
@sbrinkmeyer
Last active May 22, 2017 17:39
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "EC2NonResourceBasedPermissions",
"Action": [
"ec2:Describe*",
"ec2:CreateKeyPair",
"ec2:CreateTags",
"ec2:CreateSecurityGroup",
"ec2:DeleteTags"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Sid": "ec2CreateImage",
"Condition": {
"StringLike": {
"ec2:InstanceProfile": "arn:aws:iam::968332798967:instance-profile/Lab1User-*"
}
},
"Resource": [
"*"
],
"Action": [
"ec2:CreateImage"
],
"Effect": "Allow"
},
{
"Sid": "ec2CreateSnapshot",
"Condition": {
"StringLike": {
"ec2:ResourceTag/Name": "Lab1User-*"
}
},
"Resource": [
"*"
],
"Action": [
"ec2:CreateSnapshot"
],
"Effect": "Allow"
},
{
"Sid": "EC2AllowInstanceActions",
"Condition": {
"StringLike": {
"ec2:InstanceProfile": "arn:aws:iam::968332798967:instance-profile/Lab1User-*"
}
},
"Resource": [
"arn:aws:ec2:us-west-2:968332798967:instance/*"
],
"Action": [
"ec2:RebootInstances",
"ec2:StopInstances",
"ec2:TerminateInstances",
"ec2:StartInstances",
"ec2:AttachVolume",
"ec2:DetachVolume"
],
"Effect": "Allow"
},
{
"Sid": "EC2RunInstances",
"Condition": {
"StringLike": {
"ec2:InstanceProfile": "arn:aws:iam::968332798967:instance-profile/Lab1User-*"
}
},
"Action": [
"ec2:RunInstances"
],
"Resource": "arn:aws:ec2:us-west-2:968332798967:instance/*",
"Effect": "Allow"
},
{
"Sid": "EC2RunInstancesSubnet",
"Condition": {
"StringEquals": {
"ec2:vpc": "arn:aws:ec2:us-west-2:968332798967:vpc/vpc-0de07068"
}
},
"Action": [
"ec2:RunInstances"
],
"Resource": "arn:aws:ec2:us-west-2:968332798967:subnet/*",
"Effect": "Allow"
},
{
"Sid": "EC2RemainingRunInstancePermissions",
"Action": [
"ec2:RunInstances"
],
"Resource": [
"arn:aws:ec2:us-west-2:968332798967:volume/*",
"arn:aws:ec2:us-west-2::image/*",
"arn:aws:ec2:us-west-2::snapshot/*",
"arn:aws:ec2:us-west-2:968332798967:network-interface/*",
"arn:aws:ec2:us-west-2:968332798967:key-pair/*",
"arn:aws:ec2:us-west-2:968332798967:security-group/*"
],
"Effect": "Allow"
},
{
"Sid": "EC2VpcNonresourceSpecificActions",
"Condition": {
"StringEquals": {
"ec2:vpc": "arn:aws:ec2:us-west-2:968332798967:vpc/vpc-0de07068"
}
},
"Action": [
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:DeleteSecurityGroup"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Sid": "DeniedPolicies",
"Effect": "Deny",
"Action": [
"iam:CreatePolicy",
"iam:CreatePolicyVersion",
"iam:DeletePolicy",
"iam:DeletePolicyVersion",
"iam:SetDefaultPolicyVersion"
],
"Resource": [
"*"
]
},
{
"Sid": "ListAllPolicies",
"Effect": "Allow",
"Action": [
"iam:ListRoles",
"iam:ListPolicies"
],
"Resource": [
"*"
]
},
{
"Action": "iam:PassRole",
"Resource": "arn:aws:iam::968332798967:role/Lab1User-*",
"Effect": "Allow",
"Sid": "EC2IAMPassroleToInstance"
},
{
"Sid": "AllowedNSPolicies",
"Effect": "Allow",
"Action": [
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:ListEntitiesForPolicy",
"iam:ListPolicyVersions"
],
"Resource": [
"arn:aws:iam::968332798967:policy/Lab1User-*"
]
},
{
"Sid": "ListInstanceProfile",
"Effect": "Allow",
"Action": [
"iam:AddRoleToInstanceProfile",
"iam:CreateInstanceProfile",
"iam:GetInstanceProfile",
"iam:ListInstanceProfiles"
],
"Resource": [
"arn:aws:iam::968332798967:instance-profile/Lab1User-*"
]
},
{
"Sid": "RolePolicyNamespaceActions",
"Effect": "Allow",
"Action": [
"iam:AttachRolePolicy",
"iam:DetachRolePolicy",
"iam:ListAttachedRolePolicies",
"iam:ListInstanceProfilesForRole",
"iam:ListRolePolicies"
],
"Resource": [
"arn:aws:iam::968332798967:role/Lab1User-*"
],
"Condition": {
"ArnLike": {
"iam:PolicyArn": "arn:aws:iam::968332798967:policy/Lab1User*"
}
}
},
{
"Sid": "RoleNamespaceActions",
"Effect": "Allow",
"Action": [
"iam:CreateRole",
"iam:ListAttachedRolePolicies",
"iam:ListInstanceProfilesForRole"
],
"Resource": [
"arn:aws:iam::968332798967:role/Lab1User-*"
]
},
{
"Sid": "S3ListBuckets",
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets"
],
"Resource": "*"
},
{
"Sid": "S3AccessRestrictedBucket",
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::lab1user*",
"arn:aws:s3:::lab1user*/*"
]
},
{
"Sid": "IAMServerCertificatePermissions",
"Effect": "Allow",
"Action": [
"iam:UploadServerCertificate",
"iam:DeleteServerCertificate",
"iam:ListServerCertificates",
"iam:UpdateServerCertificate",
"iam:UploadServerCertificate"
],
"Resource": "*"
},
{
"Sid": "ELBNonResourceBasedPermissions",
"Effect": "Allow",
"Action": [
"elasticloadbalancing:*"
],
"Resource": "arn:aws:elasticloadbalancing:us-west-2:968332798967:loadbalancer/Lab1User*"
},
{
"Sid": "DynamoDBListPermissions",
"Effect": "Allow",
"Action": [
"dynamodb:Describe*",
"dynamodb:List*"
],
"Resource": "arn:aws:dynamodb:us-west-2:968332798967:table/Lab1User*"
},
{
"Sid": "DynamoDBAllowPermissions",
"Effect": "Allow",
"Action": [
"dynamodb:*"
],
"Resource": "arn:aws:dynamodb:us-west-2:968332798967:table/Lab1User*"
},
{
"Action": [
"autoscaling:*"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "AutoscalingNonResourceBasedPermissions"
},
{
"Action": [
"tag:*"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "ResourceTaggingPermissions"
}
]
}