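# Read-only inventory policy for "annie". Every statement is an Allow on
# resources = ["*"] (most Describe*/List* actions cannot be scoped to a
# resource anyway), so the effective grant is bounded only by the action
# patterns below. Most services are kept to Describe*/List* (metadata only);
# the few "Get*" and service-wide wildcards that also reach data or secrets
# are marked NOTE(review) and should be narrowed once the consumer's real
# needs are confirmed.
data "aws_iam_policy_document" "annie_minimal_access" {
  statement {
    sid    = "AllowComputeResources"
    effect = "Allow"
    actions = [
      "ec2:Describe*",
      "eks:Describe*",
      "eks:List*",
      # NOTE(review): ecs:Describe* includes ecs:DescribeTaskDefinition, whose
      # container definitions carry plaintext environment values.
      "ecs:Describe*",
      "ecs:List*",
      "lambda:List*",
      # NOTE(review): lambda:Get* includes lambda:GetFunction, which returns a
      # code-download URL plus the function's environment variables.
      "lambda:Get*",
      "autoscaling:Describe*",
      # NOTE(review): elasticbeanstalk:DescribeConfigurationSettings exposes
      # environment property values.
      "elasticbeanstalk:Describe*",
      "elasticbeanstalk:List*",
      # NOTE(review): lightsail:Get* includes lightsail:GetInstanceAccessDetails
      # (temporary instance login credentials) and
      # lightsail:GetRelationalDatabaseMasterUserPassword; list the metadata
      # reads individually instead of the wildcard.
      "lightsail:Get*",
      "lightsail:List*",
      "batch:Describe*",
      "batch:List*"
    ]
    resources = ["*"]
  }

  statement {
    sid    = "AllowStorageResources"
    effect = "Allow"
    actions = [
      "s3:List*",
      # NOTE(review): s3:Get* on resources ["*"] includes s3:GetObject on every
      # object in every bucket, i.e. full read of stored data, not just bucket
      # configuration. If only bucket metadata is needed, replace with the
      # specific s3:GetBucket* actions required.
      "s3:Get*",
      "rds:Describe*",
      "rds:List*",
      "dynamodb:Describe*",
      "dynamodb:List*",
      "elasticache:Describe*",
      "elasticache:List*",
      "efs:Describe*",
      "fsx:Describe*",
      "fsx:List*",
      "backup:Describe*",
      "backup:List*"
    ]
    resources = ["*"]
  }

  statement {
    sid    = "AllowNetworkResources"
    effect = "Allow"
    # "vpc:Describe*" was dropped: there is no "vpc" IAM service prefix (VPC
    # APIs are all under "ec2:"), so it matched nothing. The explicit ec2
    # entries below are already covered by "ec2:Describe*" in
    # AllowComputeResources; they are kept so this statement stands on its own
    # if that wildcard is ever narrowed.
    actions = [
      "ec2:DescribeVpcs",
      "ec2:DescribeSubnets",
      "ec2:DescribeSecurityGroups",
      "ec2:DescribeRouteTables",
      "ec2:DescribeNetworkInterfaces",
      "ec2:DescribeInternetGateways",
      "ec2:DescribeNatGateways",
      "ec2:DescribeVpcEndpoints",
      "elasticloadbalancing:Describe*",
      "route53:List*",
      "route53:Get*",
      "cloudfront:List*",
      "cloudfront:Get*",
      "globalaccelerator:List*",
      "globalaccelerator:Describe*"
    ]
    resources = ["*"]
  }

  statement {
    sid    = "AllowIdentityResources"
    effect = "Allow"
    # Read-only IAM inventory: users, roles, groups and policy documents. No
    # iam:Create*/Put*/Attach* is granted, so this cannot alter identities.
    actions = [
      "iam:List*",
      "iam:Get*"
    ]
    resources = ["*"]
  }

  statement {
    sid    = "AllowMonitoringResources"
    effect = "Allow"
    # Deliberately no logs:Get*/logs:FilterLogEvents: log group metadata only,
    # not log contents. Keep it that way unless the consumer needs events.
    actions = [
      "cloudwatch:Describe*",
      "cloudwatch:List*",
      "cloudwatch:Get*",
      "logs:Describe*",
      "logs:List*",
      "health:Describe*",
      "cloudtrail:Describe*",
      "cloudtrail:List*",
      "cloudtrail:Get*"
    ]
    resources = ["*"]
  }

  statement {
    sid    = "AllowApplicationResources"
    effect = "Allow"
    actions = [
      "sns:List*",
      "sns:Get*",
      "sqs:List*",
      "sqs:Get*",
      "mq:List*",
      "mq:Describe*",
      # NOTE(review): apigateway:GET is the single read action for the whole
      # API Gateway management API; with resources ["*"] it can read every
      # REST API definition and, via the API keys endpoint, key values.
      # Scope the resource ARN to the needed APIs if possible.
      "apigateway:GET",
      "apigateway:HEAD",
      "appsync:List*",
      "appsync:Get*",
      "elasticmapreduce:List*",
      "elasticmapreduce:Describe*",
      "kafka:List*",
      "kafka:Describe*",
      "kinesis:List*",
      "kinesis:Describe*"
    ]
    resources = ["*"]
  }
}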