Bastion
AWS service → EC2
Name : wsi-bastion-role
Add the Admin permission
ECS
Add the CloudWatchFullAccess and SecretsManagerReadWrite permissions
S3 - us-east-1
AWS service → S3
Name : us-wsi-bucket
Specify permissions - JSON
In this policy `<SourceBucket>` and `<SourceKmsKeyArn>` are the us-east-1 bucket and key, and `<DestinationBucket>` and `<DestinationKmsKeyArn>` are the ap-northeast-2 ones. Bucket-level actions (ListBucket, GetReplicationConfiguration) target the bucket ARN without /*, and the role needs kms:Encrypt on the destination key to write encrypted replicas.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetReplicationConfiguration", "s3:ListBucket"],
      "Resource": "arn:aws:s3:::<SourceBucket>"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObjectVersionForReplication",
        "s3:GetObjectVersionAcl",
        "s3:GetObjectVersionTagging"
      ],
      "Resource": "arn:aws:s3:::<SourceBucket>/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ReplicateObject",
        "s3:ReplicateDelete",
        "s3:ReplicateTags",
        "s3:ObjectOwnerOverrideToBucketOwner"
      ],
      "Resource": "arn:aws:s3:::<DestinationBucket>/*"
    },
    {
      "Effect": "Allow",
      "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
      "Resource": "<SourceKmsKeyArn>"
    },
    {
      "Effect": "Allow",
      "Action": ["kms:Encrypt"],
      "Resource": "<DestinationKmsKeyArn>"
    }
  ]
}
Create policy
S3 - ap-northeast-2
AWS service → S3
Name : ap-wsi-bucket
Specify permissions - JSON
In this policy `<SourceBucket>` and `<SourceKmsKeyArn>` are the ap-northeast-2 bucket and key, and `<DestinationBucket>` and `<DestinationKmsKeyArn>` are the us-east-1 ones. As in the us-east-1 role, bucket-level actions target the bucket ARN without /*, and the last statement grants kms:Encrypt on the destination key.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetReplicationConfiguration", "s3:ListBucket"],
      "Resource": "arn:aws:s3:::<SourceBucket>"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObjectVersionForReplication",
        "s3:GetObjectVersionAcl",
        "s3:GetObjectVersionTagging"
      ],
      "Resource": "arn:aws:s3:::<SourceBucket>/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ReplicateObject",
        "s3:ReplicateDelete",
        "s3:ReplicateTags",
        "s3:ObjectOwnerOverrideToBucketOwner"
      ],
      "Resource": "arn:aws:s3:::<DestinationBucket>/*"
    },
    {
      "Effect": "Allow",
      "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
      "Resource": "<SourceKmsKeyArn>"
    },
    {
      "Effect": "Allow",
      "Action": ["kms:Encrypt"],
      "Resource": "<DestinationKmsKeyArn>"
    }
  ]
}
Create policy
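As an added example that is not part of the original notes, the Python below lints a replication role policy offline for the two mistakes easiest to make in the policies above: bucket-level actions on an object ARN (bucket/*) and an S3 action written against a KMS key ARN. The bucket names are the ones from the notes; the account id and key ids are constructed placeholders.

```python
# Actions that act on the bucket itself: their Resource must be the bucket ARN, never bucket/*.
BUCKET_LEVEL = {"s3:ListBucket", "s3:GetReplicationConfiguration", "s3:GetBucketLocation"}

# Constructed sample ARNs (account id and key ids are placeholders, not values from the notes).
SRC = "arn:aws:s3:::us-wsi-bucket"
DST = "arn:aws:s3:::ap-wsi-bucket"
SRC_KEY = "arn:aws:kms:us-east-1:123456789012:key/11111111-1111-1111-1111-111111111111"
DST_KEY = "arn:aws:kms:ap-northeast-2:123456789012:key/22222222-2222-2222-2222-222222222222"

def _as_list(v):
    return v if isinstance(v, list) else [v]

def lint_replication_policy(policy: dict) -> list:
    """Return findings for a replication role policy; an empty list means every check passed."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        for action in _as_list(stmt["Action"]):
            service = action.split(":", 1)[0]
            for res in _as_list(stmt["Resource"]):
                if res == "*":
                    findings.append(f"stmt {i}: {action} allowed on every resource")
                elif service == "s3" and not res.startswith("arn:aws:s3:::"):
                    findings.append(f"stmt {i}: S3 action {action} on non-S3 resource {res}")
                elif service == "kms" and not res.startswith("arn:aws:kms:"):
                    findings.append(f"stmt {i}: KMS action {action} on non-KMS resource {res}")
                elif action in BUCKET_LEVEL and "/" in res:
                    findings.append(f"stmt {i}: bucket-level {action} on object ARN {res}")
    return findings

def replication_policy(bucket_resource: str, dest_key_stmt: dict) -> dict:
    """Build the replication policy from the notes, parameterised on its two error-prone statements."""
    def allow(actions, res):
        return {"Effect": "Allow", "Action": actions, "Resource": res}
    return {"Version": "2012-10-17", "Statement": [
        allow(["s3:GetReplicationConfiguration", "s3:ListBucket"], bucket_resource),
        allow(["s3:GetObjectVersionForReplication", "s3:GetObjectVersionAcl",
               "s3:GetObjectVersionTagging"], SRC + "/*"),
        allow(["s3:ReplicateObject", "s3:ReplicateDelete", "s3:ReplicateTags",
               "s3:ObjectOwnerOverrideToBucketOwner"], DST + "/*"),
        allow(["kms:Decrypt", "kms:GenerateDataKey"], SRC_KEY),
        dest_key_stmt,
    ]}

# Variant with the two mistakes: bucket-level actions on bucket/*, and an S3 action on the KMS key.
MISWRITTEN = replication_policy(SRC + "/*", {"Effect": "Allow", "Action": ["s3:GetBucketLocation"], "Resource": DST_KEY})
# Corrected form: bucket ARN for bucket-level actions, kms:Encrypt on the destination key for replicas.
CORRECTED = replication_policy(SRC, {"Effect": "Allow", "Action": ["kms:Encrypt"], "Resource": DST_KEY})
```

Calling `lint_replication_policy(MISWRITTEN)` reports three findings and `lint_replication_policy(CORRECTED)` reports none; pass any `json.load`-ed policy document to run the same checks on a real role.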
CodeDeploy - ECS
AWS service → CodeDeploy - ECS
Add the CodeDeployForECS permission
Name : wsi-deploy-ecs-role
ECR Push Access
ECR Push Policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ecr:CompleteLayerUpload",
        "ecr:GetAuthorizationToken",
        "ecr:UploadLayerPart",
        "ecr:InitiateLayerUpload",
        "ecr:BatchCheckLayerAvailability",
        "ecr:PutImage"
      ],
      "Resource": "*"
    }
  ]
}
Name : push-ecr
Lambda Access