Helios deploy policy

README.md

Note: I think we'll want to use an administrator policy to create the service, then this policy to ensure no one can spin up a huge amount of EC2 servers or something and drive bills up. Shouldn't be an issue, but this enforces it.

I think this policy is more open than it needs to be, especially around IAM (possible escalation vuln?), but it's late here and I've confirmed that it works at a high level.

Also, the visual editor makes things horribly unreadable. I'd want to hand-edit this to be somewhat maintainable.

policy.awspolicy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "lambda:CreateFunction",
                "cloudformation:CreateUploadBucket",
                "cloudformation:ListStacks",
                "lambda:UpdateEventSourceMapping",
                "lambda:ListFunctions",
                "lambda:InvokeFunction",
                "lambda:GetEventSourceMapping",
                "lambda:UpdateFunctionConfiguration",
                "lambda:GetAccountSettings",
                "lambda:CreateEventSourceMapping",
                "s3:ListObjects",
                "cloudformation:EstimateTemplateCost",
                "cloudformation:PreviewStackUpdate",
                "s3:ListAllMyBuckets",
                "lambda:ListEventSourceMappings",
                "cloudformation:DescribeAccountLimits",
                "lambda:DeleteEventSourceMapping",
                "cloudformation:DescribeChangeSet",
                "s3:HeadBucket",
                "cloudformation:ValidateTemplate"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "lambda:TagResource",
                "lambda:ListVersionsByFunction",
                "iam:CreateRole",
                "lambda:Invoke",
                "lambda:InvokeAsync",
                "lambda:GetFunctionConfiguration",
                "iam:PutRolePolicy",
                "lambda:UntagResource",
                "lambda:EnableReplication",
                "iam:PassRole",
                "lambda:ListTags",
                "iam:DeleteRolePolicy",
                "lambda:DeleteFunction",
                "lambda:GetAlias",
                "iam:GetRole",
                "s3:*",
                "apigateway:*",
                "lambda:GetFunction",
                "lambda:ListAliases",
                "iam:DeleteRole",
                "lambda:UpdateAlias",
                "lambda:UpdateFunctionCode",
                "lambda:AddPermission",
                "lambda:DeleteAlias",
                "lambda:PublishVersion",
                "lambda:RemovePermission",
                "lambda:GetPolicy",
                "lambda:CreateAlias"
            ],
            "Resource": [
                "arn:aws:lambda:us-west-1:422175853994:function:smoke-detector-aws-dev*",
                "arn:aws:iam::422175853994:role/smoke-detector-aws-dev*",
                "arn:aws:s3:::smoke-detector-aws-dev*",
                "arn:aws:apigateway:*::/*"
            ]
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "cloudformation:*",
            "Resource": "arn:aws:cloudformation:us-west-1:422175853994:stack/smoke-detector-aws-dev/*"
        }
    ]
}