
https://github.com/ellerbrock/aws-iam-resources

:key: Collection of useful AWS IAM Resources & Policies
https://github.com/ellerbrock/aws-iam-resources

aws cloud cybersecurity iam identity-management infosec policy secops


![aws-iam-policies](https://s3-us-west-1.amazonaws.com/www.jcolemorrison.com/blog/posts/iam-nutshells-3-22-2017/post-head-white.png)

# Collection of useful AWS IAM Resources & Policies [![Build Status](https://travis-ci.org/ellerbrock/aws-iam-resources.svg?branch=master)](https://travis-ci.org/ellerbrock/aws-iam-resources)

## Links

- [IAM Policy Simulator](https://policysim.aws.amazon.com/home/index.jsp)
- [Policy Generator](https://awspolicygen.s3.amazonaws.com/policygen.html)
- [AWS Identity and Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html)
- [Policy Variables](https://docs.aws.amazon.com/de_de/IAM/latest/UserGuide/reference_policies_variables.html)
- [MFA API Protection](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html)
- [MFA S3 Delete](https://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html#MultiFactorAuthenticationDelete)
- [S3 Bucket Policies](https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html)
- [IAM Slack Notification](https://github.com/Signiant/aws-iam-slack-notifer)
- [Envelope Encryption](https://docs.aws.amazon.com/kms/latest/developerguide/workflow.html)
- [Security Token Service](https://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html)

## Policies

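### S3: Only Allow Access from Specific Users / Roles

Note: with `Deny` + `NotPrincipal`, every principal not listed is explicitly denied. The role ARN, its assumed-role session ARN and the account root must therefore all be listed (as they are below), otherwise the role's own sessions are locked out of the bucket.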

```json
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Deny",
"NotPrincipal": {"AWS": [
"arn:aws:sts::444455556666:assumed-role/cross-account-read-only-role/cross-account-audit-app",
"arn:aws:iam::444455556666:role/cross-account-read-only-role",
"arn:aws:iam::444455556666:root"
]},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::Bucket_AccountAudit",
"arn:aws:s3:::Bucket_AccountAudit/*"
]
}]
}
```

Source:

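### S3 Bucket Policy to Only Allow Encrypted Object Uploads

Note: the bucket name is missing from the `Resource` ARNs below (`arn:aws:s3:::/*`). Insert the target bucket, e.g. `arn:aws:s3:::YOUR_BUCKET_NAME/*`, or the statements cannot match the intended bucket. As written, only `AES256` (SSE-S3) uploads pass the first statement, so uploads that request SSE-KMS (`aws:kms`) are denied as well.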

```json
{
"Version": "2012-10-17",
"Id": "PutObjPolicy",
"Statement": [
{
"Sid": "DenyIncorrectEncryptionHeader",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::/*",
"Condition": {
"StringNotEquals": {
"s3:x-amz-server-side-encryption": "AES256"
}
}
},
{
"Sid": "DenyUnEncryptedObjectUploads",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::/*",
"Condition": {
"Null": {
"s3:x-amz-server-side-encryption": true
}
}
}
]
}
```

Source:

### Restrict S3 Bucket Access from VPC Endpoint

```json
{
"Version": "2012-10-17",
"Id": "Policy1415115909152",
"Statement": [
{
"Sid": "Access-to-specific-VPCE-only",
"Principal": "*",
"Action": "s3:*",
"Effect": "Deny",
"Resource": ["arn:aws:s3:::examplebucket",
"arn:aws:s3:::examplebucket/*"],
"Condition": {
"StringNotEquals": {
"aws:sourceVpce": "vpce-1a2b3c4d"
}
}
}
]
}
```

Source:

### Restrict S3 Bucket Access from VPC

```json
{
"Version": "2012-10-17",
"Id": "Policy1415115909153",
"Statement": [
{
"Sid": "Access-to-specific-VPC-only",
"Principal": "*",
"Action": "s3:*",
"Effect": "Deny",
"Resource": ["arn:aws:s3:::examplebucket",
"arn:aws:s3:::examplebucket/*"],
"Condition": {
"StringNotEquals": {
"aws:sourceVpc": "vpc-111bbb22"
}
}
}
]
}
```

Source:

### Granting Access After Recent MFA Authentication (GetSessionToken)

```json
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": ["ec2:*"],
"Resource": ["*"],
"Condition": {"NumericLessThan": {"aws:MultiFactorAuthAge": "3600"}}
}]
}
```

Source:

### Denying Access to Specific APIs Without Valid MFA Authentication (GetSessionToken)

```json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAllActionsForEC2",
"Effect": "Allow",
"Action": "ec2:*",
"Resource": "*"
},
{
"Sid": "DenyStopAndTerminateWhenMFAIsNotPresent",
"Effect": "Deny",
"Action": [
"ec2:StopInstances",
"ec2:TerminateInstances"
],
"Resource": "*",
"Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": false}}
}
]
}
```

Source:

### Denying Access to Specific APIs Without Recent Valid MFA Authentication (GetSessionToken)

```json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAllActionsForEC2",
"Effect": "Allow",
"Action": "ec2:*",
"Resource": "*"
},
{
"Sid": "DenyStopAndTerminateWhenMFAIsNotPresent",
"Effect": "Deny",
"Action": [
"ec2:StopInstances",
"ec2:TerminateInstances"
],
"Resource": "*",
"Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": false}}
},
{
"Sid": "DenyStopAndTerminateWhenMFAIsOlderThanOneHour",
"Effect": "Deny",
"Action": [
"ec2:StopInstances",
"ec2:TerminateInstances"
],
"Resource": "*",
"Condition": {"NumericGreaterThanIfExists": {"aws:MultiFactorAuthAge": "3600"}}
}
]
}
```

Source:

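### Granting an IAM User Permission to Pass an IAM Role to an Instance

Note: `iam:PassRole` with `"Resource": "*"` lets the user pass any role in the account, including roles more privileged than the user. For real use, restrict `Resource` to the specific role ARNs and consider adding an `iam:PassedToService` condition.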

```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:RunInstances",
"ec2:AssociateIamInstanceProfile",
"ec2:ReplaceIamInstanceProfileAssociation"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "*"
}
]
}
```

Source:

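### Denying Use of an STS Role Without Valid MFA Authentication

Note: this is a role trust policy. The account ID and principal name are missing from the `Principal` ARN below (`arn:aws:iam:::`) and must be filled in, e.g. `arn:aws:iam::ACCOUNT_ID:user/USER_NAME`.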

```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam:::"
},
"Action": "sts:AssumeRole",
"Condition": {
"Bool": {
"aws:MultiFactorAuthPresent": "true"
}
}
}
]
}
```

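### IP Restriction That Still Allows the User to Switch Roles

Note: because `sts:AssumeRole` is exempted, this restriction covers only the user's direct calls. A role the user assumes is governed by its own policies, so add an equivalent source-IP condition there if role sessions should be restricted too. The CIDR `123.123.123.123/24` has host bits set; the network address form is `123.123.123.0/24`.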

```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"NotAction": "sts:AssumeRole",
"Resource": "*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": [
"123.123.123.123/24"
]
}
}
}
]
}
```

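### Denies Access to AWS Based on the Source IP

Note: requests that AWS services make on the principal's behalf do not come from these ranges and are denied as well. AWS's published version of this example adds a `Bool` condition with `aws:ViaAWSService` set to `false` to exempt such calls; verify against the current documentation before use.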

```json
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": [
"192.0.2.0/24",
"203.0.113.0/24"
]
}
}
}
}
```

Source:

### Limit KMS Key Usage for defined Services only

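*This example allows use of the KMS key only for requests made through EC2 (EBS) and RDS in `us-west-2`. It is a single key-policy statement, not a complete policy document.*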

```json
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:user/ExampleUser"
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:CreateGrant",
"kms:ListGrants",
"kms:DescribeKey"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"kms:ViaService": [
"ec2.us-west-2.amazonaws.com",
"rds.us-west-2.amazonaws.com"
]
}
}
}
```

Source:

### Grant Permissions to AWS Service Catalog End Users

```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"servicecatalog:ProvisionProduct"
],
"Resource": "*"
}
]
}
```

Source:

### Limit Pushes and Merges to Branches in AWS CodeCommit

```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"codecommit:GitPush",
"codecommit:DeleteBranch",
"codecommit:PutFile",
"codecommit:MergePullRequestByFastForward"
],
"Resource": "arn:aws:codecommit:us-east-2:80398EXAMPLE:MyDemoRepo",
"Condition": {
"StringEqualsIfExists": {
"codecommit:References": [
"refs/heads/master",
"refs/heads/prod"
]
},
"Null": {
"codecommit:References": false
}
}
}
]
}
```

Source: