  1. Container Tools
  2. RUN-4064

Audit Existing Permissions & Define Policy


    • Story
    • Resolution: Unresolved
    • RUN 283

      Summary: Determine exactly what the current hardcoded "Cirrus" key is allowed to do so we can replicate it securely in the new OIDC role.

      Description: We are replacing a hardcoded AMI/IAM key currently used in Cirrus CI. Before creating the new role, we need to map out the exact permissions required (Least Privilege).

      • Tasks:
        1. Identify the AWS Access Key ID currently configured in Cirrus CI (or the repository secrets).
        2. Find the corresponding IAM User in the AWS Console.
        3. Analyze the attached Policies (both Inline and Managed) to list required permissions (e.g., ec2:RunInstances, s3:PutObject, packer:build permissions).
        4. Draft a JSON IAM Policy that includes only these required permissions.
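
One way to carry out tasks 3 and 4 offline once the user's policy documents have been exported as JSON. This is an added example, not code from the ticket or the project. The policy names, the bucket ARN and the function names `audit` and `draft_policy` are assumptions, and the sample documents are constructed.

```python
import json
from collections import defaultdict

# Constructed sample documents (not the real Cirrus policies), shaped like the
# JSON returned for one inline and one managed policy of an IAM user.
SAMPLE_POLICIES = {
    "inline:ci-build": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["ec2:RunInstances", "ec2:*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:DeleteVolume", "Resource": "*"},
    ]},
    "managed:ci-artifacts": {"Version": "2012-10-17", "Statement": {
        "Effect": "Allow", "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::example-bucket/*"}},
}

def as_list(value):
    # IAM accepts either a single value or a list for these fields.
    return value if isinstance(value, list) else [value]

def audit(policies):
    """Collect Allow grants per (resources, condition) and list review findings."""
    grants, findings = defaultdict(set), []
    for name, doc in policies.items():
        for stmt in as_list(doc["Statement"]):
            if stmt.get("Effect") != "Allow" or "NotAction" in stmt or "NotResource" in stmt:
                findings.append(f"{name}: Deny/Not* statement, carry over by hand")
                continue
            resources = tuple(sorted(as_list(stmt["Resource"])))
            # Keep any Condition with its grant so the draft is not broader.
            key = (resources, json.dumps(stmt.get("Condition", {}), sort_keys=True))
            for action in as_list(stmt["Action"]):
                grants[key].add(action)
                if "*" in action:
                    findings.append(f"{name}: wildcard action {action}")
            if "*" in resources:
                findings.append(f"{name}: Resource is *, scope to ARNs")
    return grants, findings

def draft_policy(grants):
    """Build the draft policy document from the collected grants."""
    statements = []
    for (resources, condition), actions in sorted(grants.items()):
        stmt = {"Effect": "Allow", "Action": sorted(actions), "Resource": list(resources)}
        if json.loads(condition):
            stmt["Condition"] = json.loads(condition)
        statements.append(stmt)
    return {"Version": "2012-10-17", "Statement": statements}

if __name__ == "__main__":
    grants, findings = audit(SAMPLE_POLICIES)
    print(json.dumps(draft_policy(grants), indent=2))
    print("\n".join(findings))
```

The draft reproduces what the existing key is granted, so each finding (wildcard actions, `*` resources, skipped Deny statements) marks a place to narrow before the policy goes to the new OIDC role.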

      Acceptance Criteria:

      • [ ] A list of required AWS actions/resources is documented.
      • [ ] A draft JSON IAM policy is ready for the next story.

              rh-ee-tizhou Tim Zhou
              bbaude@redhat.com Brent Baude