Consolidate IAM policies into fewer, larger policies (#33122)
Due to IAM limits allowing at most 10 policies per group, need to reduce the number of total policies in use.
This commit is contained in:
Will Thames
Sloane Hertel
parent
0962a0d816
commit
1ca0c0e7f7
|
|
@ -36,11 +36,11 @@
|
|||
|
||||
- name: Ensure Managed IAM policies exist
|
||||
iam_managed_policy:
|
||||
policy_name: "AnsibleTest{{ item|basename|regex_replace('-.*', '')|upper }}Policy"
|
||||
policy_name: "AnsibleTest{{ item|basename|regex_replace('-.*', '')|capitalize }}Policy"
|
||||
policy: "{{ lookup('template', item) }}"
|
||||
state: present
|
||||
profile: "{{ profile|default(omit) }}"
|
||||
with_fileglob: "testing_policies/*"
|
||||
with_fileglob: "testing_policies/*.json"
|
||||
register: iam_managed_policies
|
||||
|
||||
- debug:
|
||||
|
|
|
|||
|
|
@ -1,33 +0,0 @@
|
|||
{# Not all Autoscaling API Actions allow specified resources #}
|
||||
{# See http://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-resources #}
|
||||
{
|
||||
"Version": "2012-10-17",
|
||||
"Statement": [
|
||||
{
|
||||
"Sid": "DescribeAutoscaling",
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"autoscaling:DescribeAutoScalingGroups",
|
||||
"autoscaling:DescribeLaunchConfigurations",
|
||||
"autoscaling:DescribePolicies"
|
||||
],
|
||||
"Resource": "*"
|
||||
},
|
||||
{
|
||||
"Sid": "AllowAutoscaling",
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"autoscaling:CreateLaunchConfiguration",
|
||||
"autoscaling:CreateAutoScalingGroup",
|
||||
"autoscaling:UpdateAutoScalingGroup",
|
||||
"autoscaling:DeleteAutoScalingGroup",
|
||||
"autoscaling:DeleteLaunchConfiguration",
|
||||
"autoscaling:PutScalingPolicy",
|
||||
"autoscaling:DeletePolicy"
|
||||
],
|
||||
"Resource": [
|
||||
"arn:aws:autoscaling:{{aws_region}}:{{aws_account}}:*"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
222
hacking/aws_config/testing_policies/compute-policy.json
Normal file
222
hacking/aws_config/testing_policies/compute-policy.json
Normal file
|
|
@ -0,0 +1,222 @@
|
|||
{# Not all Autoscaling API Actions allow specified resources #}
|
||||
{# See http://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-resources #}
|
||||
{
|
||||
"Version": "2012-10-17",
|
||||
"Statement": [
|
||||
{
|
||||
"Sid": "DescribeAutoscaling",
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"autoscaling:DescribeAutoScalingGroups",
|
||||
"autoscaling:DescribeLaunchConfigurations",
|
||||
"autoscaling:DescribePolicies"
|
||||
],
|
||||
"Resource": "*"
|
||||
},
|
||||
{
|
||||
"Sid": "AllowAutoscaling",
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"autoscaling:CreateLaunchConfiguration",
|
||||
"autoscaling:CreateAutoScalingGroup",
|
||||
"autoscaling:UpdateAutoScalingGroup",
|
||||
"autoscaling:DeleteAutoScalingGroup",
|
||||
"autoscaling:DeleteLaunchConfiguration",
|
||||
"autoscaling:PutScalingPolicy",
|
||||
"autoscaling:DeletePolicy"
|
||||
],
|
||||
"Resource": [
|
||||
"arn:aws:autoscaling:{{aws_region}}:{{aws_account}}:*"
|
||||
]
|
||||
},
|
||||
{# Note that not all EC2 API Actions allow a specific resource #}
|
||||
{# See http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-api-permissions.html#ec2-api-unsupported-resource-permissions #}
|
||||
{
|
||||
"Sid": "AllowUnspecifiedEC2Resource",
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"ec2:AllocateAddress",
|
||||
"ec2:AssociateAddress",
|
||||
"ec2:AssociateRouteTable",
|
||||
"ec2:AssociateVpcCidrBlock",
|
||||
"ec2:AssociateSubnetCidrBlock",
|
||||
"ec2:AttachInternetGateway",
|
||||
"ec2:CreateImage",
|
||||
"ec2:CreateInternetGateway",
|
||||
"ec2:CreateKeyPair",
|
||||
"ec2:CreateNatGateway",
|
||||
"ec2:CreateRoute",
|
||||
"ec2:CreateRouteTable",
|
||||
"ec2:CreateSecurityGroup",
|
||||
"ec2:CreateSnapshot",
|
||||
"ec2:CreateSubnet",
|
||||
"ec2:CreateTags",
|
||||
"ec2:CreateVpc",
|
||||
"ec2:DeleteInternetGateway",
|
||||
"ec2:DeleteKeyPair",
|
||||
"ec2:DeleteNatGateway",
|
||||
"ec2:DeleteRoute",
|
||||
"ec2:DeleteRouteTable",
|
||||
"ec2:DeleteSnapshot",
|
||||
"ec2:DeleteSubnet",
|
||||
"ec2:DeleteTags",
|
||||
"ec2:DeleteVpc",
|
||||
"ec2:DeleteTags",
|
||||
"ec2:DeregisterImage",
|
||||
"ec2:DetachInternetGateway",
|
||||
"ec2:Describe*",
|
||||
"ec2:DisassociateAddress",
|
||||
"ec2:DisassociateRouteTable",
|
||||
"ec2:ImportKeyPair",
|
||||
"ec2:ModifyImageAttribute",
|
||||
"ec2:ModifyVpcAttribute",
|
||||
"ec2:RegisterImage",
|
||||
"ec2:ReleaseAddress",
|
||||
"ec2:ReplaceRouteTableAssociation"
|
||||
],
|
||||
"Resource": "*"
|
||||
},
|
||||
{
|
||||
"Sid": "AllowSpecifiedEC2Resource",
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"ec2:AuthorizeSecurityGroupIngress",
|
||||
"ec2:AuthorizeSecurityGroupEgress",
|
||||
"ec2:CreateTags",
|
||||
"ec2:DeleteRouteTable",
|
||||
"ec2:DeleteSecurityGroup",
|
||||
"ec2:RevokeSecurityGroupEgress",
|
||||
"ec2:RevokeSecurityGroupIngress",
|
||||
"ec2:RunInstances",
|
||||
"ec2:TerminateInstances",
|
||||
"ec2:UpdateSecurityGroupRuleDescriptionsIngress",
|
||||
"ec2:UpdateSecurityGroupRuleDescriptionsEgress"
|
||||
],
|
||||
"Resource": [
|
||||
"arn:aws:ec2:{{aws_region}}::image/*",
|
||||
"arn:aws:ec2:{{aws_region}}:{{aws_account}}:*"
|
||||
]
|
||||
},
|
||||
{
|
||||
"Sid": "UnspecifiedCodeRepositories",
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"ecr:DescribeRepositories",
|
||||
"ecr:CreateRepository"
|
||||
],
|
||||
"Resource": "*"
|
||||
},
|
||||
{
|
||||
"Sid": "SpecifiedCodeRepositories",
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"ecr:GetRepositoryPolicy",
|
||||
"ecr:SetRepositoryPolicy",
|
||||
"ecr:DeleteRepository",
|
||||
"ecr:DeleteRepositoryPolicy",
|
||||
"ecr:DeleteRepositoryPolicy"
|
||||
],
|
||||
"Resource": [
|
||||
"arn:aws:ecr:{{aws_region}}:{{aws_account}}:repository/ansible-*"
|
||||
]
|
||||
},
|
||||
{# According to http://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/load-balancer-authentication-access-control.html #}
|
||||
{# Resource level access control is not possible for the new ELB API (providing Application Load Balancer functionality #}
|
||||
{# While it remains possible for the old API, there is no distinction of the Actions between old API and new API #}
|
||||
{
|
||||
"Sid": "AllowLoadBalancerOperations",
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"elasticloadbalancing:ConfigureHealthCheck",
|
||||
"elasticloadbalancing:CreateLoadBalancer",
|
||||
"elasticloadbalancing:CreateLoadBalancerListeners",
|
||||
"elasticloadbalancing:DeleteLoadBalancer",
|
||||
"elasticloadbalancing:DeleteLoadBalancerListeners",
|
||||
"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
|
||||
"elasticloadbalancing:DescribeInstanceHealth",
|
||||
"elasticloadbalancing:DescribeLoadBalancerAttributes",
|
||||
"elasticloadbalancing:DescribeLoadBalancerPolicies",
|
||||
"elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
|
||||
"elasticloadbalancing:DescribeLoadBalancerTags",
|
||||
"elasticloadbalancing:DescribeLoadBalancers",
|
||||
"elasticloadbalancing:DisableAvailabilityZonesForLoadBalancer",
|
||||
"elasticloadbalancing:EnableAvailabilityZonesForLoadBalancer",
|
||||
"elasticloadbalancing:ModifyLoadBalancerAttributes",
|
||||
"elasticloadbalancing:RegisterInstancesWithLoadBalancer"
|
||||
],
|
||||
"Resource": "*"
|
||||
},
|
||||
{# Only certain lambda actions can be restricted to a specific resource #}
|
||||
{# http://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html #}
|
||||
{
|
||||
"Sid": "AllowApiGateway",
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"apigateway:*"
|
||||
],
|
||||
"Resource": [
|
||||
"arn:aws:apigateway:{{aws_region}}::/*"
|
||||
]
|
||||
},
|
||||
{
|
||||
"Sid": "AllowGetUserForLambdaCreation",
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"iam:GetUser"
|
||||
],
|
||||
"Resource": [
|
||||
"arn:aws:iam::{{aws_account}}:user/ansible_integration_tests"
|
||||
]
|
||||
},
|
||||
{
|
||||
"Sid": "AllowLambdaManagementWithoutResource",
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"lambda:CreateEventSourceMapping",
|
||||
"lambda:GetAccountSettings",
|
||||
"lambda:GetEventSourceMapping",
|
||||
"lambda:ListEventSourceMappings",
|
||||
"lambda:ListFunctions",
|
||||
"lambda:ListTags",
|
||||
"lambda:TagResource",
|
||||
"lambda:UntagResource"
|
||||
],
|
||||
"Resource": "*"
|
||||
},
|
||||
{
|
||||
"Sid": "AllowLambdaManagementWithResource",
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"lambda:AddPermission",
|
||||
"lambda:CreateAlias",
|
||||
"lambda:CreateFunction",
|
||||
"lambda:DeleteAlias",
|
||||
"lambda:DeleteFunction",
|
||||
"lambda:GetAlias",
|
||||
"lambda:GetFunction",
|
||||
"lambda:GetFunctionConfiguration",
|
||||
"lambda:GetPolicy",
|
||||
"lambda:InvokeFunction",
|
||||
"lambda:ListAliases",
|
||||
"lambda:ListVersionsByFunction",
|
||||
"lambda:PublishVersion",
|
||||
"lambda:RemovePermission",
|
||||
"lambda:UpdateAlias",
|
||||
"lambda:UpdateEventSourceMapping",
|
||||
"lambda:UpdateFunctionCode",
|
||||
"lambda:UpdateFunctionConfiguration"
|
||||
],
|
||||
"Resource": "arn:aws:lambda:{{aws_region}}:{{aws_account}}:function:*"
|
||||
},
|
||||
{
|
||||
"Sid": "AllowLambdaRoleManagement",
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"iam:PassRole"
|
||||
],
|
||||
"Resource": [
|
||||
"arn:aws:iam::{{aws_account}}:role/ansible_lambda_role"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
@ -1,73 +0,0 @@
|
|||
{# Note that not all EC2 API Actions allow a specific resource #}
|
||||
{# See http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-api-permissions.html#ec2-api-unsupported-resource-permissions #}
|
||||
{
|
||||
"Version": "2012-10-17",
|
||||
"Statement": [
|
||||
{
|
||||
"Sid": "AllowUnspecifiedEC2Resource",
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"ec2:AllocateAddress",
|
||||
"ec2:AssociateAddress",
|
||||
"ec2:AssociateRouteTable",
|
||||
"ec2:AssociateVpcCidrBlock",
|
||||
"ec2:AssociateSubnetCidrBlock",
|
||||
"ec2:CreateImage",
|
||||
"ec2:AttachInternetGateway",
|
||||
"ec2:CreateInternetGateway",
|
||||
"ec2:CreateKeyPair",
|
||||
"ec2:CreateNatGateway",
|
||||
"ec2:CreateRoute",
|
||||
"ec2:CreateRouteTable",
|
||||
"ec2:CreateSecurityGroup",
|
||||
"ec2:CreateSnapshot",
|
||||
"ec2:CreateSubnet",
|
||||
"ec2:CreateTags",
|
||||
"ec2:CreateVpc",
|
||||
"ec2:DeleteKeyPair",
|
||||
"ec2:DeleteInternetGateway",
|
||||
"ec2:DeleteNatGateway",
|
||||
"ec2:DeleteSnapshot",
|
||||
"ec2:DeleteSubnet",
|
||||
"ec2:DeleteRoute",
|
||||
"ec2:DeleteRouteTable",
|
||||
"ec2:DeleteTags",
|
||||
"ec2:DeleteVpc",
|
||||
"ec2:DeleteTags",
|
||||
"ec2:DeregisterImage",
|
||||
"ec2:Describe*",
|
||||
"ec2:DetachInternetGateway",
|
||||
"ec2:DisassociateAddress",
|
||||
"ec2:DisassociateRouteTable",
|
||||
"ec2:ImportKeyPair",
|
||||
"ec2:ModifyImageAttribute",
|
||||
"ec2:ModifyVpcAttribute",
|
||||
"ec2:RegisterImage",
|
||||
"ec2:ReleaseAddress",
|
||||
"ec2:ReplaceRouteTableAssociation"
|
||||
],
|
||||
"Resource": "*"
|
||||
},
|
||||
{
|
||||
"Sid": "AllowSpecifiedEC2Resource",
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"ec2:AuthorizeSecurityGroupIngress",
|
||||
"ec2:AuthorizeSecurityGroupEgress",
|
||||
"ec2:CreateTags",
|
||||
"ec2:DeleteRouteTable",
|
||||
"ec2:DeleteSecurityGroup",
|
||||
"ec2:RevokeSecurityGroupEgress",
|
||||
"ec2:RevokeSecurityGroupIngress",
|
||||
"ec2:RunInstances",
|
||||
"ec2:TerminateInstances",
|
||||
"ec2:UpdateSecurityGroupRuleDescriptionsIngress",
|
||||
"ec2:UpdateSecurityGroupRuleDescriptionsEgress"
|
||||
],
|
||||
"Resource": [
|
||||
"arn:aws:ec2:{{aws_region}}::image/*",
|
||||
"arn:aws:ec2:{{aws_region}}:{{aws_account}}:*"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
@ -1,28 +0,0 @@
|
|||
{
|
||||
"Version": "2012-10-17",
|
||||
"Statement": [
|
||||
{
|
||||
"Sid": "UnspecifiedCodeRepositories",
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"ecr:DescribeRepositories",
|
||||
"ecr:CreateRepository"
|
||||
],
|
||||
"Resource": "*"
|
||||
},
|
||||
{
|
||||
"Sid": "SpecifiedCodeRepositories",
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"ecr:GetRepositoryPolicy",
|
||||
"ecr:SetRepositoryPolicy",
|
||||
"ecr:DeleteRepository",
|
||||
"ecr:DeleteRepositoryPolicy",
|
||||
"ecr:DeleteRepositoryPolicy"
|
||||
],
|
||||
"Resource": [
|
||||
"arn:aws:ecr:{{aws_region}}:{{aws_account}}:repository/ansible-*"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
@ -1,31 +0,0 @@
|
|||
{# According to http://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/load-balancer-authentication-access-control.html #}
|
||||
{# Resource level access control is not possible for the new ELB API (providing Application Load Balancer functionality #}
|
||||
{# While it remains possible for the old API, there is no distinction of the Actions between old API and new API #}
|
||||
{
|
||||
"Version": "2012-10-17",
|
||||
"Statement": [
|
||||
{
|
||||
"Sid": "AllowLoadBalancerOperations",
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"elasticloadbalancing:ConfigureHealthCheck",
|
||||
"elasticloadbalancing:CreateLoadBalancer",
|
||||
"elasticloadbalancing:CreateLoadBalancerListeners",
|
||||
"elasticloadbalancing:DeleteLoadBalancer",
|
||||
"elasticloadbalancing:DeleteLoadBalancerListeners",
|
||||
"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
|
||||
"elasticloadbalancing:DescribeInstanceHealth",
|
||||
"elasticloadbalancing:DescribeLoadBalancerAttributes",
|
||||
"elasticloadbalancing:DescribeLoadBalancerPolicies",
|
||||
"elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
|
||||
"elasticloadbalancing:DescribeLoadBalancerTags",
|
||||
"elasticloadbalancing:DescribeLoadBalancers",
|
||||
"elasticloadbalancing:DisableAvailabilityZonesForLoadBalancer",
|
||||
"elasticloadbalancing:EnableAvailabilityZonesForLoadBalancer",
|
||||
"elasticloadbalancing:ModifyLoadBalancerAttributes",
|
||||
"elasticloadbalancing:RegisterInstancesWithLoadBalancer"
|
||||
],
|
||||
"Resource": "*"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
@ -1,77 +0,0 @@
|
|||
{# Only certain lambda actions can be restricted to a specific resource #}
|
||||
{# http://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html #}
|
||||
{
|
||||
"Version": "2012-10-17",
|
||||
"Statement": [
|
||||
{
|
||||
"Sid": "AllowApiGateway",
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"apigateway:*"
|
||||
],
|
||||
"Resource": [
|
||||
"arn:aws:apigateway:{{aws_region}}::/*"
|
||||
]
|
||||
},
|
||||
{
|
||||
"Sid": "AllowGetUserForLambdaCreation",
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"iam:GetUser"
|
||||
],
|
||||
"Resource": [
|
||||
"arn:aws:iam::{{aws_account}}:user/ansible_integration_tests"
|
||||
]
|
||||
},
|
||||
{
|
||||
"Sid": "AllowLambdaManagementWithoutResource",
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"lambda:CreateEventSourceMapping",
|
||||
"lambda:GetAccountSettings",
|
||||
"lambda:GetEventSourceMapping",
|
||||
"lambda:ListEventSourceMappings",
|
||||
"lambda:ListFunctions",
|
||||
"lambda:ListTags",
|
||||
"lambda:TagResource",
|
||||
"lambda:UntagResource"
|
||||
],
|
||||
"Resource": "*"
|
||||
},
|
||||
{
|
||||
"Sid": "AllowLambdaManagementWithResource",
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"lambda:AddPermission",
|
||||
"lambda:CreateAlias",
|
||||
"lambda:CreateFunction",
|
||||
"lambda:DeleteAlias",
|
||||
"lambda:DeleteFunction",
|
||||
"lambda:GetAlias",
|
||||
"lambda:GetFunction",
|
||||
"lambda:GetFunctionConfiguration",
|
||||
"lambda:GetPolicy",
|
||||
"lambda:InvokeFunction",
|
||||
"lambda:ListAliases",
|
||||
"lambda:ListVersionsByFunction",
|
||||
"lambda:PublishVersion",
|
||||
"lambda:RemovePermission",
|
||||
"lambda:UpdateAlias",
|
||||
"lambda:UpdateEventSourceMapping",
|
||||
"lambda:UpdateFunctionCode",
|
||||
"lambda:UpdateFunctionConfiguration"
|
||||
],
|
||||
"Resource": "arn:aws:lambda:{{aws_region}}:{{aws_account}}:function:*"
|
||||
},
|
||||
{
|
||||
"Sid": "AllowLambdaRoleManagement",
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"iam:PassRole"
|
||||
],
|
||||
"Resource": [
|
||||
"arn:aws:iam::{{aws_account}}:role/ansible_lambda_role"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
Loading…
Reference in a new issue