ansible/hacking/aws_config/testing_policies/security-policy.json

201 lines
6.3 KiB
JSON
Raw Normal View History

{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"iam:GetGroup",
"iam:GetInstanceProfile",
"iam:CreateInstanceProfile",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:GetUser",
"iam:ListAttachedGroupPolicies",
"iam:ListAttachedRolePolicies",
"iam:ListAttachedUserPolicies",
"iam:ListGroups",
"iam:ListInstanceProfiles",
"iam:ListInstanceProfilesForRole",
"iam:ListPolicies",
"iam:ListRoles",
"iam:ListRolePolicies",
"iam:ListUsers",
"iam:ListAccountAliases"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "AllowReadOnlyIAMUse"
},
{
"Action": [
"iam:CreatePolicy",
"iam:ListPolicyVersions",
"iam:ListEntitiesForPolicy",
"iam:DeletePolicy"
],
"Resource": "arn:aws:iam::{{ aws_account }}:policy/ansible-test-*",
"Effect": "Allow",
"Sid": "AllowManagementOfSpecificPolicies"
},
{
"Action": [
"iam:AttachRolePolicy",
"iam:CreateRole",
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"iam:DeleteRolePermissionsBoundary",
"iam:DetachRolePolicy",
"iam:PutRolePolicy",
"iam:PassRole",
"iam:PutRolePolicy",
"iam:PutRolePermissionsBoundary",
"iam:UpdateAssumeRolePolicy",
"iam:UpdateRole",
"iam:UpdateRoleDescription",
"sts:AssumeRole"
],
"Resource": "arn:aws:iam::{{ aws_account }}:role/ansible-test-*",
"Effect": "Allow",
"Sid": "AllowUpdateOfSpecificRoles"
},
{
"Action": [
"iam:CreateInstanceProfile",
"iam:DeleteInstanceProfile",
"iam:AddRoleToInstanceProfile",
"iam:RemoveRoleFromInstanceProfile"
],
"Resource": "arn:aws:iam::{{ aws_account }}:instance-profile/ansible-test-*",
"Effect": "Allow",
"Sid": "AllowUpdateOfSpecificInstanceProfiles"
},
{
"Action": [
"ec2:ReplaceIamInstanceProfileAssociation"
],
"Resource": "*",
"Condition": {
"ArnEquals": {
"ec2:InstanceProfile": "arn:aws:iam::{{ aws_account }}:instance-profile/ansible-test-*"
}
},
"Effect": "Allow",
"Sid": "AllowReplacementOfSpecificInstanceProfiles"
},
{
"Sid": "AllowWAFusage",
"Action": "waf:*",
"Effect": "Allow",
"Resource": "*"
},
{
"Sid": "AllowListingCloudwatchLogs",
"Effect": "Allow",
"Action": [
"logs:DescribeLogGroups"
],
"Resource": [
"arn:aws:logs:{{aws_region}}:{{aws_account}}:log-group:*"
]
},
{
"Sid": "AllowModifyingCloudtrail",
"Effect": "Allow",
"Action": [
"cloudtrail:*"
],
"Resource": [
"arn:aws:cloudtrail:{{aws_region}}:{{aws_account}}:trail/ansible-test-*"
]
},
{
"Sid": "AllowDescribingCloudtrails",
"Effect": "Allow",
"Action": [
"cloudtrail:DescribeTrails",
"cloudtrail:ListTags",
"cloudtrail:ListPublicKeys"
],
"Resource": [
"*"
]
},
{
"Sid": "AllowModifyingCloudwatchLogs",
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:PutRetentionPolicy",
"logs:DeleteLogGroup"
],
"Resource": [
"arn:aws:logs:{{aws_region}}:{{aws_account}}:log-group:ansible-test*"
]
},
{
"Sid": "AllowAccessToUnspecifiedKMSResources",
"Effect": "Allow",
"Action": [
"kms:CancelKeyDeletion",
"kms:CreateAlias",
"kms:CreateGrant",
"kms:CreateKey",
"kms:DeleteAlias",
"kms:Describe*",
"kms:DisableKey",
"kms:EnableKey",
"kms:GenerateRandom",
"kms:Get*",
"kms:List*",
"kms:PutKeyPolicy",
"kms:RetireGrant",
"kms:ScheduleKeyDeletion",
"kms:TagResource",
"kms:UntagResource",
"kms:UpdateGrant",
"kms:UpdateKeyDescription"
],
"Resource": "*"
},
{
"Sid": "AllowAccessToServerCertificates",
"Effect": "Allow",
"Action": [
"iam:*ServerCertificates",
"iam:*ServerCertificate"
],
"Resource": "*"
},
{
"Sid": "AllowAccessToSecrets",
"Effect": "Allow",
"Action": [
"secretsmanager:*"
],
"Resource": "arn:aws:secretsmanager:{{aws_region}}:{{aws_account}}:secret:ansible-test*"
},
{
"Sid": "AllowAccessToManagePasswordPolicy",
"Effect": "Allow",
"Action": [
"iam:*AccountPasswordPolicy"
],
"Resource": "*"
},
{
"Sid": "AllowAccessToManageUsersAndGroups",
"Effect": "Allow",
"Action": [
"iam:*Group",
"iam:*User",
"iam:ListAttachedGroupPolicies"
],
"Resource": [
"arn:aws:iam::{{ aws_account }}:user/ansible-test*",
"arn:aws:iam::{{ aws_account }}:group/ansible-test*"
]
}
]
}