{ "Statement": [ { "Sid": "CloudFormationFull", "Action": [ "cloudformation:*" ], "Effect": "Allow", "Resource": [ "*" ] }, { "Sid": "CloudWatchMetric", "Action": [ "cloudwatch:PutMetricAlarm", "cloudwatch:DeleteAlarms", "cloudwatch:DescribeAlarms" ], "Effect": "Allow", "Resource": [ "*" ] }, { "Sid": "DynamoDBFull", "Action": [ "dynamodb:*" ], "Effect": "Allow", "Resource": [ "*" ] }, { "Sid": "LogsFull", "Action": [ "logs:CreateLogGroup" ], "Effect": "Allow", "Resource": [ "*" ] }, { "Sid": "LogsLimited", "Action": [ "logs:CreateLogStream", "logs:DescribeLogStreams", "logs:PutLogEvents", "logs:PutRetentionPolicy" ], "Effect": "Allow", "Resource": [ "arn:aws:logs:*:*:log-group:/aws/eks/*:*" ] }, { "Sid": "EnterpriseKubernetesServiceFull", "Action": [ "eks:*" ], "Effect": "Allow", "Resource": [ "*" ] }, { "Sid": "PerformanceInsightsLimited", "Action": [ "pi:*" ], "Effect": "Allow", "Resource": [ "arn:aws:pi:*:*:metrics/rds/*" ] }, { "Sid": "ElasticLoadBalancingFull", "Action": [ "elasticloadbalancing:*" ], "Effect": "Allow", "Resource": [ "*" ] }, { "Sid": "RelationalDatabaseServiceFull", "Action": [ "rds:*" ], "Effect": "Allow", "Resource": [ "*" ] }, { "Sid": "DomainNameServicesFull", "Action": [ "route53:AssociateVPCWithHostedZone", "route53:ChangeResourceRecordSets", "route53:CreateHostedZone", "route53:GetChange", "route53:ListHostedZones", "route53:ListHostedZonesByName", "route53:ListResourceRecordSets" ], "Effect": "Allow", "Resource": [ "*" ] }, { "Sid": "CertificateManagerFull", "Action": [ "acm:AddTagsToCertificate", "acm:DeleteCertificate", "acm:DescribeCertificate", "acm:GetCertificate", "acm:ListCertificates", "acm:RenewCertificate", "acm:RequestCertificate", "acm:ListTagsForCertificate" ], "Effect": "Allow", "Resource": [ "*" ] }, { "Sid": "SimpleStorageServiceFull", "Action": [ "s3:AbortMultipartUpload", "s3:CreateBucket", "s3:DeleteObject", "s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation", "s3:PutObject", "s3:DeleteBucket", "s3:PutBucketPublicAccessBlock", "s3:PutBucketTagging", "s3:GetEncryptionConfiguration", "s3:PutEncryptionConfiguration" ], "Effect": "Allow", "Resource": [ "*" ] }, { "Sid": "ElasticFileSystemFull", "Action": [ "elasticfilesystem:*" ], "Effect": "Allow", "Resource": [ "*" ] }, { "Sid": "ElasticComputeCloudFull", "Action": [ "ec2:*" ], "Effect": "Allow", "Resource": [ "*" ] }, { "Sid": "IdentityAccessManagementFull", "Action": [ "iam:AttachRolePolicy", "iam:CreateInstanceProfile", "iam:CreateRole", "iam:DeleteInstanceProfile", "iam:DeleteRole", "iam:ListRolePolicies", "iam:GetInstanceProfile", "iam:GetRolePolicy", "iam:ListAttachedRolePolicies", "iam:ListInstanceProfiles", "iam:PutRolePolicy", "iam:PassRole", "iam:GetRole", "iam:AddRoleToInstanceProfile", "iam:RemoveRoleFromInstanceProfile", "iam:DetachRolePolicy", "iam:DeleteRolePolicy", "iam:SimulatePrincipalPolicy", "iam:ListRoles", "iam:TagRole", "iam:UntagRole" ], "Effect": "Allow", "Resource": [ "*" ] }, { "Sid": "IdentityAccessManagementLimited", "Action": [ "iam:CreateServiceLinkedRole" ], "Effect": "Allow", "Resource": [ "arn:aws:iam::*:role/aws-service-role/*" ] }, { "Sid": "AutoScalingFull", "Action": [ "autoscaling:*" ], "Effect": "Allow", "Resource": [ "*" ] }, { "Sid": "ServiceQuotas", "Action": [ "servicequotas:ListServiceQuotas" ], "Effect": "Allow", "Resource": [ "*" ] }, { "Sid": "KeyManagementServiceFull", "Action": [ "kms:CreateAlias", "kms:CreateGrant", "kms:CreateKey", "kms:Decrypt", "kms:EnableKeyRotation", "kms:GenerateRandom", "kms:ListKeys", "kms:ListKeyPolicies", "kms:DescribeKey", "kms:ListAliases", "kms:Encrypt", "kms:TagResource", "kms:DeleteAlias", "kms:PutKeyPolicy", "kms:ScheduleKeyDeletion" ], "Effect": "Allow", "Resource": [ "*" ] }, { "Sid": "ECRAccessRead", "Effect": "Allow", "Action": [ "ecr:DescribeRepositories", "ecr:DescribeImages", "ecr:GetAuthorizationToken" ], "Resource": [ "*" ] }, { "Sid": "DecodeAuthorizationMessage", "Action": [ "sts:DecodeAuthorizationMessage" ], "Effect": "Allow", "Resource": [ "*" ] }, { "Sid": "AllowSsmParams", "Effect": "Allow", "Action": [ "ssm:DescribeParameters", "ssm:GetParameter", "ssm:GetParameters", "ssm:GetParameterHistory", "ssm:GetParametersByPath" ], "Resource": [ "arn:aws:ssm:*:*:parameter/aws/service/eks/optimized-ami/*" ] }, { "Sid": "PriceListService", "Action": [ "pricing:GetProducts" ], "Effect": "Allow", "Resource": [ "*" ] } ], "Version": "2012-10-17" }