
Minimum IAM policy

This document describes the minimum IAM policy required to run the core examples exercised in our E2E workflow; it is mainly focused on the list of IAM actions.

Note: The policy's Resource element is set to * so that the listed actions are allowed on all resources; this is not a recommended practice. Because the list includes actions such as iam:CreateRole, iam:AttachRolePolicy and iam:PassRole, an unscoped Resource makes the policy far broader than the examples need, so scope it to specific resource ARNs before using it outside the E2E workflow.

{
  "Version": "2012-10-17",
  "Statement": [
      {
          "Effect": "Allow",
          "Action": [
              "aps:CreateAlertManagerDefinition",
              "aps:CreateWorkspace",
              "aps:DeleteAlertManagerDefinition",
              "aps:DeleteWorkspace",
              "aps:DescribeAlertManagerDefinition",
              "aps:DescribeWorkspace",
              "aps:ListTagsForResource",
              "autoscaling:CreateAutoScalingGroup",
              "autoscaling:CreateOrUpdateTags",
              "autoscaling:DeleteAutoScalingGroup",
              "autoscaling:DeleteLifecycleHook",
              "autoscaling:DeleteTags",
              "autoscaling:DescribeAutoScalingGroups",
              "autoscaling:DescribeLifecycleHooks",
              "autoscaling:DescribeTags",
              "autoscaling:PutLifecycleHook",
              "autoscaling:SetInstanceProtection",
              "autoscaling:UpdateAutoScalingGroup",
              "ec2:AllocateAddress",
              "ec2:AssociateRouteTable",
              "ec2:AttachInternetGateway",
              "ec2:AuthorizeSecurityGroupEgress",
              "ec2:AuthorizeSecurityGroupIngress",
              "ec2:CreateEgressOnlyInternetGateway",
              "ec2:CreateInternetGateway",
              "ec2:CreateLaunchTemplate",
              "ec2:CreateNatGateway",
              "ec2:CreateNetworkAclEntry",
              "ec2:CreateRoute",
              "ec2:CreateRouteTable",
              "ec2:CreateSecurityGroup",
              "ec2:CreateSubnet",
              "ec2:CreateTags",
              "ec2:CreateVpc",
              "ec2:DeleteEgressOnlyInternetGateway",
              "ec2:DeleteInternetGateway",
              "ec2:DeleteLaunchTemplate",
              "ec2:DeleteNatGateway",
              "ec2:DeleteNetworkAclEntry",
              "ec2:DeleteRoute",
              "ec2:DeleteRouteTable",
              "ec2:DeleteSecurityGroup",
              "ec2:DeleteSubnet",
              "ec2:DeleteTags",
              "ec2:DeleteVpc",
              "ec2:DescribeAccountAttributes",
              "ec2:DescribeAddresses",
              "ec2:DescribeAvailabilityZones",
              "ec2:DescribeEgressOnlyInternetGateways",
              "ec2:DescribeImages",
              "ec2:DescribeInternetGateways",
              "ec2:DescribeLaunchTemplateVersions",
              "ec2:DescribeLaunchTemplates",
              "ec2:DescribeNatGateways",
              "ec2:DescribeNetworkAcls",
              "ec2:DescribeNetworkInterfaces",
              "ec2:DescribeRouteTables",
              "ec2:DescribeSecurityGroups",
              "ec2:DescribeSubnets",
              "ec2:DescribeTags",
              "ec2:DescribeVpcAttribute",
              "ec2:DescribeVpcClassicLink",
              "ec2:DescribeVpcClassicLinkDnsSupport",
              "ec2:DescribeVpcs",
              "ec2:DetachInternetGateway",
              "ec2:DisassociateRouteTable",
              "ec2:ModifySubnetAttribute",
              "ec2:ModifyVpcAttribute",
              "ec2:ReleaseAddress",
              "ec2:RevokeSecurityGroupEgress",
              "ec2:RevokeSecurityGroupIngress",
              "eks:CreateAddon",
              "eks:CreateCluster",
              "eks:CreateFargateProfile",
              "eks:CreateNodegroup",
              "eks:DeleteAddon",
              "eks:DeleteCluster",
              "eks:DeleteFargateProfile",
              "eks:DeleteNodegroup",
              "eks:DescribeAddon",
              "eks:DescribeAddonVersions",
              "eks:DescribeCluster",
              "eks:DescribeFargateProfile",
              "eks:DescribeNodegroup",
              "elasticfilesystem:CreateFileSystem",
              "elasticfilesystem:CreateMountTarget",
              "elasticfilesystem:DeleteFileSystem",
              "elasticfilesystem:DeleteMountTarget",
              "elasticfilesystem:DescribeFileSystems",
              "elasticfilesystem:DescribeLifecycleConfiguration",
              "elasticfilesystem:DescribeMountTargetSecurityGroups",
              "elasticfilesystem:DescribeMountTargets",
              "emr-containers:CreateVirtualCluster",
              "emr-containers:DeleteVirtualCluster",
              "emr-containers:DescribeVirtualCluster",
              "events:DeleteRule",
              "events:DescribeRule",
              "events:ListTagsForResource",
              "events:ListTargetsByRule",
              "events:PutRule",
              "events:PutTargets",
              "events:RemoveTargets",
              "iam:AddRoleToInstanceProfile",
              "iam:AttachRolePolicy",
              "iam:CreateInstanceProfile",
              "iam:CreateOpenIDConnectProvider",
              "iam:CreatePolicy",
              "iam:CreateRole",
              "iam:CreateServiceLinkedRole",
              "iam:DeleteInstanceProfile",
              "iam:DeleteOpenIDConnectProvider",
              "iam:DeletePolicy",
              "iam:DeleteRole",
              "iam:DetachRolePolicy",
              "iam:GetInstanceProfile",
              "iam:GetOpenIDConnectProvider",
              "iam:GetPolicy",
              "iam:GetPolicyVersion",
              "iam:GetRole",
              "iam:ListAttachedRolePolicies",
              "iam:ListInstanceProfilesForRole",
              "iam:ListPolicyVersions",
              "iam:ListRolePolicies",
              "iam:PassRole",
              "iam:RemoveRoleFromInstanceProfile",
              "iam:TagInstanceProfile",
              "iam:UpdateAssumeRolePolicy",
              "kms:CreateAlias",
              "kms:CreateKey",
              "kms:DeleteAlias",
              "kms:DescribeKey",
              "kms:EnableKeyRotation",
              "kms:GetKeyPolicy",
              "kms:GetKeyRotationStatus",
              "kms:ListAliases",
              "kms:ListResourceTags",
              "kms:PutKeyPolicy",
              "kms:ScheduleKeyDeletion",
              "kms:TagResource",
              "logs:CreateLogGroup",
              "logs:DeleteLogGroup",
              "logs:DescribeLogGroups",
              "logs:ListTagsLogGroup",
              "logs:PutRetentionPolicy",
              "s3:CreateBucket",
              "s3:DeleteBucket",
              "s3:DeleteBucketOwnershipControls",
              "s3:DeleteBucketPolicy",
              "s3:DeleteObject",
              "s3:GetAccelerateConfiguration",
              "s3:GetBucketAcl",
              "s3:GetBucketCORS",
              "s3:GetBucketLogging",
              "s3:GetBucketObjectLockConfiguration",
              "s3:GetBucketOwnershipControls",
              "s3:GetBucketPolicy",
              "s3:GetBucketPublicAccessBlock",
              "s3:GetBucketRequestPayment",
              "s3:GetBucketTagging",
              "s3:GetBucketVersioning",
              "s3:GetBucketWebsite",
              "s3:GetEncryptionConfiguration",
              "s3:GetLifecycleConfiguration",
              "s3:GetObject",
              "s3:GetObjectTagging",
              "s3:GetObjectVersion",
              "s3:GetReplicationConfiguration",
              "s3:ListAllMyBuckets",
              "s3:ListBucket",
              "s3:PutBucketAcl",
              "s3:PutBucketOwnershipControls",
              "s3:PutBucketPolicy",
              "s3:PutBucketPublicAccessBlock",
              "s3:PutBucketTagging",
              "s3:PutBucketVersioning",
              "s3:PutEncryptionConfiguration",
              "s3:PutObject",
              "secretsmanager:CreateSecret",
              "secretsmanager:DeleteSecret",
              "secretsmanager:DescribeSecret",
              "secretsmanager:GetResourcePolicy",
              "secretsmanager:GetSecretValue",
              "secretsmanager:PutSecretValue",
              "sqs:CreateQueue",
              "sqs:DeleteQueue",
              "sqs:GetQueueAttributes",
              "sqs:ListQueueTags",
              "sqs:SetQueueAttributes",
              "sqs:TagQueue",
              "sts:GetCallerIdentity"
          ],
          "Resource": "*"
      }
  ]
}

How was this policy generated?

For each example run in the E2E workflow, we run iamlive in the background in CSM mode to record the IAM actions the example invokes and generate a policy from them.
After a policy has been generated for each example, we merge the generated policies into the single policy shown above.

To learn more about the implementation, you can review the GitHub workflow itself.