Skip to content

Instantly share code, notes, and snippets.

@ashb

ashb/policy.json

Last active August 29, 2015 14:26
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save ashb/2dedd651f249582940f3 to your computer and use it in GitHub Desktop.
Save ashb/2dedd651f249582940f3 to your computer and use it in GitHub Desktop.
Download ZIP
Complex policy much?
Raw
policy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowEC2ProductionReadOnly",
"Resource": "*",
"Effect": "Allow",
"Action": [
"ec2:Describe*",
"ec2:List*"
],
"Condition": {
"StringEquals": {
"ec2:ResourceTag/Env": "prod"
}
}
},
{
"Sid": "DisallowEC2Production",
"Resource": "*",
"Effect": "Deny",
"Action": [
"ec2:*"
],
"Condition": {
"StringEquals": {
"ec2:ResourceTag/Env": "prod"
}
}
},
{
"Sid": "DisallowRDSProduction",
"Resource": "*",
"Effect": "Deny",
"Action": [
"rds:*"
],
"Condition": {
"StringEquals": {
"rds:db-tag/Env": "prod"
}
}
},
{
"Sid": "DisallowCfnProd",
"Action": [
"cloudformation:Delete*",
"cloudformation:Update*"
],
"Effect": "Deny",
"Resource": "arn:aws:cloudformation:*:*:stack/*prod*/*"
},
{
"Sid": "DisallowIAMAnythingProd",
"Action": [
"iam:*"
],
"Effect": "Deny",
"Resource": [
"arn:aws:iam::*:role/*prod*",
"arn:aws:iam::*:policy/*prod*",
"arn:aws:iam::*:instance-profile/*prod*",
"arn:aws:iam::*:server-certificate/*prod*"
]
},
{
"Sid": "DisallowKMSProdKeys",
"Action": [
"kms:*"
],
"Effect": "Deny",
"Resource": "*",
"Condition": {
"StringLike": {
"kms:EncryptionContext": "prod"
}
}
},
{
"Sid": "DisallowS3Production",
"Resource": "arn:aws:s3:::*prod*",
"Effect": "Deny",
"Action": [
"s3:Put*",
"s3:Delete*"
]
},
{
"Sid": "LetUserChangeOwnPassword",
"Effect": "Allow",
"Action": [
"iam:ChangePassword",
"iam:GetAccountPasswordPolicy"
],
"Resource": "*"
},
{
"Sid": "AllowUpdateRoute53IP",
"Effect": "Allow",
"Action": [
"route53:ChangeResourceRecordSets"
],
"Resource": "*"
},
{
"Sid": "AllowUpdateRoute53IPViewCurrentState",
"Effect": "Allow",
"Action": [
"route53:ListHostedZones",
"route53:ListResourceRecordSets",
"route53:GetHostedZone"
],
"Resource": "*"
},
{
"Sid": "Route53PermissionsToRunCfnCreate",
"Action": [
"route53:GetChange"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Sid": "IAMPermissionsToRunCfnCreate",
"Action": [
"iam:AddRoleToInstanceProfile",
"iam:CreateInstanceProfile",
"iam:CreatePolicy",
"iam:CreateRole",
"iam:GetRole",
"iam:PassRole",
"iam:PutRolePolicy",
"iam:UploadServerCertificate"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Sid": "IAMPermissionsToRunCfnDelete",
"Action": [
"iam:DeleteInstanceProfile",
"iam:DeletePolicy",
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"iam:DeleteServerCertificate",
"iam:RemoveRoleFromInstanceProfile"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Sid": "RDSFullAccess",
"Action": [
"rds:*",
"cloudwatch:DescribeAlarms",
"cloudwatch:GetMetricStatistics",
"ec2:DescribeAccountAttributes",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"sns:ListSubscriptions",
"sns:ListTopics"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Sid": "EC2FullAccess",
"Action": [
"ec2:*",
"elasticloadbalancing:*",
"cloudwatch:*",
"autoscaling:*"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Sid": "S3",
"Action": [
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:DeleteObject",
"s3:Get*",
"s3:List*",
"s3:Put*"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Sid": "CfnAccess",
"Effect": "Allow",
"Resource": "*",
"Action": [
"cloudformation:*"
]
},
{
"Sid": "Stmt1438359455520",
"Action": [
"kms:CreateAlias",
"kms:CreateKey",
"kms:Decrypt",
"kms:GenerateDataKey",
"kms:List*"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment