{ | |
"Version": "2012-10-17", | |
"Statement": [ | |
{ | |
"Effect": "Allow", | |
"Principal": { | |
"AWS": "arn:aws:iam::922761411349:root" | |
}, | |
"Action": "sts:AssumeRole", | |
"Condition": { | |
"StringEquals": { | |
"sts:ExternalId": "Q5Pj-XOD40CVN6dS9-ei6SDYzz0XwQeuC-VdLy2YwUw-" | |
} | |
} | |
} | |
] | |
} |
{ | |
"Version": "2012-10-17", | |
"Statement": [ | |
{ | |
"Sid": "ec2withRestrictions", | |
"Effect": "Allow", | |
"Action": [ | |
"ec2:AttachVolume", | |
"ec2:DeleteTags", | |
"ec2:RebootInstances", | |
"ec2:StartInstances", | |
"ec2:StopInstances", | |
"ec2:TerminateInstances", | |
"ec2:DeregisterImage", | |
"ec2:DeleteSnapshot", | |
"ec2:DeleteVolume" | |
], | |
"Condition": { | |
"StringEquals": { | |
"ec2:ResourceTag/spotinst:aws:ec2:group:createdBy": "spotinst" | |
} | |
}, | |
"Resource": [ | |
"*" | |
] | |
}, | |
{ | |
"Sid": "GeneralSpotInstancesAccess", | |
"Action": [ | |
"ec2:RequestSpotInstances", | |
"ec2:CancelSpotInstanceRequests", | |
"ec2:CreateSpotDatafeedSubscription", | |
"ec2:DescribeAccountAttributes", | |
"ec2:DescribeAddresses", | |
"ec2:DescribeAvailabilityZones", | |
"ec2:DescribeBundleTasks", | |
"ec2:DescribeConversionTasks", | |
"ec2:DescribeCustomerGateways", | |
"ec2:DescribeDhcpOptions", | |
"ec2:DescribeExportTasks", | |
"ec2:DescribeHosts", | |
"ec2:DescribeIdentityIdFormat", | |
"ec2:DescribeIdFormat", | |
"ec2:DescribeImageAttribute", | |
"ec2:DescribeImages", | |
"ec2:DescribeImportImageTasks", | |
"ec2:DescribeImportSnapshotTasks", | |
"ec2:DescribeInstanceAttribute", | |
"ec2:DescribeInstances", | |
"ec2:DescribeInstanceStatus", | |
"ec2:DescribeInternetGateways", | |
"ec2:DescribeFlowLogs", | |
"ec2:DescribeKeyPairs", | |
"ec2:DescribeMovingAddresses", | |
"ec2:DescribeNatGateways", | |
"ec2:DescribeNetworkAcls", | |
"ec2:DescribeNetworkInterfaceAttribute", | |
"ec2:DescribeNetworkInterfaces", | |
"ec2:DescribePlacementGroups", | |
"ec2:DescribePrefixLists", | |
"ec2:DescribeRegions", | |
"ec2:DescribeReservedInstances", | |
"ec2:DescribeReservedInstancesListings", | |
"ec2:DescribeReservedInstancesModifications", | |
"ec2:DescribeReservedInstancesOfferings", | |
"ec2:DescribeRouteTables", | |
"ec2:DescribeScheduledInstanceAvailability", | |
"ec2:DescribeScheduledInstances", | |
"ec2:DescribeSecurityGroupReferences", | |
"ec2:DescribeSecurityGroups", | |
"ec2:DescribeStaleSecurityGroups", | |
"ec2:DescribeSnapshotAttribute", | |
"ec2:DescribeSnapshots", | |
"ec2:DescribeSpotDatafeedSubscription", | |
"ec2:DescribeSpotFleetInstances", | |
"ec2:DescribeSpotFleetRequestHistory", | |
"ec2:DescribeSpotFleetRequests", | |
"ec2:DescribeSpotInstanceRequests", | |
"ec2:DescribeSpotPriceHistory", | |
"ec2:DescribeSubnets", | |
"ec2:DescribeTags", | |
"ec2:DescribeVolumeAttribute", | |
"ec2:DescribeVolumes", | |
"ec2:DescribeVolumeStatus", | |
"ec2:DescribeVpcAttribute", | |
"ec2:DescribeVpcEndpoints", | |
"ec2:DescribeVpcEndpointServices", | |
"ec2:DescribeVpcPeeringConnections", | |
"ec2:DescribeVpcs", | |
"ec2:DescribeVpnConnections", | |
"ec2:DescribeVpnGateways", | |
"ec2:DescribeLaunchTemplates", | |
"ec2:DescribeLaunchTemplateVersions", | |
"ec2:AssociateAddress", | |
"ec2:RunInstances", | |
"ec2:CreateTags", | |
"ec2:ConfirmProductInstance", | |
"ec2:CopyImage", | |
"ec2:CopySnapshot", | |
"ec2:CreateImage", | |
"ec2:CreateSnapshot", | |
"ec2:CreateVolume", | |
"ec2:DisassociateAddress", | |
"ec2:ModifyImageAttribute", | |
"ec2:ModifyInstanceAttribute", | |
"ec2:MonitorInstances", | |
"ec2:RegisterImage", | |
"ec2:UnassignPrivateIpAddresses", | |
"ec2:ModifyNetworkInterfaceAttribute" | |
], | |
"Effect": "Allow", | |
"Resource": [ | |
"*" | |
] | |
}, | |
{ | |
"Sid": "AccessELB", | |
"Action": [ | |
"elasticloadbalancing:DescribeInstanceHealth", | |
"elasticloadbalancing:DescribeListeners", | |
"elasticloadbalancing:DescribeLoadBalancerAttributes", | |
"elasticloadbalancing:DescribeLoadBalancerPolicyTypes", | |
"elasticloadbalancing:DescribeLoadBalancerPolicies", | |
"elasticloadbalancing:DescribeLoadBalancers", | |
"elasticloadbalancing:DescribeRules", | |
"elasticloadbalancing:DescribeSSLPolicies", | |
"elasticloadbalancing:DescribeTags", | |
"elasticloadbalancing:DescribeTargetGroupAttributes", | |
"elasticloadbalancing:DescribeTargetGroups", | |
"elasticloadbalancing:DescribeTargetHealth", | |
"elasticloadbalancing:DeregisterInstancesFromLoadBalancer", | |
"elasticloadbalancing:DeregisterTargets", | |
"elasticloadbalancing:RegisterTargets", | |
"elasticloadbalancing:RegisterInstancesWithLoadBalancer", | |
"elasticloadbalancing:RegisterTargets", | |
"elasticloadbalancing:EnableAvailabilityZonesForLoadBalancer", | |
"elasticloadbalancing:DisableAvailabilityZonesForLoadBalancer", | |
"elasticloadbalancing:DescribeTags", | |
"elasticloadbalancing:CreateTargetGroup", | |
"elasticloadbalancing:ModifyRule", | |
"elasticloadbalancing:AddTags", | |
"elasticloadbalancing:ModifyTargetGroupAttributes", | |
"elasticloadbalancing:ModifyTargetGroup", | |
"elasticloadbalancing:ModifyListener" | |
], | |
"Effect": "Allow", | |
"Resource": [ | |
"*" | |
] | |
}, | |
{ | |
"Sid": "AccessCloudWatch", | |
"Action": [ | |
"cloudwatch:DescribeAlarmHistory", | |
"cloudwatch:DescribeAlarms", | |
"cloudwatch:DescribeAlarmsForMetric", | |
"cloudwatch:GetMetricStatistics", | |
"cloudwatch:ListMetrics", | |
"cloudwatch:PutMetricData", | |
"cloudwatch:PutMetricAlarm" | |
], | |
"Effect": "Allow", | |
"Resource": [ | |
"*" | |
] | |
}, | |
{ | |
"Sid": "AccessIAM", | |
"Action": [ | |
"iam:ListInstanceProfiles", | |
"iam:ListInstanceProfilesForRole", | |
"iam:ListRoles", | |
"iam:GetInstanceProfile", | |
"iam:GetRolePolicy", | |
"iam:ListRolePolicies", | |
"iam:PassRole" | |
], | |
"Effect": "Allow", | |
"Resource": [ | |
"*" | |
] | |
}, | |
{ | |
"Sid": "AccessAutoScalingGroups", | |
"Action": [ | |
"autoscaling:DescribeAccountLimits", | |
"autoscaling:DescribeAdjustmentTypes", | |
"autoscaling:DescribeAutoScalingGroups", | |
"autoscaling:DescribeAutoScalingInstances", | |
"autoscaling:DescribeAutoScalingNotificationTypes", | |
"autoscaling:DescribeLaunchConfigurations", | |
"autoscaling:DescribeLifecycleHooks", | |
"autoscaling:DescribeLifecycleHookTypes", | |
"autoscaling:DescribeLoadBalancers", | |
"autoscaling:DescribeLoadBalancerTargetGroups", | |
"autoscaling:DescribeMetricCollectionTypes", | |
"autoscaling:DescribeNotificationConfigurations", | |
"autoscaling:DescribePolicies", | |
"autoscaling:DescribeScalingActivities", | |
"autoscaling:DescribeScalingProcessTypes", | |
"autoscaling:DescribeScheduledActions", | |
"autoscaling:DescribeTags", | |
"autoscaling:DescribeTerminationPolicyTypes", | |
], | |
"Effect": "Allow", | |
"Resource": [ | |
"*" | |
] | |
}, | |
{ | |
"Sid": "SavingsPlan", | |
"Action": [ | |
"savingsplans:DescribeSavingsPlanRates", | |
"savingsplans:DescribeSavingsPlans", | |
"savingsplans:DescribeSavingsPlansOfferingRates", | |
"savingsplans:DescribeSavingsPlansOfferings", | |
"savingsplans:ListTagsForResource" | |
], | |
"Effect": "Allow", | |
"Resource": [ | |
"*" | |
] | |
}, | |
{ | |
"Sid": "Lambda", | |
"Action": [ | |
"lambda:ListFunctions" | |
], | |
"Effect": "Allow", | |
"Resource": [ | |
"*" | |
] | |
}, | |
{ | |
"Effect": "Allow", | |
"Action": [ | |
"kms:Encrypt", | |
"kms:Decrypt", | |
"kms:ReEncrypt*", | |
"kms:GenerateDataKey*", | |
"kms:DescribeKey" | |
], | |
"Condition": { | |
"ForAnyValue:StringLike": { | |
"kms:ResourceAliases": "{{ key_alias }}" | |
} | |
}, | |
"Resource": [ | |
"arn:aws:kms:{{ region }}:{{ account_id }}:key/*" | |
] | |
} | |
] | |
} |
{ | |
"Version": "2012-10-17", | |
"Statement": [ | |
{ | |
"Sid": "ec2withRestrictions", | |
"Effect": "Allow", | |
"Action": [ | |
"ec2:AttachVolume", | |
"ec2:DeleteTags", | |
"ec2:RebootInstances", | |
"ec2:StartInstances", | |
"ec2:StopInstances", | |
"ec2:TerminateInstances", | |
"ec2:DeregisterImage", | |
"ec2:DeleteSnapshot", | |
"ec2:DeleteVolume" | |
], | |
"Condition": { | |
"StringEquals": { | |
"ec2:ResourceTag/spotinst:aws:ec2:group:createdBy": "spotinst" | |
} | |
}, | |
"Resource": [ | |
"*" | |
] | |
}, | |
{ | |
"Sid": "GeneralSpotInstancesAccess", | |
"Action": [ | |
"ec2:RequestSpotInstances", | |
"ec2:CancelSpotInstanceRequests", | |
"ec2:CreateSpotDatafeedSubscription", | |
"ec2:DescribeAccountAttributes", | |
"ec2:DescribeAddresses", | |
"ec2:DescribeAvailabilityZones", | |
"ec2:DescribeBundleTasks", | |
"ec2:DescribeConversionTasks", | |
"ec2:DescribeCustomerGateways", | |
"ec2:DescribeDhcpOptions", | |
"ec2:DescribeExportTasks", | |
"ec2:DescribeHosts", | |
"ec2:DescribeIdentityIdFormat", | |
"ec2:DescribeIdFormat", | |
"ec2:DescribeImageAttribute", | |
"ec2:DescribeImages", | |
"ec2:DescribeImportImageTasks", | |
"ec2:DescribeImportSnapshotTasks", | |
"ec2:DescribeInstanceAttribute", | |
"ec2:DescribeInstances", | |
"ec2:DescribeInstanceStatus", | |
"ec2:DescribeInternetGateways", | |
"ec2:DescribeFlowLogs", | |
"ec2:DescribeKeyPairs", | |
"ec2:DescribeMovingAddresses", | |
"ec2:DescribeNatGateways", | |
"ec2:DescribeNetworkAcls", | |
"ec2:DescribeNetworkInterfaceAttribute", | |
"ec2:DescribeNetworkInterfaces", | |
"ec2:DescribePlacementGroups", | |
"ec2:DescribePrefixLists", | |
"ec2:DescribeRegions", | |
"ec2:DescribeReservedInstances", | |
"ec2:DescribeReservedInstancesListings", | |
"ec2:DescribeReservedInstancesModifications", | |
"ec2:DescribeReservedInstancesOfferings", | |
"ec2:DescribeRouteTables", | |
"ec2:DescribeScheduledInstanceAvailability", | |
"ec2:DescribeScheduledInstances", | |
"ec2:DescribeSecurityGroupReferences", | |
"ec2:DescribeSecurityGroups", | |
"ec2:DescribeStaleSecurityGroups", | |
"ec2:DescribeSnapshotAttribute", | |
"ec2:DescribeSnapshots", | |
"ec2:DescribeSpotDatafeedSubscription", | |
"ec2:DescribeSpotFleetInstances", | |
"ec2:DescribeSpotFleetRequestHistory", | |
"ec2:DescribeSpotFleetRequests", | |
"ec2:DescribeSpotInstanceRequests", | |
"ec2:DescribeSpotPriceHistory", | |
"ec2:DescribeSubnets", | |
"ec2:DescribeTags", | |
"ec2:DescribeVolumeAttribute", | |
"ec2:DescribeVolumes", | |
"ec2:DescribeVolumeStatus", | |
"ec2:DescribeVpcAttribute", | |
"ec2:DescribeVpcEndpoints", | |
"ec2:DescribeVpcEndpointServices", | |
"ec2:DescribeVpcPeeringConnections", | |
"ec2:DescribeVpcs", | |
"ec2:DescribeVpnConnections", | |
"ec2:DescribeVpnGateways", | |
"ec2:DescribeLaunchTemplates", | |
"ec2:DescribeLaunchTemplateVersions", | |
"ec2:AssociateAddress", | |
"ec2:RunInstances", | |
"ec2:CreateTags", | |
"ec2:ConfirmProductInstance", | |
"ec2:CopyImage", | |
"ec2:CopySnapshot", | |
"ec2:CreateImage", | |
"ec2:CreateSnapshot", | |
"ec2:CreateVolume", | |
"ec2:DisassociateAddress", | |
"ec2:ModifyImageAttribute", | |
"ec2:ModifyInstanceAttribute", | |
"ec2:MonitorInstances", | |
"ec2:RegisterImage", | |
"ec2:UnassignPrivateIpAddresses", | |
"ec2:ModifyNetworkInterfaceAttribute" | |
], | |
"Effect": "Allow", | |
"Resource": [ | |
"*" | |
] | |
}, | |
{ | |
"Sid": "AccessELB", | |
"Action": [ | |
"elasticloadbalancing:DescribeInstanceHealth", | |
"elasticloadbalancing:DescribeListeners", | |
"elasticloadbalancing:DescribeLoadBalancerAttributes", | |
"elasticloadbalancing:DescribeLoadBalancerPolicyTypes", | |
"elasticloadbalancing:DescribeLoadBalancerPolicies", | |
"elasticloadbalancing:DescribeLoadBalancers", | |
"elasticloadbalancing:DescribeRules", | |
"elasticloadbalancing:DescribeSSLPolicies", | |
"elasticloadbalancing:DescribeTags", | |
"elasticloadbalancing:DescribeTargetGroupAttributes", | |
"elasticloadbalancing:DescribeTargetGroups", | |
"elasticloadbalancing:DescribeTargetHealth", | |
"elasticloadbalancing:DeregisterInstancesFromLoadBalancer", | |
"elasticloadbalancing:DeregisterTargets", | |
"elasticloadbalancing:RegisterTargets", | |
"elasticloadbalancing:RegisterInstancesWithLoadBalancer", | |
"elasticloadbalancing:RegisterTargets", | |
"elasticloadbalancing:EnableAvailabilityZonesForLoadBalancer", | |
"elasticloadbalancing:DisableAvailabilityZonesForLoadBalancer", | |
"elasticloadbalancing:DescribeTags", | |
"elasticloadbalancing:CreateTargetGroup", | |
"elasticloadbalancing:ModifyRule", | |
"elasticloadbalancing:AddTags", | |
"elasticloadbalancing:ModifyTargetGroupAttributes", | |
"elasticloadbalancing:ModifyTargetGroup", | |
"elasticloadbalancing:ModifyListener" | |
], | |
"Effect": "Allow", | |
"Resource": [ | |
"*" | |
] | |
}, | |
{ | |
"Sid": "AccessCloudWatch", | |
"Action": [ | |
"cloudwatch:DescribeAlarmHistory", | |
"cloudwatch:DescribeAlarms", | |
"cloudwatch:DescribeAlarmsForMetric", | |
"cloudwatch:GetMetricStatistics", | |
"cloudwatch:ListMetrics", | |
"cloudwatch:PutMetricData", | |
"cloudwatch:PutMetricAlarm" | |
], | |
"Effect": "Allow", | |
"Resource": [ | |
"*" | |
] | |
}, | |
{ | |
"Sid": "AccessIAM", | |
"Action": [ | |
"iam:ListInstanceProfiles", | |
"iam:ListInstanceProfilesForRole", | |
"iam:ListRoles", | |
"iam:GetInstanceProfile", | |
"iam:GetRolePolicy", | |
"iam:ListRolePolicies", | |
"iam:PassRole" | |
], | |
"Effect": "Allow", | |
"Resource": [ | |
"*" | |
] | |
}, | |
{ | |
"Sid": "AccessAutoScalingGroups", | |
"Action": [ | |
"autoscaling:DescribeAccountLimits", | |
"autoscaling:DescribeAdjustmentTypes", | |
"autoscaling:DescribeAutoScalingGroups", | |
"autoscaling:DescribeAutoScalingInstances", | |
"autoscaling:DescribeAutoScalingNotificationTypes", | |
"autoscaling:DescribeLaunchConfigurations", | |
"autoscaling:DescribeLifecycleHooks", | |
"autoscaling:DescribeLifecycleHookTypes", | |
"autoscaling:DescribeLoadBalancers", | |
"autoscaling:DescribeLoadBalancerTargetGroups", | |
"autoscaling:DescribeMetricCollectionTypes", | |
"autoscaling:DescribeNotificationConfigurations", | |
"autoscaling:DescribePolicies", | |
"autoscaling:DescribeScalingActivities", | |
"autoscaling:DescribeScalingProcessTypes", | |
"autoscaling:DescribeScheduledActions", | |
"autoscaling:DescribeTags", | |
"autoscaling:DescribeTerminationPolicyTypes", | |
], | |
"Effect": "Allow", | |
"Resource": [ | |
"*" | |
] | |
}, | |
{ | |
"Sid": "AccessEks", | |
"Action": [ | |
"eks:ListClusters" | |
], | |
"Effect": "Allow", | |
"Resource": [ | |
"*" | |
] | |
}, | |
{ | |
"Sid": "AccessECS", | |
"Action": [ | |
"ecs:List*", | |
"ecs:Describe*", | |
"ecs:DeregisterContainerInstance", | |
"ecs:UpdateContainerInstancesState", | |
"ecs:RegisterTaskDefinition", | |
"ecs:CreateService" | |
], | |
"Effect": "Allow", | |
"Resource": [ | |
"*" | |
] | |
}, | |
{ | |
"Sid": "SavingsPlan", | |
"Action": [ | |
"savingsplans:DescribeSavingsPlanRates", | |
"savingsplans:DescribeSavingsPlans", | |
"savingsplans:DescribeSavingsPlansOfferingRates", | |
"savingsplans:DescribeSavingsPlansOfferings", | |
"savingsplans:ListTagsForResource" | |
], | |
"Effect": "Allow", | |
"Resource": [ | |
"*" | |
] | |
}, | |
{ | |
"Sid": "Lambda", | |
"Action": [ | |
"lambda:ListFunctions" | |
], | |
"Effect": "Allow", | |
"Resource": [ | |
"*" | |
] | |
}, | |
{ | |
"Effect": "Allow", | |
"Action": [ | |
"kms:Encrypt", | |
"kms:Decrypt", | |
"kms:ReEncrypt*", | |
"kms:GenerateDataKey*", | |
"kms:DescribeKey" | |
], | |
"Condition": { | |
"ForAnyValue:StringLike": { | |
"kms:ResourceAliases": "{{ key_alias }}" | |
} | |
}, | |
"Resource": [ | |
"arn:aws:kms:{{ region }}:{{ account_id }}:key/*" | |
] | |
} | |
] | |
} |
{ | |
"Version": "2012-10-17", | |
"Statement": [ | |
{ | |
"Sid": "EC2WithRestrictions", | |
"Action": [ | |
"ec2:AttachVolume", | |
"ec2:DeleteTags", | |
"ec2:RebootInstances", | |
"ec2:StartInstances", | |
"ec2:StopInstances", | |
"ec2:TerminateInstances", | |
"ec2:DeleteTags", | |
"ec2:UnassignPrivateIpAddresses", | |
"ec2:ModifyNetworkInterfaceAttribute", | |
"ec2:ModifyImageAttribute", | |
"ec2:ModifyInstanceAttribute", | |
"ec2:AssociateAddress" | |
], | |
"Condition": { | |
"StringEquals": { | |
"ec2:ResourceTag/spotinst:aws:ec2:group:createdBy": "spotinst" | |
} | |
}, | |
"Effect": "Allow", | |
"Resource": [ | |
"*" | |
] | |
}, | |
{ | |
"Sid": "EC2Access", | |
"Action": [ | |
"ec2:RequestSpotInstances", | |
"ec2:CancelSpotInstanceRequests", | |
"ec2:CreateSpotDatafeedSubscription", | |
"ec2:DescribeAccountAttributes", | |
"ec2:DescribeAddresses", | |
"ec2:DescribeAvailabilityZones", | |
"ec2:DescribeBundleTasks", | |
"ec2:DescribeConversionTasks", | |
"ec2:DescribeCustomerGateways", | |
"ec2:DescribeDhcpOptions", | |
"ec2:DescribeExportTasks", | |
"ec2:DescribeHosts", | |
"ec2:DescribeIdentityIdFormat", | |
"ec2:DescribeIdFormat", | |
"ec2:DescribeImageAttribute", | |
"ec2:DescribeImages", | |
"ec2:DescribeImportImageTasks", | |
"ec2:DescribeImportSnapshotTasks", | |
"ec2:DescribeInstanceAttribute", | |
"ec2:DescribeInstances", | |
"ec2:DescribeInstanceStatus", | |
"ec2:DescribeInternetGateways", | |
"ec2:DescribeFlowLogs", | |
"ec2:DescribeKeyPairs", | |
"ec2:DescribeMovingAddresses", | |
"ec2:DescribeNatGateways", | |
"ec2:DescribeNetworkAcls", | |
"ec2:DescribeNetworkInterfaceAttribute", | |
"ec2:DescribeNetworkInterfaces", | |
"ec2:DescribePlacementGroups", | |
"ec2:DescribePrefixLists", | |
"ec2:DescribeRegions", | |
"ec2:DescribeReservedInstances", | |
"ec2:DescribeReservedInstancesListings", | |
"ec2:DescribeReservedInstancesModifications", | |
"ec2:DescribeReservedInstancesOfferings", | |
"ec2:DescribeRouteTables", | |
"ec2:DescribeScheduledInstanceAvailability", | |
"ec2:DescribeScheduledInstances", | |
"ec2:DescribeSecurityGroupReferences", | |
"ec2:DescribeSecurityGroups", | |
"ec2:DescribeStaleSecurityGroups", | |
"ec2:DescribeSnapshotAttribute", | |
"ec2:DescribeSnapshots", | |
"ec2:DescribeSpotDatafeedSubscription", | |
"ec2:DescribeSpotFleetInstances", | |
"ec2:DescribeSpotFleetRequestHistory", | |
"ec2:DescribeSpotFleetRequests", | |
"ec2:DescribeSpotInstanceRequests", | |
"ec2:DescribeSpotPriceHistory", | |
"ec2:DescribeSubnets", | |
"ec2:DescribeTags", | |
"ec2:DescribeVolumeAttribute", | |
"ec2:DescribeVolumes", | |
"ec2:DescribeVolumeStatus", | |
"ec2:DescribeVpcAttribute", | |
"ec2:DescribeVpcEndpoints", | |
"ec2:DescribeVpcEndpointServices", | |
"ec2:DescribeVpcPeeringConnections", | |
"ec2:DescribeVpcs", | |
"ec2:DescribeVpnConnections", | |
"ec2:DescribeVpnGateways", | |
"ec2:DescribeLaunchTemplates", | |
"ec2:DescribeLaunchTemplateVersions", | |
"ec2:AssociateAddress", | |
"ec2:RunInstances", | |
"ec2:CreateTags", | |
"ec2:ConfirmProductInstance", | |
"ec2:CopyImage", | |
"ec2:CopySnapshot", | |
"ec2:CreateImage", | |
"ec2:CreateSnapshot", | |
"ec2:CreateVolume", | |
"ec2:DisassociateAddress", | |
"ec2:ModifyImageAttribute", | |
"ec2:ModifyInstanceAttribute", | |
"ec2:MonitorInstances", | |
"ec2:RegisterImage", | |
"ec2:UnassignPrivateIpAddresses", | |
"ec2:ModifyNetworkInterfaceAttribute" | |
], | |
"Effect": "Allow", | |
"Resource": [ | |
"*" | |
] | |
}, | |
{ | |
"Sid": "AccessELB", | |
"Action": [ | |
"elasticloadbalancing:DescribeInstanceHealth", | |
"elasticloadbalancing:DescribeListeners", | |
"elasticloadbalancing:DescribeLoadBalancerAttributes", | |
"elasticloadbalancing:DescribeLoadBalancerPolicyTypes", | |
"elasticloadbalancing:DescribeLoadBalancerPolicies", | |
"elasticloadbalancing:DescribeLoadBalancers", | |
"elasticloadbalancing:DescribeRules", | |
"elasticloadbalancing:DescribeSSLPolicies", | |
"elasticloadbalancing:DescribeTags", | |
"elasticloadbalancing:DescribeTargetGroupAttributes", | |
"elasticloadbalancing:DescribeTargetGroups", | |
"elasticloadbalancing:DescribeTargetHealth", | |
"elasticloadbalancing:DeregisterInstancesFromLoadBalancer", | |
"elasticloadbalancing:DeregisterTargets", | |
"elasticloadbalancing:RegisterTargets", | |
"elasticloadbalancing:RegisterInstancesWithLoadBalancer", | |
"elasticloadbalancing:RegisterTargets", | |
"elasticloadbalancing:EnableAvailabilityZonesForLoadBalancer", | |
"elasticloadbalancing:DisableAvailabilityZonesForLoadBalancer", | |
"elasticloadbalancing:DescribeTags", | |
"elasticloadbalancing:CreateTargetGroup", | |
"elasticloadbalancing:ModifyRule", | |
"elasticloadbalancing:AddTags", | |
"elasticloadbalancing:ModifyTargetGroupAttributes", | |
"elasticloadbalancing:ModifyTargetGroup", | |
"elasticloadbalancing:ModifyListener" | |
], | |
"Effect": "Allow", | |
"Resource": [ | |
"*" | |
] | |
}, | |
{ | |
"Sid": "AccessCloudWatch", | |
"Action": [ | |
"cloudwatch:DescribeAlarmHistory", | |
"cloudwatch:DescribeAlarms", | |
"cloudwatch:DescribeAlarmsForMetric", | |
"cloudwatch:GetMetricStatistics", | |
"cloudwatch:ListMetrics" | |
], | |
"Effect": "Allow", | |
"Resource": [ | |
"*" | |
] | |
}, | |
{ | |
"Sid": "AccessIAM", | |
"Action": [ | |
"iam:ListInstanceProfiles", | |
"iam:ListInstanceProfilesForRole", | |
"iam:ListRoles", | |
"iam:ListRolePolicies", | |
"iam:GetInstanceProfile", | |
"iam:GetRolePolicy", | |
"iam:CreateServiceLinkedRole", | |
"iam:PassRole" | |
], | |
"Effect": "Allow", | |
"Resource": [ | |
"*" | |
] | |
}, | |
{ | |
"Sid": "AccessEks", | |
"Action": [ | |
"eks:ListClusters" | |
], | |
"Effect": "Allow", | |
"Resource": [ | |
"*" | |
] | |
}, | |
{ | |
"Sid": "AccessECS", | |
"Action": [ | |
"ecs:ListAttributes", | |
"ecs:ListServices", | |
"ecs:ListAccountSettings", | |
"ecs:ListTagsForResource", | |
"ecs:ListTasks", | |
"ecs:ListTaskDefinitionFamilies", | |
"ecs:ListContainerInstances", | |
"ecs:ListTaskDefinitions", | |
"ecs:ListClusters" | |
"ecs:DescribeTaskSets", | |
"ecs:DescribeTaskDefinition", | |
"ecs:DescribeClusters", | |
"ecs:DescribeCapacityProviders", | |
"ecs:DescribeServices", | |
"ecs:DescribeContainerInstances", | |
"ecs:DescribeTasks", | |
"ecs:DeregisterContainerInstance", | |
"ecs:UpdateContainerInstancesState", | |
"ecs:RegisterTaskDefinition", | |
"ecs:CreateService" | |
], | |
"Effect": "Allow", | |
"Resource": [ | |
"*" | |
] | |
}, | |
{ | |
"Sid": "AccessAutoScalingGroups", | |
"Action": [ | |
"autoscaling:DescribeAccountLimits", | |
"autoscaling:DescribeAdjustmentTypes", | |
"autoscaling:DescribeAutoScalingGroups", | |
"autoscaling:DescribeAutoScalingInstances", | |
"autoscaling:DescribeAutoScalingNotificationTypes", | |
"autoscaling:DescribeLaunchConfigurations", | |
"autoscaling:DescribeLifecycleHooks", | |
"autoscaling:DescribeLifecycleHookTypes", | |
"autoscaling:DescribeLoadBalancers", | |
"autoscaling:DescribeLoadBalancerTargetGroups", | |
"autoscaling:DescribeMetricCollectionTypes", | |
"autoscaling:DescribeNotificationConfigurations", | |
"autoscaling:DescribePolicies", | |
"autoscaling:DescribeScalingActivities", | |
"autoscaling:DescribeScalingProcessTypes", | |
"autoscaling:DescribeScheduledActions", | |
"autoscaling:DescribeTags", | |
"autoscaling:DescribeTerminationPolicyTypes", | |
], | |
"Effect": "Allow", | |
"Resource": [ | |
"*" | |
] | |
}, | |
{ | |
"Sid": "AllowKMS", | |
"Effect": "Allow", | |
"Action": [ | |
"kms:Encrypt", | |
"kms:Decrypt", | |
"kms:ReEncryptFrom", | |
"kms:ReEncryptTo", | |
"kms:GenerateDataKey", | |
"kms:GenerateDataKeyWithoutPlaintext", | |
"kms:GenerateDataKeyPairWithoutPlaintext", | |
"kms:GenerateDataKeyPair" | |
"kms:DescribeKey" | |
], | |
"Condition": { | |
"ForAnyValue:StringLike": { | |
"kms:ResourceAliases": "{{ key_alias }}" | |
} | |
}, | |
"Resource": [ | |
"arn:aws:kms:{{ region }}:{{ account_id }}:key/*" | |
] | |
}, | |
{ | |
"Sid": "AllowCrossAccountKMS", | |
"Effect": "Allow", | |
"Action": [ | |
"kms:CreateGrant", | |
"kms:ListGrants", | |
"kms:RevokeGrant" | |
], | |
"Resource": [ | |
"*" | |
] | |
}, | |
{ | |
"Sid": "SavingsPlan", | |
"Action": [ | |
"savingsplans:DescribeSavingsPlanRates", | |
"savingsplans:DescribeSavingsPlans", | |
"savingsplans:DescribeSavingsPlansOfferingRates", | |
"savingsplans:DescribeSavingsPlansOfferings", | |
"savingsplans:ListTagsForResource" | |
], | |
"Effect": "Allow", | |
"Resource": [ | |
"*" | |
] | |
}, | |
{ | |
"Sid": "Lambda", | |
"Action": [ | |
"lambda:ListFunctions" | |
], | |
"Effect": "Allow", | |
"Resource": [ | |
"*" | |
] | |
} | |
] | |
} |