Appendix
AWS IAM policy
Sample AWS IAM policy for the deployment's S3 buckets and the related KMS key, Secrets Manager secrets, CloudWatch Logs log group and Auto Scaling lifecycle hook. The account ID, bucket names, key ID and secret ARNs below are sample values; scope them to your own resources before use.
{
  "Statement": [
    {
      "Action": [
        "s3:PutObject",
        "s3:ListBucketVersions",
        "s3:ListBucket",
        "s3:GetObject",
        "s3:GetBucketLocation",
        "s3:DeleteObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::hashicat-12a345-tfe-westeros-logging-us-east-2/*",
        "arn:aws:s3:::hashicat-12a345-tfe-westeros-logging-us-east-2",
        "arn:aws:s3:::hashicat-12a345-tfe-westeros-bootstrap-us-east-2/*",
        "arn:aws:s3:::hashicat-12a345-tfe-westeros-bootstrap-us-east-2",
        "arn:aws:s3:::hashicat-12a345-tfe-westeros-app-us-east-2/*",
        "arn:aws:s3:::hashicat-12a345-tfe-westeros-app-us-east-2"
      ],
      "Sid": "InteractWithS3"
    },
    {
      "Action": [
        "kms:ReEncrypt*",
        "kms:GenerateRandom",
        "kms:GenerateDataKey*",
        "kms:Encrypt",
        "kms:DescribeKey",
        "kms:Decrypt"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:kms:us-east-2:000000000000:key/42845c0a-d750-4a1e-b505-26a76ebf0035",
      "Sid": "ManagedKmsKey"
    },
    {
      "Action": "secretsmanager:GetSecretValue",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:secretsmanager:us-east-2:000000000000:secret:hashicat-12a345-tfe-license-l7ecol",
        "arn:aws:secretsmanager:us-east-2:000000000000:secret:hashicat-12a345-enc_password-test-h5Vl8l",
        "arn:aws:secretsmanager:us-east-2:000000000000:secret:hashicat-12a345-console_password-test-B9uhcm",
        "arn:aws:secretsmanager:us-east-2:000000000000:secret:hashicat-12a345-cert_pem_public-E3PNej",
        "arn:aws:secretsmanager:us-east-2:000000000000:secret:hashicat-12a345-cert_pem_private-h5Vl8l"
      ],
      "Sid": "RetrieveSecrets"
    },
    {
      "Action": [
        "logs:PutRetentionPolicy",
        "logs:PutLogEvents",
        "logs:DescribeLogStreams",
        "logs:DescribeLogGroups",
        "logs:CreateLogStream",
        "logs:CreateLogGroup"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:logs:us-east-2:000000000000:log-group:hashicat-12a345-tfe-log-group:*",
        "arn:aws:logs:us-east-2:000000000000:log-group:hashicat-12a345-tfe-log-group"
      ],
      "Sid": "WriteToCloudWatchLogs"
    },
    {
      "Action": [
        "ec2:DescribeVolumes",
        "ec2:DescribeTags",
        "cloudwatch:PutMetricData"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": "autoscaling:CompleteLifecycleAction",
      "Condition": {
        "StringEquals": {
          "autoscaling:ResourceTag/asg-hook": "hashicat-12a345-us-east-2-tfe-asg-hook"
        }
      },
      "Effect": "Allow",
      "Resource": "*",
      "Sid": "ASGHook"
    }
  ],
  "Version": "2012-10-17"
}