ansible/hacking/aws_config/testing_policies/security-policy.json

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "iam:GetGroup",
                "iam:GetInstanceProfile",
                "iam:CreateInstanceProfile",
                "iam:GetPolicy",
                "iam:GetPolicyVersion",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:GetUser",
                "iam:ListAttachedGroupPolicies",
                "iam:ListAttachedRolePolicies",
                "iam:ListAttachedUserPolicies",
                "iam:ListGroups",
                "iam:ListInstanceProfiles",
                "iam:ListInstanceProfilesForRole",
                "iam:ListPolicies",
                "iam:ListRoles",
                "iam:ListRolePolicies",
                "iam:ListUsers",
                "iam:ListAccountAliases"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "AllowReadOnlyIAMUse"
        },
        {
            "Action": [
                "iam:CreatePolicy",
                "iam:ListPolicyVersions",
                "iam:ListEntitiesForPolicy",
                "iam:DeletePolicy"
             ],
            "Resource": "arn:aws:iam::{{ aws_account }}:policy/ansible-test-*",
            "Effect": "Allow",
            "Sid": "AllowManagementOfSpecificPolicies"
        },
        {
            "Action": [
                "iam:AttachRolePolicy",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:DeleteRolePolicy",
                "iam:DeleteRolePermissionsBoundary",
                "iam:DetachRolePolicy",
                "iam:PutRolePolicy",
                "iam:PassRole",
                "iam:PutRolePolicy",
                "iam:PutRolePermissionsBoundary",
                "iam:UpdateAssumeRolePolicy",
                "iam:UpdateRole",
                "iam:UpdateRoleDescription",
                "sts:AssumeRole"
             ],
            "Resource": "arn:aws:iam::{{ aws_account }}:role/ansible-test-*",
            "Effect": "Allow",
            "Sid": "AllowUpdateOfSpecificRoles"
        },
        {
            "Action": [
                "iam:CreateInstanceProfile",
                "iam:DeleteInstanceProfile",
                "iam:AddRoleToInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile"
             ],
            "Resource": "arn:aws:iam::{{ aws_account }}:instance-profile/ansible-test-*",
            "Effect": "Allow",
            "Sid": "AllowUpdateOfSpecificInstanceProfiles"
        },
        {
            "Action": [
                "ec2:ReplaceIamInstanceProfileAssociation"
             ],
            "Resource": "*",
            "Condition": {
              "ArnEquals": {
                "ec2:InstanceProfile": "arn:aws:iam::{{ aws_account }}:instance-profile/ansible-test-*"
              }
            },
            "Effect": "Allow",
            "Sid": "AllowReplacementOfSpecificInstanceProfiles"
        },
        {
            "Sid": "AllowWAFusage",
            "Action": "waf:*",
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Sid": "AllowListingCloudwatchLogs",
            "Effect": "Allow",
            "Action": [
                "logs:DescribeLogGroups"
            ],
            "Resource": [
                "arn:aws:logs:{{aws_region}}:{{aws_account}}:log-group:*"
            ]
        },
        {
            "Sid": "AllowModifyingCloudtrail",
            "Effect": "Allow",
            "Action": [
                "cloudtrail:*"
            ],
            "Resource": [
                "arn:aws:cloudtrail:{{aws_region}}:{{aws_account}}:trail/ansible-test-*"
            ]
        },
        {
            "Sid": "AllowDescribingCloudtrails",
            "Effect": "Allow",
            "Action": [
                "cloudtrail:DescribeTrails",
                "cloudtrail:ListTags",
                "cloudtrail:ListPublicKeys"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "AllowModifyingCloudwatchLogs",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:PutRetentionPolicy",
                "logs:DeleteLogGroup"
            ],
            "Resource": [
                "arn:aws:logs:{{aws_region}}:{{aws_account}}:log-group:ansible-test*"
            ]
        },
        {
            "Sid": "AllowAccessToUnspecifiedKMSResources",
            "Effect": "Allow",
            "Action": [
                "kms:CancelKeyDeletion",
                "kms:CreateAlias",
                "kms:CreateGrant",
                "kms:CreateKey",
                "kms:DeleteAlias",
                "kms:Describe*",
                "kms:DisableKey",
                "kms:EnableKey",
                "kms:GenerateRandom",
                "kms:Get*",
                "kms:List*",
                "kms:PutKeyPolicy",
                "kms:RetireGrant",
                "kms:ScheduleKeyDeletion",
                "kms:TagResource",
                "kms:UntagResource",
                "kms:UpdateGrant",
                "kms:UpdateKeyDescription"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowAccessToServerCertificates",
            "Effect": "Allow",
            "Action": [
                "iam:*ServerCertificates",
                "iam:*ServerCertificate"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowAccessToSecrets",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:*"
            ],
            "Resource": "arn:aws:secretsmanager:{{aws_region}}:{{aws_account}}:secret:ansible-test*"
        },
        {
            "Sid": "AllowAccessToManagePasswordPolicy",
            "Effect": "Allow",
            "Action": [
                "iam:*AccountPasswordPolicy"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowAccessToManageUsersAndGroups",
            "Effect": "Allow",
            "Action": [
                "iam:*Group",
                "iam:*User",
                "iam:ListAttachedGroupPolicies"
            ],
            "Resource": [
                "arn:aws:iam::{{ aws_account }}:user/ansible-test*",
                "arn:aws:iam::{{ aws_account }}:group/ansible-test*"
            ]
        },
        {
            "Sid": "AllowAccessToACMRestrictable",
            "Effect": "Allow",
            "Action": [
                "acm:ImportCertificate",
                "acm:DescribeCertificate",
                "acm:GetCertificate",
                "acm:AddTagsToCertificate",
                "acm:DeleteCertificate"
            ],
            "Resource": [
                "arn:aws:acm:{{aws_region}}:{{aws_account}}:certificate/*"
            ]
        },
        {
            "Sid": "AllowAccessToACMUnrestrictable",
            "Effect": "Allow",
            "Action": [
                "acm:ListCertificates",
                "acm:ListTagsForCertificate"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}