4.2. IAM least privilege
You must have the following policy to manage adding and removing extension nodes.
Note
To verify permissions or to debug permission-denied problems, the AWS IAM Policy Simulator is helpful.
required-roles:
  ec2:
    actions:
      - ec2:DeleteTags
      - ec2:DescribeAvailabilityZones
      - ec2:DescribeAccountAttributes
      - ec2:DeleteLaunchTemplate
      - ec2:DescribeLaunchTemplates
      - ec2:DescribeTags
      - ec2:CreateTags
      - ec2:DescribeLaunchTemplateVersions
      - ec2:RunInstances
      - ec2:CreateLaunchTemplateVersion
      - ec2:CreateLaunchTemplate
      - ec2:DescribeVpcs
      - ec2:DescribeInstanceTypes
      - ec2:DescribeSubnets
      - ec2:DescribeInstances
      - ec2:DescribeRegions
    resources:
      - "*"
  iam:
    actions:
      - iam:PassRole
      - iam:GetRole
      - iam:GetInstanceProfile
      - iam:GetRolePolicy
    resources:
      - "*"
  autoscaling:
    actions:
      - autoscaling:DescribeLaunchConfigurations
      - autoscaling:DescribeAutoScalingGroups
      - autoscaling:UpdateAutoScalingGroup
      - autoscaling:DescribeInstanceRefreshes
      - autoscaling:DeleteTags
      - autoscaling:DescribeTags
      - autoscaling:DescribeLifecycleHooks
      - autoscaling:StartInstanceRefresh
      - autoscaling:DisableMetricsCollection
      - autoscaling:CreateOrUpdateTags
      - autoscaling:DeleteAutoScalingGroup
      - autoscaling:CreateAutoScalingGroup
    resources:
      - "*"
  cloudformation:
    actions:
      - cloudformation:DescribeStackEvents
      - cloudformation:ListStackResources
      - cloudformation:ListStacks
      - cloudformation:DescribeStacks
      - cloudformation:GetTemplate
    resources:
      - "*"
  elasticloadbalancing:
    actions:
      - elasticloadbalancing:DescribeLoadBalancers
      - elasticloadbalancing:DescribeTargetGroups
    resources:
      - "*"
  s3:
    actions:
      - s3:GetBucketLocation
      - s3:DeleteObject
      - s3:PutObject
    resources:
      - "*"
  ssm:
    actions:
      - ssm:StartSession
      - ssm:SendCommand
      - ssm:TerminateSession
    resources:
      - "*"
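As an added example (not part of the original document or the project's own tooling), the following Python turns the required-roles mapping above into an IAM policy document and lists the mutating actions that are granted on Resource "*", which are the grants a least-privilege review should scope to specific ARNs first. The REQUIRED_ROLES dict is a constructed copy of the list above, and classifying an action as read-only by its verb prefix (Describe/Get/List) is a heuristic of this example.

```python
import json

READ_ONLY_VERBS = ("Describe", "Get", "List")

# Constructed copy of the required-roles mapping above (service -> actions).
REQUIRED_ROLES = {
    "ec2": ["ec2:DeleteTags", "ec2:DescribeAvailabilityZones", "ec2:DescribeAccountAttributes",
            "ec2:DeleteLaunchTemplate", "ec2:DescribeLaunchTemplates", "ec2:DescribeTags",
            "ec2:CreateTags", "ec2:DescribeLaunchTemplateVersions", "ec2:RunInstances",
            "ec2:CreateLaunchTemplateVersion", "ec2:CreateLaunchTemplate", "ec2:DescribeVpcs",
            "ec2:DescribeInstanceTypes", "ec2:DescribeSubnets", "ec2:DescribeInstances",
            "ec2:DescribeRegions"],
    "iam": ["iam:PassRole", "iam:GetRole", "iam:GetInstanceProfile", "iam:GetRolePolicy"],
    "autoscaling": ["autoscaling:DescribeLaunchConfigurations",
                    "autoscaling:DescribeAutoScalingGroups", "autoscaling:UpdateAutoScalingGroup",
                    "autoscaling:DescribeInstanceRefreshes", "autoscaling:DeleteTags",
                    "autoscaling:DescribeTags", "autoscaling:DescribeLifecycleHooks",
                    "autoscaling:StartInstanceRefresh", "autoscaling:DisableMetricsCollection",
                    "autoscaling:CreateOrUpdateTags", "autoscaling:DeleteAutoScalingGroup",
                    "autoscaling:CreateAutoScalingGroup"],
    "cloudformation": ["cloudformation:DescribeStackEvents", "cloudformation:ListStackResources",
                       "cloudformation:ListStacks", "cloudformation:DescribeStacks",
                       "cloudformation:GetTemplate"],
    "elasticloadbalancing": ["elasticloadbalancing:DescribeLoadBalancers",
                             "elasticloadbalancing:DescribeTargetGroups"],
    "s3": ["s3:GetBucketLocation", "s3:DeleteObject", "s3:PutObject"],
    "ssm": ["ssm:StartSession", "ssm:SendCommand", "ssm:TerminateSession"],
}

def is_read_only(action):
    """Heuristic: read-only if the operation name after 'service:' starts with a read verb."""
    return action.split(":", 1)[1].startswith(READ_ONLY_VERBS)

def build_policy(required_roles):
    """One Allow statement per service, mirroring the required-roles layout above."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": svc.title(), "Effect": "Allow", "Action": sorted(acts), "Resource": "*"}
        for svc, acts in required_roles.items()]}

def write_actions_on_wildcard(policy):
    """Mutating actions granted on Resource "*": the grants to scope to ARNs first
    (iam:PassRole, for instance, can be limited to the node instance role)."""
    return sorted(a for s in policy["Statement"] if s["Resource"] == "*"
                  for a in s["Action"] if not is_read_only(a))

if __name__ == "__main__":
    policy = build_policy(REQUIRED_ROLES)
    print(json.dumps(policy, indent=2))
    print("mutating on *:", write_actions_on_wildcard(policy))
```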