feat(examples/aws): policy to run ec2 instances
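--- a/examples/aws/iam.policies/run-ec2-instances.json
+++ b/examples/aws/iam.policies/run-ec2-instances.json
@@ -0,0 +1,102 @@
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Sid": "AllowListingEC2Resources",
+"Effect": "Allow",
+"Action": [
+"ec2:DescribeImages",
+"ec2:DescribeInstances",
+"ec2:DescribeTags",
+"ec2:DescribeSubnets",
+"ec2:DescribeSecurityGroups",
+"ec2:DescribeInstanceStatus"
+],
+"Resource": "*"
+},
+{
+"Sid": "AllowCreatingEC2Instances",
+"Effect": "Allow",
+"Action": [
+"iam:GetInstanceProfile",
+
+"iam:PassRole",
+
+"ec2:DescribeInstanceAttribute",
+"ec2:RunInstances"
+],
+"Resource": [
+"arn:aws:iam::*:instance-profile/*",
+
+"arn:aws:iam::*:role/*",
+
+"arn:aws:ec2:*:*:instance/*",
+"arn:aws:ec2:*:*:key-pair/*",
+"arn:aws:ec2:*:*:network-interface/*",
+"arn:aws:ec2:*:*:security-group/*",
+"arn:aws:ec2:*:*:subnet/*",
+"arn:aws:ec2:*:*:volume/*",
+"arn:aws:ec2:*:*:image/*"
+]
+},
+{
+"Sid": "AllowEncryptingEBSVolumes",
+"Effect": "Allow",
+"Action": [
+"kms:GenerateDataKeyWithoutPlaintext",
+"kms:CreateGrant",
+"kms:Decrypt"
+],
+"Resource": "arn:aws:kms:*:*:key/*"
+},
+{
+"Sid": "AllowManagingEC2InstancesState",
+"Effect": "Allow",
+"Action": [
+"ec2:StartInstances",
+"ec2:StopInstances",
+"ec2:TerminateInstances"
+],
+"Resource": [
+"arn:aws:ec2:*:*:instance/*"
+]
+},
+{
+"Sid": "AllowChangingEC2InstancesForRestoringDumpFiles",
+"Effect": "Allow",
+"Action": "ec2:CreateTags",
+"Resource": [
+"arn:aws:ec2:*:*:instance/*",
+"arn:aws:ec2:*:*:volume/*"
+]
+},
+{
+"Sid": "AllowConnectingToEC2InstancesViaSsm",
+"Effect": "Allow",
+"Action": [
+"s3:DeleteObject",
+"s3:GetBucketLocation",
+"s3:GetObject",
+"s3:PutObject",
+"ssm:StartSession",
+"ssm:TerminateSession"
+],
+"Resource": [
+"arn:aws:ec2:*:*:instance/*",
+"arn:aws:s3:::ssm-logs",
+"arn:aws:s3:::ssm-logs/*",
+"arn:aws:ssm:*:*:document/SSM-SessionManagerRunShell",
+"arn:aws:ssm:*:*:session/Executor-*"
+],
+"Condition": {
+"StringEqualsIgnoreCase": {
+"ec2:ResourceTag/Application": "DB",
+"ec2:ResourceTag/Component": [
+"Operator",
+"InstanceManager"
+]
+}
+}
+}
+]
+}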
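Review bot: The "AllowCreatingEC2Instances" statement grants `iam:PassRole` on `"arn:aws:iam::*:role/*"` with no condition, which lets the policy holder attach any role in any account to an instance they launch and then reach via the SSM statement below, so the effective privilege is whatever the most powerful passable role has rather than what this policy lists. Narrow the resource to the intended instance role, e.g. `"arn:aws:iam::<ACCOUNT_ID>:role/<INSTANCE_ROLE>"`, and pin the target service with `"Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}` in its own statement so the condition does not also constrain `ec2:RunInstances`. A second issue in "AllowConnectingToEC2InstancesViaSsm": the `ec2:ResourceTag/*` keys are not present in the request context of the `s3:*` actions (and, as far as I can tell, `ssm:StartSession` exposes tags as `ssm:resourceTag/*` rather than `ec2:ResourceTag/*`), so the `StringEqualsIgnoreCase` condition evaluates false for those calls and the statement likely allows less than intended; splitting the S3 log-bucket permissions into a separate unconditioned statement and using `ssm:resourceTag/Application` for the session actions would make the intent explicit and testable with the IAM policy simulator.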