Ocean Restricted Palo Alto
{ | |
"Version": "2012-10-17", | |
"Statement": [ | |
{ | |
"Action": [ | |
"ec2:StopInstances", | |
"ec2:StartInstances", | |
"ec2:TerminateInstances", | |
"ec2:DeleteTags", | |
"ec2:UnassignPrivateIpAddresses", | |
"ec2:ModifyNetworkInterfaceAttribute", | |
"ec2:ModifyImageAttribute", | |
"ec2:ModifyInstanceAttribute", | |
"ec2:AssociateAddress" | |
], | |
"Condition": { | |
"StringEquals": { | |
"ec2:ResourceTag/spotinst:aws:ec2:group:createdBy": "spotinst" | |
} | |
}, | |
"Effect": "Allow", | |
"Resource": [ | |
"*" | |
] | |
}, | |
{ | |
"Action": [ | |
"ec2:RequestSpotInstances" | |
], | |
"Effect": "Allow", | |
"Resource": [ | |
"arn:aws:ec2:{{ region }}:{{ account_id }}:spot-instances-request/*" | |
], | |
"Condition": { | |
"StringEquals": { | |
"aws:RequestTag/spotinst:aws:ec2:group:createdBy": "spotinst" | |
} | |
} | |
}, | |
{ | |
"Action": [ | |
"ec2:RequestSpotInstances" | |
], | |
"Effect": "Allow", | |
"Resource": [ | |
"arn:aws:ec2:{{ region }}:{{ account_id }}:key-pair/*", | |
"arn:aws:ec2:{{ region }}::image/ami-*", | |
"arn:aws:ec2:{{ region }}:{{ account_id }}:network-interface/*", | |
"arn:aws:ec2:{{ region }}:{{ account_id }}:security-group/*", | |
"arn:aws:ec2:{{ region }}:{{ account_id }}:subnet/*" | |
] | |
}, | |
{ | |
"Action": [ | |
"ec2:CancelSpotInstanceRequests" | |
], | |
"Effect": "Allow", | |
"Resource": [ | |
"*" | |
], | |
"Condition": { | |
"StringEquals": { | |
"ec2:ResourceTag/spotinst:aws:ec2:group:createdBy": "spotinst" | |
} | |
} | |
}, | |
{ | |
"Action": [ | |
"ec2:CreateSpotDatafeedSubscription", | |
"ec2:Describe*", | |
"ec2:ConfirmProductInstance", | |
"ec2:CreateTags", | |
"ec2:MonitorInstances" | |
], | |
"Effect": "Allow", | |
"Resource": [ | |
"*" | |
] | |
}, | |
{ | |
"Effect": "Allow", | |
"Action": [ | |
"ec2:RunInstances" | |
], | |
"Resource": [ | |
"arn:aws:ec2:{{ region }}:{{ account_id }}:instance/*" | |
], | |
"Condition": { | |
"StringEquals": { | |
"aws:RequestTag/spotinst:aws:ec2:group:createdBy": "spotinst" | |
} | |
} | |
}, | |
{ | |
"Effect": "Allow", | |
"Action": [ | |
"ec2:RunInstances" | |
], | |
"Resource": [ | |
"arn:aws:ec2:{{ region }}:{{ account_id }}:key-pair/*", | |
"arn:aws:ec2:{{ region }}::image/ami-*", | |
"arn:aws:ec2:{{ region }}:{{ account_id }}:network-interface/*", | |
"arn:aws:ec2:{{ region }}:{{ account_id }}:security-group/*", | |
"arn:aws:ec2:{{ region }}:{{ account_id }}:subnet/*", | |
"arn:aws:ec2:{{ region }}:{{ account_id }}:volume/*" | |
] | |
}, | |
{ | |
"Action": [ | |
"iam:ListInstanceProfiles", | |
"iam:ListInstanceProfilesForRole", | |
"iam:ListRoles", | |
"iam:ListRolePolicies", | |
"iam:GetInstanceProfile", | |
"iam:GetRolePolicy" | |
], | |
"Effect": "Allow", | |
"Resource": [ | |
"*" | |
] | |
}, | |
{ | |
"Effect": "Allow", | |
"Action": "iam:CreateServiceLinkedRole", | |
"Resource": "arn:aws:iam::{{ account_id }}:role/aws-service-role/spot.amazonaws.com/AWSServiceRoleForEC2Spot", | |
"Condition": { | |
"StringLike": { | |
"iam:AWSServiceName": "spot.amazonaws.com" | |
} | |
} | |
}, | |
{ | |
"Action": [ | |
"iam:PassRole" | |
], | |
"Effect": "Allow", | |
"Resource": [ | |
"arn:aws:iam::{{ account_id }}:role/{{ team_name }}-worker-role" | |
] | |
}, | |
{ | |
"Effect": "Allow", | |
"Action": [ | |
"kms:Encrypt", | |
"kms:Decrypt", | |
"kms:ReEncrypt*", | |
"kms:GenerateDataKey*", | |
"kms:DescribeKey" | |
], | |
"Condition": { | |
"ForAnyValue:StringLike": { | |
"kms:ResourceAliases": "{{ key_alias }}" | |
} | |
}, | |
"Resource": [ | |
"arn:aws:kms:{{ region }}:{{ account_id }}:key/*" | |
] | |
}, | |
{ | |
"Effect": "Allow", | |
"Action": [ | |
"kms:CreateGrant", | |
"kms:ListGrants", | |
"kms:RevokeGrant" | |
], | |
"Condition": { | |
"ForAnyValue:StringLike": { | |
"kms:ResourceAliases": "{{ key_alias }}" | |
} | |
}, | |
"Resource": [ | |
"arn:aws:kms:{{ region }}:{{ account_id }}:key/*" | |
] | |
}, | |
{ | |
"Action": [ | |
"eks:ListClusters" | |
], | |
"Effect": "Allow", | |
"Resource": [ | |
"*" | |
] | |
}, | |
{ | |
"Action": [ | |
"autoscaling:Describe*" | |
], | |
"Effect": "Allow", | |
"Resource": [ | |
"*" | |
] | |
}, | |
{ | |
"Action": [ | |
"savingsplans:Describe*", | |
"savingsplans:List*" | |
], | |
"Effect": "Allow", | |
"Resource": [ | |
"*" | |
] | |
}, | |
{ | |
"Action": [ | |
"lambda:ListFunctions" | |
], | |
"Effect": "Allow", | |
"Resource": [ | |
"*" | |
] | |
} | |
] | |
} |