From 5b8a9d963270274c67bd143d0c4fdca0e0dac8a4 Mon Sep 17 00:00:00 2001
From: Thomas Hopkins <hopkinsth@gmail.com>
Date: Wed, 7 Mar 2018 17:59:46 -0500
Subject: [PATCH] add policy document for AWS with only necessary permissions

Signed-off-by: Thomas Hopkins <hopkinsth@gmail.com>
---
 docs/aws-config.md | 52 ++++++++++++++++++++++++++++++++++++++++------
 1 file changed, 46 insertions(+), 6 deletions(-)

diff --git a/docs/aws-config.md b/docs/aws-config.md
index 789e4cb68..9a12ba75c 100644
--- a/docs/aws-config.md
+++ b/docs/aws-config.md
@@ -40,12 +40,52 @@ For more information, see [the AWS documentation on IAM users][14].
 2. Attach policies to give `heptio-ark` the necessary permissions:
 
     ```bash
-    aws iam attach-user-policy \
-        --policy-arn arn:aws:iam::aws:policy/AmazonS3FullAccess \
-        --user-name heptio-ark
-    aws iam attach-user-policy \
-        --policy-arn arn:aws:iam::aws:policy/AmazonEC2FullAccess \
-        --user-name heptio-ark
+    BUCKET=<YOUR_BUCKET>
+    cat > heptio-ark-policy.json <<EOF
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Effect": "Allow",
+                "Action": [
+                    "ec2:DescribeVolumes",
+                    "ec2:CreateTags",
+                    "ec2:CreateVolume",
+                    "ec2:CreateSnapshot",
+                    "ec2:DeleteSnapshot"
+                ],
+                "Resource": "*"
+            },
+            {
+                "Effect": "Allow",
+                "Action": [
+                    "s3:GetObject",
+                    "s3:DeleteObject",
+                    "s3:PutObject"
+                ],
+                "Resource": [
+                    "arn:aws:s3:::${BUCKET}/*"
+                ]
+            },
+            {
+                "Effect": "Allow",
+                "Action": [
+                    "s3:ListBucket",
+                    "s3:AbortMultipartUpload",
+                    "s3:ListMultipartUploadParts"
+                ],
+                "Resource": [
+                    "arn:aws:s3:::${BUCKET}"
+                ]
+            }
+        ]
+    }
+    EOF
+    
+    aws iam put-user-policy \
+      --user-name heptio-ark \
+      --policy-name heptio-ark \
+      --policy-document file://heptio-ark-policy.json
     ```
 
 3. Create an access key for the user: