server - update aws machine prov policy for explicit subnets (#9495)

atulsingh0 · web-flow · commit 38f12f05aa60 · 2025-08-13T13:55:18.000-04:00
diff --git a/docs/server-admin/modules/ROOT/partials/installation/phase-3.adoc b/docs/server-admin/modules/ROOT/partials/installation/phase-3.adoc
@@ -726,11 +726,18 @@ aws iam create-policy --policy-name circleci-vm --policy-document file://<POLICY
         "arn:aws:ec2:*:*:launch-template/*",
         "arn:aws:ec2:*:*:network-interface/*",
         "arn:aws:ec2:*:*:placement-group/*",
-        "arn:aws:ec2:*:*:subnet/*",
         "arn:aws:ec2:*:*:security-group/<SECURITY_GROUP_ID>",
         "arn:aws:ec2:*:*:volume/*"
       ]
     },
+    {
+      "Action": "ec2:RunInstances",
+      "Effect": "Allow",
+      "Resource": [
+        "arn:aws:ec2:*:*:subnet/<SUBNET_ID_1>",
+        "arn:aws:ec2:*:*:subnet/<SUBNET_ID_2>"
+      ]
+    },
     {
       "Action": "ec2:RunInstances",
       "Effect": "Allow",
@@ -756,7 +763,7 @@ aws iam create-policy --policy-name circleci-vm --policy-document file://<POLICY
       "Resource": "arn:aws:ec2:*:*:*/*",
       "Condition": {
         "StringEquals": {
-          "ec2:CreateAction" : "RunInstances"
+          "ec2:CreateAction": "RunInstances"
         }
       }
     },
@@ -783,10 +790,13 @@ aws iam create-policy --policy-name circleci-vm --policy-document file://<POLICY
         "ec2:TerminateInstances"
       ],
       "Effect": "Allow",
-      "Resource": "arn:aws:ec2:*:*:subnet/*",
+      "Resource": "arn:aws:ec2:*:*:instance/*",
       "Condition": {
-        "StringEquals": {
-          "ec2:Vpc": "<VPC_ID>"
+        "StringLike": {
+          "ec2:Subnet": [
+            "arn:aws:ec2:*:*:subnet/<SUBNET_ID_1>",
+            "arn:aws:ec2:*:*:subnet/<SUBNET_ID_2>"
+          ]
         }
       }
     }
@@ -858,11 +868,18 @@ Create a `policy.json` file with the following content. You should fill in the I
         "arn:aws:ec2:*:*:launch-template/*",
         "arn:aws:ec2:*:*:network-interface/*",
         "arn:aws:ec2:*:*:placement-group/*",
-        "arn:aws:ec2:*:*:subnet/*",
         "arn:aws:ec2:*:*:security-group/<SECURITY_GROUP_ID>"
         "arn:aws:ec2:*:*:volume/*"
       ]
     },
+    {
+      "Action": "ec2:RunInstances",
+      "Effect": "Allow",
+      "Resource": [
+        "arn:aws:ec2:*:*:subnet/<SUBNET_ID_1>",
+        "arn:aws:ec2:*:*:subnet/<SUBNET_ID_2>"
+      ]
+    },
     {
       "Action": "ec2:RunInstances",
       "Effect": "Allow",
@@ -915,10 +932,13 @@ Create a `policy.json` file with the following content. You should fill in the I
         "ec2:TerminateInstances"
       ],
       "Effect": "Allow",
-      "Resource": "arn:aws:ec2:*:*:subnet/*",
+      "Resource": "arn:aws:ec2:*:*:instance/*",
       "Condition": {
-        "StringEquals": {
-          "ec2:Vpc": "<VPC_ID>"
+        "StringLike": {
+          "ec2:Subnet": [
+            "arn:aws:ec2:*:*:subnet/<SUBNET_ID_1>",
+            "arn:aws:ec2:*:*:subnet/<SUBNET_ID_2>"
+          ]
         }
       }
     }
