cmueller/ansible
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity
ansible/hacking/aws_config/testing_policies/security-policy.json
Mark Chappell 77e4371460 aws_kms: Update policy on existing keys (when passed) (#60059) 
* aws_kms: (integration tests) Use module_defaults to reduce the copy and paste

* aws_kms: (integration tests) make sure policy option functions.

* aws_kms: (integration tests) Move iam_role creation to start of playbook.

iam_roles aren't fully created when iam_role completes, there's a delay on the Amazon side before they're fully recognised.

* aws_kms: Update policy on existing keys (when passed)
2019-08-23 20:38:38 +10:00

144 lines
4.6 KiB
JSON
Raw Blame History

{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"iam:GetGroup",
"iam:GetInstanceProfile",
"iam:CreateInstanceProfile",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:GetUser",
"iam:ListAttachedGroupPolicies",
"iam:ListAttachedRolePolicies",
"iam:ListAttachedUserPolicies",
"iam:ListGroups",
"iam:ListInstanceProfiles",
"iam:ListInstanceProfilesForRole",
"iam:ListPolicies",
"iam:ListRoles",
"iam:ListRolePolicies",
"iam:ListUsers",
"iam:ListAccountAliases"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "AllowReadOnlyIAMUse"
},
{
"Action": [
"iam:AttachRolePolicy",
"iam:CreateRole",
"iam:DeleteRole",
"iam:DetachRolePolicy",
"iam:PassRole",
"iam:UpdateAssumeRolePolicy",
"sts:AssumeRole"
],
"Resource": "arn:aws:iam::{{ aws_account }}:role/ansible-test-*",
"Effect": "Allow",
"Sid": "AllowUpdateOfSpecificRoles"
},
{
"Action": [
"iam:CreateInstanceProfile",
"iam:DeleteInstanceProfile",
"iam:AddRoleToInstanceProfile",
"iam:RemoveRoleFromInstanceProfile"
],
"Resource": "arn:aws:iam::{{ aws_account }}:instance-profile/ansible-test-*",
"Effect": "Allow",
"Sid": "AllowUpdateOfSpecificInstanceProfiles"
},
{
"Action": [
"ec2:ReplaceIamInstanceProfileAssociation"
],
"Resource": "*",
"Condition": {
"ArnEquals": {
"ec2:InstanceProfile": "arn:aws:iam::{{ aws_account }}:instance-profile/ansible-test-*"
}
},
"Effect": "Allow",
"Sid": "AllowReplacementOfSpecificInstanceProfiles"
},
{
"Sid": "AllowWAFusage",
"Action": "waf:*",
"Effect": "Allow",
"Resource": "*"
},
{
"Sid": "AllowListingCloudwatchLogs",
"Effect": "Allow",
"Action": [
"logs:DescribeLogGroups"
],
"Resource": [
"arn:aws:logs:{{aws_region}}:{{aws_account}}:log-group:*"
]
},
{
"Sid": "AllowModifyingCloudwatchLogs",
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:PutRetentionPolicy",
"logs:DeleteLogGroup"
],
"Resource": [
"arn:aws:logs:{{aws_region}}:{{aws_account}}:log-group:ansible-testing*"
]
},
{
"Sid": "AllowAccessToUnspecifiedKMSResources",
"Effect": "Allow",
"Action": [
"kms:CancelKeyDeletion",
"kms:CreateAlias",
"kms:CreateGrant",
"kms:CreateKey",
"kms:DeleteAlias",
"kms:Describe*",
"kms:DisableKey",
"kms:EnableKey",
"kms:GenerateRandom",
"kms:Get*",
"kms:List*",
"kms:PutKeyPolicy",
"kms:RetireGrant",
"kms:ScheduleKeyDeletion",
"kms:TagResource",
"kms:UntagResource",
"kms:UpdateGrant",
"kms:UpdateKeyDescription"
],
"Resource": "*"
},
{
"Sid": "AllowAccessToServerCertificates",
"Effect": "Allow",
"Action": [
"iam:ListServerCertificates",
"iam:UploadServerCertificate",
"iam:UpdateServerCertificate",
"iam:DeleteServerCertificate",
"iam:GetServerCertificate"
],
"Resource": "*"
},
{
"Sid": "AllowAccessToManagePasswordPolicy",
"Effect": "Allow",
"Action": [
"iam:GetAccountPasswordPolicy",
"iam:DeleteAccountPasswordPolicy",
"iam:UpdateAccountPasswordPolicy"
],
"Resource": "*"
}
]
}
Reference in a new issue View git blame Copy permalink