Restricted Elastic Beanstalk deployment policy: Part 1

February 6, 2018 - 2 minutes

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ElasticBeanstalkEnvironmentPermissions",
            "Effect": "Allow",
            "Action": [
                "elasticbeanstalk:*"
            ],
            "Resource": [
                "arn:aws:elasticbeanstalk:AWS_REGION:AWS_ACCOUNT:environment/APPLICATION_NAME/*"
            ]
        },
        {
            "Sid": "ElasticBeanstalkGlobalPermissions",
            "Effect": "Allow",
            "Action": [
                "elasticbeanstalk:DescribeConfigurationOptions",
                "elasticbeanstalk:DescribeEnvironmentManagedActions",
                "elasticbeanstalk:DescribeEnvironmentHealth",
                "elasticbeanstalk:DescribeInstancesHealth",
                "elasticbeanstalk:DescribeConfigurationSettings",
                "elasticbeanstalk:ListAvailableSolutionStacks",
                "elasticbeanstalk:ValidateConfigurationSettings",
                "elasticbeanstalk:CheckDNSAvailability",
                "elasticbeanstalk:CreateStorageLocation"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "ElasticBeanstalkApplicationVersionPermissions",
            "Effect": "Allow",
            "Action": [
                "elasticbeanstalk:*"
            ],
            "Resource": [
                "arn:aws:elasticbeanstalk:AWS_REGION:AWS_ACCOUNT:applicationversion/APPLICATION_NAME/*"
            ]
        },
        {
            "Sid": "ElasticBeanstalkApplicationPermissions",
            "Effect": "Allow",
            "Action": [
                "elasticbeanstalk:*"
            ],
            "Resource": [
                "arn:aws:elasticbeanstalk:AWS_REGION:AWS_ACCOUNT:application/APPLICATION_NAME"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
                "elasticloadbalancing:DeregisterInstancesFromLoadBalancer"
            ],
            "Resource": [
                "arn:aws:elasticloadbalancing:AWS_REGION:AWS_ACCOUNT:loadbalancer/*"
            ]
        },
        {
            "Sid": "ElasticLoadbalancing",
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:Describe*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "AutoscalingEnvironment",
            "Effect": "Allow",
            "Action": [
                "autoscaling:*"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/elasticbeanstalk:environment-name": [
                        "ENVIRONMENT_NAME"
                    ]
                }
            }
        },
        {
            "Sid": "AutoscalingGlobal",
            "Effect": "Allow",
            "Action": [
                "autoscaling:SuspendProcesses",
                "autoscaling:Describe*",
                "autoscaling:ResumeProcesses"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AutoscalingRegional",
            "Effect": "Allow",
            "Action": [
                "autoscaling:*"
            ],
            "Resource": "arn:aws:autoscaling:AWS_REGION:AWS_ACCOUNT:*"
        },
        {
            "Sid": "Cloudformation",
            "Effect": "Allow",
            "Action": [
                "cloudformation:GetTemplate",
                "cloudformation:ListStackResources",
                "cloudformation:Describe*",
                "cloudformation:CreateStack",
                "cloudformation:CancelUpdateStack",
                "cloudformation:DeleteStack",
                "cloudformation:UpdateStack"
            ],
            "Resource": "arn:aws:cloudformation:AWS_REGION:AWS_ACCOUNT:*"
        },
        {
            "Sid": "SNS",
            "Effect": "Allow",
            "Action": [
                "sns:Get*",
                "sns:List*",
                "sns:Subscribe",
                "sns:CreateTopic"
            ],
            "Resource": "*"
        },
        {
            "Sid": "IAM",
            "Effect": "Allow",
            "Action": [
                "iam:ListServerCertificates",
                "iam:ListInstanceProfiles",
                "iam:ListRoles",
                "iam:PassRole"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CloudWatchGlobal",
            "Effect": "Allow",
            "Action": [
                "logs:DescribeLogGroups",
                "logs:DescribeMetricFilters"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "CloudWatch",
            "Effect": "Allow",
            "Action": [
                "logs:DescribeLogStreams",
                "logs:GetLogEvents",
                "logs:CreateLogGroup",
                "logs:PutRetentionPolicy",
                "cloudwatch:PutMetricAlarm",
                "logs:FilterLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:AWS_REGION:AWS_ACCOUNT:log-group:/aws/elasticbeanstalk/ENVIRONMENT_NAME*"
            ]
        },
        {
            "Sid": "S3ElasticBeanstalkBucket",
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:GetBucketAcl",
                "s3:GetBucketCORS",
                "s3:GetBucketLocation",
                "s3:GetBucketLogging",
                "s3:GetBucketNotification",
                "s3:GetBucketPolicy",
                "s3:GetBucketRequestPayment",
                "s3:GetBucketTagging",
                "s3:GetBucketVersioning",
                "s3:GetBucketWebsite",
                "s3:GetLifecycleConfiguration",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:GetObjectTorrent",
                "s3:GetObjectVersion",
                "s3:GetObjectVersionAcl",
                "s3:GetObjectVersionTorrent",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:ListBucket",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::elasticbeanstalk-AWS_REGION-AWS_ACCOUNT",
                "arn:aws:s3:::elasticbeanstalk-AWS_REGION-AWS_ACCOUNT/*"
            ]
        },
        {
            "Sid": "S3Global",
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Sid": "S3ElasticBeanstalkShared",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::elasticbeanstalk-*",
                "arn:aws:s3:::elasticbeanstalk-*/*"
            ]
        },
        {
            "Sid": "EC2Global",
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}