Metadata Agentのリソース構築に必要な最小権限のIAM Policyについて
IAM Policy
Metadata Agent構築を行うIAMユーザーやIAMロールに対して最小権限を付与したい場合は、以下のIAM Policyをご参照ください。(更新日:2023年11月22日)

注意: このポリシーは多くの権限をリソース名プレフィックス「quollio-」で絞っていますが、`ec2:*` は `arn:aws:ec2:*:*:*`（アカウント内の全EC2リソース）に対して許可されており、最小権限とは言えません。また `iam:*` を `quollio-*` で始まるロール・ポリシー・インスタンスプロファイルに許可しているため、`iam:AttachRolePolicy` や `iam:UpdateAssumeRolePolicy`、`iam:PassRole` も含まれ、`quollio-*` ロールに任意の管理ポリシーを付与したり信頼ポリシーを変更したりできる点に留意してください。実際の環境では、構築に必要なアクションのみに絞り込み、CloudTrail等で実際に使用されたアクションを確認した上でさらに縮小することを推奨します。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"batch:Describe*",
"batch:List*",
"cloudformation:ListStacks",
"cloudformation:CreateUploadBucket",
"cloudformation:GetTemplateSummary",
"ec2:Describe*",
"sns:ListTopics",
"ssm:DescribeParameters",
"logs:DescribeLogGroups",
"iam:ListRoles",
"iam:ListPolicies"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "iam:*",
"Resource": [
"arn:aws:iam::*:policy/quollio-*",
"arn:aws:iam::*:instance-profile/quollio-*",
"arn:aws:iam::*:role/quollio-*"
]
},
{
"Effect": "Allow",
"Action": "batch:*",
"Resource": [
"arn:aws:batch:*:*:compute-environment/quollio-*",
"arn:aws:batch:*:*:job-definition/quollio-*",
"arn:aws:batch:*:*:job-queue/quollio-*"
]
},
{
"Effect": "Allow",
"Action": "logs:*",
"Resource": "arn:aws:logs:*:*:log-group:quollio-*:*"
},
{
"Effect": "Allow",
"Action": "ssm:*",
"Resource": "arn:aws:ssm:*:*:parameter/quollio*"
},
{
"Effect": "Allow",
"Action": "events:*",
"Resource": "arn:aws:events:*:*:rule/quollio-*"
},
{
"Effect": "Allow",
"Action": "cloudformation:*",
"Resource": "arn:aws:cloudformation:*:*:stack/quollio-*/*"
},
{
"Effect": "Allow",
"Action": "ec2:*",
"Resource": [
"arn:aws:ec2:*:*:*"
]
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::quollio-*",
"arn:aws:s3:::quollio-*/*",
"arn:aws:s3:::cf-templates*",
"arn:aws:s3:::cf-templates*/*"
]
}
]
}