From 2313966b2c80cde156b4ac39b42d8cf47f09f015 Mon Sep 17 00:00:00 2001
From: Rennie deGraaf
Date: Tue, 5 Mar 2024 11:00:57 -0800
Subject: [PATCH] AWS minimal permission policy: added it to version control.
---
doc/aws-minimal-permission-policy.json | 166 +++++++++++++++++++++++++
1 file changed, 166 insertions(+)
create mode 100644 doc/aws-minimal-permission-policy.json
diff --git a/doc/aws-minimal-permission-policy.json b/doc/aws-minimal-permission-policy.json
new file mode 100644
index 000000000..ff551fabc
--- /dev/null
+++ b/doc/aws-minimal-permission-policy.json
@@ -0,0 +1,166 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "VisualEditor0",
+ "Effect": "Allow",
+ "Action": [
+ "acm:DescribeCertificate",
+ "acm:ListCertificates",
+ "cloudformation:DescribeStacks",
+ "cloudformation:GetStackPolicy",
+ "cloudformation:GetTemplate",
+ "cloudformation:ListStacks",
+ "cloudtrail:DescribeTrails",
+ "cloudtrail:GetEventSelectors",
+ "cloudtrail:GetTrailStatus",
+ "cloudwatch:DescribeAlarms",
+ "cloudfront:ListDistributions",
+ "codebuild:BatchGetProjects",
+ "codebuild:ListProjects",
+ "cognito-identity:DescribeIdentityPool",
+ "cognito-identity:ListIdentityPools",
+ "cognito-idp:DescribeUserPool",
+ "cognito-idp:ListUserPools",
+ "config:DescribeConfigRules",
+ "config:DescribeConfigurationRecorderStatus",
+ "config:DescribeConfigurationRecorders",
+ "directconnect:DescribeConnections",
+ "dynamodb:DescribeContinuousBackups",
+ "dynamodb:DescribeTable",
+ "dynamodb:ListBackups",
+ "dynamodb:ListTables",
+ "dynamodb:ListTagsOfResource",
+ "ec2:DescribeCustomerGateways",
+ "ec2:DescribeFlowLogs",
+ "ec2:DescribeImages",
+ "ec2:DescribeInstanceAttribute",
+ "ec2:DescribeInstances",
+ "ec2:DescribeNetworkAcls",
+ "ec2:DescribeNetworkInterfaceAttribute",
+ "ec2:DescribeNetworkInterfaces",
+ "ec2:DescribeRegions",
+ "ec2:DescribeRouteTables",
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeSnapshotAttribute",
+ "ec2:DescribeSnapshots",
+ "ec2:DescribeSubnets",
+ "ec2:DescribeVolumes",
+ "ec2:DescribeVpcPeeringConnections",
+ "ec2:DescribeVpcs",
+ "ec2:DescribeVpnConnections",
+ "ec2:DescribeVpnGateways",
+ "ec2:GetEbsDefaultKmsKeyId",
+ "ec2:GetEbsEncryptionByDefault",
+ "ecr:DescribeImages",
+ "ecr:DescribeRepositories",
+ "ecr:GetLifecyclePolicy",
+ "ecr:GetRepositoryPolicy",
+ "ecr:ListImages",
+ "ecs:DescribeClusters",
+ "ecs:ListAccountSettings",
+ "ecs:ListClusters",
+ "eks:DescribeCluster",
+ "eks:ListClusters",
+ "elasticache:DescribeCacheClusters",
+ "elasticache:DescribeCacheParameterGroups",
+ "elasticache:DescribeCacheSecurityGroups",
+ "elasticache:DescribeCacheSubnetGroups",
+ "elasticfilesystem:DescribeFileSystems",
+ "elasticfilesystem:DescribeMountTargetSecurityGroups",
+ "elasticfilesystem:DescribeMountTargets",
+ "elasticfilesystem:DescribeTags",
+ "elasticloadbalancing:DescribeListeners",
+ "elasticloadbalancing:DescribeLoadBalancerAttributes",
+ "elasticloadbalancing:DescribeLoadBalancerPolicies",
+ "elasticloadbalancing:DescribeLoadBalancers",
+ "elasticloadbalancing:DescribeSSLPolicies",
+ "elasticloadbalancing:DescribeTags",
+ "elasticmapreduce:DescribeCluster",
+ "elasticmapreduce:ListClusters",
+ "guardduty:GetDetector",
+ "guardduty:ListDetectors",
+ "iam:GenerateCredentialReport",
+ "iam:GetAccountPasswordPolicy",
+ "iam:GetCredentialReport",
+ "iam:GetGroup",
+ "iam:GetGroupPolicy",
+ "iam:GetLoginProfile",
+ "iam:GetPolicy",
+ "iam:GetPolicyVersion",
+ "iam:GetRole",
+ "iam:GetRolePolicy",
+ "iam:GetUserPolicy",
+ "iam:ListAccessKeys",
+ "iam:ListAttachedRolePolicies",
+ "iam:ListEntitiesForPolicy",
+ "iam:ListGroupPolicies",
+ "iam:ListGroups",
+ "iam:ListGroupsForUser",
+ "iam:ListInstanceProfilesForRole",
+ "iam:ListMFADevices",
+ "iam:ListPolicies",
+ "iam:ListRolePolicies",
+ "iam:ListRoleTags",
+ "iam:ListRoles",
+ "iam:ListUserPolicies",
+ "iam:ListUserTags",
+ "iam:ListUsers",
+ "iam:ListVirtualMFADevices",
+ "kms:DescribeKey",
+ "kms:GetKeyPolicy",
+ "kms:GetKeyRotationStatus",
+ "kms:ListAliases",
+ "kms:ListGrants",
+ "kms:ListKeys",
+ "lambda:GetFunctionConfiguration",
+ "lambda:GetPolicy",
+ "lambda:ListFunctions",
+ "logs:DescribeMetricFilters",
+ "rds:DescribeDBClusterSnapshotAttributes",
+ "rds:DescribeDBClusterSnapshots",
+ "rds:DescribeDBClusters",
+ "rds:DescribeDBInstances",
+ "rds:DescribeDBParameterGroups",
+ "rds:DescribeDBParameters",
+ "rds:DescribeDBSecurityGroups",
+ "rds:DescribeDBSnapshotAttributes",
+ "rds:DescribeDBSnapshots",
+ "rds:DescribeDBSubnetGroups",
+ "rds:ListTagsForResource",
+ "redshift:DescribeClusterParameterGroups",
+ "redshift:DescribeClusterParameters",
+ "redshift:DescribeClusterSecurityGroups",
+ "redshift:DescribeClusters",
+ "route53:ListHostedZones",
+ "route53:ListResourceRecordSets",
+ "route53domains:ListDomains",
+ "s3:GetBucketAcl",
+ "s3:GetBucketLocation",
+ "s3:GetBucketLogging",
+ "s3:GetBucketPolicy",
+ "s3:GetBucketTagging",
+ "s3:GetBucketVersioning",
+ "s3:GetBucketWebsite",
+ "s3:GetEncryptionConfiguration",
+ "s3:GetBucketPublicAccessBlock",
+ "s3:ListAllMyBuckets",
+ "secretsmanager:ListSecrets",
+ "secretsmanager:DescribeSecret",
+ "secretsmanager:GetResourcePolicy",
+ "ses:GetIdentityDkimAttributes",
+ "ses:GetIdentityPolicies",
+ "ses:ListIdentities",
+ "ses:ListIdentityPolicies",
+ "ssm:DescribeParameters",
+ "ssm:GetParameters",
+ "sns:GetTopicAttributes",
+ "sns:ListSubscriptions",
+ "sns:ListTopics",
+ "sqs:GetQueueAttributes",
+ "sqs:ListQueues"
+ ],
+ "Resource": "*"
+ }
+ ]
+}