AWS / MFA + CLI / CloudFormation / Example / Groups
{ | |
"AWSTemplateFormatVersion": "2010-09-09", | |
"Resources": { | |
"BossRole" : { | |
"Type": "AWS::IAM::Role", | |
"Properties": { | |
"RoleName": "BossRole", | |
"AssumeRolePolicyDocument": { | |
"Version" : "2012-10-17", | |
"Statement": [ { | |
"Effect": "Allow", | |
"Principal": { | |
"AWS": { "Ref": "AWS::AccountId" } | |
}, | |
"Action": [ "sts:AssumeRole" ] | |
} ] | |
} | |
} | |
}, | |
"MarketingRole" : { | |
"Type": "AWS::IAM::Role", | |
"Properties": { | |
"RoleName": "MarketingRole", | |
"AssumeRolePolicyDocument": { | |
"Version" : "2012-10-17", | |
"Statement": [ { | |
"Effect": "Allow", | |
"Principal": { | |
"AWS": { "Ref": "AWS::AccountId" } | |
}, | |
"Action": [ "sts:AssumeRole" ] | |
} ] | |
} | |
} | |
}, | |
"SalesRole" : { | |
"Type": "AWS::IAM::Role", | |
"Properties": { | |
"RoleName": "SalesRole", | |
"AssumeRolePolicyDocument": { | |
"Version" : "2012-10-17", | |
"Statement": [ { | |
"Effect": "Allow", | |
"Principal": { | |
"AWS": { "Ref": "AWS::AccountId" } | |
}, | |
"Action": [ "sts:AssumeRole" ] | |
} ] | |
} | |
} | |
}, | |
"BossStorageReadAllPolicy": { | |
"Type": "AWS::IAM::Policy", | |
"Properties": { | |
"PolicyName": "BossStorageReadAllPolicy", | |
"Roles": [ { "Ref": "BossRole" } ], | |
"PolicyDocument": { | |
"Version" : "2012-10-17", | |
"Statement": [ { | |
"Effect": "Allow", | |
"Action": [ | |
"s3:ListBucket", | |
"s3:GetObject" | |
], | |
"Resource": { "Fn::Join": [ "", [ | |
"arn:aws:s3:::", | |
{ "Fn::ImportValue": "CompanySharedStorage-Bucket" }, | |
"/*" | |
] ] } | |
} ] | |
} | |
} | |
}, | |
"BossStoragePolicy": { | |
"Type": "AWS::IAM::Policy", | |
"Properties": { | |
"PolicyName": "BossStoragePolicy", | |
"Roles": [ { "Ref": "BossRole" } ], | |
"PolicyDocument": { | |
"Version" : "2012-10-17", | |
"Statement": [ { | |
"Effect": "Allow", | |
"Action": [ | |
"s3:PutObject", | |
"s3:DeleteObject" | |
], | |
"Resource": { "Fn::Join": [ "", [ | |
"arn:aws:s3:::", | |
{ "Fn::ImportValue": "CompanySharedStorage-Bucket" }, | |
"/boss/*" | |
] ] } | |
} ] | |
} | |
} | |
}, | |
"MarketingStoragePolicy": { | |
"Type": "AWS::IAM::Policy", | |
"Properties": { | |
"PolicyName": "MarketingStoragePolicy", | |
"Roles": [ { "Ref": "MarketingRole" } ], | |
"PolicyDocument": { | |
"Version" : "2012-10-17", | |
"Statement": [ | |
{ | |
"Effect": "Allow", | |
"Action": [ | |
"s3:ListBucket" | |
], | |
"Resource": { "Fn::Join": [ "", [ | |
"arn:aws:s3:::", | |
{ "Fn::ImportValue": "CompanySharedStorage-Bucket" } | |
] ] }, | |
"Condition": {"StringLike": {"s3:prefix": ["marketing", "marketing/*"] } } | |
}, | |
{ | |
"Effect": "Allow", | |
"Action": [ | |
"s3:GetObject", | |
"s3:PutObject", | |
"s3:DeleteObject" | |
], | |
"Resource": { "Fn::Join": [ "", [ | |
"arn:aws:s3:::", | |
{ "Fn::ImportValue": "CompanySharedStorage-Bucket" }, | |
"/marketing/*" | |
] ] } | |
} | |
] | |
} | |
} | |
}, | |
"MarketingStorageReadSalesPolicy": { | |
"Type": "AWS::IAM::Policy", | |
"Properties": { | |
"PolicyName": "MarketingStorageReadSalesPolicy", | |
"Roles": [ { "Ref": "MarketingRole" } ], | |
"PolicyDocument": { | |
"Version" : "2012-10-17", | |
"Statement": [ | |
{ | |
"Effect": "Allow", | |
"Action": [ | |
"s3:ListBucket" | |
], | |
"Resource": { "Fn::Join": [ "", [ | |
"arn:aws:s3:::", | |
{ "Fn::ImportValue": "CompanySharedStorage-Bucket" } | |
] ] }, | |
"Condition": {"StringLike": {"s3:prefix": ["sales", "sales/*"] } } | |
}, | |
{ | |
"Effect": "Allow", | |
"Action": [ | |
"s3:GetObject" | |
], | |
"Resource": { "Fn::Join": [ "", [ | |
"arn:aws:s3:::", | |
{ "Fn::ImportValue": "CompanySharedStorage-Bucket" }, | |
"/sales/*" | |
] ] } | |
} | |
] | |
} | |
} | |
}, | |
"SalesStoragePolicy": { | |
"Type": "AWS::IAM::Policy", | |
"Properties": { | |
"PolicyName": "SalesStoragePolicy", | |
"Roles": [ { "Ref": "SalesRole" } ], | |
"PolicyDocument": { | |
"Version" : "2012-10-17", | |
"Statement": [ | |
{ | |
"Effect": "Allow", | |
"Action": [ | |
"s3:ListBucket" | |
], | |
"Resource": { "Fn::Join": [ "", [ | |
"arn:aws:s3:::", | |
{ "Fn::ImportValue": "CompanySharedStorage-Bucket" } | |
] ] }, | |
"Condition": {"StringLike": {"s3:prefix": ["sales", "sales/*"] } } | |
}, | |
{ | |
"Effect": "Allow", | |
"Action": [ | |
"s3:GetObject", | |
"s3:PutObject", | |
"s3:DeleteObject" | |
], | |
"Resource": { "Fn::Join": [ "", [ | |
"arn:aws:s3:::", | |
{ "Fn::ImportValue": "CompanySharedStorage-Bucket" }, | |
"/sales/*" | |
] ] } | |
} | |
] | |
} | |
} | |
}, | |
"BossGroup" : { | |
"Type": "AWS::IAM::Group", | |
"DependsOn": "BossRole", | |
"Properties": { | |
"GroupName": "BossGroup", | |
"Policies": [ { | |
"PolicyName": "AssumeBossRole", | |
"PolicyDocument": { | |
"Version": "2012-10-17", | |
"Statement": [ { | |
"Effect": "Allow", | |
"Action": "sts:AssumeRole", | |
"Resource": { "Fn::GetAtt": [ "BossRole", "Arn" ] } | |
} ] | |
} | |
} ] | |
} | |
}, | |
"MarketingGroup" : { | |
"Type": "AWS::IAM::Group", | |
"DependsOn": "MarketingRole", | |
"Properties": { | |
"GroupName": "MarketingGroup", | |
"Policies": [ { | |
"PolicyName": "AssumeMarketingRole", | |
"PolicyDocument": { | |
"Version": "2012-10-17", | |
"Statement": [ { | |
"Effect": "Allow", | |
"Action": "sts:AssumeRole", | |
"Resource": { "Fn::GetAtt": [ "MarketingRole", "Arn" ] } | |
} ] | |
} | |
} ] | |
} | |
}, | |
"SalesGroup" : { | |
"Type": "AWS::IAM::Group", | |
"DependsOn": "SalesRole", | |
"Properties": { | |
"GroupName": "SalesGroup", | |
"Policies": [ { | |
"PolicyName": "AssumeSalesRole", | |
"PolicyDocument": { | |
"Version": "2012-10-17", | |
"Statement": [ { | |
"Effect": "Allow", | |
"Action": "sts:AssumeRole", | |
"Resource": { "Fn::GetAtt": [ "SalesRole", "Arn" ] } | |
} ] | |
} | |
} ] | |
} | |
}, | |
"ManageOwnCredentialsPolicy": { | |
"Type": "AWS::IAM::ManagedPolicy", | |
"Properties": { | |
"Description": "Allow users to manage their own credentials", | |
"Groups": [ | |
{ "Ref": "BossGroup" }, | |
{ "Ref": "MarketingGroup" }, | |
{ "Ref": "SalesGroup" } | |
], | |
"PolicyDocument": { | |
"Version":"2012-10-17", | |
"Statement": [ | |
{ | |
"Sid": "AllowAllUsersToListAccounts", | |
"Effect": "Allow", | |
"Action":[ | |
"iam:ListAccountAliases", | |
"iam:ListUsers", | |
"iam:GetAccountSummary" | |
], | |
"Resource": "*" | |
}, | |
{ | |
"Sid": "AllowIndividualUserToSeeAndManageTheirOwnAccountInformation", | |
"Effect": "Allow", | |
"Action":[ | |
"iam:ChangePassword", | |
"iam:CreateAccessKey", | |
"iam:CreateLoginProfile", | |
"iam:DeleteAccessKey", | |
"iam:DeleteLoginProfile", | |
"iam:GetAccountPasswordPolicy", | |
"iam:GetLoginProfile", | |
"iam:ListAccessKeys", | |
"iam:UpdateAccessKey", | |
"iam:UpdateLoginProfile", | |
"iam:ListSigningCertificates", | |
"iam:DeleteSigningCertificate", | |
"iam:UpdateSigningCertificate", | |
"iam:UploadSigningCertificate", | |
"iam:ListSSHPublicKeys", | |
"iam:GetSSHPublicKey", | |
"iam:DeleteSSHPublicKey", | |
"iam:UpdateSSHPublicKey", | |
"iam:UploadSSHPublicKey" | |
], | |
"Resource": { "Fn::Join": [ "", [ | |
"arn:aws:iam::", | |
{ "Ref": "AWS::AccountId" }, | |
":user/${aws:username}" | |
] ] } | |
}, | |
{ | |
"Sid": "AllowIndividualUserToListTheirOwnMFA", | |
"Effect": "Allow", | |
"Action":[ | |
"iam:ListVirtualMFADevices", | |
"iam:ListMFADevices" | |
], | |
"Resource":[ | |
{ "Fn::Join": [ "", [ | |
"arn:aws:iam::", | |
{ "Ref": "AWS::AccountId" }, | |
":mfa/*" | |
] ] }, | |
{ "Fn::Join": [ "", [ | |
"arn:aws:iam::", | |
{ "Ref": "AWS::AccountId" }, | |
":user/${aws:username}" | |
] ] } | |
] | |
}, | |
{ | |
"Sid": "AllowIndividualUserToManageTheirOwnMFA", | |
"Effect": "Allow", | |
"Action":[ | |
"iam:CreateVirtualMFADevice", | |
"iam:DeactivateMFADevice", | |
"iam:DeleteVirtualMFADevice", | |
"iam:RequestSmsMfaRegistration", | |
"iam:FinalizeSmsMfaRegistration", | |
"iam:EnableMFADevice", | |
"iam:ResyncMFADevice" | |
], | |
"Resource":[ | |
{ "Fn::Join": [ "", [ | |
"arn:aws:iam::", | |
{ "Ref": "AWS::AccountId" }, | |
":mfa/${aws:username}" | |
] ] }, | |
{ "Fn::Join": [ "", [ | |
"arn:aws:iam::", | |
{ "Ref": "AWS::AccountId" }, | |
":user/${aws:username}" | |
] ] } | |
] | |
} | |
] | |
} | |
} | |
}, | |
"RequireMFAPolicy": { | |
"Type": "AWS::IAM::ManagedPolicy", | |
"Properties": { | |
"Description": "Require MFA authentication", | |
"Groups": [ | |
{ "Ref": "BossGroup" }, | |
{ "Ref": "MarketingGroup" }, | |
{ "Ref": "SalesGroup" } | |
], | |
"PolicyDocument": { | |
"Version":"2012-10-17", | |
"Statement": [ | |
{ | |
"Sid": "BlockAnyAccessOtherThanAboveUnlessSignedInWithMFA", | |
"Effect": "Deny", | |
"NotAction": "iam:*", | |
"Resource": "*", | |
"Condition": { "BoolIfExists": { "aws:MultiFactorAuthPresent": "false"} } | |
} | |
] | |
} | |
} | |
}, | |
}, | |
"Outputs": { | |
"BossRoleARN": { | |
"Value": { "Fn::GetAtt": [ "BossRole", "Arn" ] }, | |
"Description": "The Boss' Role ARN", | |
"Export": { | |
"Name": {"Fn::Sub": "${AWS::StackName}-BossRoleARN" } | |
} | |
}, | |
"MarketingRoleARN": { | |
"Value": { "Fn::GetAtt": [ "MarketingRole", "Arn" ] }, | |
"Description": "The Marketing Role ARN", | |
"Export": { | |
"Name": {"Fn::Sub": "${AWS::StackName}-MarketingRoleARN" } | |
} | |
}, | |
"SalesRoleARN": { | |
"Value": { "Fn::GetAtt": [ "SalesRole", "Arn" ] }, | |
"Description": "The Sales Role ARN", | |
"Export": { | |
"Name": {"Fn::Sub": "${AWS::StackName}-SalesRoleARN" } | |
} | |
}, | |
"BossGroup": { | |
"Value": { "Ref": "BossGroup" }, | |
"Description": "The Boss' Group", | |
"Export": { | |
"Name": {"Fn::Sub": "${AWS::StackName}-BossGroup" } | |
} | |
}, | |
"MarketingGroup": { | |
"Value": { "Ref": "MarketingGroup" }, | |
"Description": "The Marketing Group", | |
"Export": { | |
"Name": {"Fn::Sub": "${AWS::StackName}-MarketingGroup" } | |
} | |
}, | |
"SalesGroup": { | |
"Value": { "Ref": "SalesGroup" }, | |
"Description": "The Sales Group", | |
"Export": { | |
"Name": {"Fn::Sub": "${AWS::StackName}-SalesGroup" } | |
} | |
} | |
} | |
} |