{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAllPermissionsExceptIAMUserOrRole",
"Effect": "Allow",
"NotAction": [
"iam:CreateUser",
"iam:AttachUserPolicy",
"iam:PutUserPolicy",
"iam:PutUserPermissionsBoundary",
"iam:CreateRole",
"iam:AttachRolePolicy",
"iam:PutRolePolicy",
"iam:PutRolePermissionsBoundary",
"iam:CreatePolicyVersion",
"iam:DeletePolicy",
"iam:DeletePolicyVersion",
"iam:SetDefaultPolicyVersion",
"iam:DeleteRolePermissionsBoundary",
"iam:DeleteUserPermissionsBoundary",
"ec2:RunInstances",
"ec2:CreateVolume",
"ec2:CreateTags"
],
"Resource": "*"
},
{
"Sid": "RequirePermissionsBoundaryForServiceAccounts",
"Effect": "Allow",
"Action": [
"iam:CreateUser",
"iam:AttachUserPolicy",
"iam:PutUserPolicy",
"iam:PutUserPermissionsBoundary"
],
"Resource": "arn:aws:iam::123456789012:user/svc*",
"Condition": {
"StringEquals": {
"iam:PermissionsBoundary": "arn:aws:iam::123456789012:policy/serviceAccount-pb"
}
}
},
{
"Sid": "RequirePermissionsBoundaryForUserAccounts",
"Effect": "Allow",
"Action": [
"iam:CreateUser",
"iam:AttachUserPolicy",
"iam:PutUserPolicy",
"iam:PutUserPermissionsBoundary"
],
"NotResource": "arn:aws:iam::123456789012:user/svc*",
"Condition": {
"StringEquals": {
"iam:PermissionsBoundary": "arn:aws:iam::123456789012:policy/multiFactor-pb"
}
}
},
{
"Sid": "RequirePermissionsBoundaryForRoles",
"Effect": "Allow",
"Action": [
"iam:CreateRole",
"iam:AttachRolePolicy",
"iam:PutRolePolicy",
"iam:PutRolePermissionsBoundary"
],
"Resource": "arn:aws:iam::123456789012:role/*",
"Condition": {
"StringEquals": {
"iam:PermissionsBoundary": "arn:aws:iam::123456789012:policy/role-pb"
}
}
},
{
"Sid": "NoBoundaryPolicyEdit1",
"Effect": "Deny",
"Action": [
"iam:CreatePolicyVersion",
"iam:DeletePolicy",
"iam:DeletePolicyVersion",
"iam:SetDefaultPolicyVersion"
],
"Resource": "arn:aws:iam::123456789012:policy/*-pb"
},
{
"Sid": "NoBoundaryPolicyEdit2",
"Effect": "Allow",
"Action": [
"iam:CreatePolicyVersion",
"iam:DeletePolicy",
"iam:DeletePolicyVersion",
"iam:SetDefaultPolicyVersion"
],
"NotResource": "arn:aws:iam::123456789012:policy/*-pb"
},
{
"Sid": "NoBoundaryPermissionDelete",
"Effect": "Deny",
"Action": [
"iam:DeleteRolePermissionsBoundary",
"iam:DeleteUserPermissionsBoundary"
],
"Resource": "*"
},
{
"Sid": "AllowRunInstances",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:*::image/*",
"arn:aws:ec2:*::snapshot/*",
"arn:aws:ec2:*:*:subnet/*",
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*:*:key-pair/*"
]
},
{
"Sid": "AllowRunInstancesWithRestrictions",
"Effect": "Allow",
"Action": [
"ec2:CreateVolume",
"ec2:RunInstances"
],
"Resource": [
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*:*:instance/*"
],
"Condition": {
"StringEquals": {
"aws:RequestTag/owner": "ThoughtWorks"
},
"ForAllValues:StringEquals": {
"aws:TagKeys": [
"owner"
]
}
}
},
{
"Sid": "AllowCreateTagsOnlyLaunching",
"Effect": "Allow",
"Action": [
"ec2:CreateTags"
],
"Resource": [
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*:*:instance/*"
],
"Condition": {
"StringEquals": {
"ec2:CreateAction": "RunInstances"
}
}
}
]
}