@kmcquade
Last active October 30, 2020 13:44
Policy Sentry template to deploy a full-stack serverless app (Lambda functions, API Gateway, CloudFront distribution, and S3 objects)
cat
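---
# Policy Sentry CRUD template for the deployment automation user. Policy
# Sentry renders it into the IAM policy JSON shown after this template.
mode: crud
name: 'ServerlessAppDeployAutomationUser'
# Specify resource ARNs
# NOTE(review): the execute-api ARN below matches every API, stage, method and
# path in every region and account ('*:*:*/*/*/*'); narrow it to the app's
# API id once that is known. 'mydistributionid' is a placeholder for the real
# CloudFront distribution id.
read:
- 'arn:aws:execute-api:*:*:*/*/*/*'
- 'arn:aws:lambda:*:*:function:cloudsplaining-*'
- 'arn:aws:s3:::cloudsplaining-serverless-*/*'
- 'arn:aws:cloudfront::*:distribution/mydistributionid'
write:
- 'arn:aws:execute-api:*:*:*/*/*/*'
- 'arn:aws:lambda:*:*:function:cloudsplaining-*'
- 'arn:aws:s3:::cloudsplaining-serverless-*/*'
- 'arn:aws:cloudfront::*:distribution/mydistributionid'
list:
- 'arn:aws:execute-api:*:*:*/*/*/*'
- 'arn:aws:lambda:*:*:function:cloudsplaining-*'
- 'arn:aws:s3:::cloudsplaining-serverless-*/*'
- 'arn:aws:cloudfront::*:distribution/mydistributionid'
tagging:
- 'arn:aws:lambda:*:*:function:cloudsplaining-*'
- 'arn:aws:s3:::cloudsplaining-serverless-*/*'
- 'arn:aws:cloudfront::*:distribution/mydistributionid'
# Object-level permissions management renders as the object ACL actions
# (the s3:putobjecta* / s3:putobjectversiona* prefixes in the rendered
# policy). Drop this entry if the deploy user only needs to upload objects.
permissions-management:
- 'arn:aws:s3:::cloudsplaining-serverless-*/*'
# Actions that do not support resource constraints
# Everything under wildcard-only ends up in the rendered statement whose
# Resource is "*", so keep it to the service-wide read/list calls the
# deployment actually needs. The sub-keys must be nested under wildcard-only;
# at top level they would be ignored and wildcard-only would parse as null.
wildcard-only:
  single-actions:  # standalone actions
  - ''
  # Service-wide - like 's3' or 'ec2'
  service-read:
  - 's3'
  - 'cloudfront'
  service-write:
  - ''
  # TODO: Might need to include Cloudfront here??
  service-list:
  - 'lambda'
  - 's3'
  - 'cloudfront'
  service-tagging:
  - ''
  service-permissions-management:
  - ''
# Skip resource constraint requirements by listing actions here.
skip-resource-constraints:
- ''
# Exclude actions from the output by specifying them here. Accepts wildcards, like kms:Delete*
# Lambda deletes are excluded, but CloudFront delete actions are not (the
# rendered policy still contains cloudfront:deleted*). Add 'cloudfront:Delete*'
# here if the deploy automation should never tear down the distribution.
exclude-actions:
- 'lambda:Delete*'
- 'lambda:AddPermission'
- 'lambda:RemovePermission'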
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "MultMultNone",
"Effect": "Allow",
"Action": [
"cloudfront:getca*",
"cloudfront:getf*",
"cloudfront:geto*",
"cloudfront:getp*",
"cloudfront:listc*",
"cloudfront:listd*",
"cloudfront:listf*",
"cloudfront:listo*",
"cloudfront:listp*",
"cloudfront:lists*",
"lambda:liste*",
"lambda:listfunctions",
"lambda:listl*",
"s3:getaccesspoint",
"s3:getacco*",
"s3:lista*",
"s3:listj*"
],
"Resource": [
"*"
]
},
{
"Sid": "LambdaMultFunctioncloudsplaining",
"Effect": "Allow",
"Action": [
"lambda:getal*",
"lambda:getf*",
"lambda:getpo*",
"lambda:listt*",
"lambda:createa*",
"lambda:createf*",
"lambda:i*",
"lambda:publishv*",
"lambda:putf*",
"lambda:updatea*",
"lambda:updatef*",
"lambda:lista*",
"lambda:listfunctione*",
"lambda:listp*",
"lambda:listv*",
"lambda:t*",
"lambda:un*"
],
"Resource": [
"arn:aws:lambda:*:*:function:cloudsplaining-*"
]
},
{
"Sid": "S3MultCloudsplainingserverless",
"Effect": "Allow",
"Action": [
"s3:geto*",
"s3:a*",
"s3:deleteobject",
"s3:deleteobjectversion",
"s3:putobject",
"s3:putobjectl*",
"s3:putobjectr*",
"s3:replicated*",
"s3:replicateo*",
"s3:res*",
"s3:listm*",
"s3:deleteobjectt*",
"s3:deleteobjectversiont*",
"s3:putobjectt*",
"s3:putobjectversiont*",
"s3:replicatet*",
"s3:b*",
"s3:o*",
"s3:putobjecta*",
"s3:putobjectversiona*"
],
"Resource": [
"arn:aws:s3:::cloudsplaining-serverless-*/*"
]
},
{
"Sid": "CloudfrontMultDistributionmydistributionid",
"Effect": "Allow",
"Action": [
"cloudfront:getd*",
"cloudfront:geti*",
"cloudfront:listt*",
"cloudfront:created*",
"cloudfront:createi*",
"cloudfront:deleted*",
"cloudfront:updated*",
"cloudfront:listi*",
"cloudfront:t*",
"cloudfront:un*"
],
"Resource": [
"arn:aws:cloudfront::*:distribution/mydistributionid"
]
},
{
"Sid": "ExecuteapiWriteExecuteapigeneral",
"Effect": "Allow",
"Action": [
"execute-api:i*",
"execute-api:m*"
],
"Resource": [
"arn:aws:execute-api:*:*:*/*/*/*"
]
}
]
}