From 3582f26539cf2e884ef4375069e770df398a7a3f Mon Sep 17 00:00:00 2001
From: Michele Cereda <cereda.michele@gmail.com>
Date: Thu, 21 Nov 2024 01:11:29 +0100
Subject: [PATCH] feat(examples/aws): policy to run ec2 instances

---
 .../aws/iam.policies/run-ec2-instances.json   | 102 ++++++++++++++++++
 1 file changed, 102 insertions(+)
 create mode 100644 examples/aws/iam.policies/run-ec2-instances.json

diff --git a/examples/aws/iam.policies/run-ec2-instances.json b/examples/aws/iam.policies/run-ec2-instances.json
new file mode 100644
index 0000000..2059a93
--- /dev/null
+++ b/examples/aws/iam.policies/run-ec2-instances.json
@@ -0,0 +1,102 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "AllowListingEC2Resources",
+            "Effect": "Allow",
+            "Action": [
+                "ec2:DescribeImages",
+                "ec2:DescribeInstances",
+                "ec2:DescribeTags",
+                "ec2:DescribeSubnets",
+                "ec2:DescribeSecurityGroups",
+                "ec2:DescribeInstanceStatus"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Sid": "AllowCreatingEC2Instances",
+            "Effect": "Allow",
+            "Action": [
+                "iam:GetInstanceProfile",
+
+                "iam:PassRole",
+
+                "ec2:DescribeInstanceAttribute",
+                "ec2:RunInstances"
+            ],
+            "Resource": [
+                "arn:aws:iam::*:instance-profile/*",
+
+                "arn:aws:iam::*:role/*",
+
+                "arn:aws:ec2:*:*:instance/*",
+                "arn:aws:ec2:*:*:key-pair/*",
+                "arn:aws:ec2:*:*:network-interface/*",
+                "arn:aws:ec2:*:*:security-group/*",
+                "arn:aws:ec2:*:*:subnet/*",
+                "arn:aws:ec2:*:*:volume/*",
+                "arn:aws:ec2:*:*:image/*"
+            ]
+        },
+        {
+            "Sid": "AllowEncryptingEBSVolumes",
+            "Effect": "Allow",
+            "Action": [
+                "kms:GenerateDataKeyWithoutPlaintext",
+                "kms:CreateGrant",
+                "kms:Decrypt"
+            ],
+            "Resource": "arn:aws:kms:*:*:key/*"
+        },
+        {
+            "Sid": "AllowManagingEC2InstancesState",
+            "Effect": "Allow",
+            "Action": [
+                "ec2:StartInstances",
+                "ec2:StopInstances",
+                "ec2:TerminateInstances"
+            ],
+            "Resource": [
+                "arn:aws:ec2:*:*:instance/*"
+            ]
+        },
+        {
+            "Sid": "AllowChangingEC2InstancesForRestoringDumpFiles",
+            "Effect": "Allow",
+            "Action": "ec2:CreateTags",
+            "Resource": [
+                "arn:aws:ec2:*:*:instance/*",
+                "arn:aws:ec2:*:*:volume/*"
+            ]
+        },
+        {
+            "Sid": "AllowConnectingToEC2InstancesViaSsm",
+            "Effect": "Allow",
+            "Action": [
+                "s3:DeleteObject",
+                "s3:GetBucketLocation",
+                "s3:GetObject",
+                "s3:PutObject",
+                "ssm:StartSession",
+                "ssm:TerminateSession"
+            ],
+            "Resource": [
+                "arn:aws:ec2:*:*:instance/*",
+                "arn:aws:s3:::ssm-logs",
+                "arn:aws:s3:::ssm-logs/*",
+                "arn:aws:ssm:*:*:document/SSM-SessionManagerRunShell",
+                "arn:aws:ssm:*:*:session/Executor-*"
+            ],
+            "Condition": {
+                "StringEqualsIgnoreCase": {
+                    "ec2:ResourceTag/Application": "DB",
+                    "ec2:ResourceTag/Component": [
+                        "Operator",
+                        "InstanceManager"
+                    ]
+                }
+            }
+        }
+    ]
+}