snack_pentest.tf
# pentest.tf
# Creates two named Synack pentester IAM users and a private S3 bucket, and grants
# them scoped access to that bucket through a bucket policy that the pipeline can
# switch between Allow and explicit Deny.
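variable "bucket_root_name" {
  # Used as bucket_prefix on the aws_s3_bucket resource, so AWS appends a
  # random suffix; the final bucket name is therefore not this value verbatim.
  description = "Prefix for the pentest bucket name (must be a valid S3 bucket-name prefix)."
  type        = string
}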
# Parameter in the GoCD pipeline: true grants the pentesters access, false turns every
# statement in the bucket policy into an explicit Deny (access is withdrawn without
# destroying the users).
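variable "synack_pentest_bool" {
  description = "true = grant the pentesters access to the bucket; false = explicit Deny on every statement."
  type        = bool
  # Fail closed: if the pipeline forgets to pass the parameter, the engagement
  # is off rather than on. Existing callers that set it explicitly are unaffected.
  default = false
}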
# S3 bucket policies can only name users, roles and accounts as a Principal, never an
# IAM group, so the pentesters are plain IAM users with no group membership. No access
# keys or console passwords are created here; credentials must be issued out of band.
# First Synack pentester identity. Kept under its own IAM path so the pentester
# users can be found (and cleaned up) as a set.
resource "aws_iam_user" "synack_pentester1" {
  path = "/synack_pentesters/"
  name = "synack_pentester1"
}
# Second Synack pentester identity, same IAM path as the first.
resource "aws_iam_user" "synack_pentester2" {
  path = "/synack_pentesters/"
  name = "synack_pentester2"
}
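# The bucket the pentesters work in. bucket_prefix lets AWS append a random
# suffix so repeated engagements do not collide on a global bucket name.
resource "aws_s3_bucket" "bucket" {
  bucket_prefix = var.bucket_root_name
  # NOTE(review): on AWS provider >= 4.0 the acl argument is deprecated and
  # should move to a separate aws_s3_bucket_acl resource.
  acl = "private"
}

# The bucket policy only ever names specific IAM users; make sure neither an
# ACL nor a later policy edit can open the bucket to anonymous or cross-account
# public access. If `terraform apply` reports a conflicting conditional
# operation, add `depends_on = [aws_s3_bucket_public_access_block.bucket]`
# to aws_s3_bucket_policy.bucket so the two are not applied concurrently.
resource "aws_s3_bucket_public_access_block" "bucket" {
  bucket                  = aws_s3_bucket.bucket.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}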
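# Pieces shared by every statement of the bucket policy, so the three
# statements cannot drift apart when the user list or the toggle changes.
locals {
  # Explicit Deny (not merely the absence of an Allow) when the engagement is
  # off, so an identity-based policy attached to these users cannot re-open
  # the bucket on its own.
  synack_effect = var.synack_pentest_bool ? "Allow" : "Deny"

  # Bucket-policy principals that are IAM users must be wrapped in an "AWS"
  # key; S3 rejects a bare JSON list of ARNs as a Principal.
  synack_principal = {
    AWS = [
      aws_iam_user.synack_pentester1.arn,
      aws_iam_user.synack_pentester2.arn,
    ]
  }
}

# Grants the two pentester users scoped access to the bucket:
#   - list the bucket
#   - read/write/delete under trans/ and input/
#   - read-only under output/
resource "aws_s3_bucket_policy" "bucket" {
  bucket = aws_s3_bucket.bucket.id

  policy = jsonencode({
    Version = "2012-10-17"
    Id      = "synack_pentesters"
    Statement = [
      {
        # ListBucket is a bucket-level action, so the Resource is the bucket
        # ARN itself (aws_s3_bucket.bucket.arn; ".id" is the bucket name, a
        # plain string with no .arn attribute).
        # NOTE(review): this lets the pentesters enumerate every key in the
        # bucket, not only trans/, input/ and output/, even though they can
        # only read objects under those prefixes. Add a Condition on
        # "s3:prefix" if other key names in this bucket are sensitive.
        Sid       = "synack_pentesters1"
        Effect    = local.synack_effect
        Principal = local.synack_principal
        Action    = ["s3:ListBucket"]
        Resource  = [aws_s3_bucket.bucket.arn]
      },
      {
        # Scratch areas the pentesters may read, write and delete in. trans/
        # and input/ previously had identical permissions in two statements;
        # one statement listing both resources is equivalent.
        Sid       = "synack_pentesters2"
        Effect    = local.synack_effect
        Principal = local.synack_principal
        Action    = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
        Resource = [
          "${aws_s3_bucket.bucket.arn}/trans/*",
          "${aws_s3_bucket.bucket.arn}/input/*",
        ]
      },
      {
        # Deliverables handed to the pentesters are read-only for them.
        Sid       = "synack_pentesters3"
        Effect    = local.synack_effect
        Principal = local.synack_principal
        Action    = ["s3:GetObject"]
        Resource  = ["${aws_s3_bucket.bucket.arn}/output/*"]
      },
    ]
  })
}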