Restricted IAM Policies on VPC & Tags
Restricted IAM Policies on VPCs and Resource Tags.¶
Allow updates and deletes on resources ONLY in specific VPCs and with specific AWS tags.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:GetInstanceProfile",
"iam:ListInstanceProfiles",
"iam:ListInstanceProfilesForRole",
"iam:GetOpenIDConnectProvider",
"iam:ListOpenIDConnectProviderTags"
"iam:TagRole",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:ListAttachedRolePolicies",
"iam:ListRoleTags",
"iam:ListPolicyVersions",
"iam:GetPolicy",
"iam:GetPolicyVersion"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:PassedToService": [
"eks.amazonaws.com",
"ec2.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"iam:CreateOpenIDConnectProvider",
"iam:TagOpenIDConnectProvider",
"iam:DeleteOpenIDConnectProvider"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:RequestTag/<KEY>": "<VALUE>"
}
}
},
{
"Effect": "Allow",
"Action": [
"cloudformation:GetTemplate",
"cloudformation:ListStacks",
"cloudformation:ListStackResources",
"cloudformation:ListStackSets",
"cloudformation:ListChangeSets",
"cloudformation:DescribeStacks",
"cloudformation:DescribeStackResources",
"cloudformation:DescribeStackResource",
"cloudformation:DescribeStackEvents",
"cloudformation:DescribeChangeSet",
"cloudformation:DescribeStackSet"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"cloudformation:CreateStackSet",
"cloudformation:CreateStack",
"cloudformation:CreateChangeSet"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:RequestTag/<KEY>": "<VALUE>"
}
}
},
{
"Effect": "Allow",
"Action": [
"cloudformation:DeleteStackSet",
"cloudformation:UpdateStackSet",
"cloudformation:UpdateStack",
"cloudformation:DeleteStack",
"cloudformation:DeleteChangeSet",
"cloudformation:ExecuteChangeSet"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/<KEY>": "<VALUE>"
}
}
},
{
"Effect": "Allow",
"Action": [
"eks:DescribeNodegroup",
"eks:CreatePodIdentityAssociation",
"eks:DescribeClusterVersions",
"eks:DescribePodIdentityAssociation",
"eks:DeletePodIdentityAssociation",
"eks:UpdatePodIdentityAssociation",
"eks:ListPodIdentityAssociations",
"eks:DescribeCluster",
"eks:DescribeAddon",
"eks:DescribeAddonVersions",
"eks:DescribeAddonConfiguration",
"eks:DescribeFargateProfile",
"eks:DescribeUpdate",
"eks:ListUpdates",
"eks:ListClusters",
"eks:ListNodegroups",
"eks:ListAddons",
"eks:ListFargateProfiles",
"eks:ListTagsForResource"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"eks:AccessKubernetesApi",
"eks:DeleteCluster",
"eks:UntagResource",
"eks:UpdateAddon",
"eks:UpdateNodegroupConfig",
"eks:UpdateNodegroupVersion",
"eks:DeleteAddon",
"eks:DeleteFargateProfile",
"eks:DeleteNodegroup"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/<KEY>": "<VALUE>"
}
}
},
{
"Effect": "Allow",
"Action": [
"eks:CreateCluster",
"eks:CreateNodegroup",
"eks:CreateFargateProfile"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:RequestTag/<KEY>": "<VALUE>"
}
}
},
{
"Effect": "Allow",
"Action": [
"eks:TagResource"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:RequestTag/<KEY>": "<VALUE>"
}
}
},
{
"Effect": "Allow",
"Action": [
"eks:UpdateClusterVersion",
"eks:UpdateClusterConfig",
"eks:DeleteCluster",
"eks:UpdateAddon",
"eks:UpdateNodegroupConfig",
"eks:UpdateNodegroupVersion",
"eks:CreateAddon",
"eks:DeleteAddon",
"eks:DeleteNodegroup",
"eks:DeleteFargateProfile",
"eks:UntagResource"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/<KEY>": "<VALUE>"
}
}
},
{
"Effect": "Allow",
"Action": [
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeScheduledActions",
"autoscaling:DescribeScalingActivities"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"autoscaling:CreateOrUpdateTags",
"autoscaling:CreateLaunchConfiguration",
"autoscaling:CreateAutoScalingGroup"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:RequestTag/<KEY>": "<VALUE>"
}
}
},
{
"Effect": "Allow",
"Action": [
"autoscaling:TerminateInstanceInAutoScalingGroup",
"autoscaling:SetDesiredCapacity",
"autoscaling:UpdateAutoScalingGroup",
"autoscaling:DeleteAutoScalingGroup",
"autoscaling:SuspendProcesses",
"autoscaling:DeleteTags",
"autoscaling:DeleteLaunchConfiguration"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/<KEY>": "<VALUE>"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:DescribeVpcAttribute",
"ec2:DescribeInternetGateways",
"ec2:DescribeTags",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSecurityGroupRules",
"ec2:DescribeVolumes",
"ec2:DescribeSubnets",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeImages",
"ec2:describeAddresses",
"ec2:DescribeVpcs",
"ec2:DescribeLaunchTemplates",
"ec2:DescribeLaunchTemplateVersions",
"ec2:DescribeImageAttribute",
"ec2:DescribeKeyPairs",
"ec2:DescribeInstances",
"ec2:DescribeInstanceTypeOfferings",
"ec2:DescribeNatGateways"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:RunInstances"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateLaunchTemplate",
"ec2:CreateLaunchTemplateVersion",
"ec2:DeleteLaunchTemplate",
"ec2:ImportKeyPair"
],
"Resource": "*",
"Condition": {
"ForAllValues:StringEquals": {
"aws:TagKeys": "<KEY>"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:DeleteTags",
"ec2:AssociateRouteTable",
"ec2:ReleaseAddress",
"ec2:AllocateAddress"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/<KEY>": "<VALUE>"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateTags"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:RequestTag/<KEY>": "<VALUE>"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateSecurityGroup"
],
"Resource": "*",
"Condition": {
"ForAllValues:StringEquals": {
"aws:TagKeys": "<KEY>"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:RevokeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:DeleteSecurityGroup"
],
"Resource": "arn:aws:ec2:*:*:security-group/*",
"Condition": {
"ArnEquals": {
"ec2:Vpc": "arn:aws:ec2:<AWS_REGION>:<ACCOUNT_ID>:vpc/<vpc-id>"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:ModifySecurityGroupRules",
"ec2:UpdateSecurityGroupRuleDescriptionsIngress",
"ec2:UpdateSecurityGroupRuleDescriptionsEgress"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/<KEY>": "<VALUE>"
}
}
},
{
"Effect": "Allow",
"Action": "ssm:GetParameter",
"Resource": "arn:aws:ssm:*:*:parameter/*"
}
]
}
Note
For customers who will manage their own IAM Roles and Policies, (3) ARNs are required when provisioning managed K8s clusters.
- Service Role ARN
- Instance Profile ARN
- Instance Role ARN