Last active
March 28, 2024 12:53
-
-
Save seeker815/21392a28dc9e9a335a452f0f01c4b97e to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| To ensure that access to `AWSCloudShellFullAccess` is restricted using Terraform, you can create IAM policies with the minimum necessary permissions and attach them to specific IAM users or groups. In this example, we will create an IAM policy that allows only essential AWS CLI actions, denying `AWSCloudShellFullAccess`. | |
| First, make sure you have the latest AWS provider version installed. You can check your current version by running: | |
| ```hcl | |
| terraform init -list-providers | |
| ``` | |
| Next, update your Terraform configuration file (e.g., `main.tf`) with the following code: | |
| ```hcl | |
| provider "aws" { | |
| version = "4.36.0" | |
| } | |
| # Replace this with your actual IAM user name or group name | |
| resource "aws_iam_user" "example_user" { | |
| name = "<your-username>" | |
| path = "/" | |
| } | |
| resource "aws_iam_group" "example_group" { | |
| name = "<your-group-name>" | |
| path = "/" | |
| managed_by = true | |
| } | |
| # Essential AWS CLI actions | |
| data "aws_iam_policy_document" "essential_cli_actions" { | |
| statement { | |
| effect = "Allow" | |
| actions = [ | |
| "sts:AssumeRole", | |
| "ec2:DescribeInstances", | |
| "s3:ListBucket", | |
| "s3:GetObject", | |
| # Add other necessary actions | |
| ] | |
| resources = ["*"] | |
| } | |
| } | |
| # Attach essential policy to the user or group | |
| resource "aws_iam_user_policy" "example_user_policy" { | |
| name = "<your-username-policy>" | |
| user = aws_iam_user.example_user.name | |
| policy = jsonencode(data.aws_iam_policy_document.essential_cli_actions.json) | |
| } | |
| resource "aws_iam_group_policy" "example_group_policy" { | |
| name = "<your-group-name-policy>" | |
| group = aws_iam_group.example_group.name | |
| policy = jsonencode(data.aws_iam_policy_document.essential_cli_actions.json) | |
| } | |
| # Deny AWSCloudShellFullAccess to the user or group | |
| resource "aws_iam_user_policy" "deny_cloudshell_fullaccess_user_policy" { | |
| name = "<your-username-deny-cloudshell>" | |
| user = aws_iam_user.example_user.name | |
| policy = jsonencode({ | |
| Version = "2012-10-17", | |
| Statement = [ | |
| { | |
| Effect = "Deny", | |
| Action = ["sts:AssumeRole"], | |
| Resource = "*:aws:cloudshell:*:*:*" | |
| }, | |
| { | |
| Effect = "Deny", | |
| Action = ["cloudwatch:*"], | |
| Resource = "*" | |
| }, | |
| # Add other denied actions related to AWSCloudShellFullAccess | |
| ] | |
| }) | |
| } | |
| resource "aws_iam_group_policy" "deny_cloudshell_fullaccess_group_policy" { | |
| name = "<your-group-name-deny-cloudshell>" | |
| group = aws_iam_group.example_group.name | |
| policy = jsonencode({ | |
| Version = "2012-10-17", | |
| Statement = [ | |
| { | |
| Effect = "Deny", | |
| Action = ["sts:AssumeRole"], | |
| Resource = "*:aws:cloudshell:*:*:*" | |
| }, | |
| { | |
| Effect = "Deny", | |
| Action = ["cloudwatch:*"], | |
| Resource = "*" | |
| }, | |
| # Add other denied actions related to AWSCloudShellFullAccess | |
| ] | |
| }) | |
| } | |
| ``` | |
| Replace `<your-username>`, `<your-group-name>`, and the policy names with your actual values. This configuration creates an IAM user or group, attaches a minimal policy for essential AWS CLI actions, and denies access to `AWSCloudShellFullAccess`. | |
| After applying this Terraform configuration, the specified IAM user or group will only have access to the essential AWS CLI actions and be denied `AWSCloudShellFullAccess` permissions. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment