brunch

매거진 AWS 전문가 되기

라이킷 댓글

You can make anything
by writing

C.S.Lewis

계정을 잊어버리셨나요?

by Master Seo Sep 04. 2020

451. Role로 본 AWS 연계 서비스

AmazonSageMaker-ExecutionRole

AWS 서비스: sagemaker

AWS 머신러닝

s3권한, Cloudwatch , code commit , cognito-idp, ec2, fsx, glue,iam list role , kms, lambda list, log, robomaker , secretmanager , sns, ecr 연계됨

"iam:PassRole"

AmazonSSMRoleForAutomationAssumeQuickSetup

AWS 서비스: ssm

iam, ec2

"iam:PassRole",

AmazonSSMRoleForInstancesQuickSetup

AWS 서비스: ec2

ssm

ssmmessages

ec2message

AWS_Events_Invoke_Batch_Job_Queue

AWS 서비스: events

"batch:SubmitJob"

AWS_Events_Invoke_Event_Bus

AWS 서비스: events

"events:PutEvents"

AWS_InspectorEvents_Invoke_Assessment_Template

AWS 서비스: events

"inspector:StartAssessmentRun"

AWSBatchServiceRole

AWS 서비스: batch

"ec2:DescribeAccountAttributes",

"autoscaling:DescribeAccountLimits",

"ecs:DescribeClusters",

"logs:CreateLogGroup",

"iam:GetInstanceProfile",

"Action": "iam:PassRole",

"Action": "iam:CreateServiceLinkedRole",

AWSCloudFormationStackSetAdministrationRole

AWS 서비스: cloudformation

"Action": "sts:AssumeRole",

AWSCloudFormationStackSetExecutionRole

admin access

"Action": "*",

AWSServiceRoleForAccessAnalyzer

AWS 서비스: access-analyzer (서비스 연결 역할)

"ec2:DescribeAddresses",

"iam:GetRole",

"kms:DescribeKey",

"lambda:GetLayerVersionPolicy",

"organizations:DescribeAccount",

"s3:GetAccessPoint",

"sns:GetTopicAttributes",

"sqs:ListQueues"

AWSServiceRoleForAmazonEKS

AWS 서비스: eks (서비스 연결 역할)

"ec2:CreateNetworkInterface",

"ec2:DeleteNetworkInterface",

"iam:ListAttachedRolePolicies",

"logs:DescribeLogStreams"

AWSServiceRoleForAmazonEKSNodegroup

AWS 서비스: eks-nodegroup (서비스 연결 역할)

"ec2:RevokeSecurityGroupIngress",

"autoscaling:UpdateAutoScalingGroup",

"Action": "iam:CreateServiceLinkedRole",

"autoscaling:CreateOrUpdateTags",

"eks:cluster-name",

"Action": "iam:PassRole",

"ec2:CreateLaunchTemplate",

AWSServiceRoleForAmazonElasticFileSystem

AWS 서비스: elasticfilesystem (서비스 연결 역할)

"backup-storage:MountCapsule",

"ec2:CreateNetworkInterface",

"kms:DescribeKey"

"iam:CreateServiceLinkedRole"

AWSServiceRoleForAmazonGuardDuty

AWS 서비스: guardduty (서비스 연결 역할)

"ec2:DescribeInstances",

"organizations:ListAccounts",

"s3:GetBucketPublicAccessBlock",

AWSServiceRoleForAmazonInspector

AWS 서비스: inspector (서비스 연결 역할)

"directconnect:DescribeConnections",

"ec2:DescribeAvailabilityZones",

"elasticloadbalancing:DescribeLoadBalancerAttributes",

AWSServiceRoleForAmazonMacie

AWS 서비스: macie (서비스 연결 역할)

"cloudtrail:DescribeTrails",

"iam:ListAccountAliases",

"organizations:DescribeAccount",

"s3:GetAccountPublicAccessBlock",

"cloudtrail:CreateTrail",

AWSServiceRoleForAmazonSSM

AWS 서비스: ssm (서비스 연결 역할)

"ssm:ListCommandInvocations",

"ec2:DescribeInstanceAttribute",

"lambda:InvokeFunction"

"resource-groups:ListGroups",

"cloudformation:DescribeStacks",

"tag:GetResources"

"config:SelectResourceConfig"

"support:DescribeTrustedAdvisorChecks",

"Action": "iam:PassRole",

AWSServiceRoleForApplicationAutoScaling_RDSCluster

AWS 서비스: rds.application-autoscaling (서비스 연결 역할)

"rds:AddTagsToResource",

"cloudwatch:PutMetricAlarm",

"iam:PassRole"

AWSServiceRoleForAutoScaling

AWS 서비스: autoscaling (서비스 연결 역할)

"ec2:AttachClassicLinkVpc",

"iam:PassRole"

"iam:CreateServiceLinkedRole"

"elasticloadbalancing:Register*",

"cloudwatch:DeleteAlarms",

"sns:Publish"

AWSServiceRoleForAWSCloud9

AWS 서비스: cloud9 (서비스 연결 역할)

"ec2:RunInstances",

"cloudformation:CreateStack",

"ssm:StartSession"

"iam:ListInstanceProfiles"

"iam:PassRole"

AWSServiceRoleForAWSLicenseManagerRole

AWS 서비스: license-manager (서비스 연결 역할)

"s3:GetBucketLocation",

"sns:Publish"

"ec2:DescribeInstances",

"ssm:ListInventoryEntries",

"organizations:ListAWSServiceAccessForOrganization",

"license-manager:GetServiceSettings",

AWSServiceRoleForBackup

AWS 서비스: backup (서비스 연결 역할)

"elasticfilesystem:Backup",

"tag:GetResources"

AWSServiceRoleForComputeOptimizer

AWS 서비스: compute-optimizer (서비스 연결 역할)

"compute-optimizer:*"

"organizations:DescribeOrganization",

"cloudwatch:GetMetricData"

AWSServiceRoleForConfig

AWS 서비스: config (서비스 연결 역할)

"acm:DescribeCertificate",

"application-autoscaling:DescribeScalableTargets",

"autoscaling:DescribeLifecycleHooks",

"backup:ListBackupPlans",

"cloudfront:ListTagsForResource",

"cloudformation:describeType",

"cloudtrail:GetEventSelectors",

"cloudwatch:DescribeAlarms",

"codepipeline:GetPipeline",

"config:BatchGet*",

"dax:DescribeClusters",

"dms:DescribeReplicationInstances",

"dynamodb:DescribeContinuousBackups",

"ec2:Describe*",

"eks:DescribeCluster",

"elasticache:DescribeCacheClusters",

"elasticfilesystem:DescribeFileSystems",

"elasticloadbalancing:DescribeListeners",

"elasticmapreduce:DescribeCluster",

"es:DescribeElasticsearchDomain",

"guardduty:GetDetector",

"iam:GenerateCredentialReport",

"kms:DescribeKey",

"lambda:GetAlias",

"logs:DescribeLogGroups",

"organizations:DescribeOrganization",

"rds:DescribeDBClusters",

"redshift:DescribeClusterParameterGroups",

"s3:GetAccelerateConfiguration",

"sagemaker:DescribeEndpointConfig",

"secretsmanager:ListSecrets",

"shield:DescribeDRTAccess",

"sns:GetTopicAttributes",

"sqs:GetQueueAttributes",

"ssm:DescribeDocument",

"storagegateway:ListGateways",

"support:DescribeCases",

"waf:GetLoggingConfiguration",

"config:PutConfigRule",

"iam:GetRole"

"Action": "iam:PassRole",

"cloudformation:CreateStack",

AWSServiceRoleForEC2Spot

AWS 서비스: spot (서비스 연결 역할)

"ec2:DescribeInstances",

"iam:PassRole"

AWSServiceRoleForECS

AWS 서비스: ecs (서비스 연결 역할)

"ec2:AttachNetworkInterface",

"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",

"route53:ChangeResourceRecordSets",

"servicediscovery:DeregisterInstance",

"autoscaling:Describe*"

"cloudwatch:DeleteAlarms",

"logs:CreateLogGroup",

AWSServiceRoleForElastiCache

AWS 서비스: elasticache (서비스 연결 역할)

"ec2:CreateNetworkInterface",

"cloudwatch:PutMetricData",

"outposts:GetOutpost",

AWSServiceRoleForElasticLoadBalancing

AWS 서비스: elasticloadbalancing (서비스 연결 역할)

"ec2:DescribeAddresses",

"logs:CreateLogDelivery",

AWSServiceRoleForGlobalAccelerator

AWS 서비스: globalaccelerator (서비스 연결 역할)

"ec2:CreateNetworkInterface",

AWSServiceRoleForImageBuilder

AWS 서비스: imagebuilder (서비스 연결 역할)

"ec2:RunInstances"

"ssm:ListCommands",

"kms:Encrypt",

"Action": "sts:AssumeRole",

AWSServiceRoleForMigrationHub

AWS 서비스: migrationhub (서비스 연결 역할)

"discovery:ListConfigurations",

"ec2:DescribeInstanceAttribute"

AWSServiceRoleForNetworkManager

AWS 서비스: networkmanager (서비스 연결 역할)

"directconnect:DescribeConnections",

"ec2:DescribeCustomerGateways",

AWSServiceRoleForOrganizations

AWS 서비스: organizations (서비스 연결 역할)

"iam:DeleteRole"

"iam:CreateServiceLinkedRole"

AWSServiceRoleForRDS

AWS 서비스: rds (서비스 연결 역할)

"ec2:AuthorizeSecurityGroupIngress",

"sns:Publish"

"logs:CreateLogGroup"

"kinesis:CreateStream",

"cloudwatch:PutMetricData"

AWSServiceRoleForSecurityHub

AWS 서비스: securityhub (서비스 연결 역할)

"cloudtrail:DescribeTrails",

"logs:DescribeMetricFilters",

"sns:ListSubscriptionsByTopic",

"config:DescribeConfigurationRecorders",

"iam:GenerateCredentialReport",

AWSServiceRoleForSupport

AWS 서비스: support (서비스 연결 역할)

"apigateway:GET"

"iam:DeleteRole"

"a4b:getDevice",

"access-analyzer:getFinding",

"acm-pca:getCertificate",

"amplify:getApp",

"application-autoscaling:describeScalableTargets",

"workspaces:describeWorkspacesConnectionStatus"

AWSServiceRoleForTrustedAdvisor

AWS 서비스: trustedadvisor (서비스 연결 역할)

"autoscaling:DescribeAccountLimits",

"cloudformation:DescribeAccountLimits",

"dynamodb:DescribeLimits",

"ec2:DescribeAddresses",

"iam:GenerateCredentialReport",

"kinesis:DescribeLimits",

"rds:DescribeAccountAttributes",

"redshift:DescribeClusters",

"route53:GetHealthCheck",

"s3:GetBucketAcl",

"ses:GetSendQuota",

"sqs:ListQueues",

"cloudwatch:GetMetricStatistics",

"ce:GetReservationPurchaseRecommendation",

AWSServiceRoleForVPCTransitGateway

AWS 서비스: transitgateway (서비스 연결 역할)

"ec2:CreateNetworkInterface",

ecsInstanceRole

AWS 서비스: ec2

"ec2:DescribeTags",

"ecs:CreateCluster",

"ecr:GetAuthorizationToken",

"logs:CreateLogStream",

ecsTaskExecutionRole

AWS 서비스: ecs-tasks

"ecr:GetAuthorizationToken",

"logs:CreateLogStream",

eks-manage.role

AWS 서비스: eks

"autoscaling:DescribeAutoScalingGroups",

"ec2:AttachVolume",

"elasticloadbalancing:AddTags",

"kms:DescribeKey"

"ec2:CreateNetworkInterface",

"iam:ListAttachedRolePolicies",

"eks:UpdateClusterVersion"

"logs:CreateLogStream",

eksClusterRole

AWS 서비스: eks

"autoscaling:DescribeAutoScalingGroups",

"ec2:AuthorizeSecurityGroupIngress",

"elasticloadbalancing:AddTags",

"kms:DescribeKey"

"Action": "iam:CreateServiceLinkedRole",

eksServiceRole

AWS 서비스: eks

AmazonEKSClusterPolicy

AmazonEKSWorkerNodePolicy

AmazonEKSServicePolicy

AmazonEKS_CNI_Policy

AmazonEKSFargatePodExecutionRolePolicy

AmazonEKSClusterPolicy

"autoscaling:DescribeAutoScalingGroups",

"ec2:AttachVolume",

"elasticloadbalancing:AddTags",

"kms:DescribeKey"

AmazonEKSServicePolicy

"ec2:CreateNetworkInterface",

"iam:ListAttachedRolePolicies",

"eks:UpdateClusterVersion"

"Action": "route53:AssociateVPCWithHostedZone",

"logs:CreateLogStream",

"Action": "iam:CreateServiceLinkedRole",

AmazonEKS_CNI_Policy

"ec2:AssignPrivateIpAddresses",

AmazonEKSFargatePodExecutionRolePolicy

"ecr:GetAuthorizationToken",

Elastic_Transcoder_Default_Role

AWS 서비스: elastictranscoder

"s3:Put*",

"Action": "sns:Publish",

FirehosetoS3Role

AWS 서비스: firehose

"s3:AbortMultipartUpload",

flowlogsRole

AWS 서비스: vpc-flow-logs

"logs:CreateLogGroup",

VPC Flow-log가 cloudwatch log 에 저장된다.

cloudwatch log 를 미리 만들어야 한다.

감사합니다.

Master Seo 소속 클라우드전문가카페 직업 엔지니어

(전) 네이버 엔지니어 7년 , 네이버 클라우드 마스터, PRO , AWS 아키프로, Google프로아키, Azure어드민, CCNP, 맛집,여행 전문가, 좋은 기운을 주는사람

구독자 2,469

매거진의 이전글 450. Role 필요한 서비스 452. it.serverchk.com 웹사이트 이중화 매거진의 다음글

작품 선택

키워드 선택 0 / 3 0

댓글여부

댓글 쓰기 허용 afliean

브런치는 최신 브라우저에 최적화 되어있습니다. IE chrome safari