{# Not all Autoscaling API Actions allow specified resources #} {# See http://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-resources #} { "Version": "2012-10-17", "Statement": [ { "Sid": "DescribeAutoscaling", "Effect": "Allow", "Action": [ "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribePolicies" ], "Resource": "*" }, { "Sid": "AllowAutoscaling", "Effect": "Allow", "Action": [ "autoscaling:*LaunchConfiguration", "autoscaling:*AutoScalingGroup", "autoscaling:*MetricsCollection", "autoscaling:PutScalingPolicy", "autoscaling:DeletePolicy" ], "Resource": [ "arn:aws:autoscaling:{{aws_region}}:{{aws_account}}:*" ] }, {# Note that not all EC2 API Actions allow a specific resource #} {# See http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-api-permissions.html#ec2-api-unsupported-resource-permissions #} { "Sid": "AllowUnspecifiedEC2Resource", "Effect": "Allow", "Action": [ "ec2:*LaunchTemplate", "ec2:*LaunchTemplateVersion", "ec2:*LaunchTemplateVersions", "ec2:AllocateAddress", "ec2:AssociateAddress", "ec2:AssociateDhcpOptions", "ec2:AssociateRouteTable", "ec2:AssociateVpcCidrBlock", "ec2:AssociateSubnetCidrBlock", "ec2:AttachInternetGateway", "ec2:AttachNetworkInterface", "ec2:AttachVolume", "ec2:AttachVpnGateway", "ec2:CreateCustomerGateway", "ec2:CreateDhcpOptions", "ec2:CreateImage", "ec2:CreateInternetGateway", "ec2:CreateKeyPair", "ec2:CreateNatGateway", "ec2:CreateNetworkInterface", "ec2:CreateRoute", "ec2:CreateRouteTable", "ec2:CreateSecurityGroup", "ec2:CreateSnapshot", "ec2:CreateSubnet", "ec2:CreateTags", "ec2:CreateVpc", "ec2:CreateVpnConnection", "ec2:CreateVpnGateway", "ec2:DeleteCustomerGateway", "ec2:DeleteDhcpOptions", "ec2:DeleteInternetGateway", "ec2:DeleteKeyPair", "ec2:DeleteNatGateway", "ec2:DeleteNetworkInterface", "ec2:DeleteRoute", "ec2:DeleteRouteTable", "ec2:DeleteSnapshot", "ec2:DeleteSubnet", "ec2:DeleteTags", "ec2:DeleteVpc", "ec2:DeleteVpnConnection", "ec2:DeleteVpnGateway", "ec2:DeregisterImage", "ec2:DetachInternetGateway", "ec2:DetachVpnGateway", "ec2:Describe*", "ec2:DisassociateAddress", "ec2:DisassociateRouteTable", "ec2:DisassociateSubnetCidrBlock", "ec2:ImportKeyPair", "ec2:ModifyImageAttribute", "ec2:ModifyInstanceAttribute", "ec2:ModifySubnetAttribute", "ec2:ModifyVpcAttribute", "ec2:RegisterImage", "ec2:ReleaseAddress", "ec2:ReplaceRouteTableAssociation", "ec2:ReplaceIamInstanceProfileAssociation", "ec2:ReportInstanceStatus" ], "Resource": "*" }, { "Sid": "AllowSpecifiedEC2Resource", "Effect": "Allow", "Action": [ "ec2:AuthorizeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupEgress", "ec2:CreateTags", "ec2:CreateVolume", "ec2:DeleteRouteTable", "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:RevokeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress", "ec2:RunInstances", "ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances", "ec2:UpdateSecurityGroupRuleDescriptionsIngress", "ec2:UpdateSecurityGroupRuleDescriptionsEgress" ], "Resource": [ "arn:aws:ec2:{{aws_region}}::image/*", "arn:aws:ec2:{{aws_region}}:{{aws_account}}:*" ] }, {# According to http://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/load-balancer-authentication-access-control.html #} {# Resource level access control is not possible for the new ELB API (providing Application Load Balancer functionality #} {# While it remains possible for the old API, there is no distinction of the Actions between old API and new API #} { "Sid": "AllowLoadBalancerOperations", "Effect": "Allow", "Action": [ "elasticloadbalancing:AddTags", "elasticloadbalancing:ConfigureHealthCheck", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateLoadBalancer", "elasticloadbalancing:CreateLoadBalancerListeners", "elasticloadbalancing:CreateRule", "elasticloadbalancing:CreateTargetGroup", "elasticloadbalancing:DeleteListener", "elasticloadbalancing:DeleteLoadBalancer", "elasticloadbalancing:DeleteLoadBalancerListeners", "elasticloadbalancing:DeleteRule", "elasticloadbalancing:DeleteTargetGroup", "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", "elasticloadbalancing:DescribeInstanceHealth", "elasticloadbalancing:DescribeLoadBalancer*", "elasticloadbalancing:DescribeTags", "elasticloadbalancing:DisableAvailabilityZonesForLoadBalancer", "elasticloadbalancing:EnableAvailabilityZonesForLoadBalancer", "elasticloadbalancing:ModifyListener", "elasticloadbalancing:ModifyLoadBalancerAttributes", "elasticloadbalancing:ModifyRule", "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RemoveTags" ], "Resource": "*" }, {# Only certain lambda actions can be restricted to a specific resource #} {# http://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html #} { "Sid": "AllowApiGateway", "Effect": "Allow", "Action": [ "apigateway:*" ], "Resource": [ "arn:aws:apigateway:{{aws_region}}::/*" ] }, { "Sid": "AllowGetUserForLambdaCreation", "Effect": "Allow", "Action": [ "iam:GetUser" ], "Resource": [ "arn:aws:iam::{{aws_account}}:user/ansible_integration_tests" ] }, { "Sid": "AllowLambdaManagementWithoutResource", "Effect": "Allow", "Action": [ "lambda:CreateEventSourceMapping", "lambda:GetAccountSettings", "lambda:GetEventSourceMapping", "lambda:List*", "lambda:TagResource", "lambda:UntagResource" ], "Resource": "*" }, { "Sid": "AllowLambdaManagementWithResource", "Effect": "Allow", "Action": [ "lambda:AddPermission", "lambda:CreateAlias", "lambda:CreateFunction", "lambda:DeleteAlias", "lambda:DeleteFunction", "lambda:GetAlias", "lambda:GetFunction", "lambda:GetFunctionConfiguration", "lambda:GetPolicy", "lambda:InvokeFunction", "lambda:PublishVersion", "lambda:RemovePermission", "lambda:UpdateAlias", "lambda:UpdateEventSourceMapping", "lambda:UpdateFunctionCode", "lambda:UpdateFunctionConfiguration" ], "Resource": "arn:aws:lambda:{{aws_region}}:{{aws_account}}:function:*" }, { "Sid": "AllowRoleManagement", "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": [ "arn:aws:iam::{{aws_account}}:role/ansible_lambda_role", "arn:aws:iam::{{aws_account}}:role/ecsInstanceRole", "arn:aws:iam::{{aws_account}}:role/ec2InstanceRole", "arn:aws:iam::{{aws_account}}:role/ecsServiceRole", "arn:aws:iam::{{aws_account}}:role/aws_eks_cluster_role", "arn:aws:iam::{{aws_account}}:role/ecsTaskExecutionRole" ] }, { "Sid": "AllowSESManagement", "Effect": "Allow", "Action": [ "ses:VerifyEmailIdentity", "ses:DeleteIdentity", "ses:GetIdentityVerificationAttributes", "ses:GetIdentityNotificationAttributes", "ses:VerifyDomainIdentity", "ses:SetIdentityNotificationTopic", "ses:SetIdentityHeadersInNotificationsEnabled", "ses:SetIdentityFeedbackForwardingEnabled", "ses:GetIdentityPolicies", "ses:PutIdentityPolicy", "ses:DeleteIdentityPolicy", "ses:ListIdentityPolicies", "ses:SetIdentityFeedbackForwardingEnabled", "ses:ListReceiptRuleSets", "ses:DescribeReceiptRuleSet", "ses:DescribeActiveReceiptRuleSet", "ses:SetActiveReceiptRuleSet", "ses:CreateReceiptRuleSet", "ses:DeleteReceiptRuleSet" ], "Resource": [ "*" ] }, { "Sid": "AllowSNSManagement", "Effect": "Allow", "Action": [ "SNS:CreateTopic", "SNS:DeleteTopic", "SNS:GetTopicAttributes", "SNS:ListSubscriptions", "SNS:ListSubscriptionsByTopic", "SNS:ListTopics", "SNS:SetTopicAttributes", "SNS:Subscribe", "SNS:Unsubscribe" ], "Resource": [ "*" ] } ] }