AWS IAM policies.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "MultiServiceFullAccessCustom",
"Effect": "Allow",
"Action": [
"ec2:*",
"rds:*"
],
"Resource": [
"*"
],
"Condition": {
"StringEquals": {
"aws:RequestedRegion": [
"us-east-1",
"us-east-2",
"us-west-2"
]
}
}
},
{
"Sid": "Ec2RunInstanceCustomSize",
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:*:*:instance/*"
],
"Condition": {
"ForAnyValue:StringNotLike": {
"ec2:InstanceType": [
"*.nano",
"*.micro",
"*.small",
"*.medium",
"*.large"
]
}
}
},
{
"Sid": "RdsFullAccessCustomSize",
"Effect": "Deny",
"Action": [
"rds:CreateDBInstance",
"rds:CreateDBCluster"
],
"Resource": [
"arn:aws:rds:*:*:db:*"
],
"Condition": {
"ForAnyValue:StringNotLike": {
"rds:DatabaseClass": [
"*.micro",
"*.small",
"*.medium",
"*.large"
]
}
}
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PublicReadGetObject",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::login.stage.project-name.com/*"
},
{
"Sid": "Example permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<REMOTE ACCOUNT-ID>:root"
},
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::login.stage.project-name.com"
},
{
"Sid": "S3 cross-account permissions Read-Write",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<REMOTE ACCOUNT-ID>:root"
},
"Action": [
"s3:PutObject",
"s3:GetObject"
],
"Resource": "arn:aws:s3:::login.stage.project-name.com/*"
},
{
"Sid": "AddCannedAcl",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<REMOTE ACCOUNT-ID>:root"
},
"Action": [
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": "arn:aws:s3:::login.stage.project-name.com/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
}
]
}