| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251 |
- {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "iam:CreateServiceLinkedRole"
- ],
- "Resource": "*",
- "Condition": {
- "StringEquals": {
- "iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:DescribeAccountAttributes",
- "ec2:DescribeAddresses",
- "ec2:DescribeAvailabilityZones",
- "ec2:DescribeInternetGateways",
- "ec2:DescribeVpcs",
- "ec2:DescribeVpcPeeringConnections",
- "ec2:DescribeSubnets",
- "ec2:DescribeSecurityGroups",
- "ec2:DescribeInstances",
- "ec2:DescribeNetworkInterfaces",
- "ec2:DescribeTags",
- "ec2:GetCoipPoolUsage",
- "ec2:DescribeCoipPools",
- "ec2:GetSecurityGroupsForVpc",
- "ec2:DescribeIpamPools",
- "ec2:DescribeRouteTables",
- "elasticloadbalancing:DescribeLoadBalancers",
- "elasticloadbalancing:DescribeLoadBalancerAttributes",
- "elasticloadbalancing:DescribeListeners",
- "elasticloadbalancing:DescribeListenerCertificates",
- "elasticloadbalancing:DescribeSSLPolicies",
- "elasticloadbalancing:DescribeRules",
- "elasticloadbalancing:DescribeTargetGroups",
- "elasticloadbalancing:DescribeTargetGroupAttributes",
- "elasticloadbalancing:DescribeTargetHealth",
- "elasticloadbalancing:DescribeTags",
- "elasticloadbalancing:DescribeTrustStores",
- "elasticloadbalancing:DescribeListenerAttributes",
- "elasticloadbalancing:DescribeCapacityReservation"
- ],
- "Resource": "*"
- },
- {
- "Effect": "Allow",
- "Action": [
- "cognito-idp:DescribeUserPoolClient",
- "acm:ListCertificates",
- "acm:DescribeCertificate",
- "iam:ListServerCertificates",
- "iam:GetServerCertificate",
- "waf-regional:GetWebACL",
- "waf-regional:GetWebACLForResource",
- "waf-regional:AssociateWebACL",
- "waf-regional:DisassociateWebACL",
- "wafv2:GetWebACL",
- "wafv2:GetWebACLForResource",
- "wafv2:AssociateWebACL",
- "wafv2:DisassociateWebACL",
- "shield:GetSubscriptionState",
- "shield:DescribeProtection",
- "shield:CreateProtection",
- "shield:DeleteProtection"
- ],
- "Resource": "*"
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Resource": "*"
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:CreateSecurityGroup"
- ],
- "Resource": "*"
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:CreateTags"
- ],
- "Resource": "arn:aws:ec2:*:*:security-group/*",
- "Condition": {
- "StringEquals": {
- "ec2:CreateAction": "CreateSecurityGroup"
- },
- "Null": {
- "aws:RequestTag/elbv2.k8s.aws/cluster": "false"
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:CreateTags",
- "ec2:DeleteTags"
- ],
- "Resource": "arn:aws:ec2:*:*:security-group/*",
- "Condition": {
- "Null": {
- "aws:RequestTag/elbv2.k8s.aws/cluster": "true",
- "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:RevokeSecurityGroupIngress",
- "ec2:DeleteSecurityGroup"
- ],
- "Resource": "*",
- "Condition": {
- "Null": {
- "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "elasticloadbalancing:CreateLoadBalancer",
- "elasticloadbalancing:CreateTargetGroup"
- ],
- "Resource": "*",
- "Condition": {
- "Null": {
- "aws:RequestTag/elbv2.k8s.aws/cluster": "false"
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "elasticloadbalancing:CreateListener",
- "elasticloadbalancing:DeleteListener",
- "elasticloadbalancing:CreateRule",
- "elasticloadbalancing:DeleteRule"
- ],
- "Resource": "*"
- },
- {
- "Effect": "Allow",
- "Action": [
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:RemoveTags"
- ],
- "Resource": [
- "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
- "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
- "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
- ],
- "Condition": {
- "Null": {
- "aws:RequestTag/elbv2.k8s.aws/cluster": "true",
- "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:RemoveTags"
- ],
- "Resource": [
- "arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*",
- "arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*",
- "arn:aws:elasticloadbalancing:*:*:listener-rule/net/*/*/*",
- "arn:aws:elasticloadbalancing:*:*:listener-rule/app/*/*/*"
- ]
- },
- {
- "Effect": "Allow",
- "Action": [
- "elasticloadbalancing:ModifyLoadBalancerAttributes",
- "elasticloadbalancing:SetIpAddressType",
- "elasticloadbalancing:SetSecurityGroups",
- "elasticloadbalancing:SetSubnets",
- "elasticloadbalancing:DeleteLoadBalancer",
- "elasticloadbalancing:ModifyTargetGroup",
- "elasticloadbalancing:ModifyTargetGroupAttributes",
- "elasticloadbalancing:DeleteTargetGroup",
- "elasticloadbalancing:ModifyListenerAttributes",
- "elasticloadbalancing:ModifyCapacityReservation",
- "elasticloadbalancing:ModifyIpPools"
- ],
- "Resource": "*",
- "Condition": {
- "Null": {
- "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "elasticloadbalancing:AddTags"
- ],
- "Resource": [
- "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
- "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
- "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
- ],
- "Condition": {
- "StringEquals": {
- "elasticloadbalancing:CreateAction": [
- "CreateTargetGroup",
- "CreateLoadBalancer"
- ]
- },
- "Null": {
- "aws:RequestTag/elbv2.k8s.aws/cluster": "false"
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "elasticloadbalancing:RegisterTargets",
- "elasticloadbalancing:DeregisterTargets"
- ],
- "Resource": "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"
- },
- {
- "Effect": "Allow",
- "Action": [
- "elasticloadbalancing:SetWebAcl",
- "elasticloadbalancing:ModifyListener",
- "elasticloadbalancing:AddListenerCertificates",
- "elasticloadbalancing:RemoveListenerCertificates",
- "elasticloadbalancing:ModifyRule",
- "elasticloadbalancing:SetRulePriorities"
- ],
- "Resource": "*"
- }
- ]
- }
|
