You can see below our IAM-Role Policy for our agent and platform to help you manage your produtcs.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:RebootInstances",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:TerminateInstances",
                "ec2:StartInstances",
                "ec2:CreateSecurityGroup",
                "ec2:CreateTags",
                "ec2:DeleteSecurityGroup",
                "ec2:RunInstances",
                "ec2:StopInstances",
                "iam:get*",
                "iam:list*",
                "ec2:Describe*",
                "rds:Describe*",
                "s3:*",
                "cloudwatch:GetMetricStatistics",
                "eks:*",
                "cloudwatch:ListMetrics",
                "elasticache:Describe*"
            ],
            "Resource": "*"
        }
    ]
}

This policy Allows:

EC2 Provisioning, control and manage instances with TAG “1P”. Our agent doesn’t use Key pair.

RDS, Elasticache, EC2, IAM, Cloudwatch and S3 in list and get requests types

EKS Full Access (Optionally)