Open WillaFan opened 1 year ago
### Construct JSON policy (Version: 2012-10-17, Effect: Allow, service prefix: ec2)
| Prefix | Action | Summary | Suggested Bundle | Policy (or alias) Group | Category | Resources | Comment |
|---|---|---|---|---|---|---|---|
| ec2 | DescribeInstances | View instances | View instances, AMIs, and snapshots; View instances and CloudWatch metrics; Basic launch wizard access | Read-only access; Use the EC2 launch wizard | Describe* | * | |
| ec2 | DescribeInstanceTypes | To view and select an instance type | Basic launch wizard access | Use the EC2 launch wizard | Describe* | * | |
| ec2 | DescribeImages | To view and select an AMI | View instances, AMIs, and snapshots; Basic launch wizard access | Read-only access; Use the EC2 launch wizard | Describe* | * | |
| ec2 | DescribeTags | | View instances, AMIs, and snapshots | Read-only access | Describe* | * | |
| ec2 | DescribeSnapshots | View snapshots | View instances, AMIs, and snapshots | Read-only access | Describe* | * | |
| ec2 | DescribeKeyPairs | To select an existing key pair, or to create a new one | Basic launch wizard access | Use the EC2 launch wizard | Describe* | * | |
| ec2 | DescribeVpcs | To view the available network options | Basic launch wizard access | Use the EC2 launch wizard | Describe* | * | |
| ec2 | DescribeSubnets | To view all available subnets for the chosen VPC | Basic launch wizard access | Use the EC2 launch wizard | Describe* | * | |
| ec2 | DescribeSecurityGroups | To view and select an existing security group, or to create a new one | Basic launch wizard access | Use the EC2 launch wizard | Describe* | * | |
| ec2 | CreateSecurityGroup | | Basic launch wizard access | Use the EC2 launch wizard | * | * | not matched by `ec2:Describe*` |
| ec2 | CreateKeyPair | | Basic launch wizard access | Use the EC2 launch wizard | * | * | |
| ec2 | AuthorizeSecurityGroupIngress | To add inbound rules | Basic launch wizard access | Use the EC2 launch wizard | * | * | not matched by `ec2:Describe*` |
| ec2 | RunInstances | | Basic launch wizard access | Use the EC2 launch wizard | * | | new object |
| ec2 | DescribeAvailabilityZones | To view and select a specific Availability Zone | | | Describe* | * | more options |
| ec2 | DescribeNetworkInterfaces | To view and select existing network interfaces for the selected subnet | | | Describe* | * | more options |
| ec2 | CreateTags | To tag the resources that are created by RunInstances | | | * | | more options |
| cloudwatch | DescribeAlarms | View metrics | View instances and CloudWatch metrics | Read-only access | Describe* | * | |
| cloudwatch | GetMetricStatistics | View metrics | View instances and CloudWatch metrics | Read-only access | * | | |

(cont.) To use Systems Manager parameters when selectin
Examples (the policy groups used in the table above):

- Read-only access
- Use the EC2 launch wizard
- Work with volumes
- Work with security groups
- Work with Elastic IP addresses
- Work with Reserved Instances
Example: the `ec2:Describe*` API actions do not support resource-level permissions, so their `Resource` element must be `*`. In other words, you cannot control which individual resources users can view in the console; a narrower `Resource` on a Describe action is not rejected by IAM, it simply never matches and the user is denied.
To add outbound rules to VPC security groups, users must be granted permission to use the ec2:AuthorizeSecurityGroupEgress API action. To modify or delete existing rules, users must be granted permission to use the relevant ec2:RevokeSecurityGroup* API action.
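Added example (my code, not from this issue or the AWS documentation): a Python script that builds a policy document from the rows in the table above and checks the two points just made, namely which launch-wizard actions an `ec2:Describe*` wildcard would not grant, and that Describe actions are only ever granted on `Resource: "*"`. The action lists are transcribed from the table and from the note on egress/revoke actions; the split into a read-only and a mutating statement, the `Sid` names and the read-only patterns are assumptions of this example, and the ARN in the bad-policy check is constructed.

```python
"""Build an EC2 console policy from the action table above and sanity-check it.

Added example; the action lists are transcribed from the table and the note on
egress/revoke actions. The statement grouping and Sid names are assumptions.
"""
import json
import re

# Bundles transcribed from the table above (constructed lists, in table order).
READ_ONLY = [
    "ec2:DescribeInstances", "ec2:DescribeImages", "ec2:DescribeTags",
    "ec2:DescribeSnapshots", "cloudwatch:DescribeAlarms",
    "cloudwatch:GetMetricStatistics",
]
LAUNCH_WIZARD = [
    "ec2:DescribeInstances", "ec2:DescribeInstanceTypes", "ec2:DescribeImages",
    "ec2:DescribeKeyPairs", "ec2:DescribeVpcs", "ec2:DescribeSubnets",
    "ec2:DescribeSecurityGroups", "ec2:CreateSecurityGroup",
    "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateKeyPair", "ec2:RunInstances",
]
# Inbound rules alone are not enough to manage a security group: outbound rules
# need the Egress action and editing/deleting rules needs the Revoke actions.
SECURITY_GROUP_RULES = [
    "ec2:DescribeSecurityGroups", "ec2:AuthorizeSecurityGroupIngress",
    "ec2:AuthorizeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress",
    "ec2:RevokeSecurityGroupEgress",
]

# Patterns this example treats as read-only when splitting statements (an
# assumption; IAM itself only matches strings and has no read/write notion).
READ_PATTERNS = ("*:Describe*", "*:Get*", "*:List*")


def action_matches(pattern, action):
    """IAM-style Action matching: '*' matches any run of characters, '?' one
    character, and the comparison is case-insensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None


def uncovered(pattern, actions):
    """Actions from the list that the wildcard pattern would NOT grant."""
    return [a for a in actions if not action_matches(pattern, a)]


def build_policy(actions, sid_prefix="Ec2Console"):
    """Two Allow statements: read-only actions on Resource "*" (the ec2:Describe*
    actions do not support resource-level permissions, so a narrower Resource
    never matches), and mutating actions in a separate statement whose Resource
    can later be narrowed to ARNs or tag conditions without touching the reads."""
    def is_read(action):
        return any(action_matches(p, action) for p in READ_PATTERNS)

    reads = sorted({a for a in actions if is_read(a)})
    writes = sorted({a for a in actions if not is_read(a)})
    statements = []
    if reads:
        statements.append({"Sid": sid_prefix + "Read", "Effect": "Allow",
                           "Action": reads, "Resource": "*"})
    if writes:
        statements.append({"Sid": sid_prefix + "Mutate", "Effect": "Allow",
                           "Action": writes, "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def describe_on_narrow_resource(policy):
    """Return the Sids of statements that grant a Describe action on anything
    narrower than "*". IAM accepts such a statement, but it is never satisfied,
    so the console shows nothing and the user is denied."""
    findings = []
    for stmt in policy["Statement"]:
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if (any(action_matches("*:Describe*", a) for a in actions)
                and "*" not in resources):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


if __name__ == "__main__":
    print("not covered by ec2:Describe*:", uncovered("ec2:Describe*", LAUNCH_WIZARD))
    print(json.dumps(build_policy(LAUNCH_WIZARD), indent=2))
    # Constructed bad policy: DescribeInstances on one instance ARN never matches.
    bad = {"Version": "2012-10-17", "Statement": [{
        "Sid": "ViewOneInstance", "Effect": "Allow",
        "Action": "ec2:DescribeInstances",
        "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0"}]}
    print("Describe on narrow resource:", describe_on_narrow_resource(bad))
```

Keeping the mutating actions in their own statement is what makes later tightening cheap: that statement's `Resource` can be narrowed to ARNs (or given a tag condition) while the Describe grant stays on `*`, which it has to.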
Related: control access to EC2 resources using resource tags (tag-based condition keys). Note that this only applies to actions that support resource-level permissions, so it cannot restrict what `ec2:Describe*` returns.
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-ec2-console.html may help