{ "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2:Describe*", "ec2:CreateSnapshot", "ec2:CreateVolume", "ec2:DeleteSnapshot", "ec2:DeregisterImage", "ec2:GetConsoleOutput", "ec2:GetConsoleScreenshot", "ec2:ImportKeyPair", "ec2:DeleteKeyPair", "ec2:ModifyInstanceAttribute", "ec2:ModifyNetworkInterfaceAttribute", "ec2:ModifyVolumeAttribute", "ec2:RegisterImage", "elasticloadbalancing:DescribeLoadBalancer*", "iam:GetUser", "iam:ListInstanceProfiles", "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:DeleteSubnet", "ec2:CreateDhcpOptions", "ec2:DeleteVpc", "ec2:CreateVpc", "ec2:ModifyVpcAttribute", "ec2:AssociateDhcpOptions", "ec2:CreateInternetGateway", "ec2:CreateSubnet", "ec2:CreateNetworkAclEntry", "ec2:CreateRouteTable", "ec2:AssociateRouteTable", "ec2:AttachInternetGateway", "ec2:ReplaceNetworkAclAssociation", "ec2:CreateTags", "ec2:CreateRoute", "ec2:AllocateAddress", "ec2:AssociateAddress", "ec2:DisassociateAddress", "ec2:ReleaseAddress", "ec2:DetachInternetGateway", "outposts:GetOutpostInstanceTypes" ], "Resource": "*", "Effect": "Allow" }, { "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::[ACCOUNT_ID]:role/[ROLE_NAME]" }, { "Action": [ "ec2:RunInstances", "ec2:DeleteDhcpOptions", "ec2:DeleteNetworkAclEntry", "ec2:RevokeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress" ], "Resource": [ "arn:aws:ec2:*::image/*", "arn:aws:ec2:*:[ACCOUNT_ID]:instance/*", "arn:aws:ec2:*:[ACCOUNT_ID]:key-pair/*", "arn:aws:ec2:*:[ACCOUNT_ID]:network-interface/*", "arn:aws:ec2:*:[ACCOUNT_ID]:placement-group/*", "arn:aws:ec2:*:[ACCOUNT_ID]:security-group/*", "arn:aws:ec2:*:[ACCOUNT_ID]:snapshot/*", "arn:aws:ec2:*:[ACCOUNT_ID]:subnet/*", "arn:aws:ec2:*:[ACCOUNT_ID]:volume/*", "arn:aws:ec2:*:[ACCOUNT_ID]:dhcp-options/*", "arn:aws:ec2:*:[ACCOUNT_ID]:network-acl/*", "arn:aws:ec2:*:[ACCOUNT_ID]:vpc/*" ], "Effect": "Allow" }, { "Action": "ec2:CreateTags", "Resource": [ "arn:aws:ec2:*::image/*", "arn:aws:ec2:*::network-interface/*", "arn:aws:ec2:*:[ACCOUNT_ID]:security-group/*", "arn:aws:ec2:*::snapshot/*", "arn:aws:ec2:*:[ACCOUNT_ID]:dhcp-options/*", "arn:aws:ec2:*:[ACCOUNT_ID]:subnet/*" ], "Effect": "Allow" }, { "Effect": "Allow", "Action": [ "ec2:CreateTags" ], "Resource": "arn:aws:ec2:*:[ACCOUNT_ID]:*/*", "Condition": { "StringEquals": { "ec2:CreateAction": "RunInstances" } } }, { "Effect": "Allow", "Action": [ "ec2:CreateTags" ], "Resource": "arn:aws:ec2:*:[ACCOUNT_ID]:*/*", "Condition": { "StringEquals": { "ec2:CreateAction": "CreateVolume" } } }, { "Condition": { "StringLike": { "ec2:ResourceTag/Name": "CloudEndure*" } }, "Action": [ "ec2:AttachVolume", "ec2:DetachVolume", "ec2:DeleteVolume", "ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances", "ec2:Delete*", "ec2:RevokeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress" ], "Resource": [ "arn:aws:ec2:*:[ACCOUNT_ID]:instance/*", "arn:aws:ec2:*:[ACCOUNT_ID]:volume/*", "arn:aws:ec2:*:[ACCOUNT_ID]:security-group/*", "arn:aws:ec2:*:[ACCOUNT_ID]:dhcp-options/*" ], "Effect": "Allow" }, { "Condition": { "StringLike": { "ec2:ResourceTag/CloudEndure creation time": "*" } }, "Action": [ "ec2:AttachVolume", "ec2:DetachVolume", "ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances", "ec2:DeleteVolume", "ec2:DeleteInternetGateway", "ec2:DeleteNetworkAcl", "ec2:DeleteRoute", "ec2:Delete*", "ec2:RevokeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress" ], "Resource": [ "arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:*:*:security-group/*", "arn:aws:ec2:*:[ACCOUNT_ID]:dhcp-options/*" ], "Effect": "Allow" }, { "Effect": "Allow", "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:CreateGrant", "kms:DescribeKey" ], "Resource": [ "arn:aws:kms:us-east-1:[ACCOUNT_ID]:key/[KMS_KEY]" ] }, { "Effect": "Allow", "Action": [ "kms:ListKeys" ], "Resource": [ "*" ] } ] }