olehmykolaishyn pushed a commit to branch security_debt/datalab-2986
in repository https://gitbox.apache.org/repos/asf/incubator-datalab.git
The following commit(s) were added to refs/heads/security_debt/datalab-2986 by
this push:
new e4a06324b updated policy
e4a06324b is described below
commit e4a06324bf050fd16fa23db98f20c9c9416b2c55
Author: owlleg6 <[email protected]>
AuthorDate: Tue May 3 11:09:41 2022 +0300
updated policy
---
.../src/general/files/aws/ssn_policy.json | 161 +++++++++++----------
1 file changed, 82 insertions(+), 79 deletions(-)
diff --git a/infrastructure-provisioning/src/general/files/aws/ssn_policy.json
b/infrastructure-provisioning/src/general/files/aws/ssn_policy.json
index 89f28c50c..4348e4c2a 100644
--- a/infrastructure-provisioning/src/general/files/aws/ssn_policy.json
+++ b/infrastructure-provisioning/src/general/files/aws/ssn_policy.json
@@ -2,121 +2,124 @@
"Version": "2012-10-17",
"Statement": [
{
- "Action": [
- "iam:CreateRole",
- "iam:CreateInstanceProfile",
- "iam:CreatePolicy",
- "iam:AttachRolePolicy",
- "iam:AddRoleToInstanceProfile",
- "iam:DetachRolePolicy",
- "iam:DeleteInstanceProfile",
- "iam:DeletePolicy",
- "iam:DeleteRolePolicy",
- "iam:DeleteRole",
- "iam:RemoveRoleFromInstanceProfile",
- "iam:GetRole",
- "iam:GetRolePolicy",
- "iam:GetInstanceProfile",
- "iam:GetPolicy",
- "iam:GetUser",
- "iam:ListUsers",
- "iam:ListAccessKeys",
- "iam:PassRole",
- "iam:ListUserPolicies",
- "iam:PutRolePolicy",
- "iam:ListInstanceProfiles",
- "iam:ListAttachedRolePolicies",
- "iam:ListInstanceProfilesForRole",
- "iam:ListRoles",
- "iam:ListPolicies",
- "iam:ListRolePolicies",
- "iam:TagRole"
- ],
"Effect": "Allow",
- "Resource": "*"
- },
- {
"Action": [
- "ec2:CreateVpcEndpoint",
- "ec2:CreateSubnet",
- "ec2:CreateTags",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:DeleteSubnet",
+ "ec2:DescribeInstances",
"ec2:CreateImage",
+ "ec2:DeleteRouteTable",
+ "ec2:AssociateRouteTable",
+ "ec2:StartInstances",
"ec2:CreateRoute",
+ "ec2:RevokeSecurityGroupEgress",
+ "ec2:DescribeRouteTables",
+ "ec2:CreateTags",
+ "ec2:CreateRouteTable",
+ "ec2:RunInstances",
"ec2:DeregisterImage",
- "ec2:DescribeImages",
+ "ec2:DeleteSnapshot",
"ec2:DescribeAddresses",
+ "ec2:CreateVpcEndpoint",
+ "ec2:DescribeVpcs",
+ "ec2:DeleteSecurityGroup",
+ "ec2:AllocateAddress",
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeImages",
+ "ec2:AuthorizeSecurityGroupEgress",
+ "ec2:TerminateInstances",
+ "ec2:StopInstances",
+ "ec2:RevokeSecurityGroupIngress",
+ "ec2:CreateSubnet",
"ec2:AssociateAddress",
+ "ec2:DescribeSubnets",
+ "ec2:ModifyVpcEndpoint",
"ec2:DisassociateAddress",
- "ec2:AllocateAddress",
"ec2:ReleaseAddress",
- "ec2:CreateRouteTable",
- "ec2:CreateSecurityGroup",
- "ec2:AuthorizeSecurityGroupEgress",
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:AssociateRouteTable",
- "ec2:DeleteRouteTable",
- "ec2:DeleteSubnet",
"ec2:DeleteTags",
- "ec2:DeleteSecurityGroup",
- "ec2:DeleteSnapshot",
- "ec2:DescribeRouteTables",
"ec2:DescribeSpotInstanceRequests",
- "ec2:ModifyVpcEndpoint",
- "ec2:RunInstances",
- "ec2:StartInstances",
- "ec2:StopInstances",
- "ec2:TerminateInstances",
- "ec2:DescribeSubnets",
- "ec2:DescribeVpcs",
- "ec2:DescribeSecurityGroups",
- "ec2:DescribeInstances",
- "ec2:DescribeInstanceStatus",
+ "ec2:CreateSecurityGroup",
"ec2:ModifyInstanceAttribute",
- "ec2:RevokeSecurityGroupEgress",
- "ec2:RevokeSecurityGroupIngress",
- "ec2:AuthorizeSecurityGroupEgress",
- "ec2:AuthorizeSecurityGroupIngress"
+ "ec2:DescribeInstanceStatus"
],
+ "Resource": "*"
+ },
+ {
"Effect": "Allow",
+ "Action": [
+ "iam:RemoveRoleFromInstanceProfile",
+ "iam:CreateRole",
+ "iam:AttachRolePolicy",
+ "iam:PutRolePolicy",
+ "iam:AddRoleToInstanceProfile",
+ "iam:DetachRolePolicy",
+ "iam:ListAttachedRolePolicies",
+ "iam:ListRolePolicies",
+ "iam:ListPolicies",
+ "iam:GetRole",
+ "iam:GetPolicy",
+ "iam:DeleteRole",
+ "iam:GetRolePolicy",
+ "iam:CreateInstanceProfile",
+ "iam:TagRole",
+ "iam:DeletePolicy",
+ "iam:ListInstanceProfilesForRole",
+ "iam:PassRole",
+ "iam:DeleteRolePolicy",
+ "iam:ListAccessKeys",
+ "iam:DeleteInstanceProfile",
+ "iam:GetInstanceProfile",
+ "iam:ListRoles",
+ "iam:ListUserPolicies",
+ "iam:ListInstanceProfiles",
+ "iam:CreatePolicy",
+ "iam:ListUsers",
+ "iam:GetUser"
+ ],
"Resource": "*"
},
{
+ "Effect": "Allow",
"Action": [
"s3:CreateBucket",
- "s3:ListAllMyBuckets",
- "s3:GetBucketLocation",
- "s3:GetBucketTagging",
- "s3:PutBucketTagging",
- "s3:PutBucketPolicy",
- "s3:GetBucketPolicy",
- "s3:DeleteBucket",
"s3:DeleteObject",
+ "s3:PutObject",
"s3:GetObject",
+ "s3:GetBucketTagging",
"s3:ListBucket",
- "s3:PutObject",
- "s3:PutEncryptionConfiguration"
+ "s3:GetBucketPolicy",
+ "s3:PutEncryptionConfiguration",
+ "s3:PutBucketTagging",
+ "s3:DeleteBucket",
+ "s3:ListAllMyBuckets",
+ "s3:PutBucketPolicy",
+ "s3:GetBucketLocation",
+ "s3:PutBucketPublicAccessBlock",
+ "s3:PutBucketVersioning",
+ "s3:ListBucketVersions",
+ "s3:DeleteObjectVersion",
+ "s3:DeleteObjectVersionTagging"
],
- "Effect": "Allow",
"Resource": "*"
},
{
+ "Effect": "Allow",
"Action": [
- "elasticmapreduce:AddTags",
- "elasticmapreduce:RemoveTags",
+ "elasticmapreduce:ListInstances",
"elasticmapreduce:DescribeCluster",
"elasticmapreduce:ListClusters",
- "elasticmapreduce:RunJobFlow",
- "elasticmapreduce:ListInstances",
- "elasticmapreduce:TerminateJobFlows"
+ "elasticmapreduce:TerminateJobFlows",
+ "elasticmapreduce:RemoveTags",
+ "elasticmapreduce:AddTags",
+ "elasticmapreduce:RunJobFlow"
],
- "Effect": "Allow",
"Resource": "*"
},
{
+ "Effect": "Allow",
"Action": [
"pricing:GetProducts"
],
- "Effect": "Allow",
"Resource": "*"
}
]
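Review bot: The IAM statement on the new side still pairs `iam:PassRole`, `iam:CreatePolicy`, `iam:AttachRolePolicy` and `iam:PutRolePolicy` with `"Resource": "*"`, so any principal holding this SSN policy can attach arbitrary permissions to any role in the account and pass that role to a service. The commit only reorders these actions, so the escalation path stays open. Scope the statement to the roles, policies and instance profiles the deployment itself creates, for example `"Resource": "arn:aws:iam::<ACCOUNT_ID>:role/<SERVICE_BASE_NAME>-*"` (both placeholders), and move `iam:PassRole` into its own statement with `"Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}`, extended to whichever other services provisioning actually passes roles to. The newly added `s3:DeleteObjectVersion` and `s3:PutBucketPublicAccessBlock` have the same problem. With `"Resource": "*"` they allow permanent deletion of versioned objects and changes to public-access settings on every bucket in the account, so if the project's buckets share a name prefix, a prefix-scoped bucket ARN would be safer.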