To use the EC2 Recovery Kit, the instance must be assigned a Role that is allowed to update RouteTable entries or reassign an ENI (Elastic Network Interface). The required permissions are:
- Route Table (backend) configuration
  - ec2:DescribeRouteTables
  - ec2:ReplaceRoute
  - ec2:DescribeNetworkInterfaceAttribute
  - ec2:ModifyNetworkInterfaceAttribute
- Elastic IP (frontend) configuration
  - ec2:DescribeAddresses
  - ec2:AssociateAddress
  - ec2:DisassociateAddress
To achieve this, create a policy as shown below (note that it might be desirable to limit the resources that may be accessed), then assign it to a Role.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ec2:DisassociateAddress",
        "ec2:DescribeAddresses",
        "ec2:DescribeNetworkInterfaceAttribute",
        "ec2:ModifyNetworkInterfaceAttribute",
        "ec2:AssociateAddress",
        "ec2:DescribeRouteTables",
        "ec2:ReplaceRoute"
      ],
      "Resource": "*"
    }
  ]
}
```
Once a Role is defined, assign it to the EC2 instances.
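Before attaching the policy, it can be checked against the action list above and against the note about limiting resources. The following is an added example, not part of the EC2 Recovery Kit or its documentation; `REQUIRED`, `PAGE_POLICY` and `audit_policy` are names made up for this sketch, and it evaluates only Allow statements with `Action` and `Resource` keys.

```python
import json
from fnmatch import fnmatchcase

# The seven actions this page lists for the EC2 Recovery Kit.
REQUIRED = {
    "ec2:DescribeRouteTables", "ec2:ReplaceRoute",
    "ec2:DescribeNetworkInterfaceAttribute", "ec2:ModifyNetworkInterfaceAttribute",
    "ec2:DescribeAddresses", "ec2:AssociateAddress", "ec2:DisassociateAddress",
}

# The policy document shown on this page, embedded so the check runs offline.
PAGE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "VisualEditor0", "Effect": "Allow",
                   "Action": sorted(REQUIRED), "Resource": "*"}],
})

def _as_list(value):
    """IAM allows a single string or object wherever a list is accepted."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]

def audit_policy(policy_json):
    """Return (missing, wildcard_writes, extra) for a policy document.

    Simplification (assumption): only Allow statements with Action/Resource
    are evaluated; Deny, NotAction, NotResource and Condition are ignored.
    """
    allowed, wildcard_writes, extra = set(), set(), set()
    known = {a.lower() for a in REQUIRED}
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        any_resource = "*" in _as_list(stmt.get("Resource"))
        for pattern in _as_list(stmt.get("Action")):
            # IAM action names are case-insensitive and may contain wildcards.
            hits = {a for a in REQUIRED if fnmatchcase(a.lower(), pattern.lower())}
            allowed |= hits
            if pattern.lower() not in known:
                extra.add(pattern)  # grants more than the kit's documented list
            if any_resource:
                # EC2 Describe* calls do not support resource-level permissions,
                # so only the state-changing actions are reported here.
                wildcard_writes |= {a for a in hits if not a.startswith("ec2:Describe")}
    return sorted(REQUIRED - allowed), sorted(wildcard_writes), sorted(extra)

if __name__ == "__main__":
    missing, wildcard_writes, extra = audit_policy(PAGE_POLICY)
    print("missing:", missing)
    print("write actions on Resource '*':", wildcard_writes)
    print("actions beyond the documented list:", extra)
```

For the policy on this page the check reports nothing missing and four state-changing actions granted on every resource, which are the candidates for scoping to specific route tables, network interfaces and Elastic IPs.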