Complex policy much? Reviewer note: every Deny here is scoped by name (`*prod*` ARNs) or by tag (`Env=prod`), but `IAMPermissionsToRunCfnCreate` grants `iam:CreateRole`, `iam:PutRolePolicy`, `iam:CreatePolicy` and `iam:PassRole` on `"Resource": "*"`, and `EC2FullAccess` grants `ec2:*`; only roles whose ARN contains `prod` are denied, so a role with any other name can be given an inline policy of arbitrary scope and passed to an EC2 instance, and credentials obtained from that instance are not bound by any of these Deny statements. Treat the IAM-create statements as equivalent to account admin unless they are narrowed (constrain `CreateRole`/`PutRolePolicy`/`PassRole` to a dedicated role path or name pattern and, for `PassRole`, to the intended service). Also check `DisallowKMSProdKeys`: it uses the bare condition key `kms:EncryptionContext`, whereas the documented forms are `kms:EncryptionContext:<key>` and `kms:EncryptionContextKeys`, so verify this Deny matches anything at all; likewise `rds:db-tag/Env` appears to apply only to DB-instance resources, leaving other RDS resource types (snapshots, clusters, parameter groups) outside `DisallowRDSProduction`.
{ | |
"Version": "2012-10-17", | |
"Statement": [ | |
{ | |
"Sid": "AllowEC2ProductionReadOnly", | |
"Resource": "*", | |
"Effect": "Allow", | |
"Action": [ | |
"ec2:Describe*", | |
"ec2:List*" | |
], | |
"Condition": { | |
"StringEquals": { | |
"ec2:ResourceTag/Env": "prod" | |
} | |
} | |
}, | |
{ | |
"Sid": "DisallowEC2Production", | |
"Resource": "*", | |
"Effect": "Deny", | |
"Action": [ | |
"ec2:*" | |
], | |
"Condition": { | |
"StringEquals": { | |
"ec2:ResourceTag/Env": "prod" | |
} | |
} | |
}, | |
{ | |
"Sid": "DisallowRDSProduction", | |
"Resource": "*", | |
"Effect": "Deny", | |
"Action": [ | |
"rds:*" | |
], | |
"Condition": { | |
"StringEquals": { | |
"rds:db-tag/Env": "prod" | |
} | |
} | |
}, | |
{ | |
"Sid": "DisallowCfnProd", | |
"Action": [ | |
"cloudformation:Delete*", | |
"cloudformation:Update*" | |
], | |
"Effect": "Deny", | |
"Resource": "arn:aws:cloudformation:*:*:stack/*prod*/*" | |
}, | |
{ | |
"Sid": "DisallowIAMAnythingProd", | |
"Action": [ | |
"iam:*" | |
], | |
"Effect": "Deny", | |
"Resource": [ | |
"arn:aws:iam::*:role/*prod*", | |
"arn:aws:iam::*:policy/*prod*", | |
"arn:aws:iam::*:instance-profile/*prod*", | |
"arn:aws:iam::*:server-certificate/*prod*" | |
] | |
}, | |
{ | |
"Sid": "DisallowKMSProdKeys", | |
"Action": [ | |
"kms:*" | |
], | |
"Effect": "Deny", | |
"Resource": "*", | |
"Condition": { | |
"StringLike": { | |
"kms:EncryptionContext": "prod" | |
} | |
} | |
}, | |
{ | |
"Sid": "DisallowS3Production", | |
"Resource": "arn:aws:s3:::*prod*", | |
"Effect": "Deny", | |
"Action": [ | |
"s3:Put*", | |
"s3:Delete*" | |
] | |
}, | |
{ | |
"Sid": "LetUserChangeOwnPassword", | |
"Effect": "Allow", | |
"Action": [ | |
"iam:ChangePassword", | |
"iam:GetAccountPasswordPolicy" | |
], | |
"Resource": "*" | |
}, | |
{ | |
"Sid": "AllowUpdateRoute53IP", | |
"Effect": "Allow", | |
"Action": [ | |
"route53:ChangeResourceRecordSets" | |
], | |
"Resource": "*" | |
}, | |
{ | |
"Sid": "AllowUpdateRoute53IPViewCurrentState", | |
"Effect": "Allow", | |
"Action": [ | |
"route53:ListHostedZones", | |
"route53:ListResourceRecordSets", | |
"route53:GetHostedZone" | |
], | |
"Resource": "*" | |
}, | |
{ | |
"Sid": "Route53PermissionsToRunCfnCreate", | |
"Action": [ | |
"route53:GetChange" | |
], | |
"Effect": "Allow", | |
"Resource": "*" | |
}, | |
{ | |
"Sid": "IAMPermissionsToRunCfnCreate", | |
"Action": [ | |
"iam:AddRoleToInstanceProfile", | |
"iam:CreateInstanceProfile", | |
"iam:CreatePolicy", | |
"iam:CreateRole", | |
"iam:GetRole", | |
"iam:PassRole", | |
"iam:PutRolePolicy", | |
"iam:UploadServerCertificate" | |
], | |
"Effect": "Allow", | |
"Resource": "*" | |
}, | |
{ | |
"Sid": "IAMPermissionsToRunCfnDelete", | |
"Action": [ | |
"iam:DeleteInstanceProfile", | |
"iam:DeletePolicy", | |
"iam:DeleteRole", | |
"iam:DeleteRolePolicy", | |
"iam:DeleteServerCertificate", | |
"iam:RemoveRoleFromInstanceProfile" | |
], | |
"Effect": "Allow", | |
"Resource": "*" | |
}, | |
{ | |
"Sid": "RDSFullAccess", | |
"Action": [ | |
"rds:*", | |
"cloudwatch:DescribeAlarms", | |
"cloudwatch:GetMetricStatistics", | |
"ec2:DescribeAccountAttributes", | |
"ec2:DescribeAvailabilityZones", | |
"ec2:DescribeSecurityGroups", | |
"ec2:DescribeSubnets", | |
"ec2:DescribeVpcs", | |
"sns:ListSubscriptions", | |
"sns:ListTopics" | |
], | |
"Effect": "Allow", | |
"Resource": "*" | |
}, | |
{ | |
"Sid": "EC2FullAccess", | |
"Action": [ | |
"ec2:*", | |
"elasticloadbalancing:*", | |
"cloudwatch:*", | |
"autoscaling:*" | |
], | |
"Effect": "Allow", | |
"Resource": "*" | |
}, | |
{ | |
"Sid": "S3", | |
"Action": [ | |
"s3:CreateBucket", | |
"s3:DeleteBucket", | |
"s3:DeleteObject", | |
"s3:Get*", | |
"s3:List*", | |
"s3:Put*" | |
], | |
"Effect": "Allow", | |
"Resource": "*" | |
}, | |
{ | |
"Sid": "CfnAccess", | |
"Effect": "Allow", | |
"Resource": "*", | |
"Action": [ | |
"cloudformation:*" | |
] | |
}, | |
{ | |
"Sid": "Stmt1438359455520", | |
"Action": [ | |
"kms:CreateAlias", | |
"kms:CreateKey", | |
"kms:Decrypt", | |
"kms:GenerateDataKey", | |
"kms:List*" | |
], | |
"Effect": "Allow", | |
"Resource": "*" | |
} | |
] | |
} |