davidski / vulnpryer-aws-orchestration

🎯☁️Automated deployment of a VulnPryer pipeline on AWS
http://vulnpryer.net

Using a different resource role policy #4

Closed davidski closed 9 years ago

davidski commented 9 years ago

We have a preexisting policy for our instance resource role that is more locked down than the one in this repository. Can I substitute my policy safely in here or is there substitution performed by the deploy script that I need to take into account?

Our preexisting policy looks like:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1420118790000",
      "Effect": "Allow",
      "Action": [
        "ec2:AttachVolume"
      ],
      "Condition": {
        "StringEqualsIgnoreCase": {
          "ec2:ResourceTag/project": "VulnPryer"
        }
      },
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "Stmt1420118924000",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::analysis.cism.sch/vulndb"
      ]
    }
  ]
}
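
A way to sanity-check the scoped-down policy offline before handing it to the deploy script, added here as an example; it is not part of the repository's deployment code. It models only the slice of IAM evaluation the policy above actually uses (Allow/Deny statements, `*` and `?` wildcards in Action and Resource, the `StringEqualsIgnoreCase` operator on `ec2:ResourceTag/project`, and IAM's default deny), and the volume ARN and account id it uses are constructed placeholders; the authoritative answer is always AWS IAM itself, e.g. the policy simulator. One thing the check makes visible: the S3 resource `arn:aws:s3:::analysis.cism.sch/vulndb` names a single object key, so a write to any key under a `vulndb/` prefix is denied unless the ARN is widened to `.../vulndb/*`.

```python
"""Offline sanity check of a scoped-down IAM instance-role policy.

Implements only the slice of IAM evaluation the policy uses: Allow/Deny
statements, '*' and '?' wildcards in Action and Resource, and the
StringEqualsIgnoreCase condition operator on request-context keys.
Anything unmatched falls through to IAM's default deny. A reading aid,
not a substitute for the IAM policy simulator.
"""
import json
import re

# The policy quoted in the issue, verbatim.
POLICY_JSON = r"""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1420118790000",
      "Effect": "Allow",
      "Action": ["ec2:AttachVolume"],
      "Condition": {
        "StringEqualsIgnoreCase": {"ec2:ResourceTag/project": "VulnPryer"}
      },
      "Resource": ["*"]
    },
    {
      "Sid": "Stmt1420118924000",
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:PutObjectAcl"],
      "Resource": ["arn:aws:s3:::analysis.cism.sch/vulndb"]
    }
  ]
}
"""
POLICY = json.loads(POLICY_JSON)

# Constructed sample ARNs: the account id and volume id are placeholders.
VOLUME_ARN = "arn:aws:ec2:us-east-1:123456789012:volume/vol-0123456789abcdef0"
OBJECT_ARN = "arn:aws:s3:::analysis.cism.sch/vulndb"


def _iam_match(pattern, value):
    """IAM wildcard match: '*' is any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_holds(condition, context):
    """Evaluate a Condition block; only StringEqualsIgnoreCase is modelled."""
    for operator, pairs in condition.items():
        if operator != "StringEqualsIgnoreCase":
            raise NotImplementedError("operator not modelled: " + operator)
        for key, wanted in pairs.items():
            actual = context.get(key)
            # A key absent from the request (e.g. an untagged volume) fails the
            # condition; this policy uses no ...IfExists suffix.
            if actual is None:
                return False
            if actual.lower() not in [w.lower() for w in _as_list(wanted)]:
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Default deny; an explicit Deny overrides any Allow; actions are case-insensitive."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_iam_match(a.lower(), action.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(_iam_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def check_vulnpryer_policy(policy):
    """Requests the deployed instance is expected to make, plus a few it should not."""
    tagged = {"ec2:ResourceTag/project": "vulnpryer"}  # case differs from policy, still matches
    other = {"ec2:ResourceTag/project": "other-project"}
    return {
        "attach_tagged_volume": is_allowed(policy, "ec2:AttachVolume", VOLUME_ARN, tagged),
        "attach_untagged_volume": is_allowed(policy, "ec2:AttachVolume", VOLUME_ARN),
        "attach_other_project_volume": is_allowed(policy, "ec2:AttachVolume", VOLUME_ARN, other),
        "detach_volume": is_allowed(policy, "ec2:DetachVolume", VOLUME_ARN, tagged),
        "put_object_exact_key": is_allowed(policy, "s3:PutObject", OBJECT_ARN),
        "put_object_under_prefix": is_allowed(policy, "s3:PutObject", OBJECT_ARN + "/report.json"),
        "get_object": is_allowed(policy, "s3:GetObject", OBJECT_ARN),
    }


if __name__ == "__main__":
    for name, verdict in check_vulnpryer_policy(POLICY).items():
        print(f"{name:30s} {'ALLOW' if verdict else 'DENY'}")
```

Run it as-is to see which of the instance's expected calls the policy permits; if the pipeline writes more than one object under the `vulndb` path, the `put_object_under_prefix` row is the one to watch.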
abbyyacat commented 9 years ago

The roles are refreshed every time the deployment script is run. Feel free to substitute/use the policy above.

Please be mindful of the output S3 bucket. Also note that it is possible an issue will be encountered, since we have not tested the proposed new policy.

davidski commented 9 years ago

Updated via b9102ba00f32230675278bfd44fb73cf114354fd.