brunch

매거진 AWS 전문가 되기

라이킷 댓글

You can make anything
by writing

C.S.Lewis

계정을 잊어버리셨나요?

by Master Seo Sep 04. 2020

451. Role로 본 AWS 연계 서비스

AmazonSageMaker-ExecutionRole

AWS 서비스: sagemaker

AWS 머신러닝

s3권한, Cloudwatch , code commit , cognito-idp, ec2, fsx, glue,iam list role , kms, lambda list, log, robomaker , secretmanager , sns, ecr 연계됨

"iam:PassRole"

AmazonSSMRoleForAutomationAssumeQuickSetup

AWS 서비스: ssm

iam, ec2

"iam:PassRole",

AmazonSSMRoleForInstancesQuickSetup

AWS 서비스: ec2

ssm

ssmmessages

ec2message

AWS_Events_Invoke_Batch_Job_Queue

AWS 서비스: events

"batch:SubmitJob"

AWS_Events_Invoke_Event_Bus

AWS 서비스: events

"events:PutEvents"

AWS_InspectorEvents_Invoke_Assessment_Template

AWS 서비스: events

"inspector:StartAssessmentRun"

AWSBatchServiceRole

AWS 서비스: batch

"ec2:DescribeAccountAttributes",

"autoscaling:DescribeAccountLimits",

"ecs:DescribeClusters",

"logs:CreateLogGroup",

"iam:GetInstanceProfile",

"Action": "iam:PassRole",

"Action": "iam:CreateServiceLinkedRole",

AWSCloudFormationStackSetAdministrationRole

AWS 서비스: cloudformation

"Action": "sts:AssumeRole",

AWSCloudFormationStackSetExecutionRole

admin access

"Action": "*",

AWSServiceRoleForAccessAnalyzer

AWS 서비스: access-analyzer (서비스 연결 역할)

"ec2:DescribeAddresses",

"iam:GetRole",

"kms:DescribeKey",

"lambda:GetLayerVersionPolicy",

"organizations:DescribeAccount",

"s3:GetAccessPoint",

"sns:GetTopicAttributes",

"sqs:ListQueues"

AWSServiceRoleForAmazonEKS

AWS 서비스: eks (서비스 연결 역할)

"ec2:CreateNetworkInterface",

"ec2:DeleteNetworkInterface",

"iam:ListAttachedRolePolicies",

"logs:DescribeLogStreams"

AWSServiceRoleForAmazonEKSNodegroup

AWS 서비스: eks-nodegroup (서비스 연결 역할)

"ec2:RevokeSecurityGroupIngress",

"autoscaling:UpdateAutoScalingGroup",

"Action": "iam:CreateServiceLinkedRole",

"autoscaling:CreateOrUpdateTags",

"eks:cluster-name",

"Action": "iam:PassRole",

"ec2:CreateLaunchTemplate",

AWSServiceRoleForAmazonElasticFileSystem

AWS 서비스: elasticfilesystem (서비스 연결 역할)

"backup-storage:MountCapsule",

"ec2:CreateNetworkInterface",

"kms:DescribeKey"

"iam:CreateServiceLinkedRole"

AWSServiceRoleForAmazonGuardDuty

AWS 서비스: guardduty (서비스 연결 역할)

"ec2:DescribeInstances",

"organizations:ListAccounts",

"s3:GetBucketPublicAccessBlock",

AWSServiceRoleForAmazonInspector

AWS 서비스: inspector (서비스 연결 역할)

"directconnect:DescribeConnections",

"ec2:DescribeAvailabilityZones",

"elasticloadbalancing:DescribeLoadBalancerAttributes",

AWSServiceRoleForAmazonMacie

AWS 서비스: macie (서비스 연결 역할)

"cloudtrail:DescribeTrails",

"iam:ListAccountAliases",

"organizations:DescribeAccount",

"s3:GetAccountPublicAccessBlock",

"cloudtrail:CreateTrail",

AWSServiceRoleForAmazonSSM

AWS 서비스: ssm (서비스 연결 역할)

"ssm:ListCommandInvocations",

"ec2:DescribeInstanceAttribute",

"lambda:InvokeFunction"

"resource-groups:ListGroups",

"cloudformation:DescribeStacks",

"tag:GetResources"

"config:SelectResourceConfig"

"support:DescribeTrustedAdvisorChecks",

"Action": "iam:PassRole",

AWSServiceRoleForApplicationAutoScaling_RDSCluster

AWS 서비스: rds.application-autoscaling (서비스 연결 역할)

"rds:AddTagsToResource",

"cloudwatch:PutMetricAlarm",

"iam:PassRole"

AWSServiceRoleForAutoScaling

AWS 서비스: autoscaling (서비스 연결 역할)

"ec2:AttachClassicLinkVpc",

"iam:PassRole"

"iam:CreateServiceLinkedRole"

"elasticloadbalancing:Register*",

"cloudwatch:DeleteAlarms",

"sns:Publish"

AWSServiceRoleForAWSCloud9

AWS 서비스: cloud9 (서비스 연결 역할)

"ec2:RunInstances",

"cloudformation:CreateStack",

"ssm:StartSession"

"iam:ListInstanceProfiles"

"iam:PassRole"

AWSServiceRoleForAWSLicenseManagerRole

AWS 서비스: license-manager (서비스 연결 역할)

"s3:GetBucketLocation",

"sns:Publish"

"ec2:DescribeInstances",

"ssm:ListInventoryEntries",

"organizations:ListAWSServiceAccessForOrganization",

"license-manager:GetServiceSettings",

AWSServiceRoleForBackup

AWS 서비스: backup (서비스 연결 역할)

"elasticfilesystem:Backup",

"tag:GetResources"

AWSServiceRoleForComputeOptimizer

AWS 서비스: compute-optimizer (서비스 연결 역할)

"compute-optimizer:*"

"organizations:DescribeOrganization",

"cloudwatch:GetMetricData"

AWSServiceRoleForConfig

AWS 서비스: config (서비스 연결 역할)

"acm:DescribeCertificate",

"application-autoscaling:DescribeScalableTargets",

"autoscaling:DescribeLifecycleHooks",

"backup:ListBackupPlans",

"cloudfront:ListTagsForResource",

"cloudformation:describeType",

"cloudtrail:GetEventSelectors",

"cloudwatch:DescribeAlarms",

"codepipeline:GetPipeline",

"config:BatchGet*",

"dax:DescribeClusters",

"dms:DescribeReplicationInstances",

"dynamodb:DescribeContinuousBackups",

"ec2:Describe*",

"eks:DescribeCluster",

"elasticache:DescribeCacheClusters",

"elasticfilesystem:DescribeFileSystems",

"elasticloadbalancing:DescribeListeners",

"elasticmapreduce:DescribeCluster",

"es:DescribeElasticsearchDomain",

"guardduty:GetDetector",

"iam:GenerateCredentialReport",

"kms:DescribeKey",

"lambda:GetAlias",

"logs:DescribeLogGroups",

"organizations:DescribeOrganization",

"rds:DescribeDBClusters",

"redshift:DescribeClusterParameterGroups",

"s3:GetAccelerateConfiguration",

"sagemaker:DescribeEndpointConfig",

"secretsmanager:ListSecrets",

"shield:DescribeDRTAccess",

"sns:GetTopicAttributes",

"sqs:GetQueueAttributes",

"ssm:DescribeDocument",

"storagegateway:ListGateways",

"support:DescribeCases",

"waf:GetLoggingConfiguration",

"config:PutConfigRule",

"iam:GetRole"

"Action": "iam:PassRole",

"cloudformation:CreateStack",

AWSServiceRoleForEC2Spot

AWS 서비스: spot (서비스 연결 역할)

"ec2:DescribeInstances",

"iam:PassRole"

AWSServiceRoleForECS

AWS 서비스: ecs (서비스 연결 역할)

"ec2:AttachNetworkInterface",

"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",

"route53:ChangeResourceRecordSets",

"servicediscovery:DeregisterInstance",

"autoscaling:Describe*"

"cloudwatch:DeleteAlarms",

"logs:CreateLogGroup",

AWSServiceRoleForElastiCache

AWS 서비스: elasticache (서비스 연결 역할)

"ec2:CreateNetworkInterface",

"cloudwatch:PutMetricData",

"outposts:GetOutpost",

AWSServiceRoleForElasticLoadBalancing

AWS 서비스: elasticloadbalancing (서비스 연결 역할)

"ec2:DescribeAddresses",

"logs:CreateLogDelivery",

AWSServiceRoleForGlobalAccelerator

AWS 서비스: globalaccelerator (서비스 연결 역할)

"ec2:CreateNetworkInterface",

AWSServiceRoleForImageBuilder

AWS 서비스: imagebuilder (서비스 연결 역할)

"ec2:RunInstances"

"ssm:ListCommands",

"kms:Encrypt",

"Action": "sts:AssumeRole",

AWSServiceRoleForMigrationHub

AWS 서비스: migrationhub (서비스 연결 역할)

"discovery:ListConfigurations",

"ec2:DescribeInstanceAttribute"

AWSServiceRoleForNetworkManager

AWS 서비스: networkmanager (서비스 연결 역할)

"directconnect:DescribeConnections",

"ec2:DescribeCustomerGateways",

AWSServiceRoleForOrganizations

AWS 서비스: organizations (서비스 연결 역할)

"iam:DeleteRole"

"iam:CreateServiceLinkedRole"

AWSServiceRoleForRDS

AWS 서비스: rds (서비스 연결 역할)

"ec2:AuthorizeSecurityGroupIngress",

"sns:Publish"

"logs:CreateLogGroup"

"kinesis:CreateStream",

"cloudwatch:PutMetricData"

AWSServiceRoleForSecurityHub

AWS 서비스: securityhub (서비스 연결 역할)

"cloudtrail:DescribeTrails",

"logs:DescribeMetricFilters",

"sns:ListSubscriptionsByTopic",

"config:DescribeConfigurationRecorders",

"iam:GenerateCredentialReport",

AWSServiceRoleForSupport

AWS 서비스: support (서비스 연결 역할)

"apigateway:GET"

"iam:DeleteRole"

"a4b:getDevice",

"access-analyzer:getFinding",

"acm-pca:getCertificate",

"amplify:getApp",

"application-autoscaling:describeScalableTargets",

"workspaces:describeWorkspacesConnectionStatus"

AWSServiceRoleForTrustedAdvisor

AWS 서비스: trustedadvisor (서비스 연결 역할)

"autoscaling:DescribeAccountLimits",

"cloudformation:DescribeAccountLimits",

"dynamodb:DescribeLimits",

"ec2:DescribeAddresses",

"iam:GenerateCredentialReport",

"kinesis:DescribeLimits",

"rds:DescribeAccountAttributes",

"redshift:DescribeClusters",

"route53:GetHealthCheck",

"s3:GetBucketAcl",

"ses:GetSendQuota",

"sqs:ListQueues",

"cloudwatch:GetMetricStatistics",

"ce:GetReservationPurchaseRecommendation",

AWSServiceRoleForVPCTransitGateway

AWS 서비스: transitgateway (서비스 연결 역할)

"ec2:CreateNetworkInterface",

ecsInstanceRole

AWS 서비스: ec2

"ec2:DescribeTags",

"ecs:CreateCluster",

"ecr:GetAuthorizationToken",

"logs:CreateLogStream",

ecsTaskExecutionRole

AWS 서비스: ecs-tasks

"ecr:GetAuthorizationToken",

"logs:CreateLogStream",

eks-manage.role

AWS 서비스: eks

"autoscaling:DescribeAutoScalingGroups",

"ec2:AttachVolume",

"elasticloadbalancing:AddTags",

"kms:DescribeKey"

"ec2:CreateNetworkInterface",

"iam:ListAttachedRolePolicies",

"eks:UpdateClusterVersion"

"logs:CreateLogStream",

eksClusterRole

AWS 서비스: eks

"autoscaling:DescribeAutoScalingGroups",

"ec2:AuthorizeSecurityGroupIngress",

"elasticloadbalancing:AddTags",

"kms:DescribeKey"

"Action": "iam:CreateServiceLinkedRole",

eksServiceRole

AWS 서비스: eks

AmazonEKSClusterPolicy

AmazonEKSWorkerNodePolicy

AmazonEKSServicePolicy

AmazonEKS_CNI_Policy

AmazonEKSFargatePodExecutionRolePolicy

AmazonEKSClusterPolicy

"autoscaling:DescribeAutoScalingGroups",

"ec2:AttachVolume",

"elasticloadbalancing:AddTags",

"kms:DescribeKey"

AmazonEKSServicePolicy

"ec2:CreateNetworkInterface",

"iam:ListAttachedRolePolicies",

"eks:UpdateClusterVersion"

"Action": "route53:AssociateVPCWithHostedZone",

"logs:CreateLogStream",

"Action": "iam:CreateServiceLinkedRole",

AmazonEKS_CNI_Policy

"ec2:AssignPrivateIpAddresses",

AmazonEKSFargatePodExecutionRolePolicy

"ecr:GetAuthorizationToken",

Elastic_Transcoder_Default_Role

AWS 서비스: elastictranscoder

"s3:Put*",

"Action": "sns:Publish",

FirehosetoS3Role

AWS 서비스: firehose

"s3:AbortMultipartUpload",

flowlogsRole

AWS 서비스: vpc-flow-logs

"logs:CreateLogGroup",

VPC Flow-log가 cloudwatch log 에 저장된다.

cloudwatch log 를 미리 만들어야 한다.

감사합니다.

Master Seo 소속 클라우드전문가카페 직업 엔지니어

(전) 네이버 엔지니어 7년 , 네이버 클라우드 마스터, PRO , AWS 아키프로, Google프로아키, Azure어드민, CCNP, 맛집,여행 전문가, 좋은 기운을 주는사람

구독자 2,521

매거진의 이전글 450. Role 필요한 서비스 452. it.serverchk.com 웹사이트 이중화 매거진의 다음글

브런치는 최신 브라우저에 최적화 되어있습니다. IE chrome safari