:DescribeInstances",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeNatGateways",
        "ec2:DescribeRegions",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeTags",
        "ec2:DescribeVolumes",
        "ec2:DescribeVpcAttribute",
        "ec2:DescribeVpcs",
        "ec2:DetachVolume",
        "ec2:ImportKeyPair",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:StopInstances",
        "ec2:TerminateInstances"
      ],
      "Resource": [
        "*"
      ],
      "Sid": "kopsAdminEc2"
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticloadbalancing:AddTags",
        "elasticloadbalancing:ApplySec*",
        "elasticloadbalancing:ConfigureHealthCheck",
        "elasticloadbalancing:CreateLoadBalancer",
        "elasticloadbalancing:CreateLoadBalancerListeners",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeTags",
        "elasticloadbalancing:DeleteLoadBalancer",
        "elasticloadbalancing:DescribeLoadBalancerAttributes",
        "elasticloadbalancing:ModifyLoadBalancerAttributes",
        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
        "elasticloadbalancing:RemoveTags",
        "elasticloadbalancing:SetSecurityGroups"
      ],
      "Resource": [
        "*"
      ],
      "Sid": "kopsAdminElb"
    },
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:AttachInstances",
        "autoscaling:AttachLoadBalancers",
        "autoscaling:CreateAutoScalingGroup",
        "autoscaling:CreateLaunchConfiguration",
        "autoscaling:CreateOrUpdateTags",
        "autoscaling:DeleteAutoScalingGroup",
        "autoscaling:DeleteLaunchConfiguration",
        "autoscaling:DeleteTags",
        "autoscaling:Describe*",
        "autoscaling:SetDesiredCapacity",
        "autoscaling:TerminateInstanceInAutoScalingGroup",
        "autoscaling:UpdateAutoScalingGroup"
      ],
      "Resource": [
        "*"
      ],
      "Sid": "kopsAdminAsg"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:AddRoleToInstanceProfile",
        "iam:CreateInstanceProfile",
        "iam:CreateRole",
        "iam:DeleteInstanceProfile",
        "iam:DeleteRole",
        "iam:GetRole",
        "iam:GetRolePolicy",
        "iam:GetInstanceProfile",
        "iam:ListInstanceProfiles",
        "iam:ListRolePolicies",
        "iam:ListRoles",
        "iam:ListInstanceProfiles",
        "iam:PassRole",
        "iam:RemoveRoleFromInstanceProfile",
        "iam:UpdateAssumeRolePolicy"
      ],
      "Resource": [
        "*"
      ],
      "Sid": "kopsAdminIAM"
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey",
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": [
        "*"
      ],
      "Sid": "kopsAdminKMS"
    },
    {
      "Effect": "Allow",
      "Action": [
        "route53:ChangeResourceRecordSets",
        "route53:ListResourceRecordSets",
        "route53:GetHostedZone"
      ],
      "Resource": [
        "arn:aws:route53:::hostedzone/Z151KI3YMRFBLY"
      ],
      "Sid": "kopsK8sRoute53Change"
    },
    {
      "Effect": "Allow",
      "Action": [
        "route53:GetChange"
      ],
      "Resource": [
        "arn:aws:route53:::change/*"
      ],
      "Sid": "kopsK8sRoute53GetChanges"
    },
    {
      "Effect": "Allow",
      "Action": [
        "route53:ListHostedZones"
      ],
      "Resource": [
        "*"
      ],
      "Sid": "kopsK8sRoute53ListZones"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:CreateBucket",
        "s3:DeleteBucket",
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:GetBucketLocation",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::s3://aws.k8spro.com",
        "arn:aws:s3:::s3://aws.k8spro.com/*"
      ],
      "Sid": "kopsAdminStatestoreAccess"
    }
  ]
}
	{
	"Version": "2012-10-17",
	"Statement": [
	{
	"Effect": "Allow",
	"Action": [
	"ec2:AttachVolume",
	"ec2:AuthorizeSecurityGroupEgress",
	"ec2:AuthorizeSecurityGroupIngress",
	"ec2:CreateSecurityGroup",
	"ec2:CreateTags",
	"ec2:CreateVolume",
	"ec2:DeleteKeyPair",
	"ec2:DeleteSecurityGroup",
	"ec2:DeleteTags",
	"ec2:DeleteVolume",
	"ec2:DescribeAddresses",
	"ec2:DescribeAvailabilityZones",
	"ec2:DescribeDhcpOptions",
	"ec2:DescribeHosts",
	"ec2:DescribeImages",
	"ec2:DescribeImageAttribute",
	"ec2:DescribeInstances",
	"ec2:DescribeInternetGateways",
	"ec2:DescribeKeyPairs",
	"ec2:DescribeNatGateways",
	"ec2:DescribeRegions",
	"ec2:DescribeRouteTables",
	"ec2:DescribeSecurityGroups",
	"ec2:DescribeSubnets",
	"ec2:DescribeTags",
	"ec2:DescribeVolumes",
	"ec2:DescribeVpcAttribute",
	"ec2:DescribeVpcs",
	"ec2:DetachVolume",
	"ec2:ImportKeyPair",
	"ec2:RevokeSecurityGroupEgress",
	"ec2:RevokeSecurityGroupIngress",
	"ec2:StopInstances",
	"ec2:TerminateInstances"
	],
	"Resource": [
	"*"
	],
	"Sid": "kopsAdminEc2"
	},
	{
	"Effect": "Allow",
	"Action": [
	"elasticloadbalancing:AddTags",
	"elasticloadbalancing:ApplySec*",
	"elasticloadbalancing:ConfigureHealthCheck",
	"elasticloadbalancing:CreateLoadBalancer",
	"elasticloadbalancing:CreateLoadBalancerListeners",
	"elasticloadbalancing:DescribeLoadBalancers",
	"elasticloadbalancing:DescribeTags",
	"elasticloadbalancing:DeleteLoadBalancer",
	"elasticloadbalancing:DescribeLoadBalancerAttributes",
	"elasticloadbalancing:ModifyLoadBalancerAttributes",
	"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
	"elasticloadbalancing:RemoveTags",
	"elasticloadbalancing:SetSecurityGroups"
	],
	"Resource": [
	"*"
	],
	"Sid": "kopsAdminElb"
	},
	{
	"Effect": "Allow",
	"Action": [
	"autoscaling:AttachInstances",
	"autoscaling:AttachLoadBalancers",
	"autoscaling:CreateAutoScalingGroup",
	"autoscaling:CreateLaunchConfiguration",
	"autoscaling:CreateOrUpdateTags",
	"autoscaling:DeleteAutoScalingGroup",
	"autoscaling:DeleteLaunchConfiguration",
	"autoscaling:DeleteTags",
	"autoscaling:Describe*",
	"autoscaling:SetDesiredCapacity",
	"autoscaling:TerminateInstanceInAutoScalingGroup",
	"autoscaling:UpdateAutoScalingGroup"
	],
	"Resource": [
	"*"
	],
	"Sid": "kopsAdminAsg"
	},
	{
	"Effect": "Allow",
	"Action": [
	"iam:AddRoleToInstanceProfile",
	"iam:CreateInstanceProfile",
	"iam:CreateRole",
	"iam:DeleteInstanceProfile",
	"iam:DeleteRole",
	"iam:GetRole",
	"iam:GetRolePolicy",
	"iam:GetInstanceProfile",
	"iam:ListInstanceProfiles",
	"iam:ListRolePolicies",
	"iam:ListRoles",
	"iam:ListInstanceProfiles",
	"iam:PassRole",
	"iam:RemoveRoleFromInstanceProfile",
	"iam:UpdateAssumeRolePolicy"
	],
	"Resource": [
	"*"
	],
	"Sid": "kopsAdminIAM"
	},
	{
	"Effect": "Allow",
	"Action": [
	"kms:Encrypt",
	"kms:Decrypt",
	"kms:ReEncrypt*",
	"kms:GenerateDataKey*",
	"kms:DescribeKey",
	"kms:CreateGrant",
	"kms:ListGrants",
	"kms:RevokeGrant"
	],
	"Resource": [
	"*"
	],
	"Sid": "kopsAdminKMS"
	},
	{
	"Effect": "Allow",
	"Action": [
	"route53:ChangeResourceRecordSets",
	"route53:ListResourceRecordSets",
	"route53:GetHostedZone"
	],
	"Resource": [
	"arn:aws:route53:::hostedzone/Z151KI3YMRFBLY"
	],
	"Sid": "kopsK8sRoute53Change"
	},
	{
	"Effect": "Allow",
	"Action": [
	"route53:GetChange"
	],
	"Resource": [
	"arn:aws:route53:::change/*"
	],
	"Sid": "kopsK8sRoute53GetChanges"
	},
	{
	"Effect": "Allow",
	"Action": [
	"route53:ListHostedZones"
	],
	"Resource": [
	"*"
	],
	"Sid": "kopsK8sRoute53ListZones"
	},
	{
	"Effect": "Allow",
	"Action": [
	"s3:PutObject",
	"s3:CreateBucket",
	"s3:DeleteBucket",
	"s3:DeleteObject",
	"s3:GetObject",
	"s3:GetBucketLocation",
	"s3:ListBucket"
	],
	"Resource": [
	"arn:aws:s3:::s3://aws.k8spro.com",
	"arn:aws:s3:::s3://aws.k8spro.com/*"
	],
	"Sid": "kopsAdminStatestoreAccess"
	}
	]
	}