server - update aws machine prov policy for explicit subnets (#9496)

atulsingh0 · web-flow · commit 43236325ee0a · 2025-08-13T13:55:28.000-04:00
diff --git a/docs/server-admin/modules/ROOT/partials/installation/phase-3.adoc b/docs/server-admin/modules/ROOT/partials/installation/phase-3.adoc
@@ -699,11 +699,18 @@ aws iam create-policy --policy-name circleci-vm --policy-document file://<POLICY
         "arn:aws:ec2:*:*:launch-template/*",
         "arn:aws:ec2:*:*:network-interface/*",
         "arn:aws:ec2:*:*:placement-group/*",
-        "arn:aws:ec2:*:*:subnet/*",
         "arn:aws:ec2:*:*:security-group/<SECURITY_GROUP_ID>",
         "arn:aws:ec2:*:*:volume/*"
       ]
     },
+    {
+      "Action": "ec2:RunInstances",
+      "Effect": "Allow",
+      "Resource": [
+        "arn:aws:ec2:*:*:subnet/<SUBNET_ID_1>",
+        "arn:aws:ec2:*:*:subnet/<SUBNET_ID_2>"
+      ]
+    },
     {
       "Action": "ec2:RunInstances",
       "Effect": "Allow",
@@ -729,7 +736,7 @@ aws iam create-policy --policy-name circleci-vm --policy-document file://<POLICY
       "Resource": "arn:aws:ec2:*:*:*/*",
       "Condition": {
         "StringEquals": {
-          "ec2:CreateAction" : "RunInstances"
+          "ec2:CreateAction": "RunInstances"
         }
       }
     },
@@ -756,10 +763,13 @@ aws iam create-policy --policy-name circleci-vm --policy-document file://<POLICY
         "ec2:TerminateInstances"
       ],
       "Effect": "Allow",
-      "Resource": "arn:aws:ec2:*:*:subnet/*",
+      "Resource": "arn:aws:ec2:*:*:instance/*",
       "Condition": {
-        "StringEquals": {
-          "ec2:Vpc": "<VPC_ID>"
+        "StringLike": {
+          "ec2:Subnet": [
+            "arn:aws:ec2:*:*:subnet/<SUBNET_ID_1>",
+            "arn:aws:ec2:*:*:subnet/<SUBNET_ID_2>"
+          ]
         }
       }
     }
@@ -831,11 +841,18 @@ Create a `policy.json` file with the following content. You should fill in the I
         "arn:aws:ec2:*:*:launch-template/*",
         "arn:aws:ec2:*:*:network-interface/*",
         "arn:aws:ec2:*:*:placement-group/*",
-        "arn:aws:ec2:*:*:subnet/*",
         "arn:aws:ec2:*:*:security-group/<SECURITY_GROUP_ID>",
         "arn:aws:ec2:*:*:volume/*"
       ]
     },
+    {
+      "Action": "ec2:RunInstances",
+      "Effect": "Allow",
+      "Resource": [
+        "arn:aws:ec2:*:*:subnet/<SUBNET_ID_1>",
+        "arn:aws:ec2:*:*:subnet/<SUBNET_ID_2>"
+      ]
+    },
     {
       "Action": "ec2:RunInstances",
       "Effect": "Allow",
@@ -888,10 +905,13 @@ Create a `policy.json` file with the following content. You should fill in the I
         "ec2:TerminateInstances"
       ],
       "Effect": "Allow",
-      "Resource": "arn:aws:ec2:*:*:subnet/*",
+      "Resource": "arn:aws:ec2:*:*:instance/*",
       "Condition": {
-        "StringEquals": {
-          "ec2:Vpc": "<VPC_ID>"
+        "StringLike": {
+          "ec2:Subnet": [
+            "arn:aws:ec2:*:*:subnet/<SUBNET_ID_1>",
+            "arn:aws:ec2:*:*:subnet/<SUBNET_ID_2>"
+          ]
         }
       }
     }
