diff --git a/bootstrap/AWS_SETUP.md b/bootstrap/AWS_SETUP.md
index 2e9fd16..f90df85 100644
--- a/bootstrap/AWS_SETUP.md
+++ b/bootstrap/AWS_SETUP.md
@@ -13,111 +13,114 @@ This document will walk you through what is required of your Amazon Web Services
 {
 "Effect": "Allow",
 "Action": [
- "iam:ListRoleTags",
- "iam:UpdateOpenIDConnectProviderThumbprint",
- "iam:PutRolePolicy",
+ "dynamodb:CreateTable",
 "dynamodb:DeleteTable",
- "resource-groups:GetGroupConfiguration",
- "s3:PutLifecycleConfiguration",
+ "dynamodb:DescribeTimeToLive",
+ "dynamodb:ListTables",
 "dynamodb:DescribeContinuousBackups",
- "iam:ListRolePolicies",
- "iam:DeleteOpenIDConnectProvider",
- "iam:GetRole",
+ "dynamodb:DescribeTable",
+ "dynamodb:ListTagsOfResource",
+ "dynamodb:TagResource",
+ "dynamodb:UntagResource",
+ "dynamodb:UpdateContinuousBackups",
+ "dynamodb:UpdateTable",
 "dynamodb:UpdateTimeToLive",
- "s3:GetBucketWebsite",
- "iam:RemoveClientIDFromOpenIDConnectProvider",
- "s3:PutReplicationConfiguration",
+ "iam:AddClientIDToOpenIDConnectProvider",
+ "iam:AttachRolePolicy",
+ "iam:CreateRole",
+ "iam:CreateOpenIDConnectProvider",
+ "iam:DeleteOpenIDConnectProvider",
 "iam:DeleteRole",
- "iam:UpdateRoleDescription",
- "iam:TagPolicy",
- "s3:DeleteBucketPolicy",
- "kms:DisableKey",
- "s3:GetReplicationConfiguration",
- "dynamodb:CreateTable",
- "resource-groups:CreateGroup",
- "s3:PutBucketObjectLockConfiguration",
- "iam:GetOpenIDConnectProvider",
+ "iam:DeleteRolePermissionsBoundary",
+ "iam:DeleteRolePolicy",
+ "iam:DetachRolePolicy",
+ "iam:GetRole",
 "iam:GetRolePolicy",
- "dynamodb:UpdateTable",
- "kms:EnableKey",
- "s3:GetLifecycleConfiguration",
- "s3:GetBucketTagging",
- "s3:UntagResource",
- "kms:UntagResource",
- "iam:UntagRole",
- "dynamodb:ListTables",
- "kms:PutKeyPolicy",
+ "iam:GetOpenIDConnectProvider",
+ "iam:ListInstanceProfilesForRole",
+ "iam:ListAttachedRolePolicies",
+ "iam:ListOpenIDConnectProviders",
+ "iam:ListOpenIDConnectProviderTags",
+ "iam:ListRolePolicies",
+ "iam:ListRoles",
+ "iam:ListRoleTags",
+ "iam:PutRolePolicy",
 "iam:PutRolePermissionsBoundary",
+ "iam:RemoveClientIDFromOpenIDConnectProvider",
+ "iam:TagOpenIDConnectProvider",
+ "iam:TagPolicy",
 "iam:TagRole",
- "dynamodb:ListTagsOfResource",
- "resource-groups:GetTags",
- "s3:ListBucket",
- "kms:ListResourceTags",
- "iam:DeleteRolePermissionsBoundary",
- "resource-groups:DeleteGroupPolicy",
- "iam:ListInstanceProfilesForRole",
- "s3:PutBucketTagging",
- "iam:DeleteRolePolicy",
+ "iam:UntagOpenIDConnectProvider",
+ "iam:UntagPolicy",
+ "iam:UntagRole",
+ "iam:UpdateOpenIDConnectProviderThumbprint",
+ "iam:UpdateRoleDescription",
+ "iam:UpdateRole",
+ "iam:UpdateAssumeRolePolicy",
 "kms:CreateKey",
- "s3:DeleteBucket",
- "s3:PutBucketVersioning",
+ "kms:DeleteAlias",
+ "kms:DescribeKey",
+ "kms:DisableKey",
+ "kms:EnableKey",
 "kms:EnableKeyRotation",
 "kms:GetKeyPolicy",
- "iam:ListRoles",
- "s3:GetBucketVersioning",
- "resource-groups:PutGroupConfiguration",
+ "kms:GetKeyRotationStatus",
+ "kms:ListKeys",
+ "kms:ListResourceTags",
+ "kms:PutKeyPolicy",
+ "kms:ScheduleKeyDeletion",
+ "kms:TagResource",
+ "kms:UntagResource",
+ "resource-groups:CreateGroup",
 "resource-groups:DeleteGroup",
- "s3:PutBucketWebsite",
- "s3:PutBucketRequestPayment",
- "s3:GetBucketCORS",
- "iam:UntagPolicy",
- "iam:UpdateRole",
- "iam:UntagOpenIDConnectProvider",
- "iam:AddClientIDToOpenIDConnectProvider",
- "iam:TagOpenIDConnectProvider",
- "iam:UpdateAssumeRolePolicy",
- "iam:CreateRole",
- "s3:CreateBucket",
- "iam:AttachRolePolicy",
- "resource-groups:Untag",
- "s3:GetBucketObjectLockConfiguration",
- "iam:DetachRolePolicy",
- "s3:DeleteBucketWebsite",
+ "resource-groups:DeleteGroupPolicy",
 "resource-groups:GetGroup",
- "dynamodb:DescribeTable",
- "kms:GetKeyRotationStatus",
- "iam:ListAttachedRolePolicies",
- "iam:ListOpenIDConnectProviderTags",
- "s3:PutBucketAcl",
- "resource-groups:Tag",
- "s3:TagResource",
- "resource-groups:PutGroupPolicy",
- "resource-groups:UpdateGroupQuery",
- "s3:PutBucketCORS",
- "s3:PutBucketLogging",
- "kms:DeleteAlias",
+ "resource-groups:GetGroupConfiguration",
 "resource-groups:GetGroupQuery",
+ "resource-groups:GetTags",
+ "resource-groups:ListGroups",
+ "resource-groups:PutGroupConfiguration",
+ "resource-groups:PutGroupPolicy",
+ "resource-groups:Tag",
+ "resource-groups:Untag",
 "resource-groups:UpdateGroup",
- "s3:PutAccelerateConfiguration",
 "resource-groups:GetGroupPolicy",
- "s3:GetBucketLogging",
+ "resource-groups:UpdateGroupQuery",
+ "s3:CreateBucket",
+ "s3:DeleteBucket",
+ "s3:DeleteBucketPolicy",
+ "s3:DeleteBucketWebsite",
 "s3:GetAccelerateConfiguration",
+ "s3:GetBucketAcl",
+ "s3:GetBucketCORS",
+ "s3:GetBucketLogging",
+ "s3:GetBucketObjectLockConfiguration",
 "s3:GetBucketPolicy",
- "s3:PutEncryptionConfiguration",
- "s3:GetEncryptionConfiguration",
- "kms:TagResource",
- "dynamodb:TagResource",
+ "s3:GetBucketPublicAccessBlock",
 "s3:GetBucketRequestPayment",
- "kms:ScheduleKeyDeletion",
- "kms:DescribeKey",
- "dynamodb:UntagResource",
- "resource-groups:ListGroups",
- "dynamodb:DescribeTimeToLive",
- "s3:GetBucketAcl",
- "iam:CreateOpenIDConnectProvider",
- "kms:ListKeys",
- "iam:ListOpenIDConnectProviders",
- "s3:PutBucketPolicy"
+ "s3:GetBucketTagging",
+ "s3:GetBucketVersioning",
+ "s3:GetBucketWebsite",
+ "s3:GetEncryptionConfiguration",
+ "s3:GetLifecycleConfiguration",
+ "s3:GetReplicationConfiguration",
+ "s3:ListBucket",
+ "s3:PutAccelerateConfiguration",
+ "s3:PutBucketAcl",
+ "s3:PutBucketCORS",
+ "s3:PutBucketLogging",
+ "s3:PutBucketObjectLockConfiguration",
+ "s3:PutBucketPolicy",
+ "s3:PutBucketPublicAccessBlock",
+ "s3:PutBucketRequestPayment",
+ "s3:PutBucketTagging",
+ "s3:PutBucketVersioning",
+ "s3:PutBucketWebsite",
+ "s3:PutEncryptionConfiguration",
+ "s3:PutLifecycleConfiguration",
+ "s3:PutReplicationConfiguration",
+ "s3:TagResource",
+ "s3:UntagResource"
 ],
 "Resource": "*"
 }
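Review bot: The re-sorted statement still combines account-wide `"Resource": "*"` with the role-creation and trust-policy actions on the new side (`iam:CreateRole`, `iam:AttachRolePolicy`, `iam:PutRolePolicy`, `iam:UpdateAssumeRolePolicy`, `iam:DeleteRolePermissionsBoundary`), which makes the bootstrap principal this document asks readers to create effectively administrator-equivalent; the sort makes that breadth easier to read but does not narrow it. Consider scoping the IAM actions' `Resource` to the roles and OIDC providers the bootstrap actually manages (e.g. `arn:aws:iam::<ACCOUNT_ID>:role/<PROJECT_PREFIX>*`) and, for `iam:CreateRole`/`iam:PutRolePolicy`/`iam:AttachRolePolicy`, adding `"Condition": {"StringEquals": {"iam:PermissionsBoundary": "<BOUNDARY_POLICY_ARN>"}}`, which would also allow dropping `iam:DeleteRolePermissionsBoundary`. The three actions that are genuinely new rather than re-sorted — `dynamodb:UpdateContinuousBackups`, `s3:GetBucketPublicAccessBlock`, `s3:PutBucketPublicAccessBlock` — are not explained anywhere in the hunk; a one-line note in the surrounding prose saying which bootstrap resources need them (presumably point-in-time recovery and the bucket public-access block settings — worth confirming) would let readers who maintain a hand-curated policy add only those. The enclosing policy document (the `Statement` array and any sibling statements) starts and ends outside the hunk, so whether a separate statement already narrows these actions cannot be seen here.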