AWS / MFA + CLI / CloudFormation / Example / Groups
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"BossRole" : {
"Type": "AWS::IAM::Role",
"Properties": {
"RoleName": "BossRole",
"AssumeRolePolicyDocument": {
"Version" : "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Principal": {
"AWS": { "Ref": "AWS::AccountId" }
},
"Action": [ "sts:AssumeRole" ]
} ]
}
}
},
"MarketingRole" : {
"Type": "AWS::IAM::Role",
"Properties": {
"RoleName": "MarketingRole",
"AssumeRolePolicyDocument": {
"Version" : "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Principal": {
"AWS": { "Ref": "AWS::AccountId" }
},
"Action": [ "sts:AssumeRole" ]
} ]
}
}
},
"SalesRole" : {
"Type": "AWS::IAM::Role",
"Properties": {
"RoleName": "SalesRole",
"AssumeRolePolicyDocument": {
"Version" : "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Principal": {
"AWS": { "Ref": "AWS::AccountId" }
},
"Action": [ "sts:AssumeRole" ]
} ]
}
}
},
"BossStorageReadAllPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "BossStorageReadAllPolicy",
"Roles": [ { "Ref": "BossRole" } ],
"PolicyDocument": {
"Version" : "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetObject"
],
"Resource": { "Fn::Join": [ "", [
"arn:aws:s3:::",
{ "Fn::ImportValue": "CompanySharedStorage-Bucket" },
"/*"
] ] }
} ]
}
}
},
"BossStoragePolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "BossStoragePolicy",
"Roles": [ { "Ref": "BossRole" } ],
"PolicyDocument": {
"Version" : "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": { "Fn::Join": [ "", [
"arn:aws:s3:::",
{ "Fn::ImportValue": "CompanySharedStorage-Bucket" },
"/boss/*"
] ] }
} ]
}
}
},
"MarketingStoragePolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "MarketingStoragePolicy",
"Roles": [ { "Ref": "MarketingRole" } ],
"PolicyDocument": {
"Version" : "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": { "Fn::Join": [ "", [
"arn:aws:s3:::",
{ "Fn::ImportValue": "CompanySharedStorage-Bucket" }
] ] },
"Condition": {"StringLike": {"s3:prefix": ["marketing", "marketing/*"] } }
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": { "Fn::Join": [ "", [
"arn:aws:s3:::",
{ "Fn::ImportValue": "CompanySharedStorage-Bucket" },
"/marketing/*"
] ] }
}
]
}
}
},
"MarketingStorageReadSalesPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "MarketingStorageReadSalesPolicy",
"Roles": [ { "Ref": "MarketingRole" } ],
"PolicyDocument": {
"Version" : "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": { "Fn::Join": [ "", [
"arn:aws:s3:::",
{ "Fn::ImportValue": "CompanySharedStorage-Bucket" }
] ] },
"Condition": {"StringLike": {"s3:prefix": ["sales", "sales/*"] } }
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": { "Fn::Join": [ "", [
"arn:aws:s3:::",
{ "Fn::ImportValue": "CompanySharedStorage-Bucket" },
"/sales/*"
] ] }
}
]
}
}
},
"SalesStoragePolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "SalesStoragePolicy",
"Roles": [ { "Ref": "SalesRole" } ],
"PolicyDocument": {
"Version" : "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": { "Fn::Join": [ "", [
"arn:aws:s3:::",
{ "Fn::ImportValue": "CompanySharedStorage-Bucket" }
] ] },
"Condition": {"StringLike": {"s3:prefix": ["sales", "sales/*"] } }
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": { "Fn::Join": [ "", [
"arn:aws:s3:::",
{ "Fn::ImportValue": "CompanySharedStorage-Bucket" },
"/sales/*"
] ] }
}
]
}
}
},
"BossGroup" : {
"Type": "AWS::IAM::Group",
"DependsOn": "BossRole",
"Properties": {
"GroupName": "BossGroup",
"Policies": [ {
"PolicyName": "AssumeBossRole",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": { "Fn::GetAtt": [ "BossRole", "Arn" ] }
} ]
}
} ]
}
},
"MarketingGroup" : {
"Type": "AWS::IAM::Group",
"DependsOn": "MarketingRole",
"Properties": {
"GroupName": "MarketingGroup",
"Policies": [ {
"PolicyName": "AssumeMarketingRole",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": { "Fn::GetAtt": [ "MarketingRole", "Arn" ] }
} ]
}
} ]
}
},
"SalesGroup" : {
"Type": "AWS::IAM::Group",
"DependsOn": "SalesRole",
"Properties": {
"GroupName": "SalesGroup",
"Policies": [ {
"PolicyName": "AssumeSalesRole",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": { "Fn::GetAtt": [ "SalesRole", "Arn" ] }
} ]
}
} ]
}
},
"ManageOwnCredentialsPolicy": {
"Type": "AWS::IAM::ManagedPolicy",
"Properties": {
"Description": "Allow users to manage their own credentials",
"Groups": [
{ "Ref": "BossGroup" },
{ "Ref": "MarketingGroup" },
{ "Ref": "SalesGroup" }
],
"PolicyDocument": {
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowAllUsersToListAccounts",
"Effect": "Allow",
"Action":[
"iam:ListAccountAliases",
"iam:ListUsers",
"iam:GetAccountSummary"
],
"Resource": "*"
},
{
"Sid": "AllowIndividualUserToSeeAndManageTheirOwnAccountInformation",
"Effect": "Allow",
"Action":[
"iam:ChangePassword",
"iam:CreateAccessKey",
"iam:CreateLoginProfile",
"iam:DeleteAccessKey",
"iam:DeleteLoginProfile",
"iam:GetAccountPasswordPolicy",
"iam:GetLoginProfile",
"iam:ListAccessKeys",
"iam:UpdateAccessKey",
"iam:UpdateLoginProfile",
"iam:ListSigningCertificates",
"iam:DeleteSigningCertificate",
"iam:UpdateSigningCertificate",
"iam:UploadSigningCertificate",
"iam:ListSSHPublicKeys",
"iam:GetSSHPublicKey",
"iam:DeleteSSHPublicKey",
"iam:UpdateSSHPublicKey",
"iam:UploadSSHPublicKey"
],
"Resource": { "Fn::Join": [ "", [
"arn:aws:iam::",
{ "Ref": "AWS::AccountId" },
":user/${aws:username}"
] ] }
},
{
"Sid": "AllowIndividualUserToListTheirOwnMFA",
"Effect": "Allow",
"Action":[
"iam:ListVirtualMFADevices",
"iam:ListMFADevices"
],
"Resource":[
{ "Fn::Join": [ "", [
"arn:aws:iam::",
{ "Ref": "AWS::AccountId" },
":mfa/*"
] ] },
{ "Fn::Join": [ "", [
"arn:aws:iam::",
{ "Ref": "AWS::AccountId" },
":user/${aws:username}"
] ] }
]
},
{
"Sid": "AllowIndividualUserToManageTheirOwnMFA",
"Effect": "Allow",
"Action":[
"iam:CreateVirtualMFADevice",
"iam:DeactivateMFADevice",
"iam:DeleteVirtualMFADevice",
"iam:RequestSmsMfaRegistration",
"iam:FinalizeSmsMfaRegistration",
"iam:EnableMFADevice",
"iam:ResyncMFADevice"
],
"Resource":[
{ "Fn::Join": [ "", [
"arn:aws:iam::",
{ "Ref": "AWS::AccountId" },
":mfa/${aws:username}"
] ] },
{ "Fn::Join": [ "", [
"arn:aws:iam::",
{ "Ref": "AWS::AccountId" },
":user/${aws:username}"
] ] }
]
}
]
}
}
},
"RequireMFAPolicy": {
"Type": "AWS::IAM::ManagedPolicy",
"Properties": {
"Description": "Deny all non-IAM actions unless the session is MFA-authenticated (iam:* actions stay exempt from the MFA check)",
"Groups": [
{ "Ref": "BossGroup" },
{ "Ref": "MarketingGroup" },
{ "Ref": "SalesGroup" }
],
"PolicyDocument": {
"Version":"2012-10-17",
"Statement": [
{
"Sid": "BlockNonIAMAccessUnlessSignedInWithMFA",
"Effect": "Deny",
"NotAction": "iam:*",
"Resource": "*",
"Condition": { "BoolIfExists": { "aws:MultiFactorAuthPresent": "false"} }
}
]
}
}
},
},
"Outputs": {
"BossRoleARN": {
"Value": { "Fn::GetAtt": [ "BossRole", "Arn" ] },
"Description": "The Boss's Role ARN",
"Export": {
"Name": {"Fn::Sub": "${AWS::StackName}-BossRoleARN" }
}
},
"MarketingRoleARN": {
"Value": { "Fn::GetAtt": [ "MarketingRole", "Arn" ] },
"Description": "The Marketing Role ARN",
"Export": {
"Name": {"Fn::Sub": "${AWS::StackName}-MarketingRoleARN" }
}
},
"SalesRoleARN": {
"Value": { "Fn::GetAtt": [ "SalesRole", "Arn" ] },
"Description": "The Sales Role ARN",
"Export": {
"Name": {"Fn::Sub": "${AWS::StackName}-SalesRoleARN" }
}
},
"BossGroup": {
"Value": { "Ref": "BossGroup" },
"Description": "The Boss's Group",
"Export": {
"Name": {"Fn::Sub": "${AWS::StackName}-BossGroup" }
}
},
"MarketingGroup": {
"Value": { "Ref": "MarketingGroup" },
"Description": "The Marketing Group",
"Export": {
"Name": {"Fn::Sub": "${AWS::StackName}-MarketingGroup" }
}
},
"SalesGroup": {
"Value": { "Ref": "SalesGroup" },
"Description": "The Sales Group",
"Export": {
"Name": {"Fn::Sub": "${AWS::StackName}-SalesGroup" }
}
}
}
}