mirror of
https://gitea.com/mcereda/oam.git
synced 2026-02-09 05:44:23 +00:00
247 lines
7.9 KiB
JSON
247 lines
7.9 KiB
JSON
{
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Sid": "AllowViewingAccountInformation",
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"iam:GetAccountPasswordPolicy",
|
|
"iam:GetAccountSummary",
|
|
"iam:ListAccountAliases"
|
|
],
|
|
"Resource": "*"
|
|
},
|
|
{
|
|
"Sid": "AllowViewingIamDashboard",
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"iam:ListAccessKeys",
|
|
"iam:ListMFADevices"
|
|
],
|
|
"Resource": "arn:aws:iam::*:user/${aws:username}"
|
|
},
|
|
{
|
|
"Sid": "AllowViewingOwnSecurityCredentialsDashboard",
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"iam:GetLoginProfile",
|
|
"iam:GetMFADevice",
|
|
"iam:GetUser",
|
|
"iam:ListAccessKeys",
|
|
"iam:ListMFADevices",
|
|
"iam:ListServiceSpecificCredentials",
|
|
"iam:ListSigningCertificates",
|
|
"iam:ListSSHPublicKeys"
|
|
],
|
|
"Resource": "arn:aws:iam::*:user/${aws:username}"
|
|
},
|
|
{
|
|
"Sid": "AllowManagingOwnConsolePassword",
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"iam:ChangePassword",
|
|
"iam:GetLoginProfile",
|
|
"iam:GetUser"
|
|
],
|
|
"Resource": "arn:aws:iam::*:user/${aws:username}"
|
|
},
|
|
{
|
|
"Sid": "AllowEnablingOwnMfaNonVirtualDevices",
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"iam:EnableMFADevice",
|
|
"iam:GetMFADevice",
|
|
"iam:ListMFADevices"
|
|
],
|
|
"Resource": "arn:aws:iam::*:user/${aws:username}"
|
|
},
|
|
{
|
|
"Sid": "AllowEnablingOwnMfaVirtualDevices",
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"iam:CreateVirtualMFADevice",
|
|
"iam:ListVirtualMFADevices"
|
|
],
|
|
"Resource": "arn:aws:iam::*:mfa/*"
|
|
},
|
|
{
|
|
"Sid": "AllowManagingOwnUserDetails",
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"iam:GetUser",
|
|
"iam:ListUserTags"
|
|
],
|
|
"Resource": "arn:aws:iam::*:user/${aws:username}",
|
|
"Condition": {
|
|
"BoolIfExists": {
|
|
"aws:MultiFactorAuthPresent": "true"
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"Sid": "AllowViewingAccessAdvisorData",
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"iam:GenerateServiceLastAccessedDetails",
|
|
"iam:GetServiceLastAccessedDetails"
|
|
],
|
|
"Resource": "*",
|
|
"Condition": {
|
|
"BoolIfExists": {
|
|
"aws:MultiFactorAuthPresent": "true"
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"Sid": "AllowViewingOwnUserPermissions",
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"iam:ListAttachedUserPolicies",
|
|
"iam:ListGroupsForUser",
|
|
"iam:ListPoliciesGrantingServiceAccess",
|
|
"iam:ListUserPolicies"
|
|
],
|
|
"Resource": "arn:aws:iam::*:user/${aws:username}",
|
|
"Condition": {
|
|
"BoolIfExists": {
|
|
"aws:MultiFactorAuthPresent": "true"
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"Sid": "AllowManagingOwnMfaNonVirtualDevices",
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"iam:DeactivateMFADevice",
|
|
"iam:EnableMFADevice",
|
|
"iam:GetMFADevice",
|
|
"iam:ListMFADevices",
|
|
"iam:ResyncMFADevice"
|
|
],
|
|
"Resource": "arn:aws:iam::*:user/${aws:username}",
|
|
"Condition": {
|
|
"BoolIfExists": {
|
|
"aws:MultiFactorAuthPresent": "true"
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"Sid": "AllowManagingOwnMfaVirtualDevices",
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"iam:CreateVirtualMFADevice",
|
|
"iam:DeleteVirtualMFADevice",
|
|
"iam:ListMFADeviceTags",
|
|
"iam:ListVirtualMFADevices",
|
|
"iam:TagMFADevice",
|
|
"iam:UntagMFADevice"
|
|
],
|
|
"Resource": "arn:aws:iam::*:mfa/*",
|
|
"Condition": {
|
|
"BoolIfExists": {
|
|
"aws:MultiFactorAuthPresent": "true"
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"Sid": "AllowManagingOwnAccessKeys",
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"iam:CreateAccessKey",
|
|
"iam:DeleteAccessKey",
|
|
"iam:GetAccessKeyLastUsed",
|
|
"iam:ListAccessKeys",
|
|
"iam:UpdateAccessKey"
|
|
],
|
|
"Resource": "arn:aws:iam::*:user/${aws:username}",
|
|
"Condition": {
|
|
"BoolIfExists": {
|
|
"aws:MultiFactorAuthPresent": "true"
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"Sid": "AllowManagingOwnSigningCertificates",
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"iam:DeleteSigningCertificate",
|
|
"iam:ListSigningCertificates",
|
|
"iam:UpdateSigningCertificate",
|
|
"iam:UploadSigningCertificate"
|
|
],
|
|
"Resource": "arn:aws:iam::*:user/${aws:username}",
|
|
"Condition": {
|
|
"BoolIfExists": {
|
|
"aws:MultiFactorAuthPresent": "true"
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"Sid": "AllowManagingOwnSshPublicKeys",
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"iam:DeleteSSHPublicKey",
|
|
"iam:GetSSHPublicKey",
|
|
"iam:ListSSHPublicKeys",
|
|
"iam:UpdateSSHPublicKey",
|
|
"iam:UploadSSHPublicKey"
|
|
],
|
|
"Resource": "arn:aws:iam::*:user/${aws:username}",
|
|
"Condition": {
|
|
"BoolIfExists": {
|
|
"aws:MultiFactorAuthPresent": "true"
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"Sid": "AllowManagingOwnGitCredentials",
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"iam:CreateServiceSpecificCredential",
|
|
"iam:DeleteServiceSpecificCredential",
|
|
"iam:ListServiceSpecificCredentials",
|
|
"iam:ResetServiceSpecificCredential",
|
|
"iam:UpdateServiceSpecificCredential"
|
|
],
|
|
"Resource": "arn:aws:iam::*:user/${aws:username}",
|
|
"Condition": {
|
|
"BoolIfExists": {
|
|
"aws:MultiFactorAuthPresent": "true"
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"Sid": "AllowViewingIamResources",
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"access-analyzer:ListPolicyGenerations",
|
|
"iam:GetGroup",
|
|
"iam:GetOpenIDConnectProvider",
|
|
"iam:GetPolicyVersion",
|
|
"iam:GetRole",
|
|
"iam:ListAttachedRolePolicies",
|
|
"iam:ListGroups",
|
|
"iam:ListOpenIDConnectProviders",
|
|
"iam:ListPolicies",
|
|
"iam:ListRolePolicies",
|
|
"iam:ListRoles",
|
|
"iam:ListRoleTags",
|
|
"iam:ListUsers"
|
|
],
|
|
"Resource": [
|
|
"arn:aws:access-analyzer:us-east-1:*:*",
|
|
"arn:aws:iam::*:group/*",
|
|
"arn:aws:iam::*:oidc-provider/*",
|
|
"arn:aws:iam::*:policy/*",
|
|
"arn:aws:iam::*:role/*",
|
|
"arn:aws:iam::*:user/*"
|
|
],
|
|
"Condition": {
|
|
"BoolIfExists": {
|
|
"aws:MultiFactorAuthPresent": "true"
|
|
}
|
|
}
|
|
}
|
|
]
|
|
}
|