PRIMECLUSTER Installation and Administration Guide 4.6 Cloud Services
FUJITSU Software

20.9 Policy Design

You can grant access permissions to the AWS CLI using an IAM role or an IAM user.

IAM roles grant access and operation permissions to AWS resources. Because no IAM user access keys need to be stored on each server, access control is more secure.

When you cannot use IAM roles, you can attach policies to IAM users to grant access permissions to AWS resources.

See

For details on policies and IAM roles, refer to the official AWS documentation.

Based on the architectural pattern selected in "20.2.1 Network Takeover", design the policy to attach to the IAM role or IAM user so that it grants access permissions to the following actions.

Network takeover by the virtual router

ec2:DescribeInstances
ec2:DescribeInstanceStatus
ec2:SendDiagnosticInterrupt
ec2:StopInstances
ec2:DescribeRouteTables
ec2:CreateRoute
ec2:ReplaceRoute
ec2:DescribeNetworkInterfaces

Network takeover by replacing the Elastic IP address

ec2:DescribeInstances
ec2:DescribeInstanceStatus
ec2:SendDiagnosticInterrupt
ec2:StopInstances
ec2:AssociateAddress
ec2:DescribeAddresses
ec2:DescribeNetworkInterfaces

Network takeover by rewriting DNS records

ec2:DescribeInstances
ec2:DescribeInstanceStatus
ec2:SendDiagnosticInterrupt
ec2:StopInstances
route53:ChangeResourceRecordSets
route53:GetChange
route53:ListResourceRecordSets
route53:GetHostedZone
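The following script is an added example, not part of this guide or of PRIMECLUSTER. It builds a policy document for the selected takeover pattern from the action lists above, putting the read-only Describe/Get/List actions on Resource "*" (the ec2:Describe* actions do not support resource-level permissions) and the mutating actions on explicit ARNs, and it checks an existing policy for mutating actions granted on "*". The ARNs are placeholders; the read-only/mutating split by action prefix is an assumption of the example.

```python
import json

# Action lists per pattern, as listed in section 20.9.
PATTERNS = {
    "virtual_router": ["ec2:DescribeInstances", "ec2:DescribeInstanceStatus",
                       "ec2:SendDiagnosticInterrupt", "ec2:StopInstances",
                       "ec2:DescribeRouteTables", "ec2:CreateRoute",
                       "ec2:ReplaceRoute", "ec2:DescribeNetworkInterfaces"],
    "elastic_ip": ["ec2:DescribeInstances", "ec2:DescribeInstanceStatus",
                   "ec2:SendDiagnosticInterrupt", "ec2:StopInstances",
                   "ec2:AssociateAddress", "ec2:DescribeAddresses",
                   "ec2:DescribeNetworkInterfaces"],
    "dns": ["ec2:DescribeInstances", "ec2:DescribeInstanceStatus",
            "ec2:SendDiagnosticInterrupt", "ec2:StopInstances",
            "route53:ChangeResourceRecordSets", "route53:GetChange",
            "route53:ListResourceRecordSets", "route53:GetHostedZone"],
}

def is_read_only(action):
    # Assumption of this example: Describe/Get/List actions are read-only.
    return action.split(":", 1)[1].startswith(("Describe", "Get", "List"))

def build_policy(pattern, resource_arns):
    """Return a policy dict: read-only actions on "*", mutating ones scoped."""
    actions = PATTERNS[pattern]
    if not resource_arns:
        raise ValueError("mutating actions must be scoped to explicit ARNs")
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ReadOnly", "Effect": "Allow",
         "Action": sorted(a for a in actions if is_read_only(a)),
         "Resource": "*"},
        {"Sid": "Takeover", "Effect": "Allow",
         "Action": sorted(a for a in actions if not is_read_only(a)),
         "Resource": sorted(resource_arns)},
    ]}

def unscoped_mutations(policy):
    """List mutating actions that an Allow statement grants on Resource "*"."""
    found = []
    for st in policy["Statement"]:
        res = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        acts = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if st["Effect"] == "Allow" and "*" in res:
            found.extend(a for a in acts if not is_read_only(a))
    return sorted(found)

if __name__ == "__main__":
    # Placeholder ARNs; replace with the cluster's own instance and route table.
    arns = ["arn:aws:ec2:REGION:ACCOUNT:instance/i-PLACEHOLDER",
            "arn:aws:ec2:REGION:ACCOUNT:route-table/rtb-PLACEHOLDER"]
    print(json.dumps(build_policy("virtual_router", arns), indent=2))
```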