Custom IAM Policies for AWS

Custom sets of IAM permissions to create Amazon EC2 resources and perform tasks using the Amazon API/CLI.

User Guide

IAM policies for Amazon EC2 (actions, ARNs, condition keys) can be found on this page:

http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html

Custom IAM Policies

Backup Script

{ 
 "Version": "2012-10-17",
 "Statement": [
   {
     "Effect": "Allow",
     "Action": [
       "ec2:Describe*",
       "ec2:CreateSnapshot",
       "ec2:DeleteSnapshot",
       "ec2:CreateTags",
       "ec2:DescribeSnapshots"
     ],
     "Resource": "*"
   }]
}

Automation of Jenkins Slaves

{
 "Version": "2012-10-17",
 "Statement": [
   {
     "Effect": "Allow",
     "Action": [
       "ec2:Describe*",
       "ec2:AssociateAddress",
       "ec2:StartInstances",
       "ec2:StopInstances"
     ],
     "Resource": "*"
   }]
}

Start/Stop Specific Instances

{
 "Version": "2012-10-17",
 "Statement": [
   {
     "Effect": "Allow",
     "Action": [
       "ec2:StopInstances",
       "ec2:StartInstances"
     ],
     "Resource": [
       "arn:aws:ec2:eu-west-1:12345678900000:instance/i-10fd3456",
       "arn:aws:ec2:eu-west-1:12345678900000:instance/i-12fd3458"
     ]
   }]
}

Read Only EC2, Route53 and S3, plus GetConsoleOutput for Troubleshooting VM Startups

{
 "Version": "2012-10-17",
 "Statement": [
   {
     "Effect": "Allow",
     "Action": [
       "ec2:Describe*",
       "ec2:GetConsoleOutput",
       "route53:Get*",
       "route53:List*",
       "s3:Get*",
       "s3:List*"
     ],
     "Resource": "*"
   }]
}

AMI Launch Script

{
 "Version": "2012-10-17",
  "Statement": [
    { 
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "ec2:AllocateAddress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:AssociateAddress",
        "ec2:CreateSecurityGroup",
        "ec2:CreateTags",
        "ec2:RunInstances"
      ],
      "Resource": ["*"]
    }]
}
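The policies above are easy to get subtly wrong: a JSON object with two "Resource" keys (as the Start/Stop policy was originally written) parses without error in most tools, which silently keep only the last key, so one of the two instances is dropped from the grant; and several of the policies allow mutating actions such as ec2:DeleteSnapshot or ec2:RunInstances on Resource "*". The following Python script is an added example, not part of the original page: it parses a policy while rejecting duplicate keys and flags statements that allow non-read-only actions on every resource. The `parse_policy` and `lint_policy` functions and the read-only prefix heuristic are this example's own assumptions; the sample policies are constructed from the ones on the page.

```python
import json
from typing import Any, Dict, List, Tuple

# Constructed sample: the Start/Stop policy exactly as it was first written, with a
# duplicated "Resource" key. json.loads() would keep only the second ARN.
DUPLICATE_RESOURCE_POLICY = """{
 "Version": "2012-10-17",
 "Statement": [{
   "Effect": "Allow",
   "Action": ["ec2:StopInstances", "ec2:StartInstances"],
   "Resource": "arn:aws:ec2:eu-west-1:12345678900000:instance/i-10fd3456",
   "Resource": "arn:aws:ec2:eu-west-1:12345678900000:instance/i-12fd3458"
 }]
}"""

# Constructed sample: the corrected form, with both ARNs in one Resource array.
FIXED_POLICY = """{
 "Version": "2012-10-17",
 "Statement": [{
   "Effect": "Allow",
   "Action": ["ec2:StopInstances", "ec2:StartInstances"],
   "Resource": ["arn:aws:ec2:eu-west-1:12345678900000:instance/i-10fd3456",
                "arn:aws:ec2:eu-west-1:12345678900000:instance/i-12fd3458"]
 }]
}"""

# Constructed sample: the page's Backup Script policy (mutating actions on Resource "*").
BACKUP_POLICY = """{
 "Version": "2012-10-17",
 "Statement": [{
   "Effect": "Allow",
   "Action": ["ec2:Describe*", "ec2:CreateSnapshot", "ec2:DeleteSnapshot",
              "ec2:CreateTags", "ec2:DescribeSnapshots"],
   "Resource": "*"
 }]
}"""

# Action verbs treated as read-only by this example's heuristic (an assumption,
# not an AWS definition): Describe*, Get*, List*.
READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def _reject_duplicates(pairs: List[Tuple[str, Any]]) -> Dict[str, Any]:
    """object_pairs_hook that raises instead of silently keeping the last duplicate key."""
    obj: Dict[str, Any] = {}
    for key, value in pairs:
        if key in obj:
            raise ValueError(f"duplicate key {key!r} in policy JSON object")
        obj[key] = value
    return obj


def parse_policy(text: str) -> Dict[str, Any]:
    """Parse an IAM policy document, failing on duplicate keys."""
    return json.loads(text, object_pairs_hook=_reject_duplicates)


def _as_list(value: Any) -> List[Any]:
    # IAM accepts either a single string or a list for Action/Resource/Statement.
    return value if isinstance(value, list) else [value]


def _is_read_only(action: str) -> bool:
    _, _, verb = action.partition(":")
    return bool(verb) and verb.startswith(READ_ONLY_PREFIXES)


def lint_policy(policy: Dict[str, Any]) -> List[str]:
    """Return human-readable findings for over-broad Allow statements."""
    findings: List[str] = []
    if policy.get("Version") != "2012-10-17":
        findings.append("policy Version is not 2012-10-17 (older grammar, no policy variables)")
    for index, statement in enumerate(_as_list(policy.get("Statement", []))):
        if statement.get("Effect") != "Allow":
            continue
        actions = [str(a) for a in _as_list(statement.get("Action", []))]
        resources = [str(r) for r in _as_list(statement.get("Resource", []))]
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {index}: service-wide wildcard action {action!r}")
        if "*" in resources:
            mutating = [a for a in actions if not _is_read_only(a)]
            if mutating:
                findings.append(
                    f"statement {index}: mutating actions {mutating} allowed on Resource '*'"
                )
    return findings


if __name__ == "__main__":
    try:
        parse_policy(DUPLICATE_RESOURCE_POLICY)
    except ValueError as err:
        print("rejected:", err)
    print("fixed policy findings:", lint_policy(parse_policy(FIXED_POLICY)))
    print("backup policy findings:", lint_policy(parse_policy(BACKUP_POLICY)))
```

Run it over any of the documents above before attaching them to a user or role. A finding for Resource "*" is not automatically a bug (ec2:CreateSnapshot genuinely needs the volume ARN, and some EC2 actions only accept "*"), but each one is a grant worth scoping with a resource ARN or a condition key from the EC2 IAM documentation linked at the top of the page.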
