
@stevenfeltner
Created March 1, 2022 02:41
Verizon Ocean Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "EC2WithRestrictions",
"Action": [
"ec2:StopInstances",
"ec2:StartInstances",
"ec2:TerminateInstances",
"ec2:DeleteTags",
"ec2:DisassociateAddress",
"ec2:RebootInstances",
"ec2:UnassignPrivateIpAddresses",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:ModifyImageAttribute",
"ec2:ModifyInstanceAttribute",
"ec2:AssociateAddress"
],
"Condition": {
"StringEquals": {
"ec2:ResourceTag/spotinst:aws:ec2:group:createdBy": "spotinst"
}
},
"Effect": "Allow",
"Resource": [
"*"
]
},
{
"Sid": "GeneralSpotInstancesAccess",
"Action": [
"ec2:RequestSpotInstances",
"ec2:CancelSpotInstanceRequests",
"ec2:CreateSpotDatafeedSubscription",
"ec2:Describe*",
"ec2:ConfirmProductInstance",
"ec2:CreateTags",
"ec2:MonitorInstances"
],
"Effect": "Allow",
"Resource": [
"*"
]
},
{
"Sid": "RunInstanceRestriction",
"Action": [
"ec2:RunInstances"
],
"Condition": {
"StringEquals": {
"ec2:RequestTag/spotinst:aws:ec2:group:createdBy": "spotinst"
}
},
"Effect": "Allow",
"Resource": [
"arn:aws:ec2:::instance/*"
]
},
{
"Sid": "AccessELB",
"Action": [
"elasticloadbalancing:Describe*",
"elasticloadbalancing:Deregister*",
"elasticloadbalancing:Register*",
"elasticloadbalancing:RemoveTags",
"elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:EnableAvailabilityZonesForLoadBalancer",
"elasticloadbalancing:DisableAvailabilityZonesForLoadBalancer"
],
"Effect": "Allow",
"Resource": [
"*"
]
},
{
"Sid": "AccessIAM",
"Action": [
"iam:ListInstanceProfiles",
"iam:ListInstanceProfilesForRole",
"iam:ListRoles",
"iam:ListRolePolicies",
"iam:GetInstanceProfile",
"iam:GetRolePolicy"
],
"Effect": "Allow",
"Resource": [
"*"
]
},
{
"Sid": "PassRoleIAM",
"Action": [
"iam:GetRole",
"iam:PassRole"
],
"Effect": "Allow",
"Resource": [
"arn:aws:iam:::role/*rNodeInstanceRole*"
]
},
{
"Sid": "AllowUseOfKeys",
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Effect": "Allow",
"Condition": {
"ForAnyValue:StringLike": {
"kms:ResourceAliases": "alias/*"
}
}
"Resource": [
"arn:aws:kms:::key/f994198b-e513-4598-8c80-9727c6d7a0be"
]
},
{
"Sid": "GrantForSharedKeys",
"Effect": "Allow",
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Condition": {
"ForAnyValue:StringLike": {
"kms:ResourceAliases": "alias/*"
}
}
"Resource": [
"arn:aws:kms:::key/f994198b-e513-4598-8c80-9727c6d7a0be"
]
},
{
"Sid": "AccessEks",
"Action": [
"eks:ListClusters"
],
"Effect": "Allow",
"Resource": [
"*"
]
},
{
"Sid": "AccessAutoScalingGroups",
"Action": [
"autoscaling:Describe*"
],
"Effect": "Allow",
"Resource": [
"*"
]
},
{
"Sid": "SavingsPlan",
"Action": [
"savingsplans:Describe*",
"savingsplans:List*"
],
"Effect": "Allow",
"Resource": [
"*"
]
},
{
"Sid": "Lambda",
"Action": [
"lambda:ListFunctions"
],
"Effect": "Allow",
"Resource": [
"*"
]
}
]
}