{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CreateIamResourcesForCplnPrefix",
"Effect": "Allow",
"Action": [
"iam:Get*",
"iam:CreateRole",
"iam:DeleteRole",
"iam:PassRole",
"iam:CreateInstanceProfile",
"iam:DeleteInstanceProfile",
"iam:AddRoleToInstanceProfile",
"iam:RemoveRoleFromInstanceProfile",
"iam:CreatePolicy",
"iam:DeletePolicy",
"iam:CreatePolicyVersion",
"iam:DeletePolicyVersion",
"iam:AttachRolePolicy",
"iam:DetachRolePolicy",
"iam:UpdateRoleDescription",
"iam:UpdateAssumeRolePolicy",
"sts:AssumeRole"
],
"Resource": [
"arn:aws:iam::*:instance-profile/cpln-*",
"arn:aws:iam::*:policy/cpln-*",
"arn:aws:iam::*:role/cpln-*"
]
},
{
"Sid": "ValidateConfiguration",
"Effect": "Allow",
"Action": [
"kms:ListKeys",
"kms:DescribeKey",
"iam:ListPolicies",
"iam:ListPolicyVersions",
"iam:ListRolePolicies",
"ec2:DescribeKeyPairs",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"ec2:DescribeSecurityGroups",
"iam:ListAttachedRolePolicies",
"iam:ListInstanceProfilesForRole",
"iam:SimulatePrincipalPolicy"
],
"Resource": "*"
},
{
"Sid": "PrepareCluster",
"Effect": "Allow",
"Action": [
"autoscaling:CreateAutoScalingGroup",
"ec2:CreateLaunchTemplate",
"ec2:ModifyLaunchTemplate",
"ec2:CreateSecurityGroup",
"ec2:CreateLaunchTemplate",
"ec2:CreateTags",
"autoscaling:CreateOrUpdateTags",
"ec2:RunInstances",
"ec2:DescribeLaunchTemplates",
"ec2:DescribeLaunchTemplateVersions",
"ec2:DescribeImages",
"autoscaling:UpdateAutoScalingGroup",
"autoscaling:StartInstanceRefresh",
"ec2:CreateLaunchTemplateVersion",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:DescribeSecurityGroups"
],
"Resource": "*"
},
{
"Sid": "Cleanup",
"Effect": "Allow",
"Action": [
"autoscaling:DeleteAutoScalingGroup",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DeleteLaunchConfiguration",
"ec2:DeleteLaunchTemplate",
"ec2:DeleteSecurityGroup",
"ec2:DeleteVolume",
"ec2:DescribeLaunchTemplates",
"ec2:DescribeSecurityGroups",
"ec2:DescribeVolumes",
"elasticloadbalancing:DeleteLoadBalancer",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeTags"
],
"Resource": "*"
},
{
"Sid": "AmiLookupInSSM",
"Effect": "Allow",
"Action": [
"ssm:GetParameters",
"ssm:DescribeParameters",
"ssm:GetParameter"
],
"Resource": [
"arn:aws:ssm:*::parameter/aws/service/ami-amazon-linux-latest/*",
"arn:aws:ssm:*::parameter/aws/service/canonical/*",
"arn:aws:ssm:*::parameter/aws/service/eks/*"
]
}
]
}