@Undo1 Undo1/README.md Secret
Last active Nov 29, 2017
Helios deploy policy

Note: I think we'll want to use an administrator policy to create the service, then this policy to ensure no one can spin up a huge number of EC2 servers or something and drive bills up. Shouldn't be an issue, but this enforces it.

I think this policy is more open than it needs to be, especially around IAM (possible escalation vuln?), but it's late here and I've confirmed that it works at a high level.

Also, the visual editor makes things horribly unreadable. I'd want to hand-edit this to be somewhat maintainable.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "lambda:CreateFunction",
        "cloudformation:CreateUploadBucket",
        "cloudformation:ListStacks",
        "lambda:UpdateEventSourceMapping",
        "lambda:ListFunctions",
        "lambda:InvokeFunction",
        "lambda:GetEventSourceMapping",
        "lambda:UpdateFunctionConfiguration",
        "lambda:GetAccountSettings",
        "lambda:CreateEventSourceMapping",
        "s3:ListObjects",
        "cloudformation:EstimateTemplateCost",
        "cloudformation:PreviewStackUpdate",
        "s3:ListAllMyBuckets",
        "lambda:ListEventSourceMappings",
        "cloudformation:DescribeAccountLimits",
        "lambda:DeleteEventSourceMapping",
        "cloudformation:DescribeChangeSet",
        "s3:HeadBucket",
        "cloudformation:ValidateTemplate"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "lambda:TagResource",
        "lambda:ListVersionsByFunction",
        "iam:CreateRole",
        "lambda:Invoke",
        "lambda:InvokeAsync",
        "lambda:GetFunctionConfiguration",
        "iam:PutRolePolicy",
        "lambda:UntagResource",
        "lambda:EnableReplication",
        "iam:PassRole",
        "lambda:ListTags",
        "iam:DeleteRolePolicy",
        "lambda:DeleteFunction",
        "lambda:GetAlias",
        "iam:GetRole",
        "s3:*",
        "apigateway:*",
        "lambda:GetFunction",
        "lambda:ListAliases",
        "iam:DeleteRole",
        "lambda:UpdateAlias",
        "lambda:UpdateFunctionCode",
        "lambda:AddPermission",
        "lambda:DeleteAlias",
        "lambda:PublishVersion",
        "lambda:RemovePermission",
        "lambda:GetPolicy",
        "lambda:CreateAlias"
      ],
      "Resource": [
        "arn:aws:lambda:us-west-1:422175853994:function:smoke-detector-aws-dev*",
        "arn:aws:iam::422175853994:role/smoke-detector-aws-dev*",
        "arn:aws:s3:::smoke-detector-aws-dev*",
        "arn:aws:apigateway:*::/*"
      ]
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": "cloudformation:*",
      "Resource": "arn:aws:cloudformation:us-west-1:422175853994:stack/smoke-detector-aws-dev/*"
    }
  ]
}
```
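As an added check (example code, not the gist author's), a small Python linter that flags the grants the notes above worry about: `Resource: "*"`, service-wide wildcards like `s3:*` and `apigateway:*`, and `iam:PassRole` combined with role-creating or policy-writing actions that carry no `iam:PermissionsBoundary` condition. The embedded policy is a constructed, abbreviated copy of the three statements shown in the gist.

```python
import json

# Actions that let a principal create or rewrite a role's permissions. Combined
# with iam:PassRole on the same roles, the holder controls what a role it can
# hand to Lambda is allowed to do, which is the IAM concern raised above.
ROLE_SHAPING = {"iam:createrole", "iam:putrolepolicy", "iam:attachrolepolicy"}

# Constructed, abbreviated copy of the three statements shown in the gist.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow",
     "Action": ["lambda:CreateFunction", "s3:ListAllMyBuckets"],
     "Resource": "*"},
    {"Sid": "VisualEditor1", "Effect": "Allow",
     "Action": ["iam:CreateRole", "iam:PutRolePolicy", "iam:PassRole", "s3:*"],
     "Resource": ["arn:aws:iam::422175853994:role/smoke-detector-aws-dev*",
                  "arn:aws:s3:::smoke-detector-aws-dev*"]},
    {"Sid": "VisualEditor2", "Effect": "Allow",
     "Action": "cloudformation:*",
     "Resource": "arn:aws:cloudformation:us-west-1:422175853994:stack/smoke-detector-aws-dev/*"}
  ]
}""")


def as_list(value):
    """IAM allows a bare string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def lint(policy):
    """Return (Sid, finding) tuples for Allow statements that need review."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = [a.lower() for a in as_list(stmt["Action"])]
        if "*" in as_list(stmt["Resource"]):
            findings.append((sid, "Resource * for " + ", ".join(actions)))
        for action in actions:
            if action.endswith(":*"):
                findings.append((sid, "service-wide wildcard " + action))
        shaping = sorted(ROLE_SHAPING & set(actions))
        if shaping and "iam:passrole" in actions:
            conds = stmt.get("Condition", {}).values()
            if not any("iam:PermissionsBoundary" in c for c in conds):
                findings.append((sid, "PassRole with " + ", ".join(shaping)
                                 + " and no iam:PermissionsBoundary condition"))
    return findings
```

Calling `lint(POLICY)` on the embedded copy reports four findings; adding a `StringEquals` condition on `iam:PermissionsBoundary` to the role-shaping statement is the usual way to keep `iam:CreateRole`/`iam:PutRolePolicy` from minting roles more powerful than the deployer itself.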