AWS policies required by Buddy
What are AWS policies
In short, the policies define permissions and access control for AWS resources, such as Amazon EC2 or S3, and are associated with entities such as users, groups, and roles.
Below you will find the list of identity-based policies (AWS IAM policies) that control access to Amazon Web Services. Make sure to grant all permissions listed for the particular service: a missing required permission may cause the selected AWS service to deny access.
- All policy and access management is handled via the AWS Management Console.
- You can learn more about using and creating policies in the official documentation on policies and permissions in AWS IAM.
CloudFront
Amazon CloudFront is a content delivery network (CDN) service that lets you deliver static and dynamic content with low latency and high transfer speeds.
cloudfront:ListDistributions
cloudfront:CreateInvalidation
cloudfront:GetInvalidation
CodeDeploy
AWS CodeDeploy is a service that automates code deployments to cloud instances and self-hosted servers.
codedeploy:ListApplications
codedeploy:ListDeploymentGroups
codedeploy:ListDeploymentConfigs
codedeploy:CreateDeployment
codedeploy:GetDeployment
codedeploy:GetDeploymentConfig
codedeploy:GetApplicationRevision
codedeploy:RegisterApplicationRevision
s3:ListBucket
s3:CreateBucket
s3:GetObject
s3:PutObject
s3:ListMultipartUploadParts
s3:AbortMultipartUpload
s3:ListBucketMultipartUploads
Encrypted S3 buckets
kms:Decrypt
kms:Encrypt
kms:GenerateDataKey
ECR
Amazon ECR is a fully managed Docker container registry service that simplifies storing, managing, and deploying Docker container images.
ecr:CreateRepository
ecr:DescribeRepositories
ecr:GetAuthorizationToken
ecr:BatchCheckLayerAvailability
ecr:CompleteLayerUpload
ecr:InitiateLayerUpload
ecr:PutImage
ecr:UploadLayerPart
ecr:GetDownloadUrlForLayer
ecr:BatchGetImage
ECS
Amazon ECS is a high-performance container orchestration service that supports Docker containers and allows you to run and scale containerized applications.
ecs:ListClusters
ecs:ListServices
ecs:RegisterTaskDefinition
ecs:DescribeServices
ecs:UpdateService
If your tasks use IAM roles, the following AWS IAM permission is also needed:
iam:PassRole
See here for more information.
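The permission lists above are easiest to get right when they are checked mechanically. The following Python is an added example (not Buddy's own code): it transcribes this page's ECR and ECS actions, builds a minimal identity-based policy from them, and reports which required actions an existing policy fails to grant, honouring action wildcards and explicit Deny statements. `Resource` is left as `*` only because the page lists no ARNs; narrow it to your repositories and clusters in practice.

```python
import fnmatch

# Required actions transcribed from this page's ECR and ECS sections.
REQUIRED = {
    "ECR": ["ecr:CreateRepository", "ecr:DescribeRepositories", "ecr:GetAuthorizationToken",
            "ecr:BatchCheckLayerAvailability", "ecr:CompleteLayerUpload", "ecr:InitiateLayerUpload",
            "ecr:PutImage", "ecr:UploadLayerPart", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"],
    "ECS": ["ecs:ListClusters", "ecs:ListServices", "ecs:RegisterTaskDefinition",
            "ecs:DescribeServices", "ecs:UpdateService", "iam:PassRole"],
}


def build_policy(services):
    """Identity-based policy granting exactly the listed actions, one statement per service.
    Resource "*" is a placeholder: scope it to real ARNs before attaching the policy."""
    statements = [{"Sid": f"Buddy{name}", "Effect": "Allow",
                   "Action": sorted(REQUIRED[name]), "Resource": "*"} for name in services]
    return {"Version": "2012-10-17", "Statement": statements}


def _patterns(policy):
    """Split a policy's Action patterns into (allow, deny) lists, lower-cased because
    IAM matches action names case-insensitively. Conditions are ignored here."""
    allow, deny = [], []
    for st in policy["Statement"]:
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        (allow if st["Effect"] == "Allow" else deny).extend(a.lower() for a in actions)
    return allow, deny


def missing_actions(policy, service):
    """Required actions for `service` the policy does not grant; an explicit Deny always wins."""
    allow, deny = _patterns(policy)
    missing = []
    for action in REQUIRED[service]:
        name = action.lower()
        granted = any(fnmatch.fnmatchcase(name, p) for p in allow)
        denied = any(fnmatch.fnmatchcase(name, p) for p in deny)
        if not granted or denied:
            missing.append(action)
    return missing


if __name__ == "__main__":
    # Constructed example: a read-only ECR policy; push-related actions are reported as missing.
    partial = {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["ecr:Get*", "ecr:Describe*", "ecr:Batch*"], "Resource": "*"}]}
    print(missing_actions(partial, "ECR"))
    print(missing_actions(build_policy(["ECR", "ECS"]), "ECS"))  # [] - nothing missing
```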
EKS
Amazon EKS is a managed Kubernetes service that simplifies the process of deploying, managing, and scaling containerized applications.
eks:ListClusters
eks:DescribeCluster
Elastic Beanstalk
AWS Elastic Beanstalk is an orchestration service for deploying and managing applications in the Amazon cloud.
AWSElasticBeanstalkFullAccess.
elasticbeanstalk:DescribeApplications
elasticbeanstalk:DescribeEnvironments
elasticbeanstalk:CreateApplicationVersion
elasticbeanstalk:DescribeApplicationVersions
elasticbeanstalk:UpdateApplication
elasticbeanstalk:UpdateEnvironment
elasticbeanstalk:UpdateApplicationVersion
s3:CreateBucket
s3:PutObject
s3:GetObject
s3:GetObjectAcl
s3:ListBucket
s3:ListBuckets
cloudformation:GetTemplate
cloudformation:ListStackResources
Elastic Beanstalk Monitoring
Elastic Beanstalk Monitoring provides insights into the health and performance of your Elastic Beanstalk environment by collecting and displaying metrics about CPU utilization, latency, request count, and more.
elasticbeanstalk:DescribeApplications
elasticbeanstalk:DescribeEnvironments
elasticbeanstalk:DescribeEnvironmentHealth
Lambda
AWS Lambda is a serverless compute service for running code without provisioning or managing servers.
lambda:ListFunctions
lambda:InvokeFunction
lambda:UpdateFunctionCode
S3
Amazon S3 is an object storage service that provides industry-leading scalability, data availability, security, and performance.
s3:ListAllMyBuckets
s3:GetObject
s3:PutObject
s3:PutObjectAcl (required for Public flag)
s3:DeleteObject
s3:ListBucket
s3:PutObjectTagging
s3:DeleteObjectTagging
s3:GetObjectTagging
Encrypted S3 buckets
kms:Decrypt
kms:Encrypt
kms:GenerateDataKey
Sep 23, 2024