{ "Version": "2012-10-17", "Statement": [ { "Sid": "BodoPlatformEC2Tags", "Effect": "Allow", "Action": ["ec2:CreateTags", "ec2:DeleteTags", "ec2:DescribeTags"], "Resource": "*" }, { "Sid": "BodoPlatformEC2AMI", "Effect": "Allow", "Action": ["ec2:DescribeImages", "ec2:DescribeImageAttribute"], "Resource": "*" }, { "Sid": "BodoPlatformKMS", "Effect": "Allow", "Action": [ "kms:CreateKey", "kms:CreateAlias", "kms:TagResource", "kms:ListResourceTags", "kms:ListAliases", "kms:PutKeyPolicy", "kms:DeleteAlias", "kms:ScheduleKeyDeletion", "kms:EnableKeyRotation", "kms:Encrypt", "kms:Decrypt", "kms:DescribeKey", "kms:GenerateDataKey", "kms:GetKeyPolicy", "kms:GetKeyRotationStatus", "kms:UntagResource" ], "Resource": "*" }, { "Sid": "BodoPlatformSSM", "Effect": "Allow", "Action": [ "ssm:AddTagsToResource", "ssm:ListTagsForResource", "ssm:DescribeParameters", "ssm:PutParameter", "ssm:Delete*", "ssm:GetParameter*", "ssm:RemoveTagsFromResource" ], "Resource": "arn:aws:ssm:*:*:parameter/*bodo*" }, { "Sid": "BodoPlatformIAMPolicy", "Effect": "Allow", "Action": [ "iam:GetRole", "iam:ListRoles", "iam:ListAttachedRolePolicies", "iam:ListInstanceProfilesForRole", "iam:PassRole", "iam:SimulatePrincipalPolicy" ], "Resource": "*" }, { "Sid": "BodoPlatformIAMPolicyAttach", "Effect": "Allow", "Action": ["iam:AttachRolePolicy", "iam:DetachRolePolicy"], "Resource": "*", "Condition": { "StringLike": { "iam:PolicyARN": "arn:aws:iam::*:policy/bodo*" } } }, { "Sid": "BodoPlatformIAMPolicyModify", "Effect": "Allow", "Action": [ "iam:Create*", "iam:Delete*", "iam:List*", "iam:Get*", "iam:TagPolicy", "iam:UntagPolicy" ], "Resource": "arn:aws:iam::*:policy/bodo*" }, { "Sid": "BodoPlatformIAMRoles", "Effect": "Allow", "Action": [ "iam:CreateRole", "iam:DeleteRole", "iam:CreateServiceLinkedRole", "iam:ListRolePolicies", "iam:TagRole", "iam:UntagRole" ], "Resource": "arn:aws:iam::*:role/bodo*" }, { "Sid": "BodoPlatformIAMInstanceProfile", "Effect": "Allow", "Action": [ "iam:AddRoleToInstanceProfile", "iam:RemoveRoleFromInstanceProfile", "iam:CreateInstanceProfile", "iam:GetInstanceProfile", "iam:DeleteInstanceProfile", "iam:TagInstanceProfile", "iam:UntagInstanceProfile" ], "Resource": "arn:aws:iam::*:instance-profile/bodo*" }, { "Sid": "BodoWorkspaceS3Storage", "Effect": "Allow", "Action": ["s3:*"], "Resource": "arn:aws:s3:::bodo*" }, { "Sid": "BodoWorkspaceEFSStorage", "Effect": "Allow", "Action": [ "elasticfilesystem:CreateFileSystem", "elasticfilesystem:TagResource", "elasticfilesystem:UntagResource", "elasticfilesystem:ListTagsForResource", "elasticfilesystem:DescribeFileSystems", "elasticfilesystem:DescribeMountTargets" ], "Resource": "*" }, { "Sid": "BodoWorkspaceEFSStorageModify", "Effect": "Allow", "Action": ["elasticfilesystem:*"], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/BodoPlatform": "manage" } } }, { "Sid": "BodoWorkspaceManageNetwork", "Effect": "Allow", "Action": [ "ec2:DescribeRegions", "ec2:DescribeAvailabilityZones", "ec2:DescribeVpcs", "ec2:DescribeVpcAttribute", "ec2:DescribeVpcEndpoints", "ec2:DescribeVpcClassicLink", "ec2:DescribeVpcClassicLinkDnsSupport", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroup*", "ec2:DescribeNetwork*", "ec2:DescribeNatGateways", "ec2:DescribeRouteTables", "ec2:DescribeAddresses", "ec2:DescribeAddressesAttribute", "ec2:DescribeInternetGateways", "ec2:DescribeLocalGateways", "ec2:DescribePrefixLists", "ec2:CreateVpc", "ec2:CreateInternetGateway", "ec2:CreateNatGateway", "ec2:CreateRouteTable", "ec2:CreateRoute", "ec2:CreateSubnet", "ec2:CreateSecurityGroup", "ec2:CreateVpcEndpoint", "ec2:CreateNetworkAcl", "ec2:CreateNetworkAclEntry", "ec2:AllocateAddress", "ec2:ReleaseAddress", "ec2:AssociateAddress", "ec2:DisassociateAddress", "ec2:DeleteNetworkAclEntry", "ec2:ReplaceNetworkAclEntry" ], "Resource": "*" }, { "Sid": "BodoPlatformEC2NetworkModify", "Effect": "Allow", "Action": [ "ec2:DeleteVpc", "ec2:DeleteInternetGateway", "ec2:DeleteNatGateway", "ec2:DeleteRouteTable", "ec2:DeleteRoute", "ec2:DeleteSubnet", "ec2:DeleteSecurityGroup", "ec2:DeleteVpcEndpoints", "ec2:AttachInternetGateway", "ec2:AssociateRouteTable", "ec2:DisassociateRouteTable", "ec2:DetachInternetGateway", "ec2:ModifySubnetAttribute", "ec2:ModifyVpcAttribute", "ec2:RevokeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress" ], "Resource": "*", "Condition": { "StringEquals": { "ec2:ResourceTag/BodoPlatform": "manage" } } }, { "Sid": "BodoClusterEC2", "Effect": "Allow", "Action": [ "ec2:RunInstances", "ec2:DescribeAccountAttributes", "ec2:DescribeClassicLinkInstances", "ec2:DescribeKeyPairs", "ec2:DescribePlacementGroups", "ec2:DescribeInstance*" ], "Resource": "*" }, { "Sid": "BodoClusterEC2Modify", "Effect": "Allow", "Action": [ "ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances", "ec2:ModifyInstanceAttribute" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/BodoPlatform": "manage" } } }, { "Sid": "BodoClusterAutoScaling", "Effect": "Allow", "Action": [ "autoscaling:CreateAutoScalingGroup", "autoscaling:CreateOrUpdateTags", "autoscaling:DeleteTags", "autoscaling:DeleteAutoScalingGroup", "autoscaling:DisableMetricsCollection", "autoscaling:SetDesiredCapacity", "autoscaling:TerminateInstanceInAutoScalingGroup", "autoscaling:UpdateAutoScalingGroup", "autoscaling:SuspendProcesses", "autoscaling:ResumeProcesses", "autoscaling:StartInstanceRefresh", "autoscaling:CancelInstanceRefresh", "autoscaling:DescribeInstanceRefreshes", "autoscaling:RollbackInstanceRefresh", "autoscaling:SetInstanceProtection" ], "Resource": "arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/BodoASG*" }, { "Sid": "BodoClusterAutoScalingDescribe", "Effect": "Allow", "Action": [ "autoscaling:DescribeTags", "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeScalingActivities", "autoscaling:DescribeInstanceRefreshes" ], "Resource": "*" }, { "Sid": "BodoClusterPlacementGroup", "Effect": "Allow", "Action": ["ec2:CreatePlacementGroup", "ec2:DeletePlacementGroup"], "Resource": "arn:aws:ec2:*:*:placement-group/bodo*" }, { "Sid": "BodoClusterLT", "Effect": "Allow", "Action": [ "ec2:CreateLaunchTemplate", "ec2:CreateLaunchTemplateVersion", "ec2:DescribeLaunchTemplates", "ec2:DescribeLaunchTemplateVersions" ], "Resource": "*" }, { "Sid": "BodoClusterLTModify", "Effect": "Allow", "Action": [ "ec2:DeleteLaunchTemplateVersions", "ec2:DeleteLaunchTemplate", "ec2:ModifyLaunchTemplate" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/BodoPlatform": "manage" } } }, { "Sid": "BodoPlatformEC2CapacityReservation", "Effect": "Allow", "Action": [ "ec2:CancelCapacityReservation", "ec2:DescribeCapacityReservations", "ec2:GetCapacityReservationUsage", "ec2:ModifyCapacityReservation", "ec2:CreateCapacityReservation" ], "Resource": "*" } ] }