From 22e145c2411e29bb00ab06145d73c5e3184148cb Mon Sep 17 00:00:00 2001
From: Dan Guido
Date: Thu, 20 Apr 2017 18:15:31 -0400
Subject: [PATCH] Update documentation to include minimum required IAM policy (#461)
* Updating documentation to include minimum required IAM polcy. Closes
* Slightly more concise
---
 algo | 3 +-
 docs/deploy-with-ansible.md | 64 +++++++++++++++++++++++++++++++++++++
 2 files changed, 65 insertions(+), 2 deletions(-)
diff --git a/algo b/algo
index a89c704..0ca82bd 100755
--- a/algo
+++ b/algo
@@ -232,14 +232,13 @@ EXTRA_VARS="do_access_token=$do_access_token do_server_name=$do_server_name do_r
 ec2 () {
 read -p "
 Enter your aws_access_key (http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html)
-Note: Make sure to use either your root key (recommended) or an IAM user with an acceptable policy attached
+Note: Make sure to use an IAM user with an acceptable policy attached (see https://github.com/trailofbits/algo/blob/master/docs/deploy-with-ansible.md).
 $ADDITIONAL_PROMPT
 [AKIA...]: " -rs aws_access_key
 read -p "
 Enter your aws_secret_key (http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html)
-Note: Make sure to use either your root key (recommended) or an IAM user with an acceptable policy attached
 $ADDITIONAL_PROMPT
 [ABCD...]: " -rs aws_secret_key
diff --git a/docs/deploy-with-ansible.md b/docs/deploy-with-ansible.md
index e1a86ff..54154bb 100644
--- a/docs/deploy-with-ansible.md
+++ b/docs/deploy-with-ansible.md
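Review bot: The new aws_access_key prompt points users at the `master` copy of deploy-with-ansible.md, so the policy they are told to attach can drift from what the checkout they are actually running needs; reference the local file instead, e.g. `(see docs/deploy-with-ansible.md in this repository)`, or pin the URL to a release tag. Dropping the "root key (recommended)" wording is the right call, but the keys are still read into plain shell variables, and the hunk's header context shows `do_access_token` being placed in `EXTRA_VARS`; if the AWS keys take the same route they end up on the ansible-playbook command line, visible to any local user via `ps`, which is worth a follow-up even if out of scope here. The body of `ec2 ()` continues past the end of this hunk, so I cannot confirm that from the diff alone.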
@@ -103,6 +103,70 @@ Additional tags:
 - [encrypted](https://aws.amazon.com/blogs/aws/new-encrypted-ebs-boot-volumes/) (enabled by default)
+#### Minimum required IAM permissions for deployment:
+
+```
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "PreDeployment",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DescribeImages",
+ "ec2:DescribeKeyPairs",
+ "ec2:ImportKeyPair"
+ ],
+ "Resource": [
+ "*"
+ ]
+ },
+ {
+ "Sid": "DeployCloudFormationStack",
+ "Effect": "Allow",
+ "Action": [
+ "cloudformation:CreateStack",
+ "cloudformation:DescribeStacks",
+ "cloudformation:CreateStacks",
+ "cloudformation:DescribeStackEvents",
+ "cloudformation:ListStackResources"
+ ],
+ "Resource": [
+ "*"
+ ]
+ },
+ {
+ "Sid": "CloudFormationEC2Access",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:CreateInternetGateway",
+ "ec2:DescribeVpcs",
+ "ec2:CreateVpc",
+ "ec2:DescribeInternetGateways",
+ "ec2:ModifyVpcAttribute",
+ "ec2:createTags",
+ "ec2:CreateSubnet",
+ "ec2:Associate*",
+ "ec2:CreateRouteTable",
+ "ec2:AttachInternetGateway",
+ "ec2:DescribeRouteTables",
+ "ec2:DescribeSubnets",
+ "ec2:ModifySubnetAttribute",
+ "ec2:CreateRoute",
+ "ec2:CreateSecurityGroup",
+ "ec2:DescribeSecurityGroups",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:RunInstances",
+ "ec2:DescribeInstances"
+ ],
+ "Resource": [
+ "*"
+ ]
+ }
+ ]
+}
+```
+
 ### Google Compute Engine
 Required variables:
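Review bot: `cloudformation:CreateStacks` in the DeployCloudFormationStack statement is not a CloudFormation API action (the real one, `cloudformation:CreateStack`, is already listed two lines above), so the entry never matches anything and should be deleted rather than shipped in a policy labelled "minimum". `ec2:Associate*` grants more than the single association this stack presumably needs, since it also covers AssociateAddress, AssociateDhcpOptions and AssociateIamInstanceProfile; if the CloudFormation template (outside this diff) only associates a route table with the subnet, narrow it to `ec2:AssociateRouteTable`. `ec2:createTags` should be written `ec2:CreateTags` — IAM matches action names case-insensitively so it works, but it reads as a typo beside the other entries. It is also worth a sentence under the block stating that every statement is on `"Resource": "*"`, so a principal holding this policy can create VPCs and launch instances anywhere in the account, and that it should therefore be a dedicated IAM user with nothing else attached.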