AWS IAM : Too complicated for your own good

The AWS IAM framework is very flexible and extensible, but that flexibility defeats its purpose when you cannot work out which permissions an operations role actually needs, for example a role that deploys with Elastic Beanstalk.

AWS introduced managed policies to ease the pain. “AWSElasticBeanstalkFullAccess” looks as if you are granting an ops engineer access to Beanstalk, but behind the scenes it grants wildcard access to ten services plus an unrestricted iam:PassRole, which effectively makes him/her a power user:

{
    "Statement": [
        {
            "Action": [
                "elasticbeanstalk:*",
                "ec2:*",
                "elasticloadbalancing:*",
                "autoscaling:*",
                "cloudwatch:*",
                "s3:*",
                "sns:*",
                "cloudformation:*",
                "rds:*",
                "sqs:*",
                "iam:PassRole"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ],
    "Version": "2012-10-17"
}
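To make the point of the post concrete, here is an added example (not code from the original post, and not an AWS tool) that statically audits a policy document for the two patterns that turn "Beanstalk access" into power-user access: service-wide wildcard actions and an iam:PassRole with Resource "*" and no Condition. It uses only the standard library, runs offline against the managed policy quoted above, and contrasts it with a constructed, narrowly scoped policy (the role ARN, account id and action list in that contrast are illustrative placeholders, not a claim about what Beanstalk actually requires). The checks are heuristics: they do not evaluate Conditions, NotAction or Deny statements.

```python
"""Static audit of an IAM policy document for over-broad grants.

Added example for this post; not an AWS tool. Runs offline, no AWS calls.
Heuristic only: ignores Deny, NotAction and Condition semantics.
"""
import json
from typing import Dict, List, Union

# The managed policy quoted in the post, used as the sample input.
AWS_ELASTIC_BEANSTALK_FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "elasticbeanstalk:*", "ec2:*", "elasticloadbalancing:*",
                "autoscaling:*", "cloudwatch:*", "s3:*", "sns:*",
                "cloudformation:*", "rds:*", "sqs:*", "iam:PassRole",
            ],
            "Effect": "Allow",
            "Resource": "*",
        }
    ],
}

# Constructed contrast: a narrowly scoped policy. The account id, role name
# and action list are illustrative placeholders, not an AWS managed policy
# and not a statement of what Elastic Beanstalk actually needs.
SCOPED_EXAMPLE = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "elasticbeanstalk:DescribeEnvironments",
                "elasticbeanstalk:DescribeApplications",
            ],
            "Resource": "*",
        },
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::123456789012:role/example-beanstalk-role",
            "Condition": {
                "StringEquals": {"iam:PassedToService": "elasticbeanstalk.amazonaws.com"}
            },
        },
    ],
}


def _as_list(value: Union[str, List[str], None]) -> List[str]:
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy: dict) -> Dict[str, List[str]]:
    """Return findings keyed by category, each a list of offending actions."""
    findings: Dict[str, List[str]] = {
        "full_admin": [],            # Action "*"
        "wildcard_services": [],     # "<service>:*" (service name recorded)
        "unrestricted_passrole": [], # iam:PassRole on Resource "*" without Condition
    }
    for stmt in _as_list(policy.get("Statement", [])):  # type: ignore[arg-type]
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource"))
        any_resource = "*" in resources
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings["full_admin"].append(action)
                continue
            service, _, name = action.partition(":")
            if name == "*":
                findings["wildcard_services"].append(service)
            if (action.lower() == "iam:passrole" and any_resource
                    and "Condition" not in stmt):
                findings["unrestricted_passrole"].append(action)
    return findings


def is_power_user_equivalent(policy: dict) -> bool:
    """Heuristic verdict: any full-admin grant, or an unrestricted PassRole,
    or wildcard rights over several services."""
    f = audit_policy(policy)
    return bool(f["full_admin"] or f["unrestricted_passrole"]
                or len(f["wildcard_services"]) >= 3)


def report(policy: dict) -> str:
    """Human-readable summary of audit_policy(); one line per category."""
    f = audit_policy(policy)
    lines = [f"full_admin: {f['full_admin'] or 'none'}",
             f"wildcard_services ({len(f['wildcard_services'])}): "
             f"{', '.join(f['wildcard_services']) or 'none'}",
             f"unrestricted_passrole: {f['unrestricted_passrole'] or 'none'}",
             f"power_user_equivalent: {is_power_user_equivalent(policy)}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print("== AWSElasticBeanstalkFullAccess ==")
    print(report(AWS_ELASTIC_BEANSTALK_FULL_ACCESS))
    print("== scoped example ==")
    print(report(json.loads(json.dumps(SCOPED_EXAMPLE))))
```

Run it as a script, or point audit_policy() at the output of `aws iam get-policy-version` for any managed policy you are about to attach; the useful signal is the count of wildcard services and whether PassRole is bounded by a Resource ARN or an iam:PassedToService condition, because an unbounded PassRole lets the principal hand any role in the account to a service.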