@mumoshu
Created March 21, 2018 13:34
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"ssm:CancelCommand",
"ssm:DescribeAssociation",
"ssm:ListCommands",
"ssm:DescribeDocument",
"ec2messages:GetEndpoint",
"ec2messages:AcknowledgeMessage",
"ec2messages:GetMessages",
"ssm:ListInstanceAssociations",
"ssm:ListDocumentsVersions",
"ssm:UpdateAssociationStatus",
"ec2messages:DeleteMessage",
"ssm:DescribeInstanceInformation",
"ssm:UpdateInstanceInformation",
"ec2messages:FailMessage",
"ssm:DescribeDocumentParameters",
"ssm:GetDocument",
"ssm:DescribeAutomationExecutions",
"ssm:ListDocuments",
"ec2messages:SendReply",
"ssm:ListCommandInvocations",
"ssm:ListAssociations",
"ec2:DescribeInstanceStatus",
"ssm:DescribeInstanceProperties"
],
"Resource": "*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"ssm:SendCommand",
"s3:PutAnalyticsConfiguration",
"s3:PutAccelerateConfiguration",
"s3:DeleteObjectVersion",
"s3:ReplicateTags",
"s3:RestoreObject",
"s3:CreateBucket",
"s3:ReplicateObject",
"s3:DeleteBucketWebsite",
"s3:AbortMultipartUpload",
"s3:PutBucketTagging",
"s3:PutLifecycleConfiguration",
"s3:PutObjectTagging",
"s3:DeleteObject",
"s3:DeleteBucket",
"s3:PutBucketVersioning",
"s3:DeleteObjectTagging",
"s3:PutMetricsConfiguration",
"s3:PutReplicationConfiguration",
"s3:PutObjectVersionTagging",
"s3:DeleteObjectVersionTagging",
"s3:PutBucketCORS",
"s3:PutInventoryConfiguration",
"s3:PutObject",
"s3:PutIpConfiguration",
"s3:PutBucketNotification",
"s3:PutBucketWebsite",
"s3:PutBucketRequestPayment",
"s3:PutBucketLogging",
"s3:ReplicateDelete"
],
"Resource": [
"arn:aws:s3:::mybucket",
"arn:aws:s3:::*/*",
"arn:aws:ssm:ap-northeast-1:*:document/*"
]
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": "ssm:StartAutomationExecution",
"Resource": "arn:aws:ssm:::automation-definition/"
},
{
"Sid": "VisualEditor3",
"Effect": "Allow",
"Action": [
"ssm:GetAutomationExecution",
"ssm:StopAutomationExecution"
],
"Resource": "arn:aws:ssm:::automation-execution/"
}
]
}
@mumoshu

mumoshu commented Mar 22, 2018

Permissions for destructive operations such as s3:DeleteBucket and s3:DeleteObject should be removed for auditing purposes.
