
@stevenfeltner
Created November 3, 2022 15:26
Ocean Restricted Palo Alto
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:StopInstances",
"ec2:StartInstances",
"ec2:TerminateInstances",
"ec2:DeleteTags",
"ec2:UnassignPrivateIpAddresses",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:ModifyImageAttribute",
"ec2:ModifyInstanceAttribute",
"ec2:AssociateAddress"
],
"Condition": {
"StringEquals": {
"ec2:ResourceTag/spotinst:aws:ec2:group:createdBy": "spotinst"
}
},
"Effect": "Allow",
"Resource": [
"*"
]
},
{
"Action": [
"ec2:RequestSpotInstances"
],
"Effect": "Allow",
"Resource": [
"arn:aws:ec2:{{ region }}:{{ account_id }}:spot-instances-request/*"
],
"Condition": {
"StringEquals": {
"aws:RequestTag/spotinst:aws:ec2:group:createdBy": "spotinst"
}
}
},
{
"Action": [
"ec2:RequestSpotInstances"
],
"Effect": "Allow",
"Resource": [
"arn:aws:ec2:{{ region }}:{{ account_id }}:key-pair/*",
"arn:aws:ec2:{{ region }}::image/ami-*",
"arn:aws:ec2:{{ region }}:{{ account_id }}:network-interface/*",
"arn:aws:ec2:{{ region }}:{{ account_id }}:security-group/*",
"arn:aws:ec2:{{ region }}:{{ account_id }}:subnet/*"
]
},
{
"Action": [
"ec2:CancelSpotInstanceRequests"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Condition": {
"StringEquals": {
"ec2:ResourceTag/spotinst:aws:ec2:group:createdBy": "spotinst"
}
}
},
{
"Action": [
"ec2:CreateSpotDatafeedSubscription",
"ec2:Describe*",
"ec2:ConfirmProductInstance",
"ec2:CreateTags",
"ec2:MonitorInstances"
],
"Effect": "Allow",
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:RunInstances"
],
"Resource": [
"arn:aws:ec2:{{ region }}:{{ account_id }}:instance/*"
],
"Condition": {
"StringEquals": {
"aws:RequestTag/spotinst:aws:ec2:group:createdBy": "spotinst"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:RunInstances"
],
"Resource": [
"arn:aws:ec2:{{ region }}:{{ account_id }}:key-pair/*",
"arn:aws:ec2:{{ region }}::image/ami-*",
"arn:aws:ec2:{{ region }}:{{ account_id }}:network-interface/*",
"arn:aws:ec2:{{ region }}:{{ account_id }}:security-group/*",
"arn:aws:ec2:{{ region }}:{{ account_id }}:subnet/*",
"arn:aws:ec2:{{ region }}:{{ account_id }}:volume/*"
]
},
{
"Action": [
"iam:ListInstanceProfiles",
"iam:ListInstanceProfilesForRole",
"iam:ListRoles",
"iam:ListRolePolicies",
"iam:GetInstanceProfile",
"iam:GetRolePolicy"
],
"Effect": "Allow",
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "arn:aws:iam::{{ account_id }}:role/aws-service-role/spot.amazonaws.com/AWSServiceRoleForEC2Spot",
"Condition": {
"StringLike": {
"iam:AWSServiceName": "spot.amazonaws.com"
}
}
},
{
"Action": [
"iam:PassRole"
],
"Effect": "Allow",
"Resource": [
"arn:aws:iam::{{ account_id }}:role/{{ team_name }}-worker-role"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Condition": {
"ForAnyValue:StringLike": {
"kms:ResourceAliases": "{{ key_alias }}"
}
},
"Resource": [
"arn:aws:kms:{{ region }}:{{ account_id }}:key/*"
]
},
{
"Effect": "Allow",
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Condition": {
"ForAnyValue:StringLike": {
"kms:ResourceAliases": "{{ key_alias }}"
}
},
"Resource": [
"arn:aws:kms:{{ region }}:{{ account_id }}:key/*"
]
},
{
"Action": [
"eks:ListClusters"
],
"Effect": "Allow",
"Resource": [
"*"
]
},
{
"Action": [
"autoscaling:Describe*"
],
"Effect": "Allow",
"Resource": [
"*"
]
},
{
"Action": [
"savingsplans:Describe*",
"savingsplans:List*"
],
"Effect": "Allow",
"Resource": [
"*"
]
},
{
"Action": [
"lambda:ListFunctions"
],
"Effect": "Allow",
"Resource": [
"*"
]
}
]
}