
Commit 01b2722

authored
Add AWS Policy to allow deployment and removal of CFTs (#47)
1 parent 7f6d026 commit 01b2722


1 file changed

+272
-0
lines changed

1 file changed

+272
-0
lines changed

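--- a/cloudvision-deployer-policy.json
+++ b/cloudvision-deployer-policy.json
@@ -0,0 +1,272 @@
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Sid": "Vpc",
+"Effect": "Allow",
+"Action": [
+"ec2:AllocateAddress",
+"ec2:AssociateRouteTable",
+"ec2:AttachInternetGateway",
+"ec2:AuthorizeSecurityGroupIngress",
+"ec2:CreateInternetGateway",
+"ec2:CreateNatGateway",
+"ec2:CreateNetworkInterface",
+"ec2:CreateRoute",
+"ec2:CreateRouteTable",
+"ec2:CreateSecurityGroup",
+"ec2:CreateSubnet",
+"ec2:CreateTags",
+"ec2:CreateVpc",
+"ec2:ModifyVpcAttribute",
+"ec2:DeleteSubnet",
+"ec2:DeleteRouteTable",
+"ec2:DeleteInternetGateway",
+"ec2:DeleteNetworkInterface",
+"ec2:DeleteNatGateway",
+"ec2:DeleteRoute",
+"ec2:DeleteSecurityGroup",
+"ec2:DeleteVpc",
+"ec2:DetachInternetGateway",
+"ec2:DisassociateAddress",
+"ec2:DisassociateRouteTable",
+"ec2:ReleaseAddress"
+],
+"Resource": [
+"arn:aws:ec2:*:845151661675:vpc-peering-connection/*",
+"arn:aws:ec2:*:845151661675:network-interface/*",
+"arn:aws:ec2:*:845151661675:ipv6pool-ec2/*",
+"arn:aws:ec2:*:845151661675:vpc-endpoint/*",
+"arn:aws:ec2:*:845151661675:instance/*",
+"arn:aws:ec2:*:845151661675:vpc/*",
+"arn:aws:ec2:*:845151661675:vpn-gateway/*",
+"arn:aws:ec2:*:845151661675:ipv4pool-ec2/*",
+"arn:aws:ec2:*:845151661675:local-gateway/*",
+"arn:aws:ec2:*:845151661675:carrier-gateway/*",
+"arn:aws:ec2:*:845151661675:route-table/*",
+"arn:aws:ec2:*:845151661675:natgateway/*",
+"arn:aws:ec2:*:845151661675:prefix-list/*",
+"arn:aws:ec2:*:845151661675:security-group/*",
+"arn:aws:ec2:*:845151661675:internet-gateway/*",
+"arn:aws:ec2:*:845151661675:subnet/*",
+"arn:aws:ec2:*:845151661675:egress-only-internet-gateway/*",
+"arn:aws:ec2:*:845151661675:transit-gateway/*",
+"arn:aws:ec2:*:845151661675:elastic-ip/*"
+]
+},
+{
+"Sid": "VpcDescribe",
+"Effect": "Allow",
+"Action": [
+"ec2:DescribeAccountAttributes",
+"ec2:DescribeAddresses",
+"ec2:DescribeAvailabilityZones",
+"ec2:DescribeInternetGateways",
+"ec2:DescribeNatGateways",
+"ec2:DescribeNetworkInterfaces",
+"ec2:DescribeRouteTables",
+"ec2:DescribeSecurityGroups",
+"ec2:DescribeSubnets",
+"ec2:DescribeVpcs"
+],
+"Resource": "*"
+},
+{
+"Sid": "CloudTrail",
+"Effect": "Allow",
+"Action": [
+"cloudtrail:CreateTrail",
+"cloudtrail:StartLogging",
+"cloudtrail:DeleteTrail"
+],
+"Resource": [
+"arn:aws:cloudtrail:*:845151661675:trail/*"
+]
+},
+{
+"Sid": "CloudTrailDescribe",
+"Effect": "Allow",
+"Action": [
+"cloudtrail:DescribeTrails"
+],
+"Resource": "*"
+},
+{
+"Sid": "KMSCreate",
+"Effect": "Allow",
+"Action": [
+"kms:CreateKey"
+],
+"Resource": "*"
+},
+{
+"Sid": "KMS",
+"Effect": "Allow",
+"Action": [
+"kms:CreateAlias",
+"kms:DescribeKey",
+"kms:PutKeyPolicy",
+"kms:DeleteAlias",
+"kms:ScheduleKeyDeletion"
+],
+"Resource": [
+"arn:aws:kms:*:845151661675:alias/*",
+"arn:aws:kms:*:845151661675:key/*"
+]
+},
+{
+"Sid": "IAM",
+"Effect": "Allow",
+"Action": [
+"iam:CreateRole",
+"iam:GetRole",
+"iam:GetRolePolicy",
+"iam:PassRole",
+"iam:PutRolePolicy",
+"iam:UpdateAssumeRolePolicy",
+"iam:DeleteRole",
+"iam:DeleteRolePolicy"
+],
+"Resource": [
+"arn:aws:iam::845151661675:role/*"
+]
+},
+{
+"Sid": "S3",
+"Effect": "Allow",
+"Action": [
+"s3:CreateBucket",
+"s3:GetBucketPolicy",
+"s3:GetObject",
+"s3:PutBucketPolicy",
+"s3:PutBucketVersioning",
+"s3:PutLifecycleConfiguration",
+"s3:PutObject",
+"s3:DeleteBucket",
+"s3:DeleteBucketPolicy"
+],
+"Resource": "*"
+},
+{
+"Sid": "SSM",
+"Effect": "Allow",
+"Action": [
+"ssm:AddTagsToResource",
+"ssm:GetParameter",
+"ssm:GetParameters",
+"ssm:PutParameter",
+"ssm:DeleteParameter",
+"ssm:RemoveTagsFromResource"
+],
+"Resource": "arn:aws:ssm:*:845151661675:parameter/*"
+},
+{
+"Sid": "SSMDescribe",
+"Effect": "Allow",
+"Action": [
+"ssm:DescribeParameters"
+],
+"Resource": "*"
+},
+{
+"Sid": "ECS",
+"Effect": "Allow",
+"Action": [
+"ecs:CreateService",
+"ecs:DescribeClusters",
+"ecs:DescribeServices",
+"ecs:UpdateService",
+"ecs:DeleteCluster",
+"ecs:DeleteService"
+
+],
+"Resource": [
+"arn:aws:ecs:*:845151661675:service/*",
+"arn:aws:ecs:*:845151661675:cluster/*"
+]
+},
+{
+"Sid": "ECSUnscoped",
+"Effect": "Allow",
+"Action": [
+"ecs:CreateCluster",
+"ecs:DescribeTaskDefinition",
+"ecs:RegisterTaskDefinition",
+"ecs:DeregisterTaskDefinition"
+],
+"Resource": "*"
+},
+{
+"Sid": "Cloudwatch",
+"Effect": "Allow",
+"Action": [
+"logs:CreateLogGroup",
+"logs:CreateLogStream",
+"logs:DescribeLogGroups",
+"logs:DescribeLogStreams",
+"logs:PutRetentionPolicy",
+"logs:DeleteLogGroup",
+"logs:DeleteLogStream",
+"logs:DeleteRetentionPolicy"
+],
+"Resource": "*"
+},
+{
+"Sid": "SQS",
+"Effect": "Allow",
+"Action": [
+"sqs:AddPermission",
+"sqs:CreateQueue",
+"sqs:GetQueueAttributes",
+"sqs:SetQueueAttributes",
+"sqs:DeleteQueue",
+"sqs:RemovePermission"
+],
+"Resource": [
+"arn:aws:sqs:*:845151661675:*"
+]
+},
+
+{
+"Sid": "SQSList",
+"Effect": "Allow",
+"Action": [
+"sqs:ListQueues"
+],
+"Resource": "*"
+},
+{
+"Sid": "SNS",
+"Effect": "Allow",
+"Action": [
+"sns:CreateTopic",
+"sns:GetTopicAttributes",
+"sns:SetTopicAttributes",
+"sns:Subscribe",
+"sns:DeleteTopic"
+],
+"Resource": [
+"arn:aws:sns:*:845151661675:*"
+]
+},
+{
+"Sid": "SNSUnsubscribe",
+"Effect": "Allow",
+"Action": [
+"sns:Unsubscribe"
+],
+"Resource": "*"
+},
+{
+"Sid": "CodeBuild",
+"Effect": "Allow",
+"Action": [
+"codebuild:CreateProject",
+"codebuild:DeleteProject"
+],
+"Resource": [
+"arn:aws:codebuild:*:845151661675:project/*"
+]
+}
+]
+}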
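Review bot: The `S3` statement (Sid at new line 135) grants `s3:GetObject`, `s3:PutObject`, `s3:PutBucketPolicy` and `s3:DeleteBucket` on `"Resource": "*"`, so the deployer can read, write, re-policy or delete any bucket in the account rather than only the buckets its templates create, and the same shape is used for `logs:DeleteLogGroup` in `Cloudwatch`. Each listed S3 action accepts a bucket or object ARN, so the resource should be narrowed to the deployment buckets, e.g. `"Resource": ["arn:aws:s3:::<deployer-bucket-prefix>*", "arn:aws:s3:::<deployer-bucket-prefix>*/*"]` (placeholder prefix; substitute the naming the CFTs actually emit). The `IAM` statement has the related problem that `iam:PassRole` on `role/*` lets the deployer hand any existing role in the account to a service; scoping the role ARN to the deployer's naming prefix and adding a `Condition` on `iam:PassedToService` for the services the templates create (presumably ECS and CodeBuild, given the other statements) would confine it. Separately, the commit title says the policy enables deploying and removing CFTs, yet no `cloudformation:*` action appears in the 272 lines; if a managed CloudFormation policy is meant to be attached alongside, that dependency is worth recording in the README or the PR description since the JSON file cannot carry a comment.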
