ansible/hacking/aws_config/testing_policies/compute-policy.json

{# Not all Autoscaling API Actions allow specified resources #}
{# See http://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-resources #}
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DescribeAutoscaling",
            "Effect": "Allow",
            "Action": [
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeLaunchConfigurations",
                "autoscaling:DescribePolicies"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowAutoscaling",
            "Effect": "Allow",
            "Action": [
                "autoscaling:CreateLaunchConfiguration",
                "autoscaling:CreateAutoScalingGroup",
                "autoscaling:UpdateAutoScalingGroup",
                "autoscaling:DeleteAutoScalingGroup",
                "autoscaling:DeleteLaunchConfiguration",
                "autoscaling:PutScalingPolicy",
                "autoscaling:DeletePolicy"
            ],
            "Resource": [
                "arn:aws:autoscaling:{{aws_region}}:{{aws_account}}:*"
            ]
        },
{# Note that not all EC2 API Actions allow a specific resource #}
{# See http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-api-permissions.html#ec2-api-unsupported-resource-permissions #}
        {
            "Sid": "AllowUnspecifiedEC2Resource",
            "Effect": "Allow",
            "Action": [
                "ec2:AllocateAddress",
                "ec2:AssociateAddress",
                "ec2:AssociateDhcpOptions",
                "ec2:AssociateRouteTable",
                "ec2:AssociateVpcCidrBlock",
                "ec2:AssociateSubnetCidrBlock",
                "ec2:AttachInternetGateway",
                "ec2:AttachNetworkInterface",
                "ec2:AttachVolume",
                "ec2:AttachVpnGateway",
                "ec2:CreateCustomerGateway",
                "ec2:CreateDhcpOptions",
                "ec2:CreateImage",
                "ec2:CreateInternetGateway",
                "ec2:CreateKeyPair",
                "ec2:CreateNatGateway",
                "ec2:CreateNetworkInterface",
                "ec2:CreateRoute",
                "ec2:CreateRouteTable",
                "ec2:CreateSecurityGroup",
                "ec2:CreateSnapshot",
                "ec2:CreateSubnet",
                "ec2:CreateTags",
                "ec2:CreateVpc",
                "ec2:CreateVpnConnection",
                "ec2:CreateVpnGateway",
                "ec2:DeleteCustomerGateway",
                "ec2:DeleteDhcpOptions",
                "ec2:DeleteInternetGateway",
                "ec2:DeleteKeyPair",
                "ec2:DeleteNatGateway",
                "ec2:DeleteNetworkInterface",
                "ec2:DeleteRoute",
                "ec2:DeleteRouteTable",
                "ec2:DeleteSnapshot",
                "ec2:DeleteSubnet",
                "ec2:DeleteTags",
                "ec2:DeleteVpc",
                "ec2:DeleteVpnConnection",
                "ec2:DeleteVpnGateway",
                "ec2:DeregisterImage",
                "ec2:DetachInternetGateway",
                "ec2:DetachVpnGateway",
                "ec2:Describe*",
                "ec2:DisassociateAddress",
                "ec2:DisassociateRouteTable",
                "ec2:DisassociateSubnetCidrBlock",
                "ec2:ImportKeyPair",
                "ec2:ModifyImageAttribute",
                "ec2:ModifyInstanceAttribute",
                "ec2:ModifySubnetAttribute",
                "ec2:ModifyVpcAttribute",
                "ec2:RegisterImage",
                "ec2:ReleaseAddress",
                "ec2:ReplaceRouteTableAssociation",
                "ec2:ReplaceIamInstanceProfileAssociation",
                "ec2:ReportInstanceStatus"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowSpecifiedEC2Resource",
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:CreateTags",
                "ec2:CreateVolume",
                "ec2:DeleteRouteTable",
                "ec2:DeleteSecurityGroup",
                "ec2:DeleteVolume",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:RunInstances",
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:TerminateInstances",
                "ec2:UpdateSecurityGroupRuleDescriptionsIngress",
                "ec2:UpdateSecurityGroupRuleDescriptionsEgress"
            ],
            "Resource": [
                "arn:aws:ec2:{{aws_region}}::image/*",
                "arn:aws:ec2:{{aws_region}}:{{aws_account}}:*"
            ]
        },
{# According to http://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/load-balancer-authentication-access-control.html #}
{# Resource level access control is not possible for the new ELB API (providing Application Load Balancer functionality #}
{# While it remains possible for the old API, there is no distinction of the Actions between old API and new API #}
        {
            "Sid": "AllowLoadBalancerOperations",
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:AddTags",
                "elasticloadbalancing:ConfigureHealthCheck",
                "elasticloadbalancing:CreateListener",
                "elasticloadbalancing:CreateLoadBalancer",
                "elasticloadbalancing:CreateLoadBalancerListeners",
                "elasticloadbalancing:CreateRule",
                "elasticloadbalancing:CreateTargetGroup",
                "elasticloadbalancing:DeleteListener",
                "elasticloadbalancing:DeleteLoadBalancer",
                "elasticloadbalancing:DeleteLoadBalancerListeners",
                "elasticloadbalancing:DeleteRule",
                "elasticloadbalancing:DeleteTargetGroup",
                "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
                "elasticloadbalancing:DescribeInstanceHealth",
                "elasticloadbalancing:DescribeLoadBalancer*",
                "elasticloadbalancing:DescribeTags",
                "elasticloadbalancing:DisableAvailabilityZonesForLoadBalancer",
                "elasticloadbalancing:EnableAvailabilityZonesForLoadBalancer",
                "elasticloadbalancing:ModifyListener",
                "elasticloadbalancing:ModifyLoadBalancerAttributes",
                "elasticloadbalancing:ModifyRule",
                "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
                "elasticloadbalancing:RemoveTags"
            ],
            "Resource": "*"
        },
{# Only certain lambda actions can be restricted to a specific resource #}
{# http://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html #}
        {
            "Sid": "AllowApiGateway",
            "Effect": "Allow",
            "Action": [
                "apigateway:*"
            ],
            "Resource": [
                "arn:aws:apigateway:{{aws_region}}::/*"
            ]
        },
        {
            "Sid": "AllowGetUserForLambdaCreation",
            "Effect": "Allow",
            "Action": [
                "iam:GetUser"
            ],
            "Resource": [
                "arn:aws:iam::{{aws_account}}:user/ansible_integration_tests"
            ]
        },
        {
            "Sid": "AllowLambdaManagementWithoutResource",
            "Effect": "Allow",
            "Action": [
                "lambda:CreateEventSourceMapping",
                "lambda:GetAccountSettings",
                "lambda:GetEventSourceMapping",
                "lambda:List*",
                "lambda:TagResource",
                "lambda:UntagResource"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowLambdaManagementWithResource",
            "Effect": "Allow",
            "Action": [
                "lambda:AddPermission",
                "lambda:CreateAlias",
                "lambda:CreateFunction",
                "lambda:DeleteAlias",
                "lambda:DeleteFunction",
                "lambda:GetAlias",
                "lambda:GetFunction",
                "lambda:GetFunctionConfiguration",
                "lambda:GetPolicy",
                "lambda:InvokeFunction",
                "lambda:PublishVersion",
                "lambda:RemovePermission",
                "lambda:UpdateAlias",
                "lambda:UpdateEventSourceMapping",
                "lambda:UpdateFunctionCode",
                "lambda:UpdateFunctionConfiguration"
            ],
            "Resource": "arn:aws:lambda:{{aws_region}}:{{aws_account}}:function:*"
        },
        {
            "Sid": "AllowRoleManagement",
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                "arn:aws:iam::{{aws_account}}:role/ansible_lambda_role",
                "arn:aws:iam::{{aws_account}}:role/ecsInstanceRole",
                "arn:aws:iam::{{aws_account}}:role/ec2InstanceRole",
                "arn:aws:iam::{{aws_account}}:role/ecsServiceRole",
                "arn:aws:iam::{{aws_account}}:role/aws_eks_cluster_role",
                "arn:aws:iam::{{aws_account}}:role/ecsTaskExecutionRole"
            ]
        },
        {
          "Sid": "AllowSESManagement",
          "Effect": "Allow",
          "Action": [
            "ses:VerifyEmailIdentity",
            "ses:DeleteIdentity",
            "ses:GetIdentityVerificationAttributes",
            "ses:GetIdentityNotificationAttributes",
            "ses:VerifyDomainIdentity",
            "ses:SetIdentityNotificationTopic",
            "ses:SetIdentityHeadersInNotificationsEnabled",
            "ses:SetIdentityFeedbackForwardingEnabled",
            "ses:GetIdentityPolicies",
            "ses:PutIdentityPolicy",
            "ses:DeleteIdentityPolicy",
            "ses:ListIdentityPolicies",
            "ses:SetIdentityFeedbackForwardingEnabled",
            "ses:ListReceiptRuleSets",
            "ses:DescribeReceiptRuleSet",
            "ses:DescribeActiveReceiptRuleSet",
            "ses:SetActiveReceiptRuleSet",
            "ses:CreateReceiptRuleSet",
            "ses:DeleteReceiptRuleSet"
          ],
          "Resource": [
            "*"
          ]
        },
        {
            "Sid": "AllowSNSManagement",
            "Effect": "Allow",
            "Action": [
              "SNS:CreateTopic",
              "SNS:DeleteTopic",
              "SNS:GetTopicAttributes",
              "SNS:ListSubscriptions",
              "SNS:ListSubscriptionsByTopic",
              "SNS:ListTopics",
              "SNS:SetTopicAttributes",
              "SNS:Subscribe",
              "SNS:Unsubscribe"
            ],
            "Resource": [
              "*"
            ]
        }
    ]
}