To use the EC2 Recovery Kit, the instance must have Roles that are allowed to update the RouteTable entries or reassign ENI (Elastic Network Interface).

  • Route Table (backend) configuration
    • ec2:DescribeRouteTables
    • ec2:ReplaceRoute
    • ec2:DescribeNetworkInterfaceAttribute
    • ec2:ModifyNetworkInterfaceAttribute
  • Elastic IP (frontend) configuration
    • ec2:DescribeAddresses
    • ec2:AssociateAddress
    • ec2:DisassociateAddress

To achieve this, create a policy as seen below (note that it might be desirable to limit the resources that may be accessed), then assign it to a Role.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:DisassociateAddress",
                "ec2:DescribeAddresses",
                "ec2:DescribeNetworkInterfaceAttribute",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:AssociateAddress",
                "ec2:DescribeRouteTables",
                "ec2:ReplaceRoute"
            ],
            "Resource": "*"
        }
    ]
}

Once a Role is defined, assign it to the EC2 instances.

フィードバック

お役に立ちましたか?

はい いいえ
お役に立ちましたか
理由をお聞かせください
フィードバックありがとうございました

このトピックへフィードバック

送信