2017-12-15 14:15:01 +01:00
|
|
|
{
|
|
|
|
|
"Version": "2012-10-17",
|
|
|
|
|
"Statement": [
|
|
|
|
|
{
|
|
|
|
|
"Action": [
|
2018-09-18 01:53:44 +02:00
|
|
|
"iam:GetGroup",
|
2018-08-24 03:04:18 +02:00
|
|
|
"iam:GetInstanceProfile",
|
2019-06-12 16:25:54 +02:00
|
|
|
"iam:CreateInstanceProfile",
|
2017-12-15 14:15:01 +01:00
|
|
|
"iam:GetPolicy",
|
|
|
|
|
"iam:GetPolicyVersion",
|
|
|
|
|
"iam:GetRole",
|
2018-08-24 03:04:18 +02:00
|
|
|
"iam:GetRolePolicy",
|
2018-09-18 01:53:44 +02:00
|
|
|
"iam:GetUser",
|
|
|
|
|
"iam:ListAttachedGroupPolicies",
|
2017-12-15 14:15:01 +01:00
|
|
|
"iam:ListAttachedRolePolicies",
|
2018-09-18 01:53:44 +02:00
|
|
|
"iam:ListAttachedUserPolicies",
|
2017-12-15 14:15:01 +01:00
|
|
|
"iam:ListGroups",
|
2018-08-24 03:04:18 +02:00
|
|
|
"iam:ListInstanceProfiles",
|
2017-12-15 14:15:01 +01:00
|
|
|
"iam:ListInstanceProfilesForRole",
|
|
|
|
|
"iam:ListPolicies",
|
|
|
|
|
"iam:ListRoles",
|
|
|
|
|
"iam:ListRolePolicies",
|
2018-08-22 23:21:12 +02:00
|
|
|
"iam:ListUsers",
|
|
|
|
|
"iam:ListAccountAliases"
|
2017-12-15 14:15:01 +01:00
|
|
|
],
|
|
|
|
|
"Resource": "*",
|
|
|
|
|
"Effect": "Allow",
|
|
|
|
|
"Sid": "AllowReadOnlyIAMUse"
|
2018-02-02 00:16:27 +01:00
|
|
|
},
|
2019-09-20 22:26:29 +02:00
|
|
|
{
|
|
|
|
|
"Action": [
|
|
|
|
|
"iam:CreatePolicy",
|
|
|
|
|
"iam:ListPolicyVersions",
|
|
|
|
|
"iam:ListEntitiesForPolicy",
|
|
|
|
|
"iam:DeletePolicy"
|
|
|
|
|
],
|
|
|
|
|
"Resource": "arn:aws:iam::{{ aws_account }}:policy/ansible-test-*",
|
|
|
|
|
"Effect": "Allow",
|
|
|
|
|
"Sid": "AllowManagementOfSpecificPolicies"
|
|
|
|
|
},
|
2019-03-06 13:46:37 +01:00
|
|
|
{
|
|
|
|
|
"Action": [
|
|
|
|
|
"iam:AttachRolePolicy",
|
|
|
|
|
"iam:CreateRole",
|
|
|
|
|
"iam:DeleteRole",
|
2019-09-20 22:26:29 +02:00
|
|
|
"iam:DeleteRolePolicy",
|
|
|
|
|
"iam:DeleteRolePermissionsBoundary",
|
2019-03-06 13:46:37 +01:00
|
|
|
"iam:DetachRolePolicy",
|
2019-09-21 03:46:37 +02:00
|
|
|
"iam:PutRolePolicy",
|
2019-07-04 21:25:19 +02:00
|
|
|
"iam:PassRole",
|
2019-09-20 22:26:29 +02:00
|
|
|
"iam:PutRolePolicy",
|
|
|
|
|
"iam:PutRolePermissionsBoundary",
|
2019-07-04 21:25:19 +02:00
|
|
|
"iam:UpdateAssumeRolePolicy",
|
2019-09-20 22:26:29 +02:00
|
|
|
"iam:UpdateRole",
|
|
|
|
|
"iam:UpdateRoleDescription",
|
2019-07-04 21:25:19 +02:00
|
|
|
"sts:AssumeRole"
|
2019-03-06 13:46:37 +01:00
|
|
|
],
|
|
|
|
|
"Resource": "arn:aws:iam::{{ aws_account }}:role/ansible-test-*",
|
|
|
|
|
"Effect": "Allow",
|
|
|
|
|
"Sid": "AllowUpdateOfSpecificRoles"
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"Action": [
|
|
|
|
|
"iam:CreateInstanceProfile",
|
|
|
|
|
"iam:DeleteInstanceProfile",
|
|
|
|
|
"iam:AddRoleToInstanceProfile",
|
|
|
|
|
"iam:RemoveRoleFromInstanceProfile"
|
|
|
|
|
],
|
|
|
|
|
"Resource": "arn:aws:iam::{{ aws_account }}:instance-profile/ansible-test-*",
|
|
|
|
|
"Effect": "Allow",
|
|
|
|
|
"Sid": "AllowUpdateOfSpecificInstanceProfiles"
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"Action": [
|
|
|
|
|
"ec2:ReplaceIamInstanceProfileAssociation"
|
|
|
|
|
],
|
|
|
|
|
"Resource": "*",
|
|
|
|
|
"Condition": {
|
|
|
|
|
"ArnEquals": {
|
|
|
|
|
"ec2:InstanceProfile": "arn:aws:iam::{{ aws_account }}:instance-profile/ansible-test-*"
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"Effect": "Allow",
|
|
|
|
|
"Sid": "AllowReplacementOfSpecificInstanceProfiles"
|
|
|
|
|
},
|
2018-02-02 00:16:27 +01:00
|
|
|
{
|
|
|
|
|
"Sid": "AllowWAFusage",
|
|
|
|
|
"Action": "waf:*",
|
|
|
|
|
"Effect": "Allow",
|
|
|
|
|
"Resource": "*"
|
2018-11-14 18:15:24 +01:00
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"Sid": "AllowListingCloudwatchLogs",
|
|
|
|
|
"Effect": "Allow",
|
|
|
|
|
"Action": [
|
|
|
|
|
"logs:DescribeLogGroups"
|
|
|
|
|
],
|
|
|
|
|
"Resource": [
|
|
|
|
|
"arn:aws:logs:{{aws_region}}:{{aws_account}}:log-group:*"
|
|
|
|
|
]
|
|
|
|
|
},
|
2019-09-21 03:46:37 +02:00
|
|
|
{
|
|
|
|
|
"Sid": "AllowModifyingCloudtrail",
|
|
|
|
|
"Effect": "Allow",
|
|
|
|
|
"Action": [
|
|
|
|
|
"cloudtrail:*"
|
|
|
|
|
],
|
|
|
|
|
"Resource": [
|
|
|
|
|
"arn:aws:cloudtrail:{{aws_region}}:{{aws_account}}:trail/ansible-test-*"
|
|
|
|
|
]
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"Sid": "AllowDescribingCloudtrails",
|
|
|
|
|
"Effect": "Allow",
|
|
|
|
|
"Action": [
|
|
|
|
|
"cloudtrail:DescribeTrails",
|
|
|
|
|
"cloudtrail:ListTags",
|
|
|
|
|
"cloudtrail:ListPublicKeys"
|
|
|
|
|
],
|
|
|
|
|
"Resource": [
|
|
|
|
|
"*"
|
|
|
|
|
]
|
|
|
|
|
},
|
2018-11-14 18:15:24 +01:00
|
|
|
{
|
|
|
|
|
"Sid": "AllowModifyingCloudwatchLogs",
|
|
|
|
|
"Effect": "Allow",
|
|
|
|
|
"Action": [
|
|
|
|
|
"logs:CreateLogGroup",
|
|
|
|
|
"logs:PutRetentionPolicy",
|
|
|
|
|
"logs:DeleteLogGroup"
|
|
|
|
|
],
|
|
|
|
|
"Resource": [
|
2019-09-21 03:46:37 +02:00
|
|
|
"arn:aws:logs:{{aws_region}}:{{aws_account}}:log-group:ansible-test*"
|
2018-11-14 18:15:24 +01:00
|
|
|
]
|
2019-05-17 02:36:14 +02:00
|
|
|
},
|
2019-06-17 20:41:20 +02:00
|
|
|
{
|
|
|
|
|
"Sid": "AllowAccessToUnspecifiedKMSResources",
|
|
|
|
|
"Effect": "Allow",
|
|
|
|
|
"Action": [
|
|
|
|
|
"kms:CancelKeyDeletion",
|
|
|
|
|
"kms:CreateAlias",
|
|
|
|
|
"kms:CreateGrant",
|
|
|
|
|
"kms:CreateKey",
|
|
|
|
|
"kms:DeleteAlias",
|
|
|
|
|
"kms:Describe*",
|
|
|
|
|
"kms:DisableKey",
|
|
|
|
|
"kms:EnableKey",
|
|
|
|
|
"kms:GenerateRandom",
|
|
|
|
|
"kms:Get*",
|
|
|
|
|
"kms:List*",
|
2019-08-23 12:38:38 +02:00
|
|
|
"kms:PutKeyPolicy",
|
2019-06-17 20:41:20 +02:00
|
|
|
"kms:RetireGrant",
|
|
|
|
|
"kms:ScheduleKeyDeletion",
|
|
|
|
|
"kms:TagResource",
|
|
|
|
|
"kms:UntagResource",
|
|
|
|
|
"kms:UpdateGrant",
|
|
|
|
|
"kms:UpdateKeyDescription"
|
|
|
|
|
],
|
2019-05-17 02:36:14 +02:00
|
|
|
"Resource": "*"
|
2019-06-17 20:41:20 +02:00
|
|
|
},
|
|
|
|
|
{
|
2019-07-04 21:25:19 +02:00
|
|
|
"Sid": "AllowAccessToServerCertificates",
|
2019-06-17 20:41:20 +02:00
|
|
|
"Effect": "Allow",
|
|
|
|
|
"Action": [
|
2019-09-10 00:23:19 +02:00
|
|
|
"iam:*ServerCertificates",
|
|
|
|
|
"iam:*ServerCertificate"
|
2019-06-17 20:41:20 +02:00
|
|
|
],
|
2019-07-04 21:25:19 +02:00
|
|
|
"Resource": "*"
|
2019-08-22 15:25:25 +02:00
|
|
|
},
|
2019-09-10 00:23:19 +02:00
|
|
|
{
|
|
|
|
|
"Sid": "AllowAccessToSecrets",
|
|
|
|
|
"Effect": "Allow",
|
|
|
|
|
"Action": [
|
|
|
|
|
"secretsmanager:*"
|
|
|
|
|
],
|
|
|
|
|
"Resource": "arn:aws:secretsmanager:{{aws_region}}:{{aws_account}}:secret:ansible-test*"
|
|
|
|
|
},
|
2019-08-22 15:25:25 +02:00
|
|
|
{
|
|
|
|
|
"Sid": "AllowAccessToManagePasswordPolicy",
|
|
|
|
|
"Effect": "Allow",
|
|
|
|
|
"Action": [
|
2019-09-10 00:23:19 +02:00
|
|
|
"iam:*AccountPasswordPolicy"
|
2019-08-22 15:25:25 +02:00
|
|
|
],
|
|
|
|
|
"Resource": "*"
|
2019-09-06 01:25:36 +02:00
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"Sid": "AllowAccessToManageUsersAndGroups",
|
|
|
|
|
"Effect": "Allow",
|
|
|
|
|
"Action": [
|
|
|
|
|
"iam:*Group",
|
|
|
|
|
"iam:*User",
|
|
|
|
|
"iam:ListAttachedGroupPolicies"
|
|
|
|
|
],
|
|
|
|
|
"Resource": [
|
|
|
|
|
"arn:aws:iam::{{ aws_account }}:user/ansible-test*",
|
|
|
|
|
"arn:aws:iam::{{ aws_account }}:group/ansible-test*"
|
|
|
|
|
]
|
2019-11-05 19:57:08 +01:00
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"Sid": "AllowAccessToACMRestrictable",
|
|
|
|
|
"Effect": "Allow",
|
|
|
|
|
"Action": [
|
|
|
|
|
"acm:ImportCertificate",
|
|
|
|
|
"acm:DescribeCertificate",
|
|
|
|
|
"acm:GetCertificate",
|
|
|
|
|
"acm:AddTagsToCertificate",
|
|
|
|
|
"acm:DeleteCertificate"
|
|
|
|
|
],
|
|
|
|
|
"Resource": [
|
|
|
|
|
"arn:aws:acm:{{aws_region}}:{{aws_account}}:certificate/*"
|
|
|
|
|
]
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"Sid": "AllowAccessToACMUnrestrictable",
|
|
|
|
|
"Effect": "Allow",
|
|
|
|
|
"Action": [
|
|
|
|
|
"acm:ListCertificates",
|
|
|
|
|
"acm:ListTagsForCertificate"
|
|
|
|
|
],
|
|
|
|
|
"Resource": [
|
|
|
|
|
"*"
|
|
|
|
|
]
|
2017-12-15 14:15:01 +01:00
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
