Skip to content

Instantly share code, notes, and snippets.

@einyx

einyx/gist:40b1d57c9f2e74dff4ae155f3153ca6f

Created October 27, 2019 07:54
Show Gist options
  • Save einyx/40b1d57c9f2e74dff4ae155f3153ca6f to your computer and use it in GitHub Desktop.
Save einyx/40b1d57c9f2e74dff4ae155f3153ca6f to your computer and use it in GitHub Desktop.
Download ZIP
packer policy
Raw
gistfile1.txt
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "NonResourceBasedReadOnlyPermissions",
"Action": [
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSnapshots",
"ec2:DescribeImages",
"ec2:DescribeVolumes",
"ec2:DescribeInstances"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Sid": "NonResourceBasedWritePermissions",
"Action": [
"ec2:CopyImage",
"ec2:CreateImage",
"ec2:CreateKeyPair",
"ec2:CreateSecurityGroup",
"ec2:CreateSnapshot",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:DeleteKeypair",
"ec2:DeleteSnapshot",
"ec2:ModifyImageAttribute",
"ec2:ModifyInstanceAttribute",
"ec2:RegisterImage"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Sid": "IAMPassroleToInstance",
"Action": [
"iam:PassRole"
],
"Effect": "Allow",
"Resource": "arn:aws:iam::<ACCID>:role/<ROLE>"
},
{
"Sid": "AllowInstanceActions",
"Effect": "Allow",
"Action": [
"ec2:AttachVolume",
"ec2:DetachVolume",
"ec2:StopInstances",
"ec2:TerminateInstances"
],
"Resource": "arn:aws:ec2:<REGION>:<ACCID>:instance/*",
"Condition": {
"StringEquals": {
"ec2:InstanceProfile": "arn:aws:iam::<ACCID>:instance-profile/<ROLE>"
}
}
},
{
"Sid": "EC2RunInstances",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": "arn:aws:ec2:<REGION>:<ACCID>:instance/*",
"Condition": {
"StringEquals": {
"ec2:InstanceProfile": "arn:aws:iam::<ACCID>:instance-profile/<ROLE>"
}
}
},
{
"Sid": "EC2LimitSize",
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": "arn:aws:ec2:<REGION>:<ACCID>:instance/*",
"Condition": {
"ForAnyValue:StringNotLike": {
"ec2:InstanceType": [
"*.nano",
"*.small",
"*.micro"
]
}
}
},
{
"Sid": "EC2RunInstancesSubnet",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": "arn:aws:ec2:<REGION>:<ACCID>:subnet/*",
"Condition": {
"StringEquals": {
"ec2:Vpc": "arn:aws:ec2:<REGION>:<ACCID>:vpc/_VPC_ID_"
}
}
},
{
"Sid": "RemainingRunInstancePermissions",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:<REGION>:<ACCID>:volume/*",
"arn:aws:ec2:<REGION>::image/*",
"arn:aws:ec2:<REGION>::snapshot/*",
"arn:aws:ec2:<REGION>:<ACCID>:network-interface/*",
"arn:aws:ec2:<REGION>:<ACCID>:key-pair/*",
"arn:aws:ec2:<REGION>:<ACCID>:security-group/*",
"arn:aws:ec2:<REGION>:<ACCID>:subnet/*"
]
},
{
"Sid": "EC2VpcNonresourceSpecificActions",
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupIngress",
"ec2:DescribeSecurityGroups",
"ec2:DeleteSecurityGroup"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"ec2:Vpc": "arn:aws:ec2:<REGION>:<ACCID>:vpc/_VPC_ID_"
}
}
}
]
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment