Custom sets of IAM permissions to create Amazon EC2 resources and perform tasks using the Amazon API/CLI.
User Guide
IAM policies for Amazon EC2 (actions, ARN, condition keys) can be found on this page:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html
Custom IAM Policies
Backup Script
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "ec2:Describe*",
      "ec2:CreateSnapshot",
      "ec2:DeleteSnapshot",
      "ec2:CreateTags",
      "ec2:DescribeSnapshots"
    ],
    "Resource": "*"
  }]
}
Automation of Jenkins Slaves
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "ec2:Describe*",
      "ec2:AssociateAddress",
      "ec2:StartInstances",
      "ec2:StopInstances"
    ],
    "Resource": "*"
  }]
}
Start/Stop Specific Instances
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "ec2:StopInstances",
      "ec2:StartInstances"
    ],
    "Resource": [
      "arn:aws:ec2:eu-west-1:12345678900000:instance/i-10fd3456",
      "arn:aws:ec2:eu-west-1:12345678900000:instance/i-12fd3458"
    ]
  }]
}
Read Only EC2, Route53 and S3, plus GetConsoleOutput for Troubleshooting VM Startups
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "ec2:Describe*",
      "ec2:GetConsoleOutput",
      "route53:Get*",
      "route53:List*",
      "s3:Get*",
      "s3:List*"
    ],
    "Resource": "*"
  }]
}
AMI Launch Script
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "ec2:Describe*",
      "ec2:AllocateAddress",
      "ec2:AuthorizeSecurityGroupIngress",
      "ec2:AssociateAddress",
      "ec2:CreateSecurityGroup",
      "ec2:CreateTags",
      "ec2:RunInstances"
    ],
    "Resource": ["*"]
  }]
}
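Hand-written policies like the ones above are easy to get subtly wrong: a statement that repeats the "Resource" key instead of giving a list is still accepted by most JSON parsers, which keep only the last value and silently drop the other ARN. The following added example (not part of the original page or of AWS tooling) loads a policy while rejecting repeated keys and then answers "does this policy allow action X on ARN Y" with IAM-style "*" matching, so the Describe*/Start/Stop grants can be checked before they are attached to a user or role. The two policy strings are constructed sample input; "Deny", "NotAction" and "Condition" are not handled.

```python
import fnmatch
import json

# Constructed sample (not from the page): two "Resource" keys in one object.
# Standard JSON parsers keep only the last one, so i-10fd3456 silently drops out.
BROKEN_POLICY = '''{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["ec2:StopInstances", "ec2:StartInstances"],
  "Resource": "arn:aws:ec2:eu-west-1:12345678900000:instance/i-10fd3456",
  "Resource": "arn:aws:ec2:eu-west-1:12345678900000:instance/i-12fd3458"}]}'''

# The same grant written correctly: one "Resource" key holding a list of ARNs.
FIXED_POLICY = '''{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["ec2:StopInstances", "ec2:StartInstances"],
  "Resource": ["arn:aws:ec2:eu-west-1:12345678900000:instance/i-10fd3456",
               "arn:aws:ec2:eu-west-1:12345678900000:instance/i-12fd3458"]}]}'''

def _reject_duplicate_keys(pairs):
    """object_pairs_hook: fail loudly instead of keeping the last value."""
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise ValueError(f"duplicate key {key!r} in policy JSON")
        obj[key] = value
    return obj

def load_policy(text):
    """Parse a policy document, raising ValueError if any object repeats a key."""
    return json.loads(text, object_pairs_hook=_reject_duplicate_keys)

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allows(policy, action, resource_arn):
    """True if some Allow statement matches both the action and the resource.
    Actions match case-insensitively with '*' wildcards ("ec2:Describe*" covers
    DescribeInstances); resource ARNs match case-sensitively against the pattern."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        action_ok = any(fnmatch.fnmatchcase(action.lower(), pat.lower())
                        for pat in _as_list(stmt.get("Action", [])))
        resource_ok = any(fnmatch.fnmatchcase(resource_arn, pat)
                          for pat in _as_list(stmt.get("Resource", [])))
        if action_ok and resource_ok:
            return True
    return False
```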