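AWSTemplateFormatVersion: '2010-09-09'
# Folded scalar (>-): newlines become spaces, no trailing newline, so the
# stack description stays a single line while the source wraps at ~80 cols.
Description: >-
  This is a sample template to help folks get started on AWS Cross Account
  Roles. By default all of the users in these groups only have IAM permissions
  to self manage IAM (password, Enable MFA, etc) and assume other roles
  (privilege escalation). MFA must be enabled to escalate privileges.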
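Resources:
  # Each group carries the self-service IAM policy, the ability to assume the
  # shared read-only role, and exactly one job-specific role policy.
  DeveloperGroup:
    Type: AWS::IAM::Group
    Properties:
      GroupName: DeveloperGroup
      ManagedPolicyArns:
        - !Ref IAMSelfManagePolicy
        - !Ref AssumeReadOnlyRolePolicy
        - !Ref AssumeDeveloperRolePolicy

  NetworkAdminGroup:
    Type: AWS::IAM::Group
    Properties:
      GroupName: NetworkAdminGroup
      ManagedPolicyArns:
        - !Ref IAMSelfManagePolicy
        - !Ref AssumeReadOnlyRolePolicy
        - !Ref AssumeNetworkAdminRolePolicy

  AWSAdminGroup:
    Type: AWS::IAM::Group
    Properties:
      GroupName: AWSAdminGroup
      ManagedPolicyArns:
        - !Ref IAMSelfManagePolicy
        - !Ref AssumeReadOnlyRolePolicy
        - !Ref AssumeAWSAdminRolePolicy

  # Lets a user manage only their own credentials and MFA device, plus the
  # read-only account lookups the console needs to render those pages.
  # ${!aws:username} is the Fn::Sub literal escape: CloudFormation emits the
  # IAM policy variable ${aws:username} unchanged, and IAM resolves it to the
  # calling user at request time, scoping each statement to that user's ARN.
  IAMSelfManagePolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: IAMSelfManagePolicy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          # Own access keys, SSH keys, console password.
          - Effect: Allow
            Action:
              - 'iam:*AccessKey*'
              - 'iam:*SSHPublicKey*'
              - 'iam:*LoginProfile'
              - 'iam:ChangePassword'
            Resource: !Sub 'arn:aws:iam::${AWS::AccountId}:user/${!aws:username}'
          # Account-wide list/get calls; these actions do not support
          # resource-level restriction, hence '*'.
          - Effect: Allow
            Action:
              - 'iam:GetAccountPasswordPolicy'
              - 'iam:ListAccount*'
              - 'iam:ListUsers'
              - 'iam:ListMFADevices'
              - 'iam:ListVirtualMFADevices'
              - 'iam:GetAccountSummary'
            Resource: '*'
          # Enable/disable/resync an MFA device on the user's own identity.
          - Effect: Allow
            Action:
              - 'iam:DeactivateMFADevice'
              - 'iam:EnableMFADevice'
              - 'iam:ResyncMFADevice'
            Resource: !Sub 'arn:aws:iam::${AWS::AccountId}:user/${!aws:username}'
          # Virtual MFA devices are their own resource type (mfa/<name>), so
          # both the user ARN and the matching mfa ARN are required.
          - Effect: Allow
            Action:
              - 'iam:DeleteVirtualMFADevice'
              - 'iam:CreateVirtualMFADevice'
            Resource:
              - !Sub 'arn:aws:iam::${AWS::AccountId}:user/${!aws:username}'
              - !Sub 'arn:aws:iam::${AWS::AccountId}:mfa/${!aws:username}'

  # Role-assumption policies. The role ARN uses a wildcard account ID so the
  # same group can reach the identically named role in every target account.
  #
  # The MFA condition uses Bool rather than BoolIfExists on purpose:
  # aws:MultiFactorAuthPresent is absent from requests signed with long-term
  # access keys, and BoolIfExists treats a missing key as a match, so an
  # Allow + BoolIfExists combination lets a user who creates an access key via
  # IAMSelfManagePolicy assume the role without MFA. Bool denies the request
  # when the key is missing, which is what the template description promises.
  AssumeDeveloperRolePolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: AssumeDeveloperRolePolicy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - 'sts:AssumeRole'
            Resource: 'arn:aws:iam::*:role/DeveloperRole'
            Condition:
              Bool:
                aws:MultiFactorAuthPresent: 'true'

  AssumeReadOnlyRolePolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: AssumeReadOnlyRolePolicy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - 'sts:AssumeRole'
            Resource: 'arn:aws:iam::*:role/ReadOnlyRole'
            Condition:
              Bool:
                aws:MultiFactorAuthPresent: 'true'

  AssumeNetworkAdminRolePolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: AssumeNetworkAdminRolePolicy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - 'sts:AssumeRole'
            Resource: 'arn:aws:iam::*:role/NetworkAdminRole'
            Condition:
              Bool:
                aws:MultiFactorAuthPresent: 'true'

  AssumeAWSAdminRolePolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: AssumeAWSAdminRolePolicy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - 'sts:AssumeRole'
            Resource: 'arn:aws:iam::*:role/AWSAdminRole'
            Condition:
              Bool:
                aws:MultiFactorAuthPresent: 'true'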