Here is a table of the roles, giving the role name, the resources it touches, and the actions it permits. Only actions are listed; when each role is written as a policy, the Resource ARNs and Conditions still have to be scoped (an omitted Resource defaults to `*`):
Role Name | Resources Affected | Actions Permitted |
---|---|---|
EC2 Instance Manager | EC2 Instances | ec2:RunInstances , ec2:StopInstances , ec2:TerminateInstances , ec2:ModifyInstanceAttribute , ec2:DescribeInstances |
EC2 Read-Only Auditor | EC2 Instances | ec2:DescribeInstances , ec2:DescribeVolumes , ec2:DescribeSecurityGroups |
S3 Bucket Manager | S3 Buckets and Objects | s3:CreateBucket , s3:DeleteBucket , s3:PutObject , s3:GetObject , s3:DeleteObject , s3:PutBucketPolicy |
S3 Read-Only Auditor | S3 Buckets and Objects | s3:ListBucket , s3:GetObject , s3:GetBucketPolicy |
IAM User Manager | IAM Users, Groups, Roles | iam:CreateUser , iam:DeleteUser , iam:UpdateUser , iam:CreateGroup , iam:AttachUserPolicy , iam:CreateRole |
IAM Auditor | IAM Configurations | iam:GetUser , iam:GetGroup , iam:ListPolicies , iam:GetRole , iam:ListRolePolicies |
Audit Trail Reviewer | CloudTrail Logs | cloudtrail:LookupEvents , cloudtrail:DescribeTrails , s3:GetObject (for CloudTrail logs stored in S3) |
CloudWatch Alarm Manager | CloudWatch Alarms | cloudwatch:PutMetricAlarm , cloudwatch:DeleteAlarms , cloudwatch:DescribeAlarms , cloudwatch:SetAlarmState |
CloudWatch Logs Viewer | CloudWatch Logs | logs:DescribeLogGroups , logs:GetLogEvents , logs:DescribeLogStreams |
RDS Instance Manager | RDS Instances | rds:CreateDBInstance , rds:ModifyDBInstance , rds:DeleteDBInstance , rds:DescribeDBInstances |
RDS Read-Only Auditor | RDS Instances | rds:DescribeDBInstances , rds:DescribeDBClusters , rds:ListTagsForResource |
Lambda Developer | Lambda Functions | lambda:CreateFunction , lambda:UpdateFunctionCode , lambda:DeleteFunction , lambda:InvokeFunction |
Lambda Read-Only Auditor | Lambda Functions | lambda:GetFunction , lambda:ListFunctions , lambda:GetFunctionConfiguration |
Infrastructure Developer | CloudFormation Stacks | cloudformation:CreateStack , cloudformation:UpdateStack , cloudformation:DeleteStack , cloudformation:DescribeStacks |
CloudFormation Auditor | CloudFormation Stacks | cloudformation:DescribeStacks , cloudformation:GetTemplate , cloudformation:ListStackResources |
Security Auditor Role | Various AWS Services | cloudtrail:LookupEvents , cloudwatch:GetMetricData , s3:ListBucket , iam:ListUsers , iam:GetAccountSummary |
Administrator Role | All AWS Services | Action `*` on Resource `*` (full administrative access, equivalent to the AWS-managed AdministratorAccess policy) |
Notes:
- Actions: Each role lists only the actions its task needs. That alone is not least privilege: the table carries no Resource ARNs or Conditions, so a policy built literally from it would allow every listed action on every resource in the account.
- Auditor Roles: The auditor roles contain only Describe/Get/List actions, so they cannot change configuration. They are not free of data exposure, though: s3:GetObject reads object contents and logs:GetLogEvents reads log contents, so scope those to the buckets and log groups the auditor actually needs.
- IAM User Manager: iam:AttachUserPolicy and iam:CreateRole on an unscoped Resource are effectively administrative, because the holder can attach AdministratorAccess to their own user or create a new privileged role. Constrain this role with a permissions boundary (iam:PermissionsBoundary condition) or restrict it to specific user and role ARNs.
- Administrator Role: Should be used sparingly and only when absolutely necessary due to its broad access; keep it as a separate role that requires MFA to assume rather than attaching it to everyday identities.
Limited Role for AWS GovCloud Developer (note the `aws-us-gov` ARN partition; ARNs written with the commercial `aws` partition will never match in GovCloud):
Capability | Actions | Resources |
---|---|---|
Read-Only EC2/VPC | ec2:Describe* , autoscaling:Describe* , elasticloadbalancing:Describe* , cloudwatch:DescribeAlarms , cloudwatch:GetMetric* | * |
Read-Only RDS | rds:Describe* , rds:ListTagsForResource , rds:DownloadDBLogFilePortion , logs:DescribeLogStreams , logs:GetLogEvents | * |
S3 Upload/Download | s3:ListBucket , s3:GetObject , s3:PutObject | s3:ListBucket on arn:aws-us-gov:s3:::YOUR_BUCKET_NAME (the bucket ARN itself); s3:GetObject and s3:PutObject on arn:aws-us-gov:s3:::YOUR_BUCKET_NAME …/* (object ARNs). Granting ListBucket only on the object pattern is a common mistake and never matches. |
Lambda Deploy & Invoke | lambda:ListFunctions , lambda:GetFunction , lambda:GetFunctionConfiguration , lambda:CreateFunction , lambda:UpdateFunctionCode , lambda:UpdateFunctionConfiguration , lambda:PublishVersion , lambda:InvokeFunction | * (recommend narrowing to specific function ARNs; lambda:ListFunctions must stay on *) |
Lambda Execution Role Pass | iam:GetRole , iam:PassRole | arn:aws-us-gov:iam::ACCOUNT_ID:role/YOUR_LAMBDA_EXEC_ROLE, with a Condition of StringEquals iam:PassedToService = lambda.amazonaws.com so the role can only be passed to Lambda |
SSM Session Manager | ssm:StartSession , ssm:TerminateSession , ssm:ResumeSession , ssm:DescribeSessions , ssm:GetConnectionStatus , ssm:DescribeInstanceInformation , ssmmessages:OpenDataChannel , ssmmessages:OpenControlChannel | ssm:StartSession on arn:aws-us-gov:ec2:REGION:ACCOUNT_ID:instance/* and arn:aws-us-gov:ssm:REGION:ACCOUNT_ID:document/AWS-StartSession; ssm:TerminateSession and ssm:ResumeSession on arn:aws-us-gov:ssm:*:*:session/${aws:userid}-* (the caller's own sessions only); the remaining Describe/Get and ssmmessages actions on * |
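The following Python is an added example, not part of the original page and not an AWS artifact. It encodes the S3, PassRole and Session Manager rows of the GovCloud developer table, and the IAM User Manager row of the first table, as policy documents and runs them through a small, deliberately simplified evaluator so the scoping claims above can be checked offline. The account ID, region, bucket name, role name and user IDs are placeholders I chose; the evaluator models only Allow/Deny, wildcards, the `${aws:userid}` variable and `StringEquals`, and is not the real IAM engine.

```python
"""Constructed mini IAM evaluator for sanity-checking the role tables.

Models Allow/Deny, '*' and '?' wildcards in Action and Resource, the
${aws:userid} policy variable and the StringEquals condition operator.
Does NOT model SCPs, permission boundaries, resource policies, NotAction
or other operators; use `aws iam simulate-custom-policy` for real answers.
"""
import fnmatch
import json

# Hypothetical identifiers (not from the page); substitute your own.
PARTITION = "aws-us-gov"
ACCOUNT = "123456789012"
REGION = "us-gov-west-1"
BUCKET = "example-dev-bucket"
EXEC_ROLE = f"arn:{PARTITION}:iam::{ACCOUNT}:role/example-lambda-exec"


def arn(service, resource, region=REGION, account=ACCOUNT):
    return f"arn:{PARTITION}:{service}:{region}:{account}:{resource}"


GOVCLOUD_DEV_POLICY = {"Version": "2012-10-17", "Statement": [
    # ListBucket is a bucket-level action: grant it on the bucket ARN itself.
    {"Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": f"arn:{PARTITION}:s3:::{BUCKET}"},
    # Object actions are evaluated against object ARNs (bucket/key).
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": f"arn:{PARTITION}:s3:::{BUCKET}/*"},
    # PassRole limited to one role AND to the Lambda service.
    {"Effect": "Allow", "Action": ["iam:GetRole", "iam:PassRole"],
     "Resource": EXEC_ROLE,
     "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}},
    # StartSession needs the instance and the SSM document.
    {"Effect": "Allow", "Action": "ssm:StartSession",
     "Resource": [arn("ec2", "instance/*"), arn("ssm", "document/AWS-StartSession")]},
    # Sessions are named "<aws:userid>-<suffix>", so this limits the caller
    # to resuming/terminating their own sessions.
    {"Effect": "Allow", "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
     "Resource": f"arn:{PARTITION}:ssm:*:*:session/${{aws:userid}}-*"},
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ssm:DescribeSessions", "ssm:GetConnectionStatus",
                "ssm:DescribeInstanceInformation",
                "ssmmessages:OpenDataChannel", "ssmmessages:OpenControlChannel"]},
]}

# The "IAM User Manager" row of the first table, encoded literally (Resource "*").
IAM_USER_MANAGER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["iam:CreateUser", "iam:DeleteUser", "iam:UpdateUser",
                "iam:CreateGroup", "iam:AttachUserPolicy", "iam:CreateRole"]}]}

# Common mistake: ListBucket granted only on the object pattern never matches.
S3_OBJECTS_ONLY_MISTAKE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"],
     "Resource": f"arn:{PARTITION}:s3:::{BUCKET}/*"}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _subst(pattern, ctx):
    # Expand policy variables such as ${aws:userid}; unknown ones stay literal.
    for key, val in ctx.items():
        pattern = pattern.replace("${" + key + "}", val)
    return pattern


def _cond_ok(stmt, ctx):
    # Only StringEquals is modelled; a key missing from the request fails the test.
    for key, want in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if ctx.get(key) not in _as_list(want):
            return False
    return True


def is_allowed(policy, action, resource, ctx=None):
    """Explicit Deny wins, then any matching Allow, otherwise implicit deny."""
    ctx = ctx or {}
    allowed = False
    for stmt in policy["Statement"]:
        act_hit = any(fnmatch.fnmatchcase(action.lower(), a.lower())   # actions: case-insensitive
                      for a in _as_list(stmt["Action"]))
        res_hit = any(fnmatch.fnmatchcase(resource, _subst(r, ctx))     # ARNs: case-sensitive
                      for r in _as_list(stmt["Resource"]))
        if act_hit and res_hit and _cond_ok(stmt, ctx):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


# Actions that let a principal widen its own access when allowed on its own
# user; constructed shortlist, not exhaustive.
SELF_ESCALATION = ["iam:AttachUserPolicy", "iam:PutUserPolicy",
                   "iam:CreateAccessKey", "iam:CreateLoginProfile"]


def self_escalation_paths(policy, self_user_arn):
    return [a for a in SELF_ESCALATION if is_allowed(policy, a, self_user_arn)]


if __name__ == "__main__":
    print(json.dumps(GOVCLOUD_DEV_POLICY, indent=2))
    me = f"arn:{PARTITION}:iam::{ACCOUNT}:user/alice"
    print("IAM User Manager self-escalation:", self_escalation_paths(IAM_USER_MANAGER_POLICY, me))
```

Run it and the last line reports that the literal IAM User Manager role lets its holder attach any policy to their own user. The same evaluator shows the PassRole statement failing when the request carries a different `iam:PassedToService`, and the session ARN pattern refusing another user's session, which is the behaviour the table's Resource column is meant to guarantee.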