From 31c313b3ac44a69be76365eb8c8145a0d78b28da Mon Sep 17 00:00:00 2001
From: Michele Cereda
Date: Fri, 13 Sep 2024 20:13:43 +0200
Subject: [PATCH] chore(examples/aws): basic iam user permissions for humans

---
 .../basic-iam-user-permissions.json | 246 ++++++++++++++++++
 knowledge base/cloud computing/aws/iam.md | 7 +-
 knowledge base/pulumi.md | 7 +-
 3 files changed, 258 insertions(+), 2 deletions(-)
 create mode 100644 examples/aws/iam.policies/basic-iam-user-permissions.json

diff --git a/examples/aws/iam.policies/basic-iam-user-permissions.json b/examples/aws/iam.policies/basic-iam-user-permissions.json
new file mode 100644
index 0000000..3df398d
--- /dev/null
+++ b/examples/aws/iam.policies/basic-iam-user-permissions.json
@@ -0,0 +1,246 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "AllowViewingAccountInformation",
+ "Effect": "Allow",
+ "Action": [
+ "iam:GetAccountPasswordPolicy",
+ "iam:GetAccountSummary",
+ "iam:ListAccountAliases"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "AllowViewingIamDashboard",
+ "Effect": "Allow",
+ "Action": [
+ "iam:ListAccessKeys",
+ "iam:ListMFADevices"
+ ],
+ "Resource": "arn:aws:iam::*:user/${aws:username}"
+ },
+ {
+ "Sid": "AllowViewingOwnSecurityCredentialsDashboard",
+ "Effect": "Allow",
+ "Action": [
+ "iam:GetLoginProfile",
+ "iam:GetMFADevice",
+ "iam:GetUser",
+ "iam:ListAccessKeys",
+ "iam:ListMFADevices",
+ "iam:ListServiceSpecificCredentials",
+ "iam:ListSigningCertificates",
+ "iam:ListSSHPublicKeys"
+ ],
+ "Resource": "arn:aws:iam::*:user/${aws:username}"
+ },
+ {
+ "Sid": "AllowManagingOwnConsolePassword",
+ "Effect": "Allow",
+ "Action": [
+ "iam:ChangePassword",
+ "iam:GetLoginProfile",
+ "iam:GetUser"
+ ],
+ "Resource": "arn:aws:iam::*:user/${aws:username}"
+ },
+ {
+ "Sid": "AllowEnablingOwnMfaNonVirtualDevices",
+ "Effect": "Allow",
+ "Action": [
+ "iam:EnableMFADevice",
+ "iam:GetMFADevice",
+ "iam:ListMFADevices"
+ ],
+ "Resource": "arn:aws:iam::*:user/${aws:username}"
+ },
+ {
+ "Sid": "AllowEnablingOwnMfaVirtualDevices",
+ "Effect": "Allow",
+ "Action": [
+ "iam:CreateVirtualMFADevice",
+ "iam:ListVirtualMFADevices"
+ ],
+ "Resource": "arn:aws:iam::*:mfa/*"
+ },
+ {
+ "Sid": "AllowManagingOwnUserDetails",
+ "Effect": "Allow",
+ "Action": [
+ "iam:GetUser",
+ "iam:ListUserTags"
+ ],
+ "Resource": "arn:aws:iam::*:user/${aws:username}",
+ "Condition": {
+ "BoolIfExists": {
+ "aws:MultiFactorAuthPresent": "true"
+ }
+ }
+ },
+ {
+ "Sid": "AllowViewingAccessAdvisorData",
+ "Effect": "Allow",
+ "Action": [
+ "iam:GenerateServiceLastAccessedDetails",
+ "iam:GetServiceLastAccessedDetails"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "BoolIfExists": {
+ "aws:MultiFactorAuthPresent": "true"
+ }
+ }
+ },
+ {
+ "Sid": "AllowViewingOwnUserPermissions",
+ "Effect": "Allow",
+ "Action": [
+ "iam:ListAttachedUserPolicies",
+ "iam:ListGroupsForUser",
+ "iam:ListPoliciesGrantingServiceAccess",
+ "iam:ListUserPolicies"
+ ],
+ "Resource": "arn:aws:iam::*:user/${aws:username}",
+ "Condition": {
+ "BoolIfExists": {
+ "aws:MultiFactorAuthPresent": "true"
+ }
+ }
+ },
+ {
+ "Sid": "AllowManagingOwnMfaNonVirtualDevices",
+ "Effect": "Allow",
+ "Action": [
+ "iam:DeactivateMFADevice",
+ "iam:EnableMFADevice",
+ "iam:GetMFADevice",
+ "iam:ListMFADevices",
+ "iam:ResyncMFADevice"
+ ],
+ "Resource": "arn:aws:iam::*:user/${aws:username}",
+ "Condition": {
+ "BoolIfExists": {
+ "aws:MultiFactorAuthPresent": "true"
+ }
+ }
+ },
+ {
+ "Sid": "AllowManagingOwnMfaVirtualDevices",
+ "Effect": "Allow",
+ "Action": [
+ "iam:CreateVirtualMFADevice",
+ "iam:DeleteVirtualMFADevice",
+ "iam:ListMFADeviceTags",
+ "iam:ListVirtualMFADevices",
+ "iam:TagMFADevice",
+ "iam:UntagMFADevice"
+ ],
+ "Resource": "arn:aws:iam::*:mfa/*",
+ "Condition": {
+ "BoolIfExists": {
+ "aws:MultiFactorAuthPresent": "true"
+ }
+ }
+ },
+ {
+ "Sid": "AllowManagingOwnAccessKeys",
+ "Effect": "Allow",
+ "Action": [
+ "iam:CreateAccessKey",
+ "iam:DeleteAccessKey",
+ "iam:GetAccessKeyLastUsed",
+ "iam:ListAccessKeys",
+ "iam:UpdateAccessKey"
+ ],
+ "Resource": "arn:aws:iam::*:user/${aws:username}",
+ "Condition": {
+ "BoolIfExists": {
+ "aws:MultiFactorAuthPresent": "true"
+ }
+ }
+ },
+ {
+ "Sid": "AllowManagingOwnSigningCertificates",
+ "Effect": "Allow",
+ "Action": [
+ "iam:DeleteSigningCertificate",
+ "iam:ListSigningCertificates",
+ "iam:UpdateSigningCertificate",
+ "iam:UploadSigningCertificate"
+ ],
+ "Resource": "arn:aws:iam::*:user/${aws:username}",
+ "Condition": {
+ "BoolIfExists": {
+ "aws:MultiFactorAuthPresent": "true"
+ }
+ }
+ },
+ {
+ "Sid": "AllowManagingOwnSshPublicKeys",
+ "Effect": "Allow",
+ "Action": [
+ "iam:DeleteSSHPublicKey",
+ "iam:GetSSHPublicKey",
+ "iam:ListSSHPublicKeys",
+ "iam:UpdateSSHPublicKey",
+ "iam:UploadSSHPublicKey"
+ ],
+ "Resource": "arn:aws:iam::*:user/${aws:username}",
+ "Condition": {
+ "BoolIfExists": {
+ "aws:MultiFactorAuthPresent": "true"
+ }
+ }
+ },
+ {
+ "Sid": "AllowManagingOwnGitCredentials",
+ "Effect": "Allow",
+ "Action": [
+ "iam:CreateServiceSpecificCredential",
+ "iam:DeleteServiceSpecificCredential",
+ "iam:ListServiceSpecificCredentials",
+ "iam:ResetServiceSpecificCredential",
+ "iam:UpdateServiceSpecificCredential"
+ ],
+ "Resource": "arn:aws:iam::*:user/${aws:username}",
+ "Condition": {
+ "BoolIfExists": {
+ "aws:MultiFactorAuthPresent": "true"
+ }
+ }
+ },
+ {
+ "Sid": "AllowViewingIamResources",
+ "Effect": "Allow",
+ "Action": [
+ "access-analyzer:ListPolicyGenerations",
+ "iam:GetGroup",
+ "iam:GetOpenIDConnectProvider",
+ "iam:GetPolicyVersion",
+ "iam:GetRole",
+ "iam:ListAttachedRolePolicies",
+ "iam:ListGroups",
+ "iam:ListOpenIDConnectProviders",
+ "iam:ListPolicies",
+ "iam:ListRolePolicies",
+ "iam:ListRoles",
+ "iam:ListRoleTags",
+ "iam:ListUsers"
+ ],
+ "Resource": [
+ "arn:aws:access-analyzer:us-east-1:*:*",
+ "arn:aws:iam::*:group/*",
+ "arn:aws:iam::*:oidc-provider/*",
+ "arn:aws:iam::*:policy/*",
+ "arn:aws:iam::*:role/*",
+ "arn:aws:iam::*:user/*"
+ ],
+ "Condition": {
+ "BoolIfExists": {
+ "aws:MultiFactorAuthPresent": "true"
+ }
+ }
+ }
+ ]
+}
diff --git a/knowledge base/cloud computing/aws/iam.md b/knowledge base/cloud computing/aws/iam.md
index 179d54f..8c456d7 100644
--- a/knowledge base/cloud computing/aws/iam.md
+++ b/knowledge base/cloud computing/aws/iam.md
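Review bot: Every MFA-gated statement from `AllowManagingOwnUserDetails` down to `AllowViewingIamResources` pairs `"Effect": "Allow"` with `"BoolIfExists": { "aws:MultiFactorAuthPresent": "true" }`, and `...IfExists` evaluates to true when the key is absent — which is exactly the case for requests signed with a long-term access key — so the MFA requirement does not hold for CLI/SDK use and the self-service statements such as `AllowManagingOwnAccessKeys` and `AllowManagingOwnMfaNonVirtualDevices` are reachable without a second factor. For an `Allow`, the operator should be `Bool`, i.e. replace each of those condition blocks with `"Bool": { "aws:MultiFactorAuthPresent": "true" }`; `BoolIfExists` is the right tool only in a `Deny` with `"false"`, and the unconditioned enrolment statements (`AllowEnablingOwnMfaNonVirtualDevices`, `AllowEnablingOwnMfaVirtualDevices`, `AllowManagingOwnConsolePassword`) should stay as they are so first-time setup still works. Separately, `iam:ListUsers`, `iam:ListGroups`, `iam:ListRoles`, `iam:ListPolicies` and `iam:ListOpenIDConnectProviders` in `AllowViewingIamResources`, and `iam:ListVirtualMFADevices` in the two virtual-MFA statements, appear to be account-level actions that IAM only authorises against `"Resource": "*"`, so they are likely not granted as written — worth confirming against the service authorization reference and moving them to a `"*"`-scoped statement if so. Since the policy document has no comment syntax, a line in the accompanying iam.md stating that this baseline enforces MFA via `Bool` on the `Allow` statements rather than via an explicit `Deny` would document the design choice.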
@@ -32,6 +32,10 @@ Check [aws.permissions.cloud] for a community-driven source of truth for AWS ide IAM does not expose policies' `Sid` element in the IAM API, so it can't be used to retrieve statements. +Watch out for explicit `Deny` statements, as they could prevent users from do seemingly completely unrelated things - +like accessing a Pulumi state file in a S3 bucket when an explicit `Deny` statement blocks IAM users from listing IAM +Groups when they are not logged in with MFA. + Examples:
@@ -229,7 +233,8 @@ UserId: AROA2HKHF74L72AABBCCDD:botocore-session-1234567890
 - [Using AWS CLI Securely with IAM Roles and MFA]
diff --git a/knowledge base/pulumi.md b/knowledge base/pulumi.md
index 75d5926..dbadd2d 100644
--- a/knowledge base/pulumi.md
+++ b/knowledge base/pulumi.md
@@ -889,6 +889,8 @@ Solution:
 ### `Attempting to deploy or update resources with X pending operations from previous deployment`
+Also see [Enable pulumi refresh to solve pending creates].
+
 Context: one gets this kind of warning during an `update` action.
 Warning message example:
@@ -919,6 +921,7 @@ Solution: follow the suggestion in the warning message:
 - [Code examples]
 - [Resources reference]
 - [Things I wish I knew earlier about Pulumi]
+- [Enable pulumi refresh to solve pending creates]
 ### Sources
@@ -939,7 +942,8 @@ Solution: follow the suggestion in the warning message:
 - [`pulumi config set-all`][pulumi config set-all]
@@ -962,6 +966,7 @@ Solution: follow the suggestion in the warning message:
 [code examples]: https://github.com/pulumi/examples
 [deletebeforereplace]: https://www.pulumi.com/docs/concepts/options/deletebeforereplace/
 [documentation]: https://www.pulumi.com/docs/
+[enable pulumi refresh to solve pending creates]: https://github.com/pulumi/pulumi/pull/10394
 [get started with pulumi policy as code]: https://www.pulumi.com/docs/using-pulumi/crossguard/get-started/
 [iac recommended practices: developer stacks and git branches]: https://www.pulumi.com/blog/iac-recommended-practices-developer-stacks-git-branches/
 [ignorechanges]: https://www.pulumi.com/docs/concepts/options/ignorechanges/