brandon/oam
1
0
Fork 0
mirror of https://gitea.com/mcereda/oam.git synced 2026-02-08 21:34:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

chore(examples/aws): basic iam user permissions for humans

Browse Source
This commit is contained in:
Michele Cereda
2024-09-13 20:13:43 +02:00
parent f9612d4c5f
commit 31c313b3ac
3 changed files with 258 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

246
examples/aws/iam.policies/basic-iam-user-permissions.json Normal file
View File

@@ -0,0 +1,246 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowViewingAccountInformation",
"Effect": "Allow",
"Action": [
"iam:GetAccountPasswordPolicy",
"iam:GetAccountSummary",
"iam:ListAccountAliases"
],
"Resource": "*"
},
{
"Sid": "AllowViewingIamDashboard",
"Effect": "Allow",
"Action": [
"iam:ListAccessKeys",
"iam:ListMFADevices"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowViewingOwnSecurityCredentialsDashboard",
"Effect": "Allow",
"Action": [
"iam:GetLoginProfile",
"iam:GetMFADevice",
"iam:GetUser",
"iam:ListAccessKeys",
"iam:ListMFADevices",
"iam:ListServiceSpecificCredentials",
"iam:ListSigningCertificates",
"iam:ListSSHPublicKeys"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManagingOwnConsolePassword",
"Effect": "Allow",
"Action": [
"iam:ChangePassword",
"iam:GetLoginProfile",
"iam:GetUser"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowEnablingOwnMfaNonVirtualDevices",
"Effect": "Allow",
"Action": [
"iam:EnableMFADevice",
"iam:GetMFADevice",
"iam:ListMFADevices"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowEnablingOwnMfaVirtualDevices",
"Effect": "Allow",
"Action": [
"iam:CreateVirtualMFADevice",
"iam:ListVirtualMFADevices"
],
"Resource": "arn:aws:iam::*:mfa/*"
},
{
"Sid": "AllowManagingOwnUserDetails",
"Effect": "Allow",
"Action": [
"iam:GetUser",
"iam:ListUserTags"
],
"Resource": "arn:aws:iam::*:user/${aws:username}",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "true"
}
}
},
{
"Sid": "AllowViewingAccessAdvisorData",
"Effect": "Allow",
"Action": [
"iam:GenerateServiceLastAccessedDetails",
"iam:GetServiceLastAccessedDetails"
],
"Resource": "*",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "true"
}
}
},
{
"Sid": "AllowViewingOwnUserPermissions",
"Effect": "Allow",
"Action": [
"iam:ListAttachedUserPolicies",
"iam:ListGroupsForUser",
"iam:ListPoliciesGrantingServiceAccess",
"iam:ListUserPolicies"
],
"Resource": "arn:aws:iam::*:user/${aws:username}",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "true"
}
}
},
{
"Sid": "AllowManagingOwnMfaNonVirtualDevices",
"Effect": "Allow",
"Action": [
"iam:DeactivateMFADevice",
"iam:EnableMFADevice",
"iam:GetMFADevice",
"iam:ListMFADevices",
"iam:ResyncMFADevice"
],
"Resource": "arn:aws:iam::*:user/${aws:username}",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "true"
}
}
},
{
"Sid": "AllowManagingOwnMfaVirtualDevices",
"Effect": "Allow",
"Action": [
"iam:CreateVirtualMFADevice",
"iam:DeleteVirtualMFADevice",
"iam:ListMFADeviceTags",
"iam:ListVirtualMFADevices",
"iam:TagMFADevice",
"iam:UntagMFADevice"
],
"Resource": "arn:aws:iam::*:mfa/*",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "true"
}
}
},
{
"Sid": "AllowManagingOwnAccessKeys",
"Effect": "Allow",
"Action": [
"iam:CreateAccessKey",
"iam:DeleteAccessKey",
"iam:GetAccessKeyLastUsed",
"iam:ListAccessKeys",
"iam:UpdateAccessKey"
],
"Resource": "arn:aws:iam::*:user/${aws:username}",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "true"
}
}
},
{
"Sid": "AllowManagingOwnSigningCertificates",
"Effect": "Allow",
"Action": [
"iam:DeleteSigningCertificate",
"iam:ListSigningCertificates",
"iam:UpdateSigningCertificate",
"iam:UploadSigningCertificate"
],
"Resource": "arn:aws:iam::*:user/${aws:username}",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "true"
}
}
},
{
"Sid": "AllowManagingOwnSshPublicKeys",
"Effect": "Allow",
"Action": [
"iam:DeleteSSHPublicKey",
"iam:GetSSHPublicKey",
"iam:ListSSHPublicKeys",
"iam:UpdateSSHPublicKey",
"iam:UploadSSHPublicKey"
],
"Resource": "arn:aws:iam::*:user/${aws:username}",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "true"
}
}
},
{
"Sid": "AllowManagingOwnGitCredentials",
"Effect": "Allow",
"Action": [
"iam:CreateServiceSpecificCredential",
"iam:DeleteServiceSpecificCredential",
"iam:ListServiceSpecificCredentials",
"iam:ResetServiceSpecificCredential",
"iam:UpdateServiceSpecificCredential"
],
"Resource": "arn:aws:iam::*:user/${aws:username}",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "true"
}
}
},
{
"Sid": "AllowViewingIamResources",
"Effect": "Allow",
"Action": [
"access-analyzer:ListPolicyGenerations",
"iam:GetGroup",
"iam:GetOpenIDConnectProvider",
"iam:GetPolicyVersion",
"iam:GetRole",
"iam:ListAttachedRolePolicies",
"iam:ListGroups",
"iam:ListOpenIDConnectProviders",
"iam:ListPolicies",
"iam:ListRolePolicies",
"iam:ListRoles",
"iam:ListRoleTags",
"iam:ListUsers"
],
"Resource": [
"arn:aws:access-analyzer:us-east-1:*:*",
"arn:aws:iam::*:group/*",
"arn:aws:iam::*:oidc-provider/*",
"arn:aws:iam::*:policy/*",
"arn:aws:iam::*:role/*",
"arn:aws:iam::*:user/*"
],
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "true"
}
}
}
]
}