ansible/hacking/aws_config/testing_policies/ec2-policy.json

{# Note that not all EC2 API Actions allow a specific resource #}
{# See http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-api-permissions.html#ec2-api-unsupported-resource-permissions #}
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowUnspecifiedEC2Resource",
            "Effect": "Allow",
            "Action": [
                "ec2:AllocateAddress",
                "ec2:AssociateAddress",
                "ec2:AssociateRouteTable",
                "ec2:AttachInternetGateway",
                "ec2:CreateInternetGateway",
                "ec2:CreateKeyPair",
                "ec2:CreateNatGateway",
                "ec2:CreateRouteTable",
                "ec2:CreateSecurityGroup",
                "ec2:CreateSubnet",
                "ec2:CreateVpc",
                "ec2:DeleteKeyPair",
                "ec2:DeleteNatGateway",
                "ec2:Describe*",
                "ec2:DisassociateAddress",
                "ec2:DisassociateRouteTable",
                "ec2:ImportKeyPair",
                "ec2:ModifyVpcAttribute",
                "ec2:ReleaseAddress",
                "ec2:ReplaceRouteTableAssociation"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowSpecifiedEC2Resource",
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateTags",
                "ec2:DeleteRouteTable",
                "ec2:DeleteSecurityGroup",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:RunInstances",
                "ec2:TerminateInstances"
            ],
            "Resource": [
                "arn:aws:ec2:{{aws_region}}:{{aws_account}}:*"
            ]
        }
    ]
}
Split up testing IAM policies and automate creating them (#26223) * Split up testing IAM policies and automate creating them Move to managed policies to avoid the 5KB limit on policies for an IAM entity. The policy file is templated, so need to make sure that there is an easy mechanism to populate the templates and push the new policies. * Update IAM policies for ec2_scaling_policy tests * Fix RouteTable policies DescribeRouteTable should be plural ModifyRouteTable does not exist, but ReplaceRouteTableAssociation does. * Some IAM policies do not allow specified Resources Various IAM policies do not allow Resources to be specified and should just use ``. This differs per service [Autoscaling](http://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-resources) * [EC2](http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-api-permissions.html#ec2-api-unsupported-resource-permissions) * [ECR](http://docs.aws.amazon.com/AmazonECR/latest/userguide/ecr-supported-iam-actions-resources.html) * [ELB](http://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/load-balancer-authentication-access-control.html) * Finish fixing AWS IAM resource specifications for testing Update Lambda and RDS policies 2017-07-14 06:50:55 +02:00			`{# Note that not all EC2 API Actions allow a specific resource #}`
			`{# See http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-api-permissions.html#ec2-api-unsupported-resource-permissions #}`
			`{`
			`"Version": "2012-10-17",`
			`"Statement": [`
			`{`
			`"Sid": "AllowUnspecifiedEC2Resource",`
			`"Effect": "Allow",`
			`"Action": [`
			`"ec2:AllocateAddress",`
			`"ec2:AssociateAddress",`
			`"ec2:AssociateRouteTable",`
			`"ec2:AttachInternetGateway",`
			`"ec2:CreateInternetGateway",`
			`"ec2:CreateKeyPair",`
			`"ec2:CreateNatGateway",`
			`"ec2:CreateRouteTable",`
			`"ec2:CreateSecurityGroup",`
			`"ec2:CreateSubnet",`
			`"ec2:CreateVpc",`
			`"ec2:DeleteKeyPair",`
			`"ec2:DeleteNatGateway",`
			`"ec2:Describe*",`
			`"ec2:DisassociateAddress",`
			`"ec2:DisassociateRouteTable",`
			`"ec2:ImportKeyPair",`
			`"ec2:ModifyVpcAttribute",`
			`"ec2:ReleaseAddress",`
			`"ec2:ReplaceRouteTableAssociation"`
			`],`
			`"Resource": "*"`
			`},`
			`{`
			`"Sid": "AllowSpecifiedEC2Resource",`
			`"Effect": "Allow",`
			`"Action": [`
			`"ec2:AuthorizeSecurityGroupIngress",`
			`"ec2:CreateTags",`
			`"ec2:DeleteRouteTable",`
			`"ec2:DeleteSecurityGroup",`
			`"ec2:RevokeSecurityGroupEgress",`
			`"ec2:RevokeSecurityGroupIngress",`
			`"ec2:RunInstances",`
			`"ec2:TerminateInstances"`
			`],`
			`"Resource": [`
			`"arn:aws:ec2:{{aws_region}}:{{aws_account}}:*"`
			`]`
			`}`
			`]`
			`}`