{ "Policies": { "CommvaultCleanroomRole-S3CloudLibPolicy": { "Version": "2012-10-17", "Statement": [ { "Sid": "Stmt1490385696805", "Action": [ "s3:CreateBucket", "s3:GetBucketLocation", "s3:GetObject", "s3:PutObject", "s3:PutObjectRetention", "s3:PutObjectTagging", "s3:ListBucket", "s3:ListAllMyBuckets", "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:RestoreObject", "s3:ListBucketVersions", "s3:PutBucketObjectLockConfiguration", "s3:PutBucketVersioning", "s3:GetBucketVersioning", "s3:GetBucketObjectLockConfiguration" ], "Effect": "Allow", "Resource": "*" } ] }, "CommvaultCleanroomRole-FSxPolicy": { "Version": "2012-10-17", "Statement": [ { "Sid": "FSx", "Effect": "Allow", "Action": [ "fsx:DescribeFileSystems", "fsx:DescribeStorageVirtualMachines", "fsx:DescribeVolumes", "fsx:ListTagsForResource", "fsx:DescribeDataRepositoryTasks" ], "Resource": "*" }, { "Sid": "EFS", "Effect": "Allow", "Action": [ "elasticfilesystem:DescribeMountTargets", "elasticfilesystem:DescribeFileSystems" ], "Resource": "*" } ] }, "CommvaultCleanroomRole-EC2Policy": { "Version": "2012-10-17", "Statement": [ { "Sid": "AmazonEC2BackupAndRestore", "Effect": "Allow", "Action": [ "ebs:CompleteSnapshot", "ebs:GetSnapshotBlock", "ebs:ListChangedBlocks", "ebs:ListSnapshotBlocks", "ebs:PutSnapshotBlock", "ebs:StartSnapshot", "ec2:AssociateIamInstanceProfile", "ec2:AttachNetworkInterface", "ec2:AttachVolume", "ec2:CreateImage", "ec2:CreateNetworkInterface", "ec2:CreateSnapshot", "ec2:CreateTags", "ec2:CreateVolume", "ec2:DeleteNetworkInterface", "ec2:DeregisterImage", "ec2:DescribeAccountAttributes", "ec2:DescribeAvailabilityZones", "ec2:DescribeIamInstanceProfileAssociations", "ec2:DescribeImages", "ec2:DescribeInstanceAttribute", "ec2:DescribeInstanceStatus", "ec2:DescribeInstanceTypeOfferings", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", "ec2:DescribeKeyPairs", "ec2:DescribeNetworkInterfaces", "ec2:DescribeRegions", "ec2:DescribeSecurityGroups", "ec2:DescribeSnapshots", "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVolumeAttribute", "ec2:DescribeVolumes", "ec2:DescribeVpcEndpoints", "ec2:DescribeVpcs", "ec2:DetachNetworkInterface", "ec2:DisassociateIamInstanceProfile", "ec2:GetConsoleOutput", "ec2:GetEbsDefaultKmsKeyId", "ec2:GetEbsEncryptionByDefault", "ec2:ModifyNetworkInterfaceAttribute", "ec2:RegisterImage", "ec2:RunInstances", "ec2:StartInstances", "ec2:StopInstances", "iam:GetAccountAuthorizationDetails", "iam:GetInstanceProfile", "iam:GetRole", "iam:GetUser", "iam:ListInstanceProfiles", "iam:ListRoles", "kms:ListAliases" ], "Resource": "*" }, { "Sid": "RestrictModifyInstanceAttributeRestoreAddon", "Effect": "Allow", "Action": "ec2:ModifyInstanceAttribute", "Resource": "*", "Condition": { "StringLikeIfExists": { "ec2:Attribute/instanceType": "*" }, "StringEqualsIfExists": { "ec2:Attribute/ebsOptimized": [ "false", "true" ], "ec2:Attribute/blockDeviceMapping.DeleteOnTermination": [ "false", "true" ], "ec2:Attribute/disableApiTermination": [ "false", "true" ] } } }, { "Sid": "RestrictedVolumeAndSnapshotDeletion", "Effect": "Allow", "Action": [ "ec2:DeleteSnapshot", "ec2:DeleteVolume" ], "Resource": "*", "Condition": { "StringLike": { "ec2:ResourceTag/_GX_BACKUP_": "*" } } }, { "Sid": "RestrictedTagDeletion", "Effect": "Allow", "Action": "ec2:DeleteTags", "Resource": "*", "Condition": { "ForAnyValue:StringEquals": { "aws:TagKeys": [ "CV_Integrity_Snap", "CV_Retain_Snap", "Description", "Name", "_GX_AMI_", "_GX_BACKUP_", "commvault:vendor", "commvault:createdBy" ] } } }, { "Sid": "RestrictedVolumeDetach", "Effect": "Allow", "Action": "ec2:DetachVolume", "Resource": "arn:*:ec2:*:*:volume/*", "Condition": { "StringLike": { "ec2:ResourceTag/_GX_BACKUP_": "*" } } }, { "Sid": "RestrictedDeleteInstance1", "Effect": "Allow", "Action": "ec2:TerminateInstances", "Resource": "*", "Condition": { "StringLike": { "ec2:ResourceTag/CV_Integrity_Snap": "*" } } }, { "Sid": "RestrictedDeleteInstance2", "Effect": "Allow", "Action": "ec2:TerminateInstances", "Resource": "*", "Condition": { "StringLike": { "ec2:ResourceTag/_GX_BACKUP_": "*" } } }, { "Sid": "AllowDetachfromInstance", "Effect": "Allow", "Action": "ec2:DetachVolume", "Resource": "arn:*:ec2:*:*:instance/*" }, { "Sid": "RestrictPassRoleToEC2RestoreAddon", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:*:iam::*:role/*", "Condition": { "StringEquals": { "iam:PassedToService": "ec2.amazonaws.com" }, "ArnLike": { "iam:AssociatedResourceARN": [ "arn:*:ec2:*:*:instance/*" ] } } }, { "Sid": "HotaddBackupAddon", "Effect": "Allow", "Action": [ "ec2:DescribeVolumesModifications", "ec2:ModifySnapshotAttribute", "ec2:ModifyVolume" ], "Resource": "*" }, { "Sid": "ImportRestoreAddon", "Effect": "Allow", "Action": [ "ec2:CancelImportTask", "ec2:DescribeImportImageTasks", "ec2:ImportImage", "ec2:ModifyImageAttribute" ], "Resource": "*" }, { "Sid": "KMSPermissionsIfNotAllowedAtKeyPolicy", "Effect": "Allow", "Action": [ "kms:CreateAlias", "kms:CreateGrant", "kms:CreateKey", "kms:Decrypt", "kms:DescribeKey", "kms:Encrypt", "kms:GenerateDataKey", "kms:GenerateDataKeyPair", "kms:GenerateDataKeyPairWithoutPlaintext", "kms:GenerateDataKeyWithoutPlaintext", "kms:ListAliases", "kms:ListGrants", "kms:ListKeys", "kms:ListResourceTags", "kms:ReEncryptFrom", "kms:ReEncryptTo", "kms:TagResource" ], "Resource": "*" }, { "Sid": "AgentlessRestore", "Effect": "Allow", "Action": [ "ssm:CancelCommand", "ssm:DescribeInstanceInformation", "ssm:ListCommands" ], "Resource": "*" }, { "Sid": "RestrictedSendCommandForAgentlessRestore", "Effect": "Allow", "Action": [ "ssm:SendCommand" ], "Resource": [ "arn:*:ec2:*:*:instance/*", "arn:*:ssm:*:*:document/AWS-RunPowerShellScript", "arn:*:ssm:*:*:document/AWS-RunShellScript", "arn:*:ssm:*:*:document/AWS-UpdateSSMAgent" ] }, { "Sid": "S3PermissionsForRestore", "Effect": "Allow", "Action": [ "s3:CreateBucket", "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:GetBucketAcl", "s3:GetBucketLocation", "s3:GetObject", "s3:GetObjectAcl", "s3:ListAllMyBuckets", "s3:ListBucket", "s3:PutBucketAcl", "s3:PutBucketOwnershipControls", "s3:PutEncryptionConfiguration", "s3:PutObject", "s3:PutObjectAcl", "s3:PutObjectTagging" ], "Resource": "*" }, { "Sid": "SnapReplication", "Effect": "Allow", "Action": [ "ec2:CopySnapshot", "ec2:ModifySnapshotAttribute" ], "Resource": "*" }, { "Sid": "VPCBackupPermissions", "Effect": "Allow", "Action": [ "ec2:DescribeCarrierGateways", "ec2:DescribeCustomerGateways", "ec2:DescribeDhcpOptions", "ec2:DescribeEgressOnlyInternetGateways", "ec2:DescribeFlowLogs", "ec2:DescribeInternetGateways", "ec2:DescribeManagedPrefixLists", "ec2:DescribeNatGateways", "ec2:DescribeNetworkAcls", "ec2:DescribeRouteTables", "ec2:DescribeTransitGatewayVpcAttachments", "ec2:DescribeTransitGateways", "ec2:DescribeVpcAttribute", "ec2:DescribeVpcPeeringConnections", "ec2:DescribeVpnConnections", "ec2:DescribeVpnGateways", "ec2:GetManagedPrefixListEntries", "ec2:GetSubnetCidrReservations" ], "Resource": "*" }, { "Sid": "EbsDirectOptional", "Effect": "Allow", "Action": [ "iam:SimulatePrincipalPolicy" ], "Resource": "*" }, { "Sid": "PermissionForBetterJPROptional", "Effect": "Allow", "Action": [ "sts:DecodeAuthorizationMessage" ], "Resource": "*" }, { "Sid": "TenancyPermissionsForBackupAndRestore", "Effect": "Allow", "Action": [ "ec2:DescribeHosts", "license-manager:ListLicenseConfigurations", "license-manager:ListLicenseSpecificationsForResource", "resource-groups:GetGroupConfiguration", "resource-groups:ListGroups" ], "Resource": "*" } ] }, "CommvaultCleanroomRole-RDSPolicy": { "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "rds-db:connect", "rds:RestoreDBClusterFromSnapshot", "rds:DescribeDBSnapshots", "rds:CopyDBSnapshot", "rds:CopyDBClusterSnapshot", "rds:DeleteDBSnapshot", "rds:DeleteDBClusterSnapshot", "rds:CreateDBSnapshot", "rds:RestoreDBInstanceFromDBSnapshot", "rds:CreateDBInstance", "rds:DescribeDBClusterSnapshots", "rds:DescribeDBInstances", "rds:DescribeDBClusters", "rds:CreateDBClusterSnapshot", "rds:ModifyDBSnapshotAttribute", "rds:ModifyDBClusterSnapshotAttribute", "rds:AddTagsToResource", "rds:ListTagsForResource", "rds:CopyOptionGroup", "rds:RestoreDBInstanceToPointInTime", "rds:RestoreDBClusterToPointInTime", "rds:CreateTenantDatabase", "rds:ModifyDBInstance", "rds:ModifyDBCluster", "rds:DescribeDBInstanceAutomatedBackups", "rds:DescribeDBClusterAutomatedBackups", "ec2:DescribeSecurityGroups", "ec2:DescribeRegions", "ec2:DescribeAvailabilityZones", "ec2:DescribeVpcs", "ec2:DescribeAccountAttributes", "ec2:DescribeSubnets", "iam:GetUser", "iam:GetAccountAuthorizationDetails", "iam:PassRole", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:CreateGrant", "kms:DescribeKey*", "kms:ListKeys", "kms:ListAliases", "kms:Encrypt", "kms:Decrypt", "kms:ListKeys", "kms:ListAliases", "kms:ListResourceTags" ], "Resource": "*" }, { "Sid": "VisualEditor1", "Effect": "Allow", "Action": [ "rds:DeleteDBInstance", "rds:DeleteDBCluster" ], "Resource": "*", "Condition": { "ForAnyValue:StringEquals": { "aws:TagKeys": [ "_GX_BACKUP_" ] } } } ] }, "CommvaultCleanroomRole-RedshiftPolicy": { "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "redshift:RestoreFromClusterSnapshot", "redshift:DeleteClusterSnapshot", "redshift:CreateClusterSnapshot", "redshift:DescribeClusterSnapshots", "redshift:DescribeClusters", "redshift:CreateTags", "redshift:EnableSnapshotCopy", "redshift:DisableSnapshotCopy", "redshift:DescribeTags", "redshift:CreateSnapshotCopyGrant", "redshift:DescribeSnapshotCopyGrants", "ec2:DescribeRegions", "ec2:DescribeAvailabilityZones", "ec2:DescribeSecurityGroups", "ec2:DescribeVpcs", "ec2:DescribeAccountAttributes", "ec2:DescribeSubnets", "iam:GetUser", "iam:GetAccountAuthorizationDetails", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:CreateGrant", "kms:DescribeKey*", "kms:ListKeys", "kms:ListAliases", "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKeyWithoutPlaintext", "kms:ListResourceTags" ], "Resource": "*" } ] }, "CommvaultCleanroomRole-DocDBPolicy": { "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "rds:RestoreDBClusterFromSnapshot", "rds:DeleteDBClusterSnapshot", "rds:CreateDBInstance", "rds:DescribeDBClusterSnapshots", "rds:DescribeDBInstances", "rds:DescribeDBClusters", "rds:CreateDBClusterSnapshot", "rds:CopyDBClusterSnapshot", "rds:ListTagsForResource", "rds:AddTagsToResource", "ec2:DescribeRegions", "ec2:DescribeAvailabilityZones", "ec2:DescribeSecurityGroups", "ec2:DescribeVpcs", "ec2:DescribeAccountAttributes", "ec2:DescribeSubnets", "iam:GetUser", "iam:GetAccountAuthorizationDetails", "kms:ReEncryptFrom", "kms:ReEncryptTo", "kms:GenerateDataKey", "kms:GenerateDataKeyPair", "kms:GenerateDataKeyWithoutPlaintext", "kms:GenerateDataKeyPairWithoutPlaintext", "kms:CreateGrant", "kms:DescribeKey", "kms:ListKeys", "kms:ListAliases", "kms:Encrypt", "kms:Decrypt", "kms:ListResourceTags" ], "Resource": "*" } ] }, "CommvaultCleanroomRole-FSPolicy": { "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "ec2:DeleteSnapshot" ], "Resource": "*", "Condition": { "StringLike": { "ec2:ResourceTag/_GX_BACKUP_": "*" } } }, { "Sid": "VisualEditor3", "Effect": "Allow", "Action": [ "ebs:ListSnapshotBlocks", "ec2:AttachVolume", "ec2:CopySnapshot", "ec2:CreateSnapshots", "ec2:CreateTags", "ec2:CreateVolume", "ec2:DeleteVolume", "ec2:DescribeInstances", "ec2:DescribeSnapshots", "ec2:DescribeVolumes", "ec2:DescribeTags", "ec2:DescribeSecurityGroups", "ec2:DescribeRegions", "ec2:DescribeAvailabilityZones", "ec2:DescribeVpcs", "ec2:DescribeAccountAttributes", "ec2:DescribeSubnets", "ec2:DetachVolume", "kms:ReEncrypt*", "kms:ListKeys", "kms:ListAliases", "kms:GenerateDataKeyWithoutPlaintext", "kms:GenerateDataKey*", "kms:Encrypt", "kms:DescribeKey*", "kms:Decrypt", "kms:CreateGrant", "iam:GetUser", "iam:GetAccountAuthorizationDetails" ], "Resource": "*" } ] }, "CommvaultCleanroomRole-DynamoDBPolicy": { "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "application-autoscaling:DeregisterScalableTarget", "application-autoscaling:RegisterScalableTarget", "application-autoscaling:DescribeScalingPolicies", "application-autoscaling:DescribeScalableTargets", "application-autoscaling:DeleteScalingPolicy", "application-autoscaling:PutScalingPolicy", "dynamodb:BatchWriteItem", "dynamodb:CreateTable", "dynamodb:CreateTableReplica", "dynamodb:DescribeTimeToLive", "dynamodb:UpdateTimeToLive", "dynamodb:PutItem", "dynamodb:DeleteTable", "dynamodb:DeleteItem", "dynamodb:DescribeTable", "dynamodb:GetItem", "dynamodb:GetRecords", "dynamodb:GetShardIterator", "dynamodb:ListGlobalTables", "dynamodb:ListStreams", "dynamodb:ListTables", "dynamodb:ListTagsOfResource", "dynamodb:Scan", "dynamodb:Describestream", "dynamodb:UpdateTable", "dynamodb:DescribeContinuousBackups", "dynamodb:DescribeExport", "dynamodb:ExportTableToPointInTime", "dynamodb:DescribeBackup", "dynamodb:DescribeImport", "dynamodb:ListImports", "dynamodb:ListExports", "dynamodb:ImportTable", "dynamodb:DescribeTableReplicaAutoScaling", "dynamodb:UpdateTableReplicaAutoScaling", "dynamodb:UpdateTable", "dynamodb:DescribeTable", "dynamodb:Query", "dynamodb:UpdateContinuousBackups", "dynamodb:UpdateItem", "dynamodb:TagResource", "ec2:DescribeAccountAttributes", "ec2:DescribeAvailabilityZones", "ec2:DescribeRegions", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcs", "ec2:DescribeRegions", "ec2:DescribeAvailabilityZones", "iam:GetAccountAuthorizationDetails", "iam:GetUser", "kms:CreateGrant", "kms:Decrypt", "kms:DescribeKey", "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext", "kms:ListGrants", "kms:Encrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo", "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogStreams", "logs:DescribeLogGroups", "logs:TagLogGroup", "logs:DeleteLogGroup", "logs:PutRetentionPolicy", "logs:GetLogEvents", "logs:DeleteLogStream", "s3:CreateBucket", "s3:ListBucketVersions", "s3:PutBucketPublicAccessBlock", "s3:PutEncryptionConfiguration", "s3:PutBucketAcl", "s3:PutObjectTagging", "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:PutObject", "s3:PutObjectAcl", "s3:GetObject", "s3:GetObjectAcl", "s3:ListBucket", "s3:GetBucketAcl", "s3:ListAllMyBuckets", "s3:GetBucketLocation" ], "Resource": "*" } ] }, "CommvaultCleanroomRole-VPCPolicy": { "Version": "2012-10-17", "Statement": [ { "Sid": "VPCRestorePermissions", "Effect": "Allow", "Action": [ "ec2:AssignPrivateIpAddresses", "ec2:AssociateDhcpOptions", "ec2:AssociateVpcCidrBlock", "ec2:AttachInternetGateway", "ec2:AttachVpnGateway", "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateDhcpOptions", "ec2:CreateEgressOnlyInternetGateway", "ec2:CreateFlowLogs", "ec2:CreateInternetGateway", "ec2:CreateManagedPrefixList", "ec2:CreateNatGateway", "ec2:CreateNetworkAcl", "ec2:CreateNetworkAclEntry", "ec2:CreateSecurityGroup", "ec2:CreateSubnet", "ec2:CreateSubnetCidrReservation", "ec2:CreateTransitGateway", "ec2:CreateTransitGatewayVpcAttachment", "ec2:CreateVpc", "ec2:CreateVpnGateway", "ec2:DeleteDhcpOptions", "ec2:DeleteEgressOnlyInternetGateway", "ec2:DeleteInternetGateway", "ec2:DeleteManagedPrefixList", "ec2:DeleteNatGateway", "ec2:DeleteNetworkAcl", "ec2:DeleteNetworkAclEntry", "ec2:DeleteSecurityGroup", "ec2:DeleteSubnet", "ec2:DeleteTransitGateway", "ec2:DeleteTransitGatewayVpcAttachment", "ec2:DeleteVpc", "ec2:DeleteVpnGateway", "ec2:DescribeSecurityGroupRules", "ec2:DetachInternetGateway", "ec2:DetachVpnGateway", "ec2:ModifySubnetAttribute", "ec2:ModifyVpcAttribute", "ec2:ReplaceNetworkAclAssociation", "ec2:RevokeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress", "s3:PutObjectTagging", "s3:GetObjectTagging" ], "Resource": "*" }, { "Sid": "VPCRestorePermissionToCreateFlowLog", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:*:iam::*:role/*" } ] }, "CommvaultCleanroomRole-S3Policy": { "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "s3:PutAnalyticsConfiguration", "s3:GetObjectAcl", "s3:GetBucketObjectLockConfiguration", "s3:PutLifecycleConfiguration", "s3:PutBucketAcl", "s3:PutObjectTagging", "s3:DeleteObject", "s3:GetBucketWebsite", "s3:PutReplicationConfiguration", "s3:DeleteObjectVersionTagging", "s3:GetBucketNotification", "s3:PutBucketCORS", "s3:PutObject", "s3:GetObject", "s3:PutBucketNotification", "s3:PutBucketLogging", "s3:GetAnalyticsConfiguration", "s3:PutBucketObjectLockConfiguration", "s3:GetLifecycleConfiguration", "s3:GetInventoryConfiguration", "s3:GetBucketTagging", "s3:PutAccelerateConfiguration", "s3:DeleteObjectVersion", "s3:GetBucketLogging", "s3:ListBucketVersions", "s3:RestoreObject", "s3:ListBucket", "s3:GetAccelerateConfiguration", "s3:GetBucketPolicy", "s3:PutEncryptionConfiguration", "s3:GetEncryptionConfiguration", "s3:PutBucketTagging", "s3:GetBucketRequestPayment", "s3:GetObjectTagging", "s3:GetMetricsConfiguration", "s3:PutBucketVersioning", "s3:PutObjectAcl", "s3:GetBucketPublicAccessBlock", "s3:PutBucketPublicAccessBlock", "s3:PutMetricsConfiguration", "s3:GetBucketVersioning", "s3:GetBucketAcl", "s3:PutInventoryConfiguration", "s3:PutBucketWebsite", "s3:ListAllMyBuckets", "s3:PutObjectRetention", "s3:GetBucketCORS", "s3:PutBucketPolicy", "s3:GetBucketLocation" ], "Resource": "*" } ] }, "CommvaultCleanroomRole-RecoveryPolicy": { "Version": "2012-10-17", "Statement": [ { "Sid": "IAMRoleManagement", "Effect": "Allow", "Action": [ "iam:CreateRole", "iam:GetRole", "iam:ListRoles", "iam:UpdateRole", "iam:UpdateRoleDescription", "iam:PutRolePolicy", "iam:DeleteRolePolicy", "iam:GetRolePolicy", "iam:DeleteRole", "iam:TagRole", "iam:UntagRole", "iam:CreateInstanceProfile", "iam:DeleteInstanceProfile", "iam:GetInstanceProfile", "iam:ListInstanceProfiles", "iam:ListInstanceProfilesForRole", "iam:AddRoleToInstanceProfile", "iam:RemoveRoleFromInstanceProfile", "iam:AttachRolePolicy", "iam:ListAttachedRolePolicies", "iam:DetachRolePolicy", "iam:ListRolePolicies" ], "Resource": "*" }, { "Sid": "VPCEndpointManagement", "Effect": "Allow", "Action": [ "ec2:CreateVpcEndpoint", "ec2:DescribeVpcEndpoints", "ec2:ModifyVpcEndpoint", "ec2:DeleteVpcEndpoints" ], "Resource": "*" }, { "Sid": "SecurityGroupManagement", "Effect": "Allow", "Action": [ "ec2:CreateSecurityGroup", "ec2:DescribeSecurityGroups", "ec2:AuthorizeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress", "ec2:RevokeSecurityGroupEgress", "ec2:UpdateSecurityGroupRuleDescriptionsIngress", "ec2:UpdateSecurityGroupRuleDescriptionsEgress", "ec2:ModifySecurityGroupRules", "ec2:DeleteSecurityGroup" ], "Resource": "*" }, { "Sid": "InternetGatewayManagement", "Effect": "Allow", "Action": [ "ec2:CreateInternetGateway", "ec2:AttachInternetGateway", "ec2:DetachInternetGateway", "ec2:DescribeInternetGateways", "ec2:DeleteInternetGateway" ], "Resource": "*" }, { "Sid": "NatGatewayManagement", "Effect": "Allow", "Action": [ "ec2:CreateNatGateway", "ec2:DescribeNatGateways", "ec2:AssociateNatGatewayAddress", "ec2:DisassociateNatGatewayAddress", "ec2:DeleteNatGateway", "ec2:AssociateAddress", "ec2:AllocateAddress", "ec2:ReleaseAddress" ], "Resource": "*" }, { "Sid": "RouteTableManagement", "Effect": "Allow", "Action": [ "ec2:CreateRouteTable", "ec2:DescribeRouteTables", "ec2:CreateRoute", "ec2:ReplaceRoute", "ec2:DeleteRoute", "ec2:DeleteRouteTable", "ec2:AssociateRouteTable", "ec2:DisassociateRouteTable", "ec2:ReplaceRouteTableAssociation" ], "Resource": "*" }, { "Sid": "EC2Management", "Effect": "Allow", "Action": [ "ec2:TerminateInstances" ], "Resource": "*" }, { "Sid": "S3Management", "Effect": "Allow", "Action": [ "s3:DeleteBucket" ], "Resource": "*" }, { "Sid": "PrefixListManagement", "Effect": "Allow", "Action": [ "ec2:ModifyManagedPrefixList" ], "Resource": "*" } ] } } }