Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
社外の開発メンバーに付与するAWS IAMポリシーの例
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"NotAction": [
"organizations:*",
"sso:*",
"sso-directory:*"
],
"Resource": "*"
},
{
"Effect": "Deny",
"Action": [
"iam:AddUserToGroup",
"iam:AttachGroupPolicy",
"iam:AttachUserPolicy",
"iam:CreateGroup",
"iam:DeleteGroup",
"iam:DeleteGroupPolicy",
"iam:DetachGroupPolicy",
"iam:PutGroupPolicy",
"iam:CreateUser",
"iam:DeleteUser",
"iam:DeleteUserPolicy",
"iam:DetachUserPolicy",
"iam:PutUserPolicy",
"iam:RemoveUserFromGroup"
],
"Resource": "*"
},
{
"Effect": "Deny",
"Action": [
"iam:AttachRolePolicy",
"iam:CreatePolicy*"
],
"Resource": "arn:aws:iam::*:policy/Administrator*"
},
{
"Effect": "Deny",
"Action": [
"iam:AttachRolePolicy",
"iam:CreatePolicy*"
],
"Resource": "*",
"Condition": {
"ArnEquals": {
"iam:PolicyARN": [
"arn:aws:iam::*:policy/Administrator*"
]
}
}
},
{
"Effect": "Deny",
"Action": [
"iam:EnableMFADevice",
"iam:ResyncMFADevice",
"iam:DeactivateMFADevice",
"iam:DeleteVirtualMFADevice"
],
"NotResource": [
"arn:aws:iam::*:mfa/${aws:username}",
"arn:aws:iam::*:user/${aws:username}"
]
},
{
"Effect": "Deny",
"Action": [
"iam:CreateAccessKey",
"iam:DeleteAccessKey",
"iam:UpdateAccessKey",
"iam:ChangePassword",
"iam:DeleteLoginProfile",
"iam:UpdateLoginProfile",
"iam:DeleteSSHPublicKey",
"iam:UpdateSSHPublicKey",
"iam:CreateServiceSpecificCredential",
"iam:DeleteServiceSpecificCredential",
"iam:ResetServiceSpecificCredential",
"iam:UpdateServiceSpecificCredential",
"iam:DeleteSigningCertificate",
"iam:UpdateSigningCertificate",
"iam:UploadSigningCertificate"
],
"NotResource": [
"arn:aws:iam::*:user/${aws:username}"
]
},
{
"Effect": "Deny",
"Action": [
"aws-portal:*Account",
"aws-portal:ModifyBilling",
"aws-portal:*PaymentMethods",
"account:EnableRegion",
"account:DisableRegion"
],
"Resource": [
"*"
]
},
{
"Effect": "Deny",
"Action": [
"cloudtrail:StopLogging",
"cloudtrail:DeleteTrail"
],
"Resource": "*"
},
{
"Effect": "Deny",
"Action": [
"config:Delete*",
"config:StopConfigurationRecorder"
],
"Resource": "*"
}
]
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.