
AWS permissions – monitoring services


AWS permissions intended for a group of users who will monitor the environment but should not have access to data and are not allowed to make any changes. The policy should allow members to check the health of services or run periodic reviews. It is basically a modified version of Amazon’s Read-Only policy template. To cut access to potentially dangerous information, some access was removed (note that a few actions still in the list below return data or are not strictly read-only — `sqs:ReceiveMessage` returns message bodies and hides the received messages for the queue’s visibility timeout, and `sdb:Select*` / `sdb:GetAttributes` return SimpleDB item data — so review those against the no-data-access goal):

    • DynamoDB and Kinesis:Get* because those would reveal data
    • ElasticBeanstalk and Opsworks because the information there is potentially dangerous (the policy below still lists `elasticbeanstalk:Describe*`, so remove that entry if ElasticBeanstalk access is meant to be cut)
    • S3 objects, but it does still give permission to read the S3 bucket policy
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "RemovedAccessToDynamoDBElasticBeanstalkKinesisGetOpsworksS3Objects",
          "Action": [
            "appstream:Get*",
            "autoscaling:Describe*",
            "cloudformation:DescribeStack*",
            "cloudformation:GetTemplate",
            "cloudformation:List*",
            "cloudfront:Get*",
            "cloudfront:List*",
            "cloudtrail:DescribeTrails",
            "cloudtrail:GetTrailStatus",
            "cloudwatch:Describe*",
            "cloudwatch:Get*",
            "cloudwatch:List*",
            "directconnect:Describe*",
            "ec2:Describe*",
            "ec2:Get*",
            "elasticbeanstalk:Describe*",
            "elasticache:Describe*",
            "elasticloadbalancing:Describe*",
            "elasticmapreduce:Describe*",
            "elasticmapreduce:List*",
            "elastictranscoder:Read*",
            "elastictranscoder:List*",
            "glacier:ListVaults",
            "iam:List*",
            "iam:Get*",
            "kinesis:Describe*",
            "kinesis:List*",
            "route53:Get*",
            "route53:List*",
            "redshift:Describe*",
            "redshift:ViewQueriesInConsole",
            "rds:Describe*",
            "rds:ListTagsForResource",
            "s3:ListAllMyBuckets",
            "s3:GetBucket*",
            "s3:GetLifecycleConfiguration",
            "sdb:GetAttributes",
            "sdb:List*",
            "sdb:Select*",
            "ses:Get*",
            "ses:List*",
            "sns:Get*",
            "sns:List*",
            "sqs:GetQueueAttributes",
            "sqs:ListQueues",
            "sqs:ReceiveMessage",
            "storagegateway:List*",
            "storagegateway:Describe*",
            "trustedadvisor:Describe*"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ]
    }

