
Commit 3976472

author
100daysofdevops
committed
Merge branch 'master' of github.com:100daysofdevops/100daysofdevops
2 parents 9aaa859 + 3c6560b commit 3976472

12 files changed

Lines changed: 290 additions & 0 deletions
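--- /dev/null
+++ b/PATH-NOT-SHOWN-1
@@ -0,0 +1,14 @@
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Sid": "Statement1",
+"Effect": "Allow",
+"Action": [
+"ec2:*",
+"s3:*"
+],
+"Resource": "*"
+}
+]
+}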
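Review bot: The only in-policy documentation IAM JSON allows is the `Sid`, and `"Sid": "Statement1"` says nothing about why `ec2:*` and `s3:*` are granted on every resource; a descriptive value such as `"Sid": "AllowFullEc2AndS3"` would make the policy self-explaining. The same generic Sid is reused in the Deny variant in the next file section, where something like `"Sid": "DenyFullEc2AndS3"` would serve. Since this is a demo, the wildcard scope is presumably intentional, but a reader applying it should know it grants every EC2 and S3 action in the account, including data access and deletion.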
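--- /dev/null
+++ b/PATH-NOT-SHOWN-2
@@ -0,0 +1,14 @@
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Sid": "Statement1",
+"Effect": "Deny",
+"Action": [
+"ec2:*",
+"s3:*"
+],
+"Resource": "*"
+}
+]
+}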
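--- /dev/null
+++ b/PATH-NOT-SHOWN-3
@@ -0,0 +1,16 @@
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Sid": "VisualEditor0",
+"Effect": "Deny",
+"Action": "*",
+"Resource": "*",
+"Condition": {
+"StringLike": {
+"aws:PrincipalArn": "arn:aws:iam::*:root"
+}
+}
+}
+]
+}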
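Review bot: The `aws:PrincipalArn` match on `arn:aws:iam::*:root` only takes effect when this document is used as a service control policy; identity-based policies cannot be attached to the root user, so as a plain IAM policy the statement denies nothing. If it is meant as an SCP, replacing the console default `"Sid": "VisualEditor0"` with something like `"Sid": "DenyRootUserActions"` would record that intent in the file itself, since there is no other place for a comment in IAM JSON.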
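--- /dev/null
+++ b/PATH-NOT-SHOWN-4
@@ -0,0 +1,22 @@
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Sid": "DenyAllOutsideRequestedRegions",
+"Effect": "Deny",
+"NotAction": [
+"ec2:*",
+"s3:*"
+],
+"Resource": "*",
+"Condition": {
+"StringNotEquals": {
+"aws:RequestedRegion": [
+"us-west-1",
+"us-west-2"
+]
+}
+}
+}
+]
+}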
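Review bot: `NotAction` with `ec2:*` and `s3:*` denies everything except EC2 and S3 outside us-west-1/us-west-2, which is the opposite of what the Sid `DenyAllOutsideRequestedRegions` reads as: EC2 and S3 stay usable in every region, while global services whose requests carry a region (IAM and STS, for example) can be blocked. If the intent is to confine EC2 and S3 to the two regions, the key should be `"Action": [` rather than `"NotAction": [`. If the intent is AWS's region-restriction pattern, the `NotAction` list should instead name the global services to exempt from the deny.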
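--- /dev/null
+++ b/PATH-NOT-SHOWN-5
@@ -0,0 +1,15 @@
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Sid": "VisualEditor0",
+"Effect": "Deny",
+"Action": "ec2:RunInstances",
+"Resource": "arn:aws:ec2:*:*:instance/*",
+"Condition": {
+"ForAnyValue:StringNotLike": {
+"ec2:InstanceType": "t2.micro"
+}
+}
+}
+]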
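Review bot: The file ends after the `]` that closes `Statement`; the outer object's closing `}` is missing, so the document is not valid JSON and IAM will reject it on upload. Adding a final line `}` fixes it. As with the other files in this commit, the console default `"Sid": "VisualEditor0"` could be replaced with a name that states the rule, e.g. `"Sid": "DenyRunInstancesExceptT2Micro"`.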
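--- /dev/null
+++ b/PATH-NOT-SHOWN-6
@@ -0,0 +1,13 @@
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Sid": "VisualEditor0",
+"Effect": "Allow",
+"Action": "ec2:*",
+"Resource": [
+"arn:aws:ec2:*:<AWS-ACCOUNT-ID>:instance/<INSTANCE-ID>"
+]
+}
+]
+}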
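Review bot: Scoping `ec2:*` to a single instance ARN grants less than the wildcard action suggests, because many EC2 actions (the `Describe*` calls in particular) do not support resource-level permissions and are denied unless their `Resource` is `*`. If a user is meant to manage only that one instance, a second statement allowing the needed `ec2:Describe*` actions on `"Resource": "*"` is usually required alongside this one. Noting that in the `Sid`, e.g. `"Sid": "AllowSingleInstanceManagement"`, would also replace the console default `VisualEditor0`.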
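--- /dev/null
+++ b/PATH-NOT-SHOWN-7
@@ -0,0 +1,89 @@
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Sid": "FullAdminAccess",
+"Effect": "Allow",
+"Action": "*",
+"Resource": "*"
+},
+{
+"Sid": "DenyAccessToSageMaker",
+"Effect": "Deny",
+"Action": [
+"sagemaker:*"
+],
+"Resource": "*"
+},
+{
+"Sid": "DenyIAMPolicyChanges",
+"Effect": "Deny",
+"Action": [
+"iam:DeletePolicy",
+"iam:DeletePolicyVersion",
+"iam:CreatePolicyVersion",
+"iam:SetDefaultPolicyVersion"
+],
+"Resource": [
+"arn:aws:iam::REPLACE-AWS-USER:policy/DemoPermissionsBoundary"
+]
+},
+{
+"Sid": "DenyRemovalOfPermBoundary",
+"Effect": "Deny",
+"Action": [
+"iam:DeleteUserPermissionsBoundary",
+"iam:DeleteRolePermissionsBoundary"
+],
+"Resource": [
+"arn:aws:iam::REPLACE-AWS-USER:user/*",
+"arn:aws:iam::REPLACE-AWS-USER:role/*"
+],
+"Condition": {
+"StringEquals": {
+"iam:PermissionsBoundary": "arn:aws:iam::REPLACE-AWS-USER:policy/DemoPermissionsBoundary"
+}
+}
+},
+{
+"Sid": "DenyAccessIfRequiredPermBoundaryIsNotBeingAttached",
+"Effect": "Deny",
+"Action": [
+"iam:PutUserPermissionsBoundary",
+"iam:PutRolePermissionsBoundary"
+],
+"Resource": [
+"arn:aws:iam::REPLACE-AWS-USER:user/*",
+"arn:aws:iam::REPLACE-AWS-USER:role/*"
+],
+"Condition": {
+"StringNotEquals": {
+"iam:PermissionsBoundary": "arn:aws:iam::REPLACE-AWS-USER:policy/DemoPermissionsBoundary"
+}
+}
+},
+{
+"Sid": "DenyUserAndRoleCreationIfPermBoundaryNotAttached",
+"Effect": "Deny",
+"Action": [
+"iam:CreateUser",
+"iam:CreateRole"
+],
+"Resource": [
+"arn:aws:iam::REPLACE-AWS-USER:user/*",
+"arn:aws:iam::REPLACE-AWS-USER:role/*"
+],
+"Condition": {
+"StringNotEquals": {
+"iam:PermissionsBoundary": "arn:aws:iam::REPLACE-AWS-USER:policy/DemoPermissionsBoundary"
+}
+}
+},
+{
+"Sid": "DenyIAMActions",
+"Effect": "Deny",
+"Action": "iam:PassRole",
+"Resource": "arn:aws:iam::REPLACE-AWS-USER:role/*"
+}
+]
+}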
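Review bot: The placeholder `REPLACE-AWS-USER` sits in the account-ID field of every ARN (`arn:aws:iam::REPLACE-AWS-USER:policy/DemoPermissionsBoundary` and the `user/*` and `role/*` ARNs), where a 12-digit account number goes rather than a user name; naming it `REPLACE-AWS-ACCOUNT-ID` would stop someone pasting a user name and producing ARNs that match nothing. That failure mode matters here because every statement after `FullAdminAccess` is a `Deny` keyed on those ARNs, so a mis-filled placeholder leaves the boundary silently unprotected while the `"Action": "*"` allow still applies. The generic `"Sid": "DenyIAMActions"` on the last statement could also say what it does, e.g. `"Sid": "DenyPassRole"`.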
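--- /dev/null
+++ b/PATH-NOT-SHOWN-8
@@ -0,0 +1,21 @@
+{
+"Version": "2012-10-17",
+"Id": "SourceIPAccess",
+"Statement": [
+{
+"Sid": "SourceIPAccess",
+"Effect": "Deny",
+"Principal": "*",
+"Action": "s3:*",
+"Resource": [
+"arn:aws:s3:::Bucket-name",
+"arn:aws:s3:::Bucket-name/*"
+],
+"Condition": {
+"NotIpAddress": {
+"aws:SourceIp": "<ip-address>"
+}
+}
+}
+]
+}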
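Review bot: A `Deny` on `s3:*` for `"Principal": "*"` conditioned only on `NotIpAddress` also blocks every principal in the bucket's own account whose request does not arrive from `<ip-address>`, including the console session that applies the policy and any EC2, Lambda or other service calls reaching S3 from an AWS address, which can lock the bucket until the account's root user removes the policy. Carving out an administrative principal with an `aws:PrincipalArn` condition, or limiting the denied actions, is the usual safeguard; the same lockout risk applies to the `aws:SourceVpce` deny in the next file section. `aws:SourceIp` expects CIDR notation, so the placeholder is clearer as `"<ip-address>/32"`, and bucket names must be lowercase, so `Bucket-name` is not usable as written.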
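--- /dev/null
+++ b/PATH-NOT-SHOWN-9
@@ -0,0 +1,23 @@
+{
+"Id": "VPCe",
+"Version": "2012-10-17",
+"Statement": [
+{
+"Sid": "VPCe",
+"Action": "s3:*",
+"Effect": "Deny",
+"Resource": [
+"arn:aws:s3:::example-bucket",
+"arn:aws:s3:::example-bucket/*"
+],
+"Condition": {
+"StringNotEquals": {
+"aws:SourceVpce": [
+"vpce-1111111"
+]
+}
+},
+"Principal": "*"
+}
+]
+}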
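--- /dev/null
+++ b/PATH-NOT-SHOWN-10
@@ -0,0 +1,35 @@
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Action": [
+"s3:ListAllMyBuckets",
+"s3:GetBucketLocation"
+],
+"Resource": "*"
+},
+{
+"Effect": "Allow",
+"Action": "s3:ListBucket",
+"Resource": "arn:aws:s3:::<s3-bucket-name>",
+"Condition": {
+"StringLike": {
+"s3:prefix": [
+"",
+"home/",
+"home/${aws:username}/*"
+]
+}
+}
+},
+{
+"Effect": "Allow",
+"Action": "s3:*",
+"Resource": [
+"arn:aws:s3:::<s3-bucket-name>/home/${aws:username}",
+"arn:aws:s3:::<s3-bucket-name>/home/${aws:username}/*"
+]
+}
+]
+}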
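Review bot: `${aws:username}` is only populated for IAM users; for role sessions and federated identities the variable is absent, the `home/${aws:username}` resources never match, and the second and third statements grant nothing, so the policy should either state that it targets IAM users or use a variable that exists for the intended principals, such as `${aws:userid}` or a principal tag. None of the three statements carries a `Sid`, which is the only place an IAM policy can hold documentation; for example `"Sid": "AllowListAllBuckets"`, `"Sid": "AllowListHomePrefix"` and `"Sid": "AllowHomeFolderObjectAccess"` would make the three-step structure readable without a separate README.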
