Created
January 22, 2024 14:10
-
-
Save rssnyder/8eed5a975c0eee82cd2b9a558159d14c to your computer and use it in GitHub Desktop.
Since the AWS granular permissions are extended, it needs to be split into two policies because of AWS size limitations.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "Version": "2012-10-17", | |
| "Statement": | |
| [ | |
| { | |
| "Sid": "VisualEditor0", | |
| "Effect": "Allow", | |
| "Action": | |
| [ | |
| "acm:ListCertificates", | |
| "autoscaling:AttachInstances", | |
| "autoscaling:AttachLoadBalancers", | |
| "autoscaling:AttachLoadBalancerTargetGroups", | |
| "autoscaling:CreateAutoScalingGroup", | |
| "autoscaling:CreateLaunchConfiguration", | |
| "autoscaling:CreateOrUpdateTags", | |
| "autoscaling:DeleteTags", | |
| "autoscaling:DescribeAutoScalingGroups", | |
| "autoscaling:DescribeAutoScalingInstances", | |
| "autoscaling:DescribeInstanceRefreshes", | |
| "autoscaling:DescribeLaunchConfigurations", | |
| "autoscaling:DescribeLoadBalancers", | |
| "autoscaling:DescribeLoadBalancerTargetGroups", | |
| "autoscaling:DescribeTags", | |
| "autoscaling:DetachInstances", | |
| "autoscaling:DetachLoadBalancers", | |
| "autoscaling:DetachLoadBalancerTargetGroups", | |
| "autoscaling:PutScalingPolicy", | |
| "autoscaling:SetDesiredCapacity", | |
| "autoscaling:SetInstanceHealth", | |
| "autoscaling:TerminateInstanceInAutoScalingGroup", | |
| "autoscaling:UpdateAutoScalingGroup", | |
| "cloudwatch:GetMetricData", | |
| "cloudwatch:GetMetricStatistics", | |
| "cloudwatch:ListMetrics", | |
| "ec2:AcceptVpcPeeringConnection", | |
| "ec2:AllocateAddress", | |
| "ec2:AssignIpv6Addresses", | |
| "ec2:AssignPrivateIpAddresses", | |
| "ec2:AssociateAddress", | |
| "ec2:AssociateRouteTable", | |
| "ec2:AssociateSubnetCidrBlock", | |
| "ec2:AssociateVpcCidrBlock", | |
| "ec2:AttachInternetGateway", | |
| "ec2:AttachNetworkInterface", | |
| "ec2:AttachVolume", | |
| "ec2:AttachVpnGateway", | |
| "ec2:AuthorizeSecurityGroupEgress", | |
| "ec2:AuthorizeSecurityGroupIngress", | |
| "ec2:CancelExportTask", | |
| "ec2:CancelImportTask", | |
| "ec2:CancelSpotFleetRequests", | |
| "ec2:CancelSpotInstanceRequests", | |
| "ec2:CopyImage", | |
| "ec2:CopySnapshot", | |
| "ec2:CreateCustomerGateway", | |
| "ec2:CreateDefaultSubnet", | |
| "ec2:CreateDefaultVpc", | |
| "ec2:CreateFleet", | |
| "ec2:CreateImage", | |
| "ec2:CreateKeyPair", | |
| "ec2:CreateLaunchTemplate", | |
| "ec2:CreateLaunchTemplateVersion", | |
| "ec2:CreateNatGateway", | |
| "ec2:CreateNetworkAcl", | |
| "ec2:CreateNetworkAclEntry", | |
| "ec2:CreateNetworkInsightsPath", | |
| "ec2:CreateNetworkInterface", | |
| "ec2:CreatePlacementGroup", | |
| "ec2:CreatePublicIpv4Pool", | |
| "ec2:CreateRestoreImageTask", | |
| "ec2:CreateRoute", | |
| "ec2:CreateRouteTable", | |
| "ec2:CreateSecurityGroup", | |
| "ec2:CreateSnapshot", | |
| "ec2:CreateSnapshots", | |
| "ec2:CreateStoreImageTask", | |
| "ec2:CreateSubnet", | |
| "ec2:CreateSubnetCidrReservation", | |
| "ec2:CreateTags", | |
| "ec2:CreateVolume", | |
| "ec2:CreateVpc", | |
| "ec2:CreateVpcEndpoint", | |
| "ec2:CreateVpcPeeringConnection", | |
| "ec2:CreateVpnConnection", | |
| "ec2:CreateVpnConnectionRoute", | |
| "ec2:DeleteKeyPair", | |
| "ec2:DeleteLaunchTemplate", | |
| "ec2:DeleteLaunchTemplateVersions", | |
| "ec2:DeleteNetworkInterface", | |
| "ec2:DeletePlacementGroup", | |
| "ec2:DeleteRoute", | |
| "ec2:DeleteSecurityGroup", | |
| "ec2:DeleteSnapshot", | |
| "ec2:DeleteSubnet", | |
| "ec2:DeleteTags", | |
| "ec2:DeleteVolume", | |
| "ec2:DeregisterImage", | |
| "ec2:DescribeAccountAttributes", | |
| "ec2:DescribeAddresses", | |
| "ec2:DescribeAddressesAttribute", | |
| "ec2:DescribeAvailabilityZones", | |
| "ec2:DescribeCoipPools", | |
| "ec2:DescribeEgressOnlyInternetGateways", | |
| "ec2:DescribeExportImageTasks", | |
| "ec2:DescribeExportTasks", | |
| "ec2:DescribeFastSnapshotRestores", | |
| "ec2:DescribeFleetHistory", | |
| "ec2:DescribeFleetInstances", | |
| "ec2:DescribeFleets", | |
| "ec2:DescribeFlowLogs", | |
| "ec2:DescribeImageAttribute", | |
| "ec2:DescribeImages", | |
| "ec2:DescribeImportImageTasks", | |
| "ec2:DescribeImportSnapshotTasks", | |
| "ec2:DescribeInstanceAttribute", | |
| "ec2:DescribeInstances", | |
| "ec2:DescribeInstanceStatus", | |
| "ec2:DescribeInstanceTypeOfferings", | |
| "ec2:DescribeInstanceTypes", | |
| "ec2:DescribeInternetGateways", | |
| "ec2:DescribeIpv6Pools", | |
| "ec2:DescribeKeyPairs", | |
| "ec2:DescribeLaunchTemplates", | |
| "ec2:DescribeLaunchTemplateVersions", | |
| "ec2:DescribeNatGateways", | |
| "ec2:DescribeNetworkAcls", | |
| "ec2:DescribeNetworkInterfaces", | |
| "ec2:DescribePlacementGroups", | |
| "ec2:DescribePublicIpv4Pools", | |
| "ec2:DescribeRegions", | |
| "ec2:DescribeScheduledInstances", | |
| "ec2:DescribeSecurityGroupReferences", | |
| "ec2:DescribeSecurityGroupRules", | |
| "ec2:DescribeSecurityGroups", | |
| "ec2:DescribeSnapshotAttribute", | |
| "ec2:DescribeSnapshots", | |
| "ec2:DescribeSnapshotTierStatus", | |
| "ec2:DescribeSpotFleetInstances", | |
| "ec2:DescribeSpotFleetRequestHistory", | |
| "ec2:DescribeSpotFleetRequests", | |
| "ec2:DescribeSpotInstanceRequests", | |
| "ec2:DescribeSpotPriceHistory", | |
| "ec2:DescribeSubnets", | |
| "ec2:DescribeTags", | |
| "ec2:DescribeVolumeAttribute", | |
| "ec2:DescribeVolumes", | |
| "ec2:DescribeVolumesModifications", | |
| "ec2:DescribeVolumeStatus", | |
| "ec2:DescribeVpcAttribute", | |
| "ec2:DescribeVpcClassicLink", | |
| "ec2:DescribeVpcEndpointConnections", | |
| "ec2:DescribeVpcEndpoints", | |
| "ec2:DescribeVpcEndpointServices", | |
| "ec2:DescribeVpcPeeringConnections", | |
| "ec2:DescribeVpcs", | |
| "ec2:DetachNetworkInterface", | |
| "ec2:DetachVolume", | |
| "ec2:DisassociateAddress", | |
| "ec2:DisassociateSubnetCidrBlock", | |
| "ec2:EnableVolumeIO", | |
| "ec2:ExportImage", | |
| "ec2:GetCapacityReservationUsage", | |
| "ec2:GetInstanceTypesFromInstanceRequirements", | |
| "ec2:GetLaunchTemplateData", | |
| "ec2:GetSpotPlacementScores", | |
| "ec2:GetSubnetCidrReservations", | |
| "ec2:ImportImage", | |
| "ec2:ImportInstance", | |
| "ec2:ImportKeyPair", | |
| "ec2:ImportSnapshot", | |
| "ec2:ImportVolume", | |
| "ec2:ListImagesInRecycleBin", | |
| "ec2:ListSnapshotsInRecycleBin", | |
| "ec2:ModifyAddressAttribute", | |
| "ec2:ModifyAvailabilityZoneGroup", | |
| "ec2:ModifyFleet", | |
| "ec2:ModifyImageAttribute", | |
| "ec2:ModifyInstanceAttribute", | |
| "ec2:ModifyInstancePlacement", | |
| "ec2:ModifyLaunchTemplate", | |
| "ec2:ModifyNetworkInterfaceAttribute", | |
| "ec2:ModifyPrivateDnsNameOptions", | |
| "ec2:ModifySecurityGroupRules", | |
| "ec2:ModifySnapshotTier", | |
| "ec2:ModifySpotFleetRequest", | |
| "ec2:ModifySubnetAttribute", | |
| "ec2:ModifyVolume", | |
| "ec2:ModifyVolumeAttribute", | |
| "ec2:ModifyVpcAttribute", | |
| "ec2:ModifyVpcEndpoint", | |
| "ec2:ModifyVpcEndpointServiceConfiguration", | |
| "ec2:ModifyVpcPeeringConnectionOptions", | |
| "ec2:ModifyVpcTenancy", | |
| "ec2:MonitorInstances", | |
| "ec2:RebootInstances", | |
| "ec2:RegisterImage", | |
| "ec2:RejectVpcPeeringConnection", | |
| "ec2:ReleaseAddress", | |
| "ec2:ReplaceRoute", | |
| "ec2:ReplaceRouteTableAssociation", | |
| "ec2:ReportInstanceStatus", | |
| "ec2:RequestSpotFleet", | |
| "ec2:RequestSpotInstances", | |
| "ec2:ResetAddressAttribute", | |
| "ec2:ResetImageAttribute", | |
| "ec2:ResetInstanceAttribute", | |
| "ec2:ResetNetworkInterfaceAttribute", | |
| "ec2:RevokeSecurityGroupEgress", | |
| "ec2:RevokeSecurityGroupIngress", | |
| "ec2:RunInstances", | |
| "ec2:RunScheduledInstances", | |
| "ec2:SendDiagnosticInterrupt", | |
| "ec2:SendSpotInstanceInterruptions", | |
| "ec2:StartInstances", | |
| "ec2:StopInstances", | |
| "ec2:TerminateInstances", | |
| "ec2:UnassignIpv6Addresses", | |
| "ec2:UnassignPrivateIpAddresses", | |
| "ec2:UnmonitorInstances", | |
| "ec2:UpdateSecurityGroupRuleDescriptionsEgress", | |
| "ec2:UpdateSecurityGroupRuleDescriptionsIngress", | |
| "ecs:DeleteAttributes", | |
| "ecs:DescribeCapacityProviders", | |
| "ecs:DescribeClusters", | |
| "ecs:DescribeContainerInstances", | |
| "ecs:DescribeServices", | |
| "ecs:DescribeTaskDefinition", | |
| "ecs:DescribeTasks", | |
| "ecs:DescribeTaskSets", | |
| "ecs:ListAccountSettings", | |
| "ecs:ListAttributes", | |
| "ecs:ListClusters", | |
| "ecs:ListContainerInstances", | |
| "ecs:ListServices", | |
| "ecs:ListTagsForResource", | |
| "ecs:ListTaskDefinitions", | |
| "ecs:ListTasks", | |
| "ecs:RunTask", | |
| "ecs:StartTask", | |
| "ecs:StopTask", | |
| "ecs:TagResource", | |
| "ecs:UntagResource", | |
| "ecs:UpdateService", | |
| "iam:AddRoleToInstanceProfile", | |
| "iam:CreateServiceLinkedRole", | |
| "iam:GetUser", | |
| "iam:ListInstanceProfiles", | |
| "iam:ListInstanceProfilesForRole", | |
| "iam:ListRoles", | |
| "iam:PassRole", | |
| "lambda:AddPermission", | |
| "lambda:CreateCodeSigningConfig", | |
| "lambda:CreateFunction", | |
| "lambda:CreateFunctionUrlConfig", | |
| "lambda:DeleteCodeSigningConfig", | |
| "lambda:DeleteFunction", | |
| "lambda:DeleteFunctionCodeSigningConfig", | |
| "lambda:DeleteFunctionConcurrency", | |
| "lambda:DeleteFunctionEventInvokeConfig", | |
| "lambda:DeleteFunctionUrlConfig", | |
| "lambda:DeleteProvisionedConcurrencyConfig", | |
| "lambda:GetCodeSigningConfig", | |
| "lambda:GetFunction", | |
| "lambda:GetFunctionCodeSigningConfig", | |
| "lambda:GetFunctionConcurrency", | |
| "lambda:GetFunctionConfiguration", | |
| "lambda:GetFunctionEventInvokeConfig", | |
| "lambda:GetFunctionUrlConfig", | |
| "lambda:GetLayerVersion", | |
| "lambda:GetLayerVersionPolicy", | |
| "lambda:GetPolicy", | |
| "lambda:GetProvisionedConcurrencyConfig", | |
| "lambda:InvokeAsync", | |
| "lambda:InvokeFunction", | |
| "lambda:InvokeFunctionUrl", | |
| "lambda:ListCodeSigningConfigs", | |
| "lambda:ListFunctionEventInvokeConfigs", | |
| "lambda:ListFunctions", | |
| "lambda:ListFunctionsByCodeSigningConfig", | |
| "lambda:ListFunctionUrlConfigs", | |
| "lambda:ListLayers", | |
| "lambda:ListLayerVersions", | |
| "lambda:ListProvisionedConcurrencyConfigs", | |
| "lambda:ListTags", | |
| "lambda:ListVersionsByFunction", | |
| "lambda:PublishLayerVersion", | |
| "lambda:PublishVersion", | |
| "lambda:PutFunctionCodeSigningConfig", | |
| "lambda:PutFunctionConcurrency", | |
| "lambda:PutFunctionEventInvokeConfig", | |
| "lambda:RemovePermission", | |
| "lambda:TagResource", | |
| "lambda:UntagResource", | |
| "lambda:UpdateCodeSigningConfig", | |
| "lambda:UpdateEventSourceMapping", | |
| "lambda:UpdateFunctionCode", | |
| "lambda:UpdateFunctionCodeSigningConfig", | |
| "lambda:UpdateFunctionConfiguration", | |
| "lambda:UpdateFunctionEventInvokeConfig", | |
| "lambda:UpdateFunctionUrlConfig", | |
| "rds:DescribeDBClusters", | |
| "rds:DescribeDBInstances", | |
| "rds:ListTagsForResource", | |
| "rds:ModifyDBInstance", | |
| "rds:StartDBCluster", | |
| "rds:StartDBInstance", | |
| "rds:StopDBCluster", | |
| "rds:StopDBInstance", | |
| "route53:ChangeResourceRecordSets", | |
| "route53:GetHealthCheck", | |
| "route53:GetHealthCheckStatus", | |
| "route53:GetHostedZone", | |
| "route53:ListHostedZones", | |
| "route53:ListHostedZonesByName", | |
| "route53:ListResourceRecordSets", | |
| "tag:GetResources" | |
| ], | |
| "Resource": "*" | |
| } | |
| ] | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "Version": "2012-10-17", | |
| "Statement": | |
| [ | |
| { | |
| "Sid": "VisualEditor0", | |
| "Effect": "Allow", | |
| "Action": | |
| [ | |
| "elasticloadbalancing:AddListenerCertificates", | |
| "elasticloadbalancing:AddTags", | |
| "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", | |
| "elasticloadbalancing:AttachLoadBalancerToSubnets", | |
| "elasticloadbalancing:ConfigureHealthCheck", | |
| "elasticloadbalancing:CreateListener", | |
| "elasticloadbalancing:CreateLoadBalancer", | |
| "elasticloadbalancing:CreateLoadBalancerListeners", | |
| "elasticloadbalancing:CreateLoadBalancerPolicy", | |
| "elasticloadbalancing:CreateRule", | |
| "elasticloadbalancing:CreateTargetGroup", | |
| "elasticloadbalancing:DeleteListener", | |
| "elasticloadbalancing:DeleteLoadBalancer", | |
| "elasticloadbalancing:DeleteLoadBalancerListeners", | |
| "elasticloadbalancing:DeleteRule", | |
| "elasticloadbalancing:DeleteTargetGroup", | |
| "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", | |
| "elasticloadbalancing:DeregisterTargets", | |
| "elasticloadbalancing:DescribeInstanceHealth", | |
| "elasticloadbalancing:DescribeListenerCertificates", | |
| "elasticloadbalancing:DescribeListeners", | |
| "elasticloadbalancing:DescribeLoadBalancerAttributes", | |
| "elasticloadbalancing:DescribeLoadBalancers", | |
| "elasticloadbalancing:DescribeRules", | |
| "elasticloadbalancing:DescribeSSLPolicies", | |
| "elasticloadbalancing:DescribeTags", | |
| "elasticloadbalancing:DescribeTargetGroupAttributes", | |
| "elasticloadbalancing:DescribeTargetGroups", | |
| "elasticloadbalancing:DescribeTargetHealth", | |
| "elasticloadbalancing:DetachLoadBalancerFromSubnets", | |
| "elasticloadbalancing:DisableAvailabilityZonesForLoadBalancer", | |
| "elasticloadbalancing:EnableAvailabilityZonesForLoadBalancer", | |
| "elasticloadbalancing:ModifyListener", | |
| "elasticloadbalancing:ModifyLoadBalancerAttributes", | |
| "elasticloadbalancing:ModifyRule", | |
| "elasticloadbalancing:ModifyTargetGroup", | |
| "elasticloadbalancing:ModifyTargetGroupAttributes", | |
| "elasticloadbalancing:RegisterInstancesWithLoadBalancer", | |
| "elasticloadbalancing:RegisterTargets", | |
| "elasticloadbalancing:RemoveListenerCertificates", | |
| "elasticloadbalancing:RemoveTags", | |
| "elasticloadbalancing:SetIpAddressType", | |
| "elasticloadbalancing:SetLoadBalancerListenerSSLCertificate", | |
| "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", | |
| "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", | |
| "elasticloadbalancing:SetRulePriorities", | |
| "elasticloadbalancing:SetSecurityGroups", | |
| "elasticloadbalancing:SetSubnets", | |
| "elasticloadbalancing:SetWebAcl" | |
| ], | |
| "Resource": "*" | |
| } | |
| ] | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment