{"id":13820655,"url":"https://github.com/ellerbrock/aws-iam-resources","last_synced_at":"2025-04-14T01:21:13.487Z","repository":{"id":71783012,"uuid":"128053050","full_name":"ellerbrock/aws-iam-resources","owner":"ellerbrock","description":":key: Collection of useful AWS IAM Resources \u0026 Policies","archived":false,"fork":false,"pushed_at":"2019-05-16T05:02:40.000Z","size":28,"stargazers_count":22,"open_issues_count":0,"forks_count":4,"subscribers_count":5,"default_branch":"master","last_synced_at":"2025-03-27T15:21:23.591Z","etag":null,"topics":["aws","cloud","cybersecurity","iam","identity-management","infosec","policy","secops"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ellerbrock.png","metadata":{"files":{"readme":"readme.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-04-04T11:32:54.000Z","updated_at":"2024-07-06T06:46:56.000Z","dependencies_parsed_at":null,"dependency_job_id":"e1daeeef-4e07-4504-8eee-35eed747aa56","html_url":"https://github.com/ellerbrock/aws-iam-resources","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ellerbrock%2Faws-iam-resources","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ellerbrock%2Faws-iam-resources/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ellerbrock%2Faws-iam-resources/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ellerbrock%2Faws-iam-resources/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ellerbrock","download_url":"https://codeload.github.com/ellerbrock/aws-iam-resources/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248805418,"owners_count":21164327,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","cloud","cybersecurity","iam","identity-management","infosec","policy","secops"],"created_at":"2024-08-04T08:01:06.676Z","updated_at":"2025-04-14T01:21:13.460Z","avatar_url":"https://github.com/ellerbrock.png","language":null,"funding_links":[],"categories":["Others"],"sub_categories":[],"readme":"![aws-iam-policies](https://s3-us-west-1.amazonaws.com/www.jcolemorrison.com/blog/posts/iam-nutshells-3-22-2017/post-head-white.png)\n\n# Collection of useful AWS IAM Resources \u0026 Policies [![Build Status](https://travis-ci.org/ellerbrock/aws-iam-resources.svg?branch=master)](https://travis-ci.org/ellerbrock/aws-iam-resources)\n\n## Links\n\n- [IAM Policy Simulator](https://policysim.aws.amazon.com/home/index.jsp)\n- [Policy Generator](https://awspolicygen.s3.amazonaws.com/policygen.html)\n- [AWS Identity and Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html)\n- [Policies Variables](https://docs.aws.amazon.com/de_de/IAM/latest/UserGuide/reference_policies_variables.html)\n- [MFA API Protection](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html)\n- [MFA S3 Delete](https://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html#MultiFactorAuthenticationDelete)\n- [S3 Bucket Policies](https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html)\n- [IAM Slack Notification](https://github.com/Signiant/aws-iam-slack-notifer)\n- [Envelope Encryption](https://docs.aws.amazon.com/kms/latest/developerguide/workflow.html)\n- [Security Token Service](https://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html)\n\n## Policies\n\n### S3 Only Allow Access from Users / Role\n\n```json\n{\n    \"Version\": \"2012-10-17\",\n    \"Statement\": [{\n        \"Effect\": \"Deny\",\n        \"NotPrincipal\": {\"AWS\": [\n            \"arn:aws:sts::444455556666:assumed-role/cross-account-read-only-role/cross-account-audit-app\",\n            \"arn:aws:iam::444455556666:role/cross-account-read-only-role\",\n            \"arn:aws:iam::444455556666:root\"\n        ]},\n        \"Action\": \"s3:*\",\n        \"Resource\": [\n            \"arn:aws:s3:::Bucket_AccountAudit\",\n            \"arn:aws:s3:::Bucket_AccountAudit/*\"\n        ]\n    }]\n}\n```\n\nSource: \u003chttps://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notprincipal.html#specifying-notprincipal\u003e\n\n### S3 Bucket Policy to Only Allow Encrypted Object Uploads\n\n```json\n{\n     \"Version\": \"2012-10-17\",\n     \"Id\": \"PutObjPolicy\",\n     \"Statement\": [\n           {\n                \"Sid\": \"DenyIncorrectEncryptionHeader\",\n                \"Effect\": \"Deny\",\n                \"Principal\": \"*\",\n                \"Action\": \"s3:PutObject\",\n                \"Resource\": \"arn:aws:s3:::\u003cbucket_name\u003e/*\",\n                \"Condition\": {\n                        \"StringNotEquals\": {\n                               \"s3:x-amz-server-side-encryption\": \"AES256\"\n                         }\n                }\n           },\n           {\n                \"Sid\": \"DenyUnEncryptedObjectUploads\",\n                \"Effect\": \"Deny\",\n                \"Principal\": \"*\",\n                \"Action\": \"s3:PutObject\",\n                \"Resource\": \"arn:aws:s3:::\u003cbucket_name\u003e/*\",\n                \"Condition\": {\n                        \"Null\": {\n                               \"s3:x-amz-server-side-encryption\": true\n                        }\n               }\n           }\n     ]\n }\n```\n\nSource: \u003chttps://aws.amazon.com/de/blogs/security/how-to-prevent-uploads-of-unencrypted-objects-to-amazon-s3/\u003e\n\n\n### Restrict S3 Bucket Access from VPC Endpoint\n\n```json\n{\n   \"Version\": \"2012-10-17\",\n   \"Id\": \"Policy1415115909152\",\n   \"Statement\": [\n     {\n       \"Sid\": \"Access-to-specific-VPCE-only\",\n       \"Principal\": \"*\",\n       \"Action\": \"s3:*\",\n       \"Effect\": \"Deny\",\n       \"Resource\": [\"arn:aws:s3:::examplebucket\",\n                    \"arn:aws:s3:::examplebucket/*\"],\n       \"Condition\": {\n         \"StringNotEquals\": {\n           \"aws:sourceVpce\": \"vpce-1a2b3c4d\"\n         }\n       }\n     }\n   ]\n}\n```\n\nSource: \u003chttps://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies-vpc-endpoint.html#example-bucket-policies-restrict-accesss-vpc-endpoint\u003e\n\n\n### Restrict S3 Bucket Access from VPC\n\n```json\n{\n   \"Version\": \"2012-10-17\",\n   \"Id\": \"Policy1415115909153\",\n   \"Statement\": [\n     {\n       \"Sid\": \"Access-to-specific-VPC-only\",\n       \"Principal\": \"*\",\n       \"Action\": \"s3:*\",\n       \"Effect\": \"Deny\",\n       \"Resource\": [\"arn:aws:s3:::examplebucket\",\n                    \"arn:aws:s3:::examplebucket/*\"],\n       \"Condition\": {\n         \"StringNotEquals\": {\n           \"aws:sourceVpc\": \"vpc-111bbb22\"\n         }\n       }\n     }\n   ]\n}\n```\n\nSource: \u003chttps://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies-vpc-endpoint.html#example-bucket-policies-restrict-access-vpc\u003e\n\n### Granting Access After Recent MFA Authentication (GetSessionToken)\n\n```json\n{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [{\n    \"Effect\": \"Allow\",\n    \"Action\": [\"ec2:*\"],\n    \"Resource\": [\"*\"],\n    \"Condition\": {\"NumericLessThan\": {\"aws:MultiFactorAuthAge\": \"3600\"}}\n  }]\n}\n```\n\nSource: \u003chttps://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_sample-policies.html#ExampleMFAforIAMUserAge\u003e\n\n\n### Denying Access to Specific APIs Without Valid MFA Authentication (GetSessionToken)\n\n```json\n{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Sid\": \"AllowAllActionsForEC2\",\n      \"Effect\": \"Allow\",\n      \"Action\": \"ec2:*\",\n      \"Resource\": \"*\"\n    },\n    {\n      \"Sid\": \"DenyStopAndTerminateWhenMFAIsNotPresent\",\n      \"Effect\": \"Deny\",\n      \"Action\": [\n        \"ec2:StopInstances\",\n        \"ec2:TerminateInstances\"\n      ],\n      \"Resource\": \"*\",\n      \"Condition\": {\"BoolIfExists\": {\"aws:MultiFactorAuthPresent\": false}}\n    }\n  ]\n}\n```\n\nSource: \u003chttps://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_sample-policies.html#ExampleMFAforResource\u003e\n\n\n### Denying Access to Specific APIs Without Recent Valid MFA Authentication (GetSessionToken)\n\n```json\n{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Sid\": \"AllowAllActionsForEC2\",\n      \"Effect\": \"Allow\",\n      \"Action\": \"ec2:*\",\n      \"Resource\": \"*\"\n    },\n    {\n      \"Sid\": \"DenyStopAndTerminateWhenMFAIsNotPresent\",\n      \"Effect\": \"Deny\",\n      \"Action\": [\n        \"ec2:StopInstances\",\n        \"ec2:TerminateInstances\"\n      ],\n      \"Resource\": \"*\",\n      \"Condition\": {\"BoolIfExists\": {\"aws:MultiFactorAuthPresent\": false}}\n    },\n    {\n      \"Sid\": \"DenyStopAndTerminateWhenMFAIsOlderThanOneHour\",\n      \"Effect\": \"Deny\",\n      \"Action\": [\n        \"ec2:StopInstances\",\n        \"ec2:TerminateInstances\"\n      ],\n      \"Resource\": \"*\",\n      \"Condition\": {\"NumericGreaterThanIfExists\": {\"aws:MultiFactorAuthAge\": \"3600\"}}\n    }\n  ]\n}\n```\n\nSource: \u003chttps://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_sample-policies.html#ExampleMFADenyNotRecent\u003e\n\n\n### Granting an IAM User Permission to Pass an IAM Role to an Instance\n\n```json\n{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": [\n         \"ec2:RunInstances\",\n         \"ec2:AssociateIamInstanceProfile\",\n         \"ec2:ReplaceIamInstanceProfileAssociation\"\n      ],\n      \"Resource\": \"*\"\n    },\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": \"iam:PassRole\",\n      \"Resource\": \"*\"\n    }\n  ]\n}\n```\n\nSource: \u003chttps://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#permission-to-pass-iam-roles\u003e\n\n\n### Denying Using a STS Rolle Without Valid MFA Authentication\n\n```json\n{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"AWS\": \"arn:aws:iam::\u003cACCOUNT_ID\u003e:\u003cUSERNAME\u003e\"\n      },\n      \"Action\": \"sts:AssumeRole\",\n      \"Condition\": {\n        \"Bool\": {\n          \"aws:MultiFactorAuthPresent\": \"true\"\n        }\n      }\n    }\n  ]\n}\n```\n\n\n### IP restriction but allow User to switch Role\n\n```json\n{\n    \"Version\": \"2012-10-17\",\n    \"Statement\": [\n        {\n            \"Effect\": \"Deny\",\n            \"NotAction\": \"sts:AssumeRole\",\n            \"Resource\": \"*\",\n            \"Condition\": {\n                \"NotIpAddress\": {\n                     \"aws:SourceIp\": [\n                         \"123.123.123.123/24\"\n                     ]\n                }\n             }\n         }\n     ]\n}\n```\n\n\n### Denies Access to AWS Based on the Source IP\n\n```json\n{\n    \"Version\": \"2012-10-17\",\n    \"Statement\": {\n        \"Effect\": \"Deny\",\n        \"Action\": \"*\",\n        \"Resource\": \"*\",\n        \"Condition\": {\n            \"NotIpAddress\": {\n                \"aws:SourceIp\": [\n                    \"192.0.2.0/24\",\n                    \"203.0.113.0/24\"\n                ]\n            }\n        }\n    }\n}\n```\n\nSource: \u003chttps://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_deny-ip.html\u003e\n\n\n### Limit KMS Key Usage for defined Services only\n\n*In this example allow KMS usage only for EBS and RDS.*\n\n```json\n{\n  \"Effect\": \"Allow\",\n  \"Principal\": {\n    \"AWS\": \"arn:aws:iam::111122223333:user/ExampleUser\"\n  },\n  \"Action\": [\n    \"kms:Encrypt\",\n    \"kms:Decrypt\",\n    \"kms:ReEncrypt*\",\n    \"kms:GenerateDataKey*\",\n    \"kms:CreateGrant\",\n    \"kms:ListGrants\",\n    \"kms:DescribeKey\"\n  ],\n  \"Resource\": \"*\",\n  \"Condition\": {\n    \"StringEquals\": {\n      \"kms:ViaService\": [\n        \"ec2.us-west-2.amazonaws.com\",\n        \"rds.us-west-2.amazonaws.com\"\n      ]\n    }\n  }\n}\n```\n\nSource: \u003chttps://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-via-service\u003e\n\n\n### Grant Permissions to AWS Service Catalog End Users\n\n```json\n{\n    \"Version\": \"2012-10-17\",\n    \"Statement\": [\n        {\n            \"Effect\": \"Allow\",\n            \"Action\": [\n                \"servicecatalog:ProvisionProduct\"\n            ],\n            \"Resource\": \"*\"\n        }\n    ]\n}\n```\n\nSource: \u003chttps://docs.aws.amazon.com/servicecatalog/latest/adminguide/getstarted-iamenduser.html\u003e\n\n### Limit Pushes and Merges to Branches in AWS CodeCommit\n\n```json\n{\n    \"Version\": \"2012-10-17\",\n    \"Statement\": [\n        {\n            \"Effect\": \"Deny\",\n            \"Action\": [\n                \"codecommit:GitPush\",\n                \"codecommit:DeleteBranch\",\n                \"codecommit:PutFile\",\n                \"codecommit:MergePullRequestByFastForward\"\n            ],\n            \"Resource\": \"arn:aws:codecommit:us-east-2:80398EXAMPLE:MyDemoRepo\",\n            \"Condition\": {\n                \"StringEqualsIfExists\": {\n                    \"codecommit:References\": [\n                        \"refs/heads/master\", \n                        \"refs/heads/prod\"\n                     ]\n                },\n                \"Null\": {\n                    \"codecommit:References\": false\n                }\n            }\n        }\n    ]\n}\n```\n\nSource: \u003chttps://docs.aws.amazon.com/codecommit/latest/userguide/how-to-conditional-branch.html\u003e\n\n\n\u003c!--\n\n### \n\n```json\n```\n\nSource: \u003c\u003e\n\n--\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fellerbrock%2Faws-iam-resources","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fellerbrock%2Faws-iam-resources","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fellerbrock%2Faws-iam-resources/lists"}