Undo1/README.md Secret

## README.md

      
        

          Raw
        
        
          
            
          
          
            
              README.md
            
          
        
      
    
  
    Note: I think we'll want to use an administrator policy to create the service, then this policy to ensure no one can spin up a huge amount of EC2 servers or something and drive bills up. Shouldn't be an issue, but this enforces it.
I think this policy is more open than it needs to be, especially around IAM (possible escalation vuln?), but it's late here and I've confirmed that it works at a high level.
Also, the visual editor makes things horribly unreadable. I'd want to hand-edit this to be somewhat maintainable.

  

  

## policy.awspolicy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "lambda:CreateFunction",
                "cloudformation:CreateUploadBucket",
                "cloudformation:ListStacks",
                "lambda:UpdateEventSourceMapping",
                "lambda:ListFunctions",
                "lambda:InvokeFunction",
                "lambda:GetEventSourceMapping",
                "lambda:UpdateFunctionConfiguration",
                "lambda:GetAccountSettings",
                "lambda:CreateEventSourceMapping",
                "s3:ListObjects",
                "cloudformation:EstimateTemplateCost",
                "cloudformation:PreviewStackUpdate",
                "s3:ListAllMyBuckets",
                "lambda:ListEventSourceMappings",
                "cloudformation:DescribeAccountLimits",
                "lambda:DeleteEventSourceMapping",
                "cloudformation:DescribeChangeSet",
                "s3:HeadBucket",
                "cloudformation:ValidateTemplate"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "lambda:TagResource",
                "lambda:ListVersionsByFunction",
                "iam:CreateRole",
                "lambda:Invoke",
                "lambda:InvokeAsync",
                "lambda:GetFunctionConfiguration",
                "iam:PutRolePolicy",
                "lambda:UntagResource",
                "lambda:EnableReplication",
                "iam:PassRole",
                "lambda:ListTags",
                "iam:DeleteRolePolicy",
                "lambda:DeleteFunction",
                "lambda:GetAlias",
                "iam:GetRole",
                "s3:*",
                "apigateway:*",
                "lambda:GetFunction",
                "lambda:ListAliases",
                "iam:DeleteRole",
                "lambda:UpdateAlias",
                "lambda:UpdateFunctionCode",
                "lambda:AddPermission",
                "lambda:DeleteAlias",
                "lambda:PublishVersion",
                "lambda:RemovePermission",
                "lambda:GetPolicy",
                "lambda:CreateAlias"
            ],
            "Resource": [
                "arn:aws:lambda:us-west-1:422175853994:function:smoke-detector-aws-dev*",
                "arn:aws:iam::422175853994:role/smoke-detector-aws-dev*",
                "arn:aws:s3:::smoke-detector-aws-dev*",
                "arn:aws:apigateway:*::/*"
            ]
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "cloudformation:*",
            "Resource": "arn:aws:cloudformation:us-west-1:422175853994:stack/smoke-detector-aws-dev/*"
        }
    ]
}
	{
	"Version": "2012-10-17",
	"Statement": [
	{
	"Sid": "VisualEditor0",
	"Effect": "Allow",
	"Action": [
	"lambda:CreateFunction",
	"cloudformation:CreateUploadBucket",
	"cloudformation:ListStacks",
	"lambda:UpdateEventSourceMapping",
	"lambda:ListFunctions",
	"lambda:InvokeFunction",
	"lambda:GetEventSourceMapping",
	"lambda:UpdateFunctionConfiguration",
	"lambda:GetAccountSettings",
	"lambda:CreateEventSourceMapping",
	"s3:ListObjects",
	"cloudformation:EstimateTemplateCost",
	"cloudformation:PreviewStackUpdate",
	"s3:ListAllMyBuckets",
	"lambda:ListEventSourceMappings",
	"cloudformation:DescribeAccountLimits",
	"lambda:DeleteEventSourceMapping",
	"cloudformation:DescribeChangeSet",
	"s3:HeadBucket",
	"cloudformation:ValidateTemplate"
	],
	"Resource": "*"
	},
	{
	"Sid": "VisualEditor1",
	"Effect": "Allow",
	"Action": [
	"lambda:TagResource",
	"lambda:ListVersionsByFunction",
	"iam:CreateRole",
	"lambda:Invoke",
	"lambda:InvokeAsync",
	"lambda:GetFunctionConfiguration",
	"iam:PutRolePolicy",
	"lambda:UntagResource",
	"lambda:EnableReplication",
	"iam:PassRole",
	"lambda:ListTags",
	"iam:DeleteRolePolicy",
	"lambda:DeleteFunction",
	"lambda:GetAlias",
	"iam:GetRole",
	"s3:*",
	"apigateway:*",
	"lambda:GetFunction",
	"lambda:ListAliases",
	"iam:DeleteRole",
	"lambda:UpdateAlias",
	"lambda:UpdateFunctionCode",
	"lambda:AddPermission",
	"lambda:DeleteAlias",
	"lambda:PublishVersion",
	"lambda:RemovePermission",
	"lambda:GetPolicy",
	"lambda:CreateAlias"
	],
	"Resource": [
	"arn:aws:lambda:us-west-1:422175853994:function:smoke-detector-aws-dev*",
	"arn:aws:iam::422175853994:role/smoke-detector-aws-dev*",
	"arn:aws:s3:::smoke-detector-aws-dev*",
	"arn:aws:apigateway:::/"
	]
	},
	{
	"Sid": "VisualEditor2",
	"Effect": "Allow",
	"Action": "cloudformation:*",
	"Resource": "arn:aws:cloudformation:us-west-1:422175853994:stack/smoke-detector-aws-dev/*"
	}
	]
	}