{ "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2:DescribeSubnets", "ec2:DescribeVpcs", "ec2:DescribeNetworkInterfaces", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcs", "tag:GetResources", "elasticloadbalancing:AddTags" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "eks:*" ], "Resource": [ "cluster arn value", "cluster arn value/update-config" ], "Effect": "Allow" }, { "Action": [ "cloudformation:*", "lambda:InvokeFunction", "kms:DescribeKey", "dlm:*" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", "ec2:CreateNetworkInterface", "ec2:DescribeNetworkInterfaces", "ec2:DeleteNetworkInterface" ], "Resource": [ "*" ], "Effect": "Allow" }, { "Action": "kms:decrypt", "Resource": "*", "Effect": "Allow" }, { "Action": "s3:GetObject", "Resource": "arn:aws:s3:::bucket name/*", "Effect": "Allow" }, { "Action": [ "lambda:AddPermission", "lambda:RemovePermission" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "events:PutRule", "events:DeleteRule", "events:PutTargets", "events:RemoveTargets" ], "Resource": "*", "Effect": "Allow" } ] }

Inline policy for iam:PassRole (replace the Resource placeholder with the ARN of the control plane role):

{ "Version": "2012-10-17", "Statement": [ { "Action": "iam:PassRole", "Resource": "arn value of Control Plane Role", "Effect": "Allow" } ] }