chore(examples/aws): basic iam user permissions for humans

This commit is contained in:
Michele Cereda
2024-09-13 20:13:43 +02:00
parent f9612d4c5f
commit 31c313b3ac
3 changed files with 258 additions and 2 deletions


@@ -0,0 +1,246 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowViewingAccountInformation",
"Effect": "Allow",
"Action": [
"iam:GetAccountPasswordPolicy",
"iam:GetAccountSummary",
"iam:ListAccountAliases"
],
"Resource": "*"
},
{
"Sid": "AllowViewingIamDashboard",
"Effect": "Allow",
"Action": [
"iam:ListAccessKeys",
"iam:ListMFADevices"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowViewingOwnSecurityCredentialsDashboard",
"Effect": "Allow",
"Action": [
"iam:GetLoginProfile",
"iam:GetMFADevice",
"iam:GetUser",
"iam:ListAccessKeys",
"iam:ListMFADevices",
"iam:ListServiceSpecificCredentials",
"iam:ListSigningCertificates",
"iam:ListSSHPublicKeys"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManagingOwnConsolePassword",
"Effect": "Allow",
"Action": [
"iam:ChangePassword",
"iam:GetLoginProfile",
"iam:GetUser"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowEnablingOwnMfaNonVirtualDevices",
"Effect": "Allow",
"Action": [
"iam:EnableMFADevice",
"iam:GetMFADevice",
"iam:ListMFADevices"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowEnablingOwnMfaVirtualDevices",
"Effect": "Allow",
"Action": [
"iam:CreateVirtualMFADevice",
"iam:ListVirtualMFADevices"
],
"Resource": "arn:aws:iam::*:mfa/*"
},
{
"Sid": "AllowManagingOwnUserDetails",
"Effect": "Allow",
"Action": [
"iam:GetUser",
"iam:ListUserTags"
],
"Resource": "arn:aws:iam::*:user/${aws:username}",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "true"
}
}
},
{
"Sid": "AllowViewingAccessAdvisorData",
"Effect": "Allow",
"Action": [
"iam:GenerateServiceLastAccessedDetails",
"iam:GetServiceLastAccessedDetails"
],
"Resource": "*",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "true"
}
}
},
{
"Sid": "AllowViewingOwnUserPermissions",
"Effect": "Allow",
"Action": [
"iam:ListAttachedUserPolicies",
"iam:ListGroupsForUser",
"iam:ListPoliciesGrantingServiceAccess",
"iam:ListUserPolicies"
],
"Resource": "arn:aws:iam::*:user/${aws:username}",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "true"
}
}
},
{
"Sid": "AllowManagingOwnMfaNonVirtualDevices",
"Effect": "Allow",
"Action": [
"iam:DeactivateMFADevice",
"iam:EnableMFADevice",
"iam:GetMFADevice",
"iam:ListMFADevices",
"iam:ResyncMFADevice"
],
"Resource": "arn:aws:iam::*:user/${aws:username}",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "true"
}
}
},
{
"Sid": "AllowManagingOwnMfaVirtualDevices",
"Effect": "Allow",
"Action": [
"iam:CreateVirtualMFADevice",
"iam:DeleteVirtualMFADevice",
"iam:ListMFADeviceTags",
"iam:ListVirtualMFADevices",
"iam:TagMFADevice",
"iam:UntagMFADevice"
],
"Resource": "arn:aws:iam::*:mfa/*",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "true"
}
}
},
{
"Sid": "AllowManagingOwnAccessKeys",
"Effect": "Allow",
"Action": [
"iam:CreateAccessKey",
"iam:DeleteAccessKey",
"iam:GetAccessKeyLastUsed",
"iam:ListAccessKeys",
"iam:UpdateAccessKey"
],
"Resource": "arn:aws:iam::*:user/${aws:username}",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "true"
}
}
},
{
"Sid": "AllowManagingOwnSigningCertificates",
"Effect": "Allow",
"Action": [
"iam:DeleteSigningCertificate",
"iam:ListSigningCertificates",
"iam:UpdateSigningCertificate",
"iam:UploadSigningCertificate"
],
"Resource": "arn:aws:iam::*:user/${aws:username}",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "true"
}
}
},
{
"Sid": "AllowManagingOwnSshPublicKeys",
"Effect": "Allow",
"Action": [
"iam:DeleteSSHPublicKey",
"iam:GetSSHPublicKey",
"iam:ListSSHPublicKeys",
"iam:UpdateSSHPublicKey",
"iam:UploadSSHPublicKey"
],
"Resource": "arn:aws:iam::*:user/${aws:username}",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "true"
}
}
},
{
"Sid": "AllowManagingOwnGitCredentials",
"Effect": "Allow",
"Action": [
"iam:CreateServiceSpecificCredential",
"iam:DeleteServiceSpecificCredential",
"iam:ListServiceSpecificCredentials",
"iam:ResetServiceSpecificCredential",
"iam:UpdateServiceSpecificCredential"
],
"Resource": "arn:aws:iam::*:user/${aws:username}",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "true"
}
}
},
{
"Sid": "AllowViewingIamResources",
"Effect": "Allow",
"Action": [
"access-analyzer:ListPolicyGenerations",
"iam:GetGroup",
"iam:GetOpenIDConnectProvider",
"iam:GetPolicyVersion",
"iam:GetRole",
"iam:ListAttachedRolePolicies",
"iam:ListGroups",
"iam:ListOpenIDConnectProviders",
"iam:ListPolicies",
"iam:ListRolePolicies",
"iam:ListRoles",
"iam:ListRoleTags",
"iam:ListUsers"
],
"Resource": [
"arn:aws:access-analyzer:us-east-1:*:*",
"arn:aws:iam::*:group/*",
"arn:aws:iam::*:oidc-provider/*",
"arn:aws:iam::*:policy/*",
"arn:aws:iam::*:role/*",
"arn:aws:iam::*:user/*"
],
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "true"
}
}
}
]
}
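Review bot: The MFA gate used from `AllowManagingOwnUserDetails` through `AllowViewingIamResources` does not bind requests signed with a user's long-term access keys: `aws:MultiFactorAuthPresent` is absent from such requests and `BoolIfExists` treats an absent key as satisfied, so a caller holding only an access key can still exercise `AllowManagingOwnAccessKeys` (`iam:CreateAccessKey`, `iam:UpdateAccessKey`), `AllowManagingOwnSshPublicKeys` and `AllowManagingOwnGitCredentials` without a second factor. Where MFA is meant to be mandatory for these credential-issuing actions, use `"Bool": { "aws:MultiFactorAuthPresent": "true" }`, which is not satisfied when the key is missing, and reserve `BoolIfExists` for statements that must also serve long-term-credential API use. Separately, `AllowEnablingOwnMfaNonVirtualDevices` and `AllowEnablingOwnMfaVirtualDevices` already grant `iam:EnableMFADevice`, `iam:GetMFADevice`, `iam:ListMFADevices`, `iam:CreateVirtualMFADevice` and `iam:ListVirtualMFADevices` unconditionally, so repeating them inside the MFA-gated `AllowManagingOwnMfa*` statements adds nothing; since IAM JSON cannot carry comments, a sentence in the accompanying README stating that the unconditioned statements exist for MFA bootstrapping would make that layering explicit. The `us-east-1` hard-coded in the `access-analyzer` resource ARN also looks like it may be a leftover from one deployment rather than intended for an example policy — worth confirming whether a region wildcard is meant.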


@@ -32,6 +32,10 @@ Check [aws.permissions.cloud] for a community-driven source of truth for AWS ide
IAM does not expose policies' `Sid` element in the IAM API, so it can't be used to retrieve statements. IAM does not expose policies' `Sid` element in the IAM API, so it can't be used to retrieve statements.
Watch out for explicit `Deny` statements, as they could prevent users from do seemingly completely unrelated things -
like accessing a Pulumi state file in a S3 bucket when an explicit `Deny` statement blocks IAM users from listing IAM
Groups when they are not logged in with MFA.
Examples: Examples:
<details> <details>
@@ -229,7 +233,8 @@ UserId: AROA2HKHF74L72AABBCCDD:botocore-session-1234567890
- [Using AWS CLI Securely with IAM Roles and MFA] - [Using AWS CLI Securely with IAM Roles and MFA]
<!-- <!--
References Reference
═╬═Time══
--> -->
<!-- In-article sections --> <!-- In-article sections -->


@@ -889,6 +889,8 @@ Solution:
### `Attempting to deploy or update resources with X pending operations from previous deployment` ### `Attempting to deploy or update resources with X pending operations from previous deployment`
Also see [Enable pulumi refresh to solve pending creates].
Context: one gets this kind of warning during an `update` action. Context: one gets this kind of warning during an `update` action.
Warning message example: Warning message example:
@@ -919,6 +921,7 @@ Solution: follow the suggestion in the warning message:
- [Code examples] - [Code examples]
- [Resources reference] - [Resources reference]
- [Things I wish I knew earlier about Pulumi] - [Things I wish I knew earlier about Pulumi]
- [Enable pulumi refresh to solve pending creates]
### Sources ### Sources
@@ -939,7 +942,8 @@ Solution: follow the suggestion in the warning message:
- [`pulumi config set-all`][pulumi config set-all] - [`pulumi config set-all`][pulumi config set-all]
<!-- <!--
References Reference
═╬═Time══
--> -->
<!-- In-article sections --> <!-- In-article sections -->
@@ -962,6 +966,7 @@ Solution: follow the suggestion in the warning message:
[code examples]: https://github.com/pulumi/examples [code examples]: https://github.com/pulumi/examples
[deletebeforereplace]: https://www.pulumi.com/docs/concepts/options/deletebeforereplace/ [deletebeforereplace]: https://www.pulumi.com/docs/concepts/options/deletebeforereplace/
[documentation]: https://www.pulumi.com/docs/ [documentation]: https://www.pulumi.com/docs/
[enable pulumi refresh to solve pending creates]: https://github.com/pulumi/pulumi/pull/10394
[get started with pulumi policy as code]: https://www.pulumi.com/docs/using-pulumi/crossguard/get-started/ [get started with pulumi policy as code]: https://www.pulumi.com/docs/using-pulumi/crossguard/get-started/
[iac recommended practices: developer stacks and git branches]: https://www.pulumi.com/blog/iac-recommended-practices-developer-stacks-git-branches/ [iac recommended practices: developer stacks and git branches]: https://www.pulumi.com/blog/iac-recommended-practices-developer-stacks-git-branches/
[ignorechanges]: https://www.pulumi.com/docs/concepts/options/ignorechanges/ [ignorechanges]: https://www.pulumi.com/docs/concepts/options/ignorechanges/