{ "Version": "2012-10-17", "Statement": [ { "Sid": "BaselinePolicy", "Effect": "Allow", "Action": [ "ec2:AuthorizeSecurityGroupIngress", "ec2:DeleteSubnet", "ec2:ReplaceRouteTableAssociation", "ec2:DescribeInstances", "ec2:CreateKeyPair", "ec2:CopyImage", "ec2:AttachInternetGateway", "ec2:DescribeSnapshots", "ec2:ReplaceRoute", "ec2:UpdateSecurityGroupRuleDescriptionsIngress", "ec2:AssociateRouteTable", "ec2:DeleteRouteTable", "ec2:DescribeInternetGateways", "ec2:DeleteVolume", "ec2:StartInstances", "ec2:RevokeSecurityGroupEgress", "ec2:CreateRoute", "ec2:CreateInternetGateway", "ec2:DescribeVolumes", "ec2:DeleteInternetGateway", "ec2:UnassignPrivateIpAddresses", "ec2:DescribeKeyPairs", "ec2:DescribeRouteTables", "ec2:DetachVolume", "ec2:UpdateSecurityGroupRuleDescriptionsEgress", "ec2:CreateTags", "ec2:RegisterImage", "ec2:CreateRouteTable", "ec2:RunInstances", "ec2:DetachInternetGateway", "ec2:StopInstances", "ec2:AssignPrivateIpAddresses", "ec2:DisassociateRouteTable", "ec2:CreateVolume", "ec2:RevokeSecurityGroupIngress", "ec2:CancelSpotInstanceRequests", "ec2:AssociateSubnetCidrBlock", "ec2:DeleteNatGateway", "ec2:DeleteVpc", "ec2:AssociateAddress", "ec2:CreateSubnet", "ec2:DescribeSubnets", "ec2:DeleteKeyPair", "ec2:AttachVolume", "ec2:DisassociateAddress", "ec2:DeregisterImage", "ec2:DescribeAddresses", "ec2:DeleteSnapshot", "ec2:RequestSpotInstances", "ec2:CreateNatGateway", "ec2:DescribeInstanceAttribute", "ec2:DescribeRegions", "ec2:CreateVpc", "ec2:DescribeSpotInstanceRequests", "ec2:ModifySubnetAttribute", "ec2:CreateDefaultSubnet", "ec2:DescribeAvailabilityZones", "ec2:CreateSecurityGroup", "ec2:CreateSnapshot", "ec2:ModifyInstanceAttribute", "ec2:DescribeInstanceStatus", "ec2:ReleaseAddress", "ec2:RebootInstances", "ec2:AuthorizeSecurityGroupEgress", "ec2:TerminateInstances", "ec2:DeleteRoute", "ec2:DescribeNatGateways", "ec2:DisassociateSubnetCidrBlock", "ec2:AllocateAddress", "ec2:DescribeSecurityGroups", "ec2:DescribeImages", "ec2:DescribeSecurityGroupReferences", "ec2:DescribeVpcs", "ec2:DeleteSecurityGroup", "ec2:DescribeStaleSecurityGroups" ], "Resource": "*" }, { "Sid": "RequiredIfUsingHeavyStemcells", "Effect": "Allow", "Action": [ "ec2:RegisterImage", "ec2:DeregisterImage" ], "Resource": "*" }, { "Sid": "RequiredIfEncryptingStemcells", "Effect": "Allow", "Action": [ "ec2:CopyImage" ], "Resource": "*" }, { "Sid": "RequiredIfUsingSnapshotsFeature", "Effect": "Allow", "Action": [ "ec2:CreateSnapshot", "ec2:DeleteSnapshot", "ec2:DescribeSnapshots" ], "Resource": "*" }, { "Sid": "RequiredIfUsingElasticIPs", "Effect": "Allow", "Action": [ "ec2:AssociateAddress", "ec2:DescribeAddresses" ], "Resource": "*" }, { "Sid": "RequiredIfUsingSourceDestCheckCloudProperties", "Effect": "Allow", "Action": [ "ec2:ModifyInstanceAttribute" ], "Resource": "*" }, { "Sid": "RequiredIfUsingELBCloudProperties", "Effect": "Allow", "Action": [ "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:RegisterInstancesWithLoadBalancer" ], "Resource": "*" }, { "Sid": "RequiredIfUsingLBTargetGroupCloudProperties", "Effect": "Allow", "Action": [ "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetHealth", "elasticloadbalancing:RegisterTargets" ], "Resource": "*" }, { "Sid": "RequiredIfUsingSpotBidPriceCloudProperties", "Effect": "Allow", "Action": [ "ec2:CancelSpotInstanceRequests", "ec2:DescribeSpotInstanceRequests", "ec2:RequestSpotInstances" ], "Resource": "*" }, { "Sid": "RequiredIfUsingAdvertisedRoutesCloudProperties", "Effect": "Allow", "Action": [ "ec2:CreateRoute", "ec2:DescribeRouteTables", "ec2:ReplaceRoute" ], "Resource": "*" }, { "Sid": "RequiredIfUsingIAMInstanceProfileCloudProperty", "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "arn:aws:iam::*:*" } ] }