
by Master Seo Sep 04. 2020

451. AWS linked services, seen by role

1

AmazonSageMaker-ExecutionRole

AWS service: sagemaker

AWS machine learning

Linked to: S3 permissions, CloudWatch, CodeCommit, cognito-idp, EC2, FSx, Glue, IAM list roles, KMS, Lambda list, Logs, RoboMaker, Secrets Manager, SNS, ECR

"iam:PassRole"


2

AmazonSSMRoleForAutomationAssumeQuickSetup

AWS service: ssm

iam, ec2

"iam:PassRole",



3

AmazonSSMRoleForInstancesQuickSetup

AWS service: ec2

ssm

ssmmessages

ec2messages




4

AWS_Events_Invoke_Batch_Job_Queue

AWS service: events

"batch:SubmitJob"



5

AWS_Events_Invoke_Event_Bus

AWS service: events

"events:PutEvents"



6

AWS_InspectorEvents_Invoke_Assessment_Template

AWS service: events

"inspector:StartAssessmentRun"



7

AWSBatchServiceRole

AWS service: batch

"ec2:DescribeAccountAttributes",

"autoscaling:DescribeAccountLimits",

"ecs:DescribeClusters",

"logs:CreateLogGroup",

"iam:GetInstanceProfile",

"Action": "iam:PassRole",

"Action": "iam:CreateServiceLinkedRole",



8

AWSCloudFormationStackSetAdministrationRole

AWS service: cloudformation

"Action": "sts:AssumeRole",

AWSCloudFormationStackSetExecutionRole

admin access

"Action": "*",



9

AWSServiceRoleForAccessAnalyzer

AWS service: access-analyzer (service-linked role)

"ec2:DescribeAddresses",

"iam:GetRole",

"kms:DescribeKey",

"lambda:GetLayerVersionPolicy",

"organizations:DescribeAccount",

"s3:GetAccessPoint",

"sns:GetTopicAttributes",

"sqs:ListQueues"



10

AWSServiceRoleForAmazonEKS

AWS service: eks (service-linked role)

"ec2:CreateNetworkInterface",

"ec2:DeleteNetworkInterface",

"iam:ListAttachedRolePolicies",

"logs:DescribeLogStreams"



11

AWSServiceRoleForAmazonEKSNodegroup

AWS service: eks-nodegroup (service-linked role)

"ec2:RevokeSecurityGroupIngress",

"autoscaling:UpdateAutoScalingGroup",

"Action": "iam:CreateServiceLinkedRole",

"autoscaling:CreateOrUpdateTags",

"eks:cluster-name",

"Action": "iam:PassRole",

"ec2:CreateLaunchTemplate",



12

AWSServiceRoleForAmazonElasticFileSystem

AWS service: elasticfilesystem (service-linked role)

"backup-storage:MountCapsule",

"ec2:CreateNetworkInterface",

"kms:DescribeKey"

"iam:CreateServiceLinkedRole"


13

AWSServiceRoleForAmazonGuardDuty

AWS service: guardduty (service-linked role)

"ec2:DescribeInstances",

"organizations:ListAccounts",

"s3:GetBucketPublicAccessBlock",




14

AWSServiceRoleForAmazonInspector

AWS service: inspector (service-linked role)

"directconnect:DescribeConnections",

"ec2:DescribeAvailabilityZones",

"elasticloadbalancing:DescribeLoadBalancerAttributes",



15

AWSServiceRoleForAmazonMacie

AWS service: macie (service-linked role)

"cloudtrail:DescribeTrails",

"iam:ListAccountAliases",

"organizations:DescribeAccount",

"s3:GetAccountPublicAccessBlock",

"cloudtrail:CreateTrail",



16

AWSServiceRoleForAmazonSSM

AWS service: ssm (service-linked role)

"ssm:ListCommandInvocations",

"ec2:DescribeInstanceAttribute",

"lambda:InvokeFunction"

"resource-groups:ListGroups",

"cloudformation:DescribeStacks",

"tag:GetResources"

"config:SelectResourceConfig"

"support:DescribeTrustedAdvisorChecks",

"Action": "iam:PassRole",



17

AWSServiceRoleForApplicationAutoScaling_RDSCluster

AWS service: rds.application-autoscaling (service-linked role)

"rds:AddTagsToResource",

"cloudwatch:PutMetricAlarm",

"iam:PassRole"



18

AWSServiceRoleForAutoScaling

AWS service: autoscaling (service-linked role)

"ec2:AttachClassicLinkVpc",

"iam:PassRole"

"iam:CreateServiceLinkedRole"

"elasticloadbalancing:Register*",

"cloudwatch:DeleteAlarms",

"sns:Publish"



19

AWSServiceRoleForAWSCloud9

AWS service: cloud9 (service-linked role)

"ec2:RunInstances",

"cloudformation:CreateStack",

"ssm:StartSession"

"iam:ListInstanceProfiles"

"iam:PassRole"



20

AWSServiceRoleForAWSLicenseManagerRole

AWS service: license-manager (service-linked role)

"s3:GetBucketLocation",

"sns:Publish"

"ec2:DescribeInstances",

"ssm:ListInventoryEntries",

"organizations:ListAWSServiceAccessForOrganization",

"license-manager:GetServiceSettings",



21

AWSServiceRoleForBackup

AWS service: backup (service-linked role)

"elasticfilesystem:Backup",

"tag:GetResources"



22

AWSServiceRoleForComputeOptimizer

AWS service: compute-optimizer (service-linked role)

"compute-optimizer:*"

"organizations:DescribeOrganization",

"cloudwatch:GetMetricData"



23

AWSServiceRoleForConfig

AWS service: config (service-linked role)

"acm:DescribeCertificate",

"application-autoscaling:DescribeScalableTargets",

"autoscaling:DescribeLifecycleHooks",

"backup:ListBackupPlans",

"cloudfront:ListTagsForResource",

"cloudformation:describeType",

"cloudtrail:GetEventSelectors",

"cloudwatch:DescribeAlarms",

"codepipeline:GetPipeline",

"config:BatchGet*",

"dax:DescribeClusters",

"dms:DescribeReplicationInstances",

"dynamodb:DescribeContinuousBackups",

"ec2:Describe*",

"eks:DescribeCluster",

"elasticache:DescribeCacheClusters",

"elasticfilesystem:DescribeFileSystems",

"elasticloadbalancing:DescribeListeners",

"elasticmapreduce:DescribeCluster",

"es:DescribeElasticsearchDomain",

"guardduty:GetDetector",

"iam:GenerateCredentialReport",

"kms:DescribeKey",

"lambda:GetAlias",

"logs:DescribeLogGroups",

"organizations:DescribeOrganization",

"rds:DescribeDBClusters",

"redshift:DescribeClusterParameterGroups",

"s3:GetAccelerateConfiguration",

"sagemaker:DescribeEndpointConfig",

"secretsmanager:ListSecrets",

"shield:DescribeDRTAccess",

"sns:GetTopicAttributes",

"sqs:GetQueueAttributes",

"ssm:DescribeDocument",

"storagegateway:ListGateways",

"support:DescribeCases",

"waf:GetLoggingConfiguration",

"config:PutConfigRule",

"iam:GetRole"

"Action": "iam:PassRole",

"cloudformation:CreateStack",


24

AWSServiceRoleForEC2Spot

AWS service: spot (service-linked role)

"ec2:DescribeInstances",

"iam:PassRole"



25

AWSServiceRoleForECS

AWS service: ecs (service-linked role)

"ec2:AttachNetworkInterface",

"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",

"route53:ChangeResourceRecordSets",

"servicediscovery:DeregisterInstance",

"autoscaling:Describe*"

"cloudwatch:DeleteAlarms",

"logs:CreateLogGroup",



26

AWSServiceRoleForElastiCache

AWS service: elasticache (service-linked role)

"ec2:CreateNetworkInterface",

"cloudwatch:PutMetricData",

"outposts:GetOutpost",



27

AWSServiceRoleForElasticLoadBalancing

AWS service: elasticloadbalancing (service-linked role)

"ec2:DescribeAddresses",

"logs:CreateLogDelivery",



28

AWSServiceRoleForGlobalAccelerator

AWS service: globalaccelerator (service-linked role)

"ec2:CreateNetworkInterface",



29

AWSServiceRoleForImageBuilder

AWS service: imagebuilder (service-linked role)

"ec2:RunInstances"

"ssm:ListCommands",

"kms:Encrypt",

"Action": "sts:AssumeRole",



30

AWSServiceRoleForMigrationHub

AWS service: migrationhub (service-linked role)

"discovery:ListConfigurations",

"ec2:DescribeInstanceAttribute"



31

AWSServiceRoleForNetworkManager

AWS service: networkmanager (service-linked role)

"directconnect:DescribeConnections",

"ec2:DescribeCustomerGateways",



32

AWSServiceRoleForOrganizations

AWS service: organizations (service-linked role)

"iam:DeleteRole"

"iam:CreateServiceLinkedRole"



33

AWSServiceRoleForRDS

AWS service: rds (service-linked role)

"ec2:AuthorizeSecurityGroupIngress",

"sns:Publish"

"logs:CreateLogGroup"

"kinesis:CreateStream",

"cloudwatch:PutMetricData"



34

AWSServiceRoleForSecurityHub

AWS service: securityhub (service-linked role)

"cloudtrail:DescribeTrails",

"logs:DescribeMetricFilters",

"sns:ListSubscriptionsByTopic",

"config:DescribeConfigurationRecorders",

"iam:GenerateCredentialReport",



35

AWSServiceRoleForSupport

AWS service: support (service-linked role)

"apigateway:GET"

"iam:DeleteRole"

"a4b:getDevice",

"access-analyzer:getFinding",

"acm-pca:getCertificate",

"amplify:getApp",

"application-autoscaling:describeScalableTargets",

:

"workspaces:describeWorkspacesConnectionStatus"



36

AWSServiceRoleForTrustedAdvisor

AWS service: trustedadvisor (service-linked role)

"autoscaling:DescribeAccountLimits",

"cloudformation:DescribeAccountLimits",

"dynamodb:DescribeLimits",

"ec2:DescribeAddresses",

"iam:GenerateCredentialReport",

"kinesis:DescribeLimits",

"rds:DescribeAccountAttributes",

"redshift:DescribeClusters",

"route53:GetHealthCheck",

"s3:GetBucketAcl",

"ses:GetSendQuota",

"sqs:ListQueues",

"cloudwatch:GetMetricStatistics",

"ce:GetReservationPurchaseRecommendation",



37

AWSServiceRoleForVPCTransitGateway

AWS service: transitgateway (service-linked role)

"ec2:CreateNetworkInterface",




38

ecsInstanceRole

AWS service: ec2

"ec2:DescribeTags",

"ecs:CreateCluster",

"ecr:GetAuthorizationToken",

"logs:CreateLogStream",



39

ecsTaskExecutionRole

AWS service: ecs-tasks

"ecr:GetAuthorizationToken",

"logs:CreateLogStream",



40

eks-manage.role

AWS service: eks

"autoscaling:DescribeAutoScalingGroups",

"ec2:AttachVolume",

"elasticloadbalancing:AddTags",

"kms:DescribeKey"

"ec2:CreateNetworkInterface",

"iam:ListAttachedRolePolicies",

"eks:UpdateClusterVersion"

"logs:CreateLogStream",



41

eksClusterRole

AWS service: eks

"autoscaling:DescribeAutoScalingGroups",

"ec2:AuthorizeSecurityGroupIngress",

"elasticloadbalancing:AddTags",

"kms:DescribeKey"

"Action": "iam:CreateServiceLinkedRole",



42

eksServiceRole

AWS service: eks

AmazonEKSClusterPolicy

AmazonEKSWorkerNodePolicy

AmazonEKSServicePolicy

AmazonEKS_CNI_Policy

AmazonEKSFargatePodExecutionRolePolicy

AmazonEKSClusterPolicy

"autoscaling:DescribeAutoScalingGroups",

"ec2:AttachVolume",

"elasticloadbalancing:AddTags",

"kms:DescribeKey"




43

AmazonEKSServicePolicy

"ec2:CreateNetworkInterface",

"iam:ListAttachedRolePolicies",

"eks:UpdateClusterVersion"

"Action": "route53:AssociateVPCWithHostedZone",

"logs:CreateLogStream",

"Action": "iam:CreateServiceLinkedRole",



44

AmazonEKS_CNI_Policy

"ec2:AssignPrivateIpAddresses",



45

AmazonEKSFargatePodExecutionRolePolicy

"ecr:GetAuthorizationToken",



46

Elastic_Transcoder_Default_Role

AWS service: elastictranscoder

"s3:Put*",

"Action": "sns:Publish",



47

FirehosetoS3Role

AWS service: firehose

"s3:AbortMultipartUpload",



48

flowlogsRole

AWS service: vpc-flow-logs

"logs:CreateLogGroup",

VPC Flow Logs are stored in CloudWatch Logs.

The CloudWatch log group must be created in advance.


Thank you.

