@miglen
Created December 15, 2020 17:52
IAM Policy to deny API actions that could potentially allow privilege escalation.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyPriviledgeEscallationActions",
      "Effect": "Deny",
      "Action": [
        "cloudformation:CreateStack",
        "codestar:AssociateTeamMember",
        "codestar:CreateProject",
        "codestar:CreateProjectFromTemplate",
        "datapipeline:CreatePipeline",
        "datapipeline:PutPipelineDefinition",
        "dynamodb:CreateTable",
        "dynamodb:PutItem",
        "ec2:RunInstances",
        "glue:CreateDevEndpoint",
        "glue:UpdateDevEndpoint",
        "iam:AddUserToGroup",
        "iam:AttachGroupPolicy",
        "iam:AttachRolePolicy",
        "iam:AttachUserPolicy",
        "iam:CreateAccessKey",
        "iam:CreateLoginProfile",
        "iam:CreatePolicyVersion",
        "iam:PassRole",
        "iam:PutGroupPolicy",
        "iam:PutRolePolicy",
        "iam:PutUserPolicy",
        "iam:SetDefaultPolicyVersion",
        "iam:UpdateAssumeRolePolicy",
        "iam:UpdateLoginProfile",
        "lambda:AddPermission",
        "lambda:CreateEventSourceMapping",
        "lambda:CreateFunction",
        "lambda:InvokeFunction",
        "lambda:UpdateFunctionCode",
        "lambda:UpdateFunctionConfiguration",
        "sagemaker:CreateNotebookInstance",
        "sagemaker:CreatePresignedNotebookInstanceUrl",
        "sts:AssumeRole"
      ],
      "Resource": "*"
    }
  ]
}
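The point of attaching this policy is that an explicit Deny wins over any Allow the same principal holds, so the listed actions stay blocked even next to a broad grant. The script below is an added example, not part of the gist: it embeds the gist's policy as a Python dict and evaluates it offline with a small model of IAM's decision order (explicit Deny, then Allow, then implicit deny) and IAM-style `*`/`?` wildcard matching. `ADMIN_ALLOW`, `EXAMPLE_ROLE_ARN`, `evaluate` and `still_allowed` are constructed for the example; the account id is the AWS documentation placeholder. Conditions, NotAction/NotResource, resource policies, SCPs and permissions boundaries are deliberately out of scope.

```python
"""Offline check of the deny policy against IAM's explicit-deny-wins rule.

Added example, not part of the gist. Models identity-based Allow/Deny only,
with '*' and '?' wildcards; Condition/NotAction/NotResource are rejected.
"""
import re

# The gist's policy, as a Python dict so the script runs with no AWS access.
DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyPriviledgeEscallationActions",
        "Effect": "Deny",
        "Action": [
            "cloudformation:CreateStack", "codestar:AssociateTeamMember",
            "codestar:CreateProject", "codestar:CreateProjectFromTemplate",
            "datapipeline:CreatePipeline", "datapipeline:PutPipelineDefinition",
            "dynamodb:CreateTable", "dynamodb:PutItem", "ec2:RunInstances",
            "glue:CreateDevEndpoint", "glue:UpdateDevEndpoint",
            "iam:AddUserToGroup", "iam:AttachGroupPolicy", "iam:AttachRolePolicy",
            "iam:AttachUserPolicy", "iam:CreateAccessKey", "iam:CreateLoginProfile",
            "iam:CreatePolicyVersion", "iam:PassRole", "iam:PutGroupPolicy",
            "iam:PutRolePolicy", "iam:PutUserPolicy", "iam:SetDefaultPolicyVersion",
            "iam:UpdateAssumeRolePolicy", "iam:UpdateLoginProfile",
            "lambda:AddPermission", "lambda:CreateEventSourceMapping",
            "lambda:CreateFunction", "lambda:InvokeFunction",
            "lambda:UpdateFunctionCode", "lambda:UpdateFunctionConfiguration",
            "sagemaker:CreateNotebookInstance",
            "sagemaker:CreatePresignedNotebookInstanceUrl", "sts:AssumeRole",
        ],
        "Resource": "*",
    }],
}

# Constructed stand-in for a broad admin grant attached to the same principal.
ADMIN_ALLOW = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed ARN using the AWS documentation placeholder account id.
EXAMPLE_ROLE_ARN = "arn:aws:iam::123456789012:role/example-role"


def _as_list(value):
    # IAM accepts a single string or a list for Statement, Action and Resource.
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value, ignore_case):
    # IAM patterns treat '*' as any run of characters and '?' as one character;
    # everything else is literal, so build a regex from the escaped pattern.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def _statement_applies(stmt, action, resource):
    for unsupported in ("Condition", "NotAction", "NotResource", "Principal"):
        if unsupported in stmt:
            raise ValueError(f"{unsupported} is not modelled by this evaluator")
    # Action names are case-insensitive in IAM; ARNs are compared case-sensitively.
    action_hit = any(_wildcard_match(a, action, True) for a in _as_list(stmt["Action"]))
    resource_hit = any(_wildcard_match(r, resource, False) for r in _as_list(stmt["Resource"]))
    return action_hit and resource_hit


def evaluate(policies, action, resource):
    """Return 'explicitDeny', 'allow' or 'implicitDeny' for one API call.

    Mirrors IAM's order: an applicable Deny ends evaluation at once, otherwise
    any applicable Allow grants, otherwise the default is to deny.
    """
    decision = "implicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "explicitDeny"
            decision = "allow"
    return decision


def still_allowed(policies, actions, resource):
    """Subset of `actions` that the attached policy set leaves permitted."""
    return [a for a in actions if evaluate(policies, a, resource) == "allow"]


if __name__ == "__main__":
    attached = [ADMIN_ALLOW, DENY_POLICY]
    for act in ("iam:PassRole", "IAM:passrole", "sts:AssumeRole", "s3:GetObject"):
        print(f"{act:<16} -> {evaluate(attached, act, EXAMPLE_ROLE_ARN)}")
    print("escalation actions left open:",
          still_allowed(attached, DENY_POLICY["Statement"][0]["Action"], EXAMPLE_ROLE_ARN))
```

Running it shows every listed action evaluating to `explicitDeny` regardless of the admin Allow and regardless of action-name casing, while an unlisted action such as `s3:GetObject` stays allowed. Because the statement uses `"Resource": "*"` with no `Condition`, the same logic also blocks every legitimate call to those APIs (for example all `sts:AssumeRole` role switching), which is the trade-off to weigh before attaching it unchanged; narrowing `Resource` or adding a `Condition` would need to be modelled separately from this evaluator.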