Last active
August 29, 2022 17:22
-
-
Save stevenfeltner/e95abb4fdcc4668a760d0037c8d70a2d to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Effect": "Allow", | |
| "Principal": { | |
| "AWS": "arn:aws:iam::922761411349:root" | |
| }, | |
| "Action": "sts:AssumeRole", | |
| "Condition": { | |
| "StringEquals": { | |
| "sts:ExternalId": "Q5Pj-XOD40CVN6dS9-ei6SDYzz0XwQeuC-VdLy2YwUw-" | |
| } | |
| } | |
| } | |
| ] | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Sid": "ec2withRestrictions", | |
| "Effect": "Allow", | |
| "Action": [ | |
| "ec2:AttachVolume", | |
| "ec2:DeleteTags", | |
| "ec2:RebootInstances", | |
| "ec2:StartInstances", | |
| "ec2:StopInstances", | |
| "ec2:TerminateInstances", | |
| "ec2:DeregisterImage", | |
| "ec2:DeleteSnapshot", | |
| "ec2:DeleteVolume" | |
| ], | |
| "Condition": { | |
| "StringEquals": { | |
| "ec2:ResourceTag/spotinst:aws:ec2:group:createdBy": "spotinst" | |
| } | |
| }, | |
| "Resource": [ | |
| "*" | |
| ] | |
| }, | |
| { | |
| "Sid": "GeneralSpotInstancesAccess", | |
| "Action": [ | |
| "ec2:RequestSpotInstances", | |
| "ec2:CancelSpotInstanceRequests", | |
| "ec2:CreateSpotDatafeedSubscription", | |
| "ec2:DescribeAccountAttributes", | |
| "ec2:DescribeAddresses", | |
| "ec2:DescribeAvailabilityZones", | |
| "ec2:DescribeBundleTasks", | |
| "ec2:DescribeConversionTasks", | |
| "ec2:DescribeCustomerGateways", | |
| "ec2:DescribeDhcpOptions", | |
| "ec2:DescribeExportTasks", | |
| "ec2:DescribeHosts", | |
| "ec2:DescribeIdentityIdFormat", | |
| "ec2:DescribeIdFormat", | |
| "ec2:DescribeImageAttribute", | |
| "ec2:DescribeImages", | |
| "ec2:DescribeImportImageTasks", | |
| "ec2:DescribeImportSnapshotTasks", | |
| "ec2:DescribeInstanceAttribute", | |
| "ec2:DescribeInstances", | |
| "ec2:DescribeInstanceStatus", | |
| "ec2:DescribeInternetGateways", | |
| "ec2:DescribeFlowLogs", | |
| "ec2:DescribeKeyPairs", | |
| "ec2:DescribeMovingAddresses", | |
| "ec2:DescribeNatGateways", | |
| "ec2:DescribeNetworkAcls", | |
| "ec2:DescribeNetworkInterfaceAttribute", | |
| "ec2:DescribeNetworkInterfaces", | |
| "ec2:DescribePlacementGroups", | |
| "ec2:DescribePrefixLists", | |
| "ec2:DescribeRegions", | |
| "ec2:DescribeReservedInstances", | |
| "ec2:DescribeReservedInstancesListings", | |
| "ec2:DescribeReservedInstancesModifications", | |
| "ec2:DescribeReservedInstancesOfferings", | |
| "ec2:DescribeRouteTables", | |
| "ec2:DescribeScheduledInstanceAvailability", | |
| "ec2:DescribeScheduledInstances", | |
| "ec2:DescribeSecurityGroupReferences", | |
| "ec2:DescribeSecurityGroups", | |
| "ec2:DescribeStaleSecurityGroups", | |
| "ec2:DescribeSnapshotAttribute", | |
| "ec2:DescribeSnapshots", | |
| "ec2:DescribeSpotDatafeedSubscription", | |
| "ec2:DescribeSpotFleetInstances", | |
| "ec2:DescribeSpotFleetRequestHistory", | |
| "ec2:DescribeSpotFleetRequests", | |
| "ec2:DescribeSpotInstanceRequests", | |
| "ec2:DescribeSpotPriceHistory", | |
| "ec2:DescribeSubnets", | |
| "ec2:DescribeTags", | |
| "ec2:DescribeVolumeAttribute", | |
| "ec2:DescribeVolumes", | |
| "ec2:DescribeVolumeStatus", | |
| "ec2:DescribeVpcAttribute", | |
| "ec2:DescribeVpcEndpoints", | |
| "ec2:DescribeVpcEndpointServices", | |
| "ec2:DescribeVpcPeeringConnections", | |
| "ec2:DescribeVpcs", | |
| "ec2:DescribeVpnConnections", | |
| "ec2:DescribeVpnGateways", | |
| "ec2:DescribeLaunchTemplates", | |
| "ec2:DescribeLaunchTemplateVersions", | |
| "ec2:AssociateAddress", | |
| "ec2:RunInstances", | |
| "ec2:CreateTags", | |
| "ec2:ConfirmProductInstance", | |
| "ec2:CopyImage", | |
| "ec2:CopySnapshot", | |
| "ec2:CreateImage", | |
| "ec2:CreateSnapshot", | |
| "ec2:CreateVolume", | |
| "ec2:DisassociateAddress", | |
| "ec2:ModifyImageAttribute", | |
| "ec2:ModifyInstanceAttribute", | |
| "ec2:MonitorInstances", | |
| "ec2:RegisterImage", | |
| "ec2:UnassignPrivateIpAddresses", | |
| "ec2:ModifyNetworkInterfaceAttribute" | |
| ], | |
| "Effect": "Allow", | |
| "Resource": [ | |
| "*" | |
| ] | |
| }, | |
| { | |
| "Sid": "AccessELB", | |
| "Action": [ | |
| "elasticloadbalancing:DescribeInstanceHealth", | |
| "elasticloadbalancing:DescribeListeners", | |
| "elasticloadbalancing:DescribeLoadBalancerAttributes", | |
| "elasticloadbalancing:DescribeLoadBalancerPolicyTypes", | |
| "elasticloadbalancing:DescribeLoadBalancerPolicies", | |
| "elasticloadbalancing:DescribeLoadBalancers", | |
| "elasticloadbalancing:DescribeRules", | |
| "elasticloadbalancing:DescribeSSLPolicies", | |
| "elasticloadbalancing:DescribeTags", | |
| "elasticloadbalancing:DescribeTargetGroupAttributes", | |
| "elasticloadbalancing:DescribeTargetGroups", | |
| "elasticloadbalancing:DescribeTargetHealth", | |
| "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", | |
| "elasticloadbalancing:DeregisterTargets", | |
| "elasticloadbalancing:RegisterTargets", | |
| "elasticloadbalancing:RegisterInstancesWithLoadBalancer", | |
| "elasticloadbalancing:RegisterTargets", | |
| "elasticloadbalancing:EnableAvailabilityZonesForLoadBalancer", | |
| "elasticloadbalancing:DisableAvailabilityZonesForLoadBalancer", | |
| "elasticloadbalancing:DescribeTags", | |
| "elasticloadbalancing:CreateTargetGroup", | |
| "elasticloadbalancing:ModifyRule", | |
| "elasticloadbalancing:AddTags", | |
| "elasticloadbalancing:ModifyTargetGroupAttributes", | |
| "elasticloadbalancing:ModifyTargetGroup", | |
| "elasticloadbalancing:ModifyListener" | |
| ], | |
| "Effect": "Allow", | |
| "Resource": [ | |
| "*" | |
| ] | |
| }, | |
| { | |
| "Sid": "AccessCloudWatch", | |
| "Action": [ | |
| "cloudwatch:DescribeAlarmHistory", | |
| "cloudwatch:DescribeAlarms", | |
| "cloudwatch:DescribeAlarmsForMetric", | |
| "cloudwatch:GetMetricStatistics", | |
| "cloudwatch:ListMetrics", | |
| "cloudwatch:PutMetricData", | |
| "cloudwatch:PutMetricAlarm" | |
| ], | |
| "Effect": "Allow", | |
| "Resource": [ | |
| "*" | |
| ] | |
| }, | |
| { | |
| "Sid": "AccessIAM", | |
| "Action": [ | |
| "iam:ListInstanceProfiles", | |
| "iam:ListInstanceProfilesForRole", | |
| "iam:ListRoles", | |
| "iam:GetInstanceProfile", | |
| "iam:GetRolePolicy", | |
| "iam:ListRolePolicies", | |
| "iam:PassRole" | |
| ], | |
| "Effect": "Allow", | |
| "Resource": [ | |
| "*" | |
| ] | |
| }, | |
| { | |
| "Sid": "AccessAutoScalingGroups", | |
| "Action": [ | |
| "autoscaling:DescribeAccountLimits", | |
| "autoscaling:DescribeAdjustmentTypes", | |
| "autoscaling:DescribeAutoScalingGroups", | |
| "autoscaling:DescribeAutoScalingInstances", | |
| "autoscaling:DescribeAutoScalingNotificationTypes", | |
| "autoscaling:DescribeLaunchConfigurations", | |
| "autoscaling:DescribeLifecycleHooks", | |
| "autoscaling:DescribeLifecycleHookTypes", | |
| "autoscaling:DescribeLoadBalancers", | |
| "autoscaling:DescribeLoadBalancerTargetGroups", | |
| "autoscaling:DescribeMetricCollectionTypes", | |
| "autoscaling:DescribeNotificationConfigurations", | |
| "autoscaling:DescribePolicies", | |
| "autoscaling:DescribeScalingActivities", | |
| "autoscaling:DescribeScalingProcessTypes", | |
| "autoscaling:DescribeScheduledActions", | |
| "autoscaling:DescribeTags", | |
| "autoscaling:DescribeTerminationPolicyTypes", | |
| ], | |
| "Effect": "Allow", | |
| "Resource": [ | |
| "*" | |
| ] | |
| }, | |
| { | |
| "Sid": "SavingsPlan", | |
| "Action": [ | |
| "savingsplans:DescribeSavingsPlanRates", | |
| "savingsplans:DescribeSavingsPlans", | |
| "savingsplans:DescribeSavingsPlansOfferingRates", | |
| "savingsplans:DescribeSavingsPlansOfferings", | |
| "savingsplans:ListTagsForResource" | |
| ], | |
| "Effect": "Allow", | |
| "Resource": [ | |
| "*" | |
| ] | |
| }, | |
| { | |
| "Sid": "Lambda", | |
| "Action": [ | |
| "lambda:ListFunctions" | |
| ], | |
| "Effect": "Allow", | |
| "Resource": [ | |
| "*" | |
| ] | |
| }, | |
| { | |
| "Effect": "Allow", | |
| "Action": [ | |
| "kms:Encrypt", | |
| "kms:Decrypt", | |
| "kms:ReEncrypt*", | |
| "kms:GenerateDataKey*", | |
| "kms:DescribeKey" | |
| ], | |
| "Condition": { | |
| "ForAnyValue:StringLike": { | |
| "kms:ResourceAliases": "{{ key_alias }}" | |
| } | |
| }, | |
| "Resource": [ | |
| "arn:aws:kms:{{ region }}:{{ account_id }}:key/*" | |
| ] | |
| } | |
| ] | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Sid": "ec2withRestrictions", | |
| "Effect": "Allow", | |
| "Action": [ | |
| "ec2:AttachVolume", | |
| "ec2:DeleteTags", | |
| "ec2:RebootInstances", | |
| "ec2:StartInstances", | |
| "ec2:StopInstances", | |
| "ec2:TerminateInstances", | |
| "ec2:DeregisterImage", | |
| "ec2:DeleteSnapshot", | |
| "ec2:DeleteVolume" | |
| ], | |
| "Condition": { | |
| "StringEquals": { | |
| "ec2:ResourceTag/spotinst:aws:ec2:group:createdBy": "spotinst" | |
| } | |
| }, | |
| "Resource": [ | |
| "*" | |
| ] | |
| }, | |
| { | |
| "Sid": "GeneralSpotInstancesAccess", | |
| "Action": [ | |
| "ec2:RequestSpotInstances", | |
| "ec2:CancelSpotInstanceRequests", | |
| "ec2:CreateSpotDatafeedSubscription", | |
| "ec2:DescribeAccountAttributes", | |
| "ec2:DescribeAddresses", | |
| "ec2:DescribeAvailabilityZones", | |
| "ec2:DescribeBundleTasks", | |
| "ec2:DescribeConversionTasks", | |
| "ec2:DescribeCustomerGateways", | |
| "ec2:DescribeDhcpOptions", | |
| "ec2:DescribeExportTasks", | |
| "ec2:DescribeHosts", | |
| "ec2:DescribeIdentityIdFormat", | |
| "ec2:DescribeIdFormat", | |
| "ec2:DescribeImageAttribute", | |
| "ec2:DescribeImages", | |
| "ec2:DescribeImportImageTasks", | |
| "ec2:DescribeImportSnapshotTasks", | |
| "ec2:DescribeInstanceAttribute", | |
| "ec2:DescribeInstances", | |
| "ec2:DescribeInstanceStatus", | |
| "ec2:DescribeInternetGateways", | |
| "ec2:DescribeFlowLogs", | |
| "ec2:DescribeKeyPairs", | |
| "ec2:DescribeMovingAddresses", | |
| "ec2:DescribeNatGateways", | |
| "ec2:DescribeNetworkAcls", | |
| "ec2:DescribeNetworkInterfaceAttribute", | |
| "ec2:DescribeNetworkInterfaces", | |
| "ec2:DescribePlacementGroups", | |
| "ec2:DescribePrefixLists", | |
| "ec2:DescribeRegions", | |
| "ec2:DescribeReservedInstances", | |
| "ec2:DescribeReservedInstancesListings", | |
| "ec2:DescribeReservedInstancesModifications", | |
| "ec2:DescribeReservedInstancesOfferings", | |
| "ec2:DescribeRouteTables", | |
| "ec2:DescribeScheduledInstanceAvailability", | |
| "ec2:DescribeScheduledInstances", | |
| "ec2:DescribeSecurityGroupReferences", | |
| "ec2:DescribeSecurityGroups", | |
| "ec2:DescribeStaleSecurityGroups", | |
| "ec2:DescribeSnapshotAttribute", | |
| "ec2:DescribeSnapshots", | |
| "ec2:DescribeSpotDatafeedSubscription", | |
| "ec2:DescribeSpotFleetInstances", | |
| "ec2:DescribeSpotFleetRequestHistory", | |
| "ec2:DescribeSpotFleetRequests", | |
| "ec2:DescribeSpotInstanceRequests", | |
| "ec2:DescribeSpotPriceHistory", | |
| "ec2:DescribeSubnets", | |
| "ec2:DescribeTags", | |
| "ec2:DescribeVolumeAttribute", | |
| "ec2:DescribeVolumes", | |
| "ec2:DescribeVolumeStatus", | |
| "ec2:DescribeVpcAttribute", | |
| "ec2:DescribeVpcEndpoints", | |
| "ec2:DescribeVpcEndpointServices", | |
| "ec2:DescribeVpcPeeringConnections", | |
| "ec2:DescribeVpcs", | |
| "ec2:DescribeVpnConnections", | |
| "ec2:DescribeVpnGateways", | |
| "ec2:DescribeLaunchTemplates", | |
| "ec2:DescribeLaunchTemplateVersions", | |
| "ec2:AssociateAddress", | |
| "ec2:RunInstances", | |
| "ec2:CreateTags", | |
| "ec2:ConfirmProductInstance", | |
| "ec2:CopyImage", | |
| "ec2:CopySnapshot", | |
| "ec2:CreateImage", | |
| "ec2:CreateSnapshot", | |
| "ec2:CreateVolume", | |
| "ec2:DisassociateAddress", | |
| "ec2:ModifyImageAttribute", | |
| "ec2:ModifyInstanceAttribute", | |
| "ec2:MonitorInstances", | |
| "ec2:RegisterImage", | |
| "ec2:UnassignPrivateIpAddresses", | |
| "ec2:ModifyNetworkInterfaceAttribute" | |
| ], | |
| "Effect": "Allow", | |
| "Resource": [ | |
| "*" | |
| ] | |
| }, | |
| { | |
| "Sid": "AccessELB", | |
| "Action": [ | |
| "elasticloadbalancing:DescribeInstanceHealth", | |
| "elasticloadbalancing:DescribeListeners", | |
| "elasticloadbalancing:DescribeLoadBalancerAttributes", | |
| "elasticloadbalancing:DescribeLoadBalancerPolicyTypes", | |
| "elasticloadbalancing:DescribeLoadBalancerPolicies", | |
| "elasticloadbalancing:DescribeLoadBalancers", | |
| "elasticloadbalancing:DescribeRules", | |
| "elasticloadbalancing:DescribeSSLPolicies", | |
| "elasticloadbalancing:DescribeTags", | |
| "elasticloadbalancing:DescribeTargetGroupAttributes", | |
| "elasticloadbalancing:DescribeTargetGroups", | |
| "elasticloadbalancing:DescribeTargetHealth", | |
| "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", | |
| "elasticloadbalancing:DeregisterTargets", | |
| "elasticloadbalancing:RegisterTargets", | |
| "elasticloadbalancing:RegisterInstancesWithLoadBalancer", | |
| "elasticloadbalancing:RegisterTargets", | |
| "elasticloadbalancing:EnableAvailabilityZonesForLoadBalancer", | |
| "elasticloadbalancing:DisableAvailabilityZonesForLoadBalancer", | |
| "elasticloadbalancing:DescribeTags", | |
| "elasticloadbalancing:CreateTargetGroup", | |
| "elasticloadbalancing:ModifyRule", | |
| "elasticloadbalancing:AddTags", | |
| "elasticloadbalancing:ModifyTargetGroupAttributes", | |
| "elasticloadbalancing:ModifyTargetGroup", | |
| "elasticloadbalancing:ModifyListener" | |
| ], | |
| "Effect": "Allow", | |
| "Resource": [ | |
| "*" | |
| ] | |
| }, | |
| { | |
| "Sid": "AccessCloudWatch", | |
| "Action": [ | |
| "cloudwatch:DescribeAlarmHistory", | |
| "cloudwatch:DescribeAlarms", | |
| "cloudwatch:DescribeAlarmsForMetric", | |
| "cloudwatch:GetMetricStatistics", | |
| "cloudwatch:ListMetrics", | |
| "cloudwatch:PutMetricData", | |
| "cloudwatch:PutMetricAlarm" | |
| ], | |
| "Effect": "Allow", | |
| "Resource": [ | |
| "*" | |
| ] | |
| }, | |
| { | |
| "Sid": "AccessIAM", | |
| "Action": [ | |
| "iam:ListInstanceProfiles", | |
| "iam:ListInstanceProfilesForRole", | |
| "iam:ListRoles", | |
| "iam:GetInstanceProfile", | |
| "iam:GetRolePolicy", | |
| "iam:ListRolePolicies", | |
| "iam:PassRole" | |
| ], | |
| "Effect": "Allow", | |
| "Resource": [ | |
| "*" | |
| ] | |
| }, | |
| { | |
| "Sid": "AccessAutoScalingGroups", | |
| "Action": [ | |
| "autoscaling:DescribeAccountLimits", | |
| "autoscaling:DescribeAdjustmentTypes", | |
| "autoscaling:DescribeAutoScalingGroups", | |
| "autoscaling:DescribeAutoScalingInstances", | |
| "autoscaling:DescribeAutoScalingNotificationTypes", | |
| "autoscaling:DescribeLaunchConfigurations", | |
| "autoscaling:DescribeLifecycleHooks", | |
| "autoscaling:DescribeLifecycleHookTypes", | |
| "autoscaling:DescribeLoadBalancers", | |
| "autoscaling:DescribeLoadBalancerTargetGroups", | |
| "autoscaling:DescribeMetricCollectionTypes", | |
| "autoscaling:DescribeNotificationConfigurations", | |
| "autoscaling:DescribePolicies", | |
| "autoscaling:DescribeScalingActivities", | |
| "autoscaling:DescribeScalingProcessTypes", | |
| "autoscaling:DescribeScheduledActions", | |
| "autoscaling:DescribeTags", | |
| "autoscaling:DescribeTerminationPolicyTypes", | |
| ], | |
| "Effect": "Allow", | |
| "Resource": [ | |
| "*" | |
| ] | |
| }, | |
| { | |
| "Sid": "AccessEks", | |
| "Action": [ | |
| "eks:ListClusters" | |
| ], | |
| "Effect": "Allow", | |
| "Resource": [ | |
| "*" | |
| ] | |
| }, | |
| { | |
| "Sid": "AccessECS", | |
| "Action": [ | |
| "ecs:List*", | |
| "ecs:Describe*", | |
| "ecs:DeregisterContainerInstance", | |
| "ecs:UpdateContainerInstancesState", | |
| "ecs:RegisterTaskDefinition", | |
| "ecs:CreateService" | |
| ], | |
| "Effect": "Allow", | |
| "Resource": [ | |
| "*" | |
| ] | |
| }, | |
| { | |
| "Sid": "SavingsPlan", | |
| "Action": [ | |
| "savingsplans:DescribeSavingsPlanRates", | |
| "savingsplans:DescribeSavingsPlans", | |
| "savingsplans:DescribeSavingsPlansOfferingRates", | |
| "savingsplans:DescribeSavingsPlansOfferings", | |
| "savingsplans:ListTagsForResource" | |
| ], | |
| "Effect": "Allow", | |
| "Resource": [ | |
| "*" | |
| ] | |
| }, | |
| { | |
| "Sid": "Lambda", | |
| "Action": [ | |
| "lambda:ListFunctions" | |
| ], | |
| "Effect": "Allow", | |
| "Resource": [ | |
| "*" | |
| ] | |
| }, | |
| { | |
| "Effect": "Allow", | |
| "Action": [ | |
| "kms:Encrypt", | |
| "kms:Decrypt", | |
| "kms:ReEncrypt*", | |
| "kms:GenerateDataKey*", | |
| "kms:DescribeKey" | |
| ], | |
| "Condition": { | |
| "ForAnyValue:StringLike": { | |
| "kms:ResourceAliases": "{{ key_alias }}" | |
| } | |
| }, | |
| "Resource": [ | |
| "arn:aws:kms:{{ region }}:{{ account_id }}:key/*" | |
| ] | |
| } | |
| ] | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Sid": "EC2WithRestrictions", | |
| "Action": [ | |
| "ec2:AttachVolume", | |
| "ec2:DeleteTags", | |
| "ec2:RebootInstances", | |
| "ec2:StartInstances", | |
| "ec2:StopInstances", | |
| "ec2:TerminateInstances", | |
| "ec2:DeleteTags", | |
| "ec2:UnassignPrivateIpAddresses", | |
| "ec2:ModifyNetworkInterfaceAttribute", | |
| "ec2:ModifyImageAttribute", | |
| "ec2:ModifyInstanceAttribute", | |
| "ec2:AssociateAddress" | |
| ], | |
| "Condition": { | |
| "StringEquals": { | |
| "ec2:ResourceTag/spotinst:aws:ec2:group:createdBy": "spotinst" | |
| } | |
| }, | |
| "Effect": "Allow", | |
| "Resource": [ | |
| "*" | |
| ] | |
| }, | |
| { | |
| "Sid": "EC2Access", | |
| "Action": [ | |
| "ec2:RequestSpotInstances", | |
| "ec2:CancelSpotInstanceRequests", | |
| "ec2:CreateSpotDatafeedSubscription", | |
| "ec2:DescribeAccountAttributes", | |
| "ec2:DescribeAddresses", | |
| "ec2:DescribeAvailabilityZones", | |
| "ec2:DescribeBundleTasks", | |
| "ec2:DescribeConversionTasks", | |
| "ec2:DescribeCustomerGateways", | |
| "ec2:DescribeDhcpOptions", | |
| "ec2:DescribeExportTasks", | |
| "ec2:DescribeHosts", | |
| "ec2:DescribeIdentityIdFormat", | |
| "ec2:DescribeIdFormat", | |
| "ec2:DescribeImageAttribute", | |
| "ec2:DescribeImages", | |
| "ec2:DescribeImportImageTasks", | |
| "ec2:DescribeImportSnapshotTasks", | |
| "ec2:DescribeInstanceAttribute", | |
| "ec2:DescribeInstances", | |
| "ec2:DescribeInstanceStatus", | |
| "ec2:DescribeInternetGateways", | |
| "ec2:DescribeFlowLogs", | |
| "ec2:DescribeKeyPairs", | |
| "ec2:DescribeMovingAddresses", | |
| "ec2:DescribeNatGateways", | |
| "ec2:DescribeNetworkAcls", | |
| "ec2:DescribeNetworkInterfaceAttribute", | |
| "ec2:DescribeNetworkInterfaces", | |
| "ec2:DescribePlacementGroups", | |
| "ec2:DescribePrefixLists", | |
| "ec2:DescribeRegions", | |
| "ec2:DescribeReservedInstances", | |
| "ec2:DescribeReservedInstancesListings", | |
| "ec2:DescribeReservedInstancesModifications", | |
| "ec2:DescribeReservedInstancesOfferings", | |
| "ec2:DescribeRouteTables", | |
| "ec2:DescribeScheduledInstanceAvailability", | |
| "ec2:DescribeScheduledInstances", | |
| "ec2:DescribeSecurityGroupReferences", | |
| "ec2:DescribeSecurityGroups", | |
| "ec2:DescribeStaleSecurityGroups", | |
| "ec2:DescribeSnapshotAttribute", | |
| "ec2:DescribeSnapshots", | |
| "ec2:DescribeSpotDatafeedSubscription", | |
| "ec2:DescribeSpotFleetInstances", | |
| "ec2:DescribeSpotFleetRequestHistory", | |
| "ec2:DescribeSpotFleetRequests", | |
| "ec2:DescribeSpotInstanceRequests", | |
| "ec2:DescribeSpotPriceHistory", | |
| "ec2:DescribeSubnets", | |
| "ec2:DescribeTags", | |
| "ec2:DescribeVolumeAttribute", | |
| "ec2:DescribeVolumes", | |
| "ec2:DescribeVolumeStatus", | |
| "ec2:DescribeVpcAttribute", | |
| "ec2:DescribeVpcEndpoints", | |
| "ec2:DescribeVpcEndpointServices", | |
| "ec2:DescribeVpcPeeringConnections", | |
| "ec2:DescribeVpcs", | |
| "ec2:DescribeVpnConnections", | |
| "ec2:DescribeVpnGateways", | |
| "ec2:DescribeLaunchTemplates", | |
| "ec2:DescribeLaunchTemplateVersions", | |
| "ec2:AssociateAddress", | |
| "ec2:RunInstances", | |
| "ec2:CreateTags", | |
| "ec2:ConfirmProductInstance", | |
| "ec2:CopyImage", | |
| "ec2:CopySnapshot", | |
| "ec2:CreateImage", | |
| "ec2:CreateSnapshot", | |
| "ec2:CreateVolume", | |
| "ec2:DisassociateAddress", | |
| "ec2:ModifyImageAttribute", | |
| "ec2:ModifyInstanceAttribute", | |
| "ec2:MonitorInstances", | |
| "ec2:RegisterImage", | |
| "ec2:UnassignPrivateIpAddresses", | |
| "ec2:ModifyNetworkInterfaceAttribute" | |
| ], | |
| "Effect": "Allow", | |
| "Resource": [ | |
| "*" | |
| ] | |
| }, | |
| { | |
| "Sid": "AccessELB", | |
| "Action": [ | |
| "elasticloadbalancing:DescribeInstanceHealth", | |
| "elasticloadbalancing:DescribeListeners", | |
| "elasticloadbalancing:DescribeLoadBalancerAttributes", | |
| "elasticloadbalancing:DescribeLoadBalancerPolicyTypes", | |
| "elasticloadbalancing:DescribeLoadBalancerPolicies", | |
| "elasticloadbalancing:DescribeLoadBalancers", | |
| "elasticloadbalancing:DescribeRules", | |
| "elasticloadbalancing:DescribeSSLPolicies", | |
| "elasticloadbalancing:DescribeTags", | |
| "elasticloadbalancing:DescribeTargetGroupAttributes", | |
| "elasticloadbalancing:DescribeTargetGroups", | |
| "elasticloadbalancing:DescribeTargetHealth", | |
| "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", | |
| "elasticloadbalancing:DeregisterTargets", | |
| "elasticloadbalancing:RegisterTargets", | |
| "elasticloadbalancing:RegisterInstancesWithLoadBalancer", | |
| "elasticloadbalancing:RegisterTargets", | |
| "elasticloadbalancing:EnableAvailabilityZonesForLoadBalancer", | |
| "elasticloadbalancing:DisableAvailabilityZonesForLoadBalancer", | |
| "elasticloadbalancing:DescribeTags", | |
| "elasticloadbalancing:CreateTargetGroup", | |
| "elasticloadbalancing:ModifyRule", | |
| "elasticloadbalancing:AddTags", | |
| "elasticloadbalancing:ModifyTargetGroupAttributes", | |
| "elasticloadbalancing:ModifyTargetGroup", | |
| "elasticloadbalancing:ModifyListener" | |
| ], | |
| "Effect": "Allow", | |
| "Resource": [ | |
| "*" | |
| ] | |
| }, | |
| { | |
| "Sid": "AccessCloudWatch", | |
| "Action": [ | |
| "cloudwatch:DescribeAlarmHistory", | |
| "cloudwatch:DescribeAlarms", | |
| "cloudwatch:DescribeAlarmsForMetric", | |
| "cloudwatch:GetMetricStatistics", | |
| "cloudwatch:ListMetrics" | |
| ], | |
| "Effect": "Allow", | |
| "Resource": [ | |
| "*" | |
| ] | |
| }, | |
| { | |
| "Sid": "AccessIAM", | |
| "Action": [ | |
| "iam:ListInstanceProfiles", | |
| "iam:ListInstanceProfilesForRole", | |
| "iam:ListRoles", | |
| "iam:ListRolePolicies", | |
| "iam:GetInstanceProfile", | |
| "iam:GetRolePolicy", | |
| "iam:CreateServiceLinkedRole", | |
| "iam:PassRole" | |
| ], | |
| "Effect": "Allow", | |
| "Resource": [ | |
| "*" | |
| ] | |
| }, | |
| { | |
| "Sid": "AccessEks", | |
| "Action": [ | |
| "eks:ListClusters" | |
| ], | |
| "Effect": "Allow", | |
| "Resource": [ | |
| "*" | |
| ] | |
| }, | |
| { | |
| "Sid": "AccessECS", | |
| "Action": [ | |
| "ecs:ListAttributes", | |
| "ecs:ListServices", | |
| "ecs:ListAccountSettings", | |
| "ecs:ListTagsForResource", | |
| "ecs:ListTasks", | |
| "ecs:ListTaskDefinitionFamilies", | |
| "ecs:ListContainerInstances", | |
| "ecs:ListTaskDefinitions", | |
| "ecs:ListClusters" | |
| "ecs:DescribeTaskSets", | |
| "ecs:DescribeTaskDefinition", | |
| "ecs:DescribeClusters", | |
| "ecs:DescribeCapacityProviders", | |
| "ecs:DescribeServices", | |
| "ecs:DescribeContainerInstances", | |
| "ecs:DescribeTasks", | |
| "ecs:DeregisterContainerInstance", | |
| "ecs:UpdateContainerInstancesState", | |
| "ecs:RegisterTaskDefinition", | |
| "ecs:CreateService" | |
| ], | |
| "Effect": "Allow", | |
| "Resource": [ | |
| "*" | |
| ] | |
| }, | |
| { | |
| "Sid": "AccessAutoScalingGroups", | |
| "Action": [ | |
| "autoscaling:DescribeAccountLimits", | |
| "autoscaling:DescribeAdjustmentTypes", | |
| "autoscaling:DescribeAutoScalingGroups", | |
| "autoscaling:DescribeAutoScalingInstances", | |
| "autoscaling:DescribeAutoScalingNotificationTypes", | |
| "autoscaling:DescribeLaunchConfigurations", | |
| "autoscaling:DescribeLifecycleHooks", | |
| "autoscaling:DescribeLifecycleHookTypes", | |
| "autoscaling:DescribeLoadBalancers", | |
| "autoscaling:DescribeLoadBalancerTargetGroups", | |
| "autoscaling:DescribeMetricCollectionTypes", | |
| "autoscaling:DescribeNotificationConfigurations", | |
| "autoscaling:DescribePolicies", | |
| "autoscaling:DescribeScalingActivities", | |
| "autoscaling:DescribeScalingProcessTypes", | |
| "autoscaling:DescribeScheduledActions", | |
| "autoscaling:DescribeTags", | |
| "autoscaling:DescribeTerminationPolicyTypes", | |
| ], | |
| "Effect": "Allow", | |
| "Resource": [ | |
| "*" | |
| ] | |
| }, | |
| { | |
| "Sid": "AllowKMS", | |
| "Effect": "Allow", | |
| "Action": [ | |
| "kms:Encrypt", | |
| "kms:Decrypt", | |
| "kms:ReEncryptFrom", | |
| "kms:ReEncryptTo", | |
| "kms:GenerateDataKey", | |
| "kms:GenerateDataKeyWithoutPlaintext", | |
| "kms:GenerateDataKeyPairWithoutPlaintext", | |
| "kms:GenerateDataKeyPair" | |
| "kms:DescribeKey" | |
| ], | |
| "Condition": { | |
| "ForAnyValue:StringLike": { | |
| "kms:ResourceAliases": "{{ key_alias }}" | |
| } | |
| }, | |
| "Resource": [ | |
| "arn:aws:kms:{{ region }}:{{ account_id }}:key/*" | |
| ] | |
| }, | |
| { | |
| "Sid": "AllowCrossAccountKMS", | |
| "Effect": "Allow", | |
| "Action": [ | |
| "kms:CreateGrant", | |
| "kms:ListGrants", | |
| "kms:RevokeGrant" | |
| ], | |
| "Resource": [ | |
| "*" | |
| ] | |
| }, | |
| { | |
| "Sid": "SavingsPlan", | |
| "Action": [ | |
| "savingsplans:DescribeSavingsPlanRates", | |
| "savingsplans:DescribeSavingsPlans", | |
| "savingsplans:DescribeSavingsPlansOfferingRates", | |
| "savingsplans:DescribeSavingsPlansOfferings", | |
| "savingsplans:ListTagsForResource" | |
| ], | |
| "Effect": "Allow", | |
| "Resource": [ | |
| "*" | |
| ] | |
| }, | |
| { | |
| "Sid": "Lambda", | |
| "Action": [ | |
| "lambda:ListFunctions" | |
| ], | |
| "Effect": "Allow", | |
| "Resource": [ | |
| "*" | |
| ] | |
| } | |
| ] | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment