{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DescribeReadOnlyEc2Resources",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeInstanceTypeOfferings",
                "ec2:DescribeRegions",
                "ec2:DescribeInstances",
                "ec2:DescribeVolumes",
                "ec2:DescribeSnapshots",
                "ec2:DescribeVpcs",
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeRouteTables",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeImages",
                "ec2:DescribeTransitGatewayVpcAttachments",
                "ec2:DescribeVpcPeeringConnections",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeTransitGateways",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeNetworkAcls"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CloudWatchReadOnly",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:Describe*",
                "cloudwatch:Get*",
                "cloudwatch:List*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "IamUserOperations",
            "Effect": "Allow",
            "Action": [
                "iam:GetUser",
                "iam:GetUserPolicy",
                "iam:ChangePassword"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "RolePolicyUserReadActions",
            "Action": [
                "iam:GetRole",
                "iam:GetPolicy",
                "iam:ListUsers",
                "iam:ListPolicies",
                "iam:ListRolePolicies",
                "iam:ListAttachedRolePolicies",
                "iam:ListInstanceProfiles",
                "iam:ListInstanceProfilesForRole",
                "iam:SimulatePrincipalPolicy"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Sid": "PassRlClusterNodeRole",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::*:role/redislabs-cluster-node-role"
        },
        {
            "Sid": "CreateEc2ResourcesWithoutTag",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTags",
                "ec2:RunInstances",
                "ec2:ImportKeyPair",
                "ec2:CreateKeyPair",
                "ec2:CreateVpc",
                "ec2:CreateSecurityGroup",
                "ec2:CreateInternetGateway",
                "ec2:CreateRouteTable",
                "ec2:CreateSubnet",
                "ec2:CreateSnapshot",
                "ec2:CreateTransitGateway",
                "ec2:AssociateVpcCidrBlock",
                "ec2:CreateTransitGatewayVpcAttachment",
                "ec2:AttachInternetGateway",
                "ec2:ReplaceRoute"
            ],
            "Resource": "*"
        },
        {
            "Sid": "ForceUnderlyingResourcesToHaveIdentifierTags",
            "Effect": "Deny",
            "Action": [
                "ec2:RunInstances",
                "ec2:CreateKeyPair"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:instance/*",
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*:*:keypair/*"
            ],
            "Condition": {
                "Null": {
                    "aws:RequestTag/RedisLabsIdentifier": "true"
                }
            }
        },
        {
            "Sid": "AllowVpcPeeringManagement",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateVpcPeeringConnection",
                "ec2:AcceptVpcPeeringConnection"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowVpcPeeringDeletion",
            "Effect": "Allow",
            "Action": [
                "ec2:DeleteVpcPeeringConnection"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/RedisLabsIdentifier": "Redislabs-VPC"
                }
            }
        },
        {
            "Sid": "CreateEc2Resources",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateVolume",
                "ec2:CreateRoute",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:AuthorizeSecurityGroupEgress"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/RedisLabsIdentifier": "Redislabs-VPC"
                }
            }
        },
        {
            "Sid": "ModifyEc2Resources",
            "Effect": "Allow",
            "Action": [
                "ec2:AttachVolume",
                "ec2:ModifyInstanceAttribute",
                "ec2:ModifySubnetAttribute",
                "ec2:AssociateRouteTable",
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:RebootInstances"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/RedisLabsIdentifier": "Redislabs-VPC"
                }
            }
        },
        {
            "Sid": "DeleteEc2Resources",
            "Effect": "Allow",
            "Action": [
                "ec2:TerminateInstances",
                "ec2:DeleteVolume",
                "ec2:DeleteSnapshot",
                "ec2:DetachVolume",
                "ec2:DeleteKeyPair",
                "ec2:DeleteTags",
                "ec2:DeleteSubnet",
                "ec2:DeleteSecurityGroup",
                "ec2:DeleteRouteTable",
                "ec2:DeleteRoute",
                "ec2:DeleteInternetGateway",
                "ec2:DeleteVpc"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/RedisLabsIdentifier": "Redislabs-VPC"
                }
            }
        },
        {
            "Sid": "DeleteEc2ResourcesWithoutTag",
            "Effect": "Allow",
            "Action": [
                "ec2:RevokeSecurityGroupIngress",
                "ec2:RejectVpcPeeringConnection",
                "ec2:DeleteTransitGatewayVpcAttachment",
                "ec2:DeleteTransitGateway",
                "ec2:DetachInternetGateway"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CreateAndChangeServiceLinkedRoleForTransitGateway",
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/transitgateway.amazonaws.com/AWSServiceRoleForVPCTransitGateway*",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "transitgateway.amazonaws.com"
                }
            }
        },
        {
            "Sid": "RolePolicyForTransitGateway",
            "Effect": "Allow",
            "Action": [
                "iam:AttachRolePolicy",
                "iam:PutRolePolicy"
            ],
            "Resource": "arn:aws:iam::*:role/aws-service-role/transitgateway.amazonaws.com/AWSServiceRoleForVPCTransitGateway*"
        },
        {
            "Sid": "AllowEncryptedVolumeCreation",
            "Effect": "Allow",
            "Action": [
                "kms:GenerateDataKeyWithoutPlaintext",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowAttachDetachOfEncryptedVolumes",
            "Effect": "Allow",
            "Action": [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        }
    ]
}