Here’s a table format for the roles, detailing the role name, affected resources, and permitted actions:

Role Name | Resources Affected | Actions Permitted
--- | --- | ---
EC2 Instance Manager | EC2 Instances | ec2:RunInstances, ec2:StopInstances, ec2:TerminateInstances, ec2:ModifyInstanceAttribute, ec2:DescribeInstances
EC2 Read-Only Auditor | EC2 Instances | ec2:DescribeInstances, ec2:DescribeVolumes, ec2:DescribeSecurityGroups
S3 Bucket Manager | S3 Buckets and Objects | s3:CreateBucket, s3:DeleteBucket, s3:PutObject, s3:GetObject, s3:DeleteObject, s3:PutBucketPolicy
S3 Read-Only Auditor | S3 Buckets and Objects | s3:ListBucket, s3:GetObject, s3:GetBucketPolicy
IAM User Manager | IAM Users, Groups, Roles | iam:CreateUser, iam:DeleteUser, iam:UpdateUser, iam:CreateGroup, iam:AttachUserPolicy, iam:CreateRole
IAM Auditor | IAM Configurations | iam:GetUser, iam:GetGroup, iam:ListPolicies, iam:GetRole, iam:ListRolePolicies
Audit Trail Reviewer | CloudTrail Logs | cloudtrail:LookupEvents, cloudtrail:DescribeTrails, s3:GetObject (for CloudTrail logs stored in S3)
CloudWatch Alarm Manager | CloudWatch Alarms | cloudwatch:PutMetricAlarm, cloudwatch:DeleteAlarms, cloudwatch:DescribeAlarms, cloudwatch:SetAlarmState
CloudWatch Logs Viewer | CloudWatch Logs | logs:DescribeLogGroups, logs:GetLogEvents, logs:DescribeLogStreams
RDS Instance Manager | RDS Instances | rds:CreateDBInstance, rds:ModifyDBInstance, rds:DeleteDBInstance, rds:DescribeDBInstances
RDS Read-Only Auditor | RDS Instances | rds:DescribeDBInstances, rds:DescribeDBClusters, rds:ListTagsForResource
Lambda Developer | Lambda Functions | lambda:CreateFunction, lambda:UpdateFunctionCode, lambda:DeleteFunction, lambda:InvokeFunction
Lambda Read-Only Auditor | Lambda Functions | lambda:GetFunction, lambda:ListFunctions, lambda:GetFunctionConfiguration
Infrastructure Developer | CloudFormation Stacks | cloudformation:CreateStack, cloudformation:UpdateStack, cloudformation:DeleteStack, cloudformation:DescribeStacks
CloudFormation Auditor | CloudFormation Stacks | cloudformation:DescribeStacks, cloudformation:GetTemplate, cloudformation:ListStackResources
Security Auditor Role | Various AWS Services | cloudtrail:LookupEvents, cloudwatch:GetMetricData, s3:ListBucket, iam:ListUsers, iam:GetAccountSummary
Administrator Role | All AWS Services | *:* (Full administrative access)

Notes:

  • Actions: Each role adheres to the principle of least privilege, allowing only the required actions for the tasks assigned.
  • Auditor Roles: All auditor roles provide read-only permissions to prevent any changes to the resources while allowing monitoring and auditing.
  • Administrator Role: Should be used sparingly and only when absolutely necessary due to its broad access.

Let me know if you’d like adjustments or more detailed definitions for any role!

Limited Role for AWS GovCloud Developer:

Capability | Actions | Resources
--- | --- | ---
Read-Only EC2/VPC | ec2:Describe*, autoscaling:Describe*, elasticloadbalancing:Describe*, cloudwatch:DescribeAlarms, cloudwatch:GetMetric* | *
Read-Only RDS | rds:Describe*, rds:ListTagsForResource, rds:DownloadDBLogFilePortion, logs:DescribeLogStreams, logs:GetLogEvents | *
S3 Upload/Download | s3:ListBucket, s3:GetObject, s3:PutObject | arn:aws-us-gov:s3:::YOUR_BUCKET_NAME…/*
Lambda Deploy & Invoke | lambda:ListFunctions, lambda:GetFunction, lambda:GetFunctionConfiguration, lambda:CreateFunction, lambda:UpdateFunctionCode, lambda:UpdateFunctionConfiguration, lambda:PublishVersion, lambda:InvokeFunction | * (recommend narrowing to specific ARNs)
Lambda Execution Role Pass | iam:GetRole, iam:PassRole | arn:aws-us-gov:iam::ACCOUNT_ID:role/YOUR_LAMBDA_EXEC_ROLE
SSM Session Manager | ssm:StartSession, ssm:TerminateSession, ssm:ResumeSession, ssm:DescribeSessions, ssm:GetConnectionStatus, ssm:DescribeInstanceInformation, ssmmessages:OpenDataChannel, ssmmessages:OpenControlChannel | arn:aws-us-gov:ec2:REGION:ACCOUNT_ID:instance/*; arn:aws-us-gov:ssm:REGION:ACCOUNT_ID:document/AWS-StartSession; arn:aws-us-gov:ssm:*:*:session/${aws:userid}-*
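The limited GovCloud developer role written out as an IAM policy document, with a small check for the table's own caveat that the Lambda wildcard should be narrowed. This is an added example, not the page's own code: the aws-us-gov ARNs and placeholder names follow the table, while the region and account id values, the split of ListBucket onto the bucket ARN, and the iam:PassedToService condition on PassRole are assumptions.

```python
PARTITION, REGION, ACCOUNT_ID = "aws-us-gov", "us-gov-west-1", "123456789012"  # placeholder values
BUCKET, EXEC_ROLE = "YOUR_BUCKET_NAME", "YOUR_LAMBDA_EXEC_ROLE"  # placeholders taken from the table
MUTATING = ("Create", "Update", "Delete", "Put", "Invoke", "Publish", "Pass", "Start")


def build_policy(lambda_arns=("*",)):
    """Policy for the limited GovCloud developer; lambda_arns defaults to the table's '*' so lint_wildcards() shows why to narrow it."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "NotResourceScoped", "Effect": "Allow", "Resource": "*",  # these APIs accept no resource ARN
         "Action": ["ec2:Describe*", "autoscaling:Describe*", "elasticloadbalancing:Describe*",
                    "cloudwatch:DescribeAlarms", "cloudwatch:GetMetric*", "lambda:ListFunctions",
                    "rds:Describe*", "rds:ListTagsForResource", "rds:DownloadDBLogFilePortion",
                    "logs:DescribeLogStreams", "logs:GetLogEvents", "ssm:DescribeSessions",
                    "ssm:GetConnectionStatus", "ssm:DescribeInstanceInformation",
                    "ssmmessages:OpenDataChannel", "ssmmessages:OpenControlChannel"]},
        # ListBucket is a bucket-level action (bucket ARN); object actions need the /* object ARN
        {"Sid": "S3Bucket", "Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": f"arn:{PARTITION}:s3:::{BUCKET}"},
        {"Sid": "S3Objects", "Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": f"arn:{PARTITION}:s3:::{BUCKET}/*"},
        {"Sid": "LambdaDeploy", "Effect": "Allow", "Resource": list(lambda_arns),
         "Action": ["lambda:GetFunction", "lambda:GetFunctionConfiguration", "lambda:CreateFunction",
                    "lambda:UpdateFunctionCode", "lambda:UpdateFunctionConfiguration",
                    "lambda:PublishVersion", "lambda:InvokeFunction"]},
        {"Sid": "PassExecRole", "Effect": "Allow", "Action": ["iam:GetRole", "iam:PassRole"],
         "Resource": f"arn:{PARTITION}:iam::{ACCOUNT_ID}:role/{EXEC_ROLE}",
         # assumption: the exec role may only be handed to Lambda, not to EC2/ECS etc.
         "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}},
        {"Sid": "SsmStart", "Effect": "Allow", "Action": ["ssm:StartSession"],
         "Resource": [f"arn:{PARTITION}:ec2:{REGION}:{ACCOUNT_ID}:instance/*",
                      f"arn:{PARTITION}:ssm:{REGION}:{ACCOUNT_ID}:document/AWS-StartSession"]},
        {"Sid": "SsmOwnSession", "Effect": "Allow",  # a developer may only end/resume their own sessions
         "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
         "Resource": f"arn:{PARTITION}:ssm:*:*:session/${{aws:userid}}-*"},
    ]}


def lint_wildcards(policy):
    """Sids that allow a state-changing action on Resource '*' (Describe/Get/List on '*' is accepted)."""
    hits = []
    for st in policy["Statement"]:
        res = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if "*" in res and any(a.split(":", 1)[1].startswith(MUTATING) for a in st["Action"]):
            hits.append(st["Sid"])
    return hits


if __name__ == "__main__":
    print(lint_wildcards(build_policy()))  # ['LambdaDeploy']: pass function ARNs as lambda_arns to clear it
```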