From 3109ec19398ace591d6b42734150b57f51fb57db Mon Sep 17 00:00:00 2001
From: Cameron Bates
Date: Thu, 26 Jun 2025 10:58:54 -0400
Subject: [PATCH] Replace policy with external links

---
 .../iam-resources/aws-console.md | 329 +-----------------
 1 file changed, 2 insertions(+), 327 deletions(-)

diff --git a/content/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/aws-console.md b/content/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/aws-console.md
index 8451e29938..6ec47dbfa9 100644
--- a/content/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/aws-console.md
+++ b/content/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/aws-console.md
@@ -29,82 +29,7 @@ Follow the steps to [create an IAM policy using the JSON editor](https://docs.aw
 - In **Specify permissions**, select **JSON**, and then enter the contents of the RedisLabsInstanceRolePolicy.json policy file:
 {{< scrollable-code >}}
-```js
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "DescribeReadOnlyEc2Resources",
- "Effect": "Allow",
- "Action": [
- "ec2:DescribeAvailabilityZones",
- "ec2:DescribeRegions",
- "ec2:DescribeSecurityGroups",
- "ec2:DescribeTags",
- "ec2:DescribeVolumes"
- ],
- "Resource": [
- "*"
- ]
- },
- {
- "Sid": "EC2EBSActions",
- "Effect": "Allow",
- "Action": [
- "ec2:AttachVolume",
- "ec2:CreateVolume"
- ],
- "Resource": [
- "*"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/RedisLabsIdentifier": "Redislabs-VPC"
- }
- }
- },
- {
- "Sid": "SecurityGroupAccessActions",
- "Effect": "Allow",
- "Action": [
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:DeleteSecurityGroup"
- ],
- "Resource": "*",
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/RedisLabsIdentifier": "Redislabs-VPC"
- }
- }
- },
- {
- "Sid": "TagResourcesCreation",
- "Effect": "Allow",
- "Action": [
- "ec2:CreateTags"
- ],
- "Resource": [
- "*"
- ]
- },
- {
- "Sid": "TagResourcesDelete",
- "Effect": "Allow",
- "Action": [
- "ec2:DeleteTags"
- ],
- "Resource": [
- "*"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/RedisLabsIdentifier": "Redislabs-VPC"
- }
- }
- }
- ]
-}
-```
+{{< external-json "https://raw.githubusercontent.com/Redislabs-Solution-Architects/cloudformation-aws-Redislabs-Cloud-Account-IAM-Resources/refs/heads/master/RedisLabsInstanceRolePolicy.json" >}}
 {{< /scrollable-code >}}
 - In **Review and Create**, enter `RedisLabsInstanceRolePolicy` in the **Policy name** field.
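Review bot: The added `external-json` shortcode fetches the policy from `refs/heads/master`, a mutable reference, so the JSON shown here — and pasted into IAM by readers — is whatever that branch holds at each docs build, and any change in the external repository alters the granted permissions without a review in this one; the second hunk's `RedislabsIAMUserRestrictedPolicy.json` URL has the same issue. Pin each URL to an immutable commit, e.g. `{{< external-json "https://raw.githubusercontent.com/Redislabs-Solution-Architects/cloudformation-aws-Redislabs-Cloud-Account-IAM-Resources/<COMMIT_SHA>/RedisLabsInstanceRolePolicy.json" >}}` (placeholder), and bump it deliberately when the policy changes. Since the inline JSON leaves this repository, permission changes will no longer appear in its history, so a short sentence pointing readers to the upstream file's history would preserve that audit trail. In the second hunk the surrounding prose names the file `RedisLabsIAMUserRestrictedPolicy.json` while the URL uses `RedislabsIAMUserRestrictedPolicy.json`; raw GitHub paths are case-sensitive, so confirm the URL matches the upstream filename. How `external-json` behaves when the fetch fails, and whether it renders the fetched text as an escaped code block rather than as markup, is not visible in this diff and is worth checking before relying on it for security-relevant content.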
@@ -135,257 +60,7 @@ Follow the steps to [create an IAM policy using the JSON editor](https://docs.aw
 - In **Specify permissions**, select **JSON**, and then enter the contents of the RedisLabsIAMUserRestrictedPolicy.json policy file:
 {{< scrollable-code >}}
-```json
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "DescribeReadOnlyEc2Resources",
- "Effect": "Allow",
- "Action": [
- "ec2:DescribeAvailabilityZones",
- "ec2:DescribeInstanceTypeOfferings",
- "ec2:DescribeRegions",
- "ec2:DescribeInstances",
- "ec2:DescribeVolumes",
- "ec2:DescribeSnapshots",
- "ec2:DescribeVpcs",
- "ec2:DescribeSubnets",
- "ec2:DescribeSecurityGroups",
- "ec2:DescribeRouteTables",
- "ec2:DescribeInternetGateways",
- "ec2:DescribeImages",
- "ec2:DescribeTransitGatewayVpcAttachments",
- "ec2:DescribeVpcPeeringConnections",
- "ec2:DescribeKeyPairs",
- "ec2:DescribeTransitGateways",
- "ec2:DescribeInstanceStatus",
- "ec2:DescribeNetworkAcls"
- ],
- "Resource": "*"
- },
- {
- "Sid": "CloudWatchReadOnly",
- "Effect": "Allow",
- "Action": [
- "cloudwatch:Describe*",
- "cloudwatch:Get*",
- "cloudwatch:List*"
- ],
- "Resource": "*"
- },
- {
- "Sid": "IamUserOperations",
- "Effect": "Allow",
- "Action": [
- "iam:GetUser",
- "iam:GetUserPolicy",
- "iam:ChangePassword"
- ],
- "Resource": "arn:aws:iam::*:user/${aws:username}"
- },
- {
- "Sid": "RolePolicyUserReadActions",
- "Action": [
- "iam:GetRole",
- "iam:GetPolicy",
- "iam:ListUsers",
- "iam:ListPolicies",
- "iam:ListRolePolicies",
- "iam:ListAttachedRolePolicies",
- "iam:ListInstanceProfiles",
- "iam:ListInstanceProfilesForRole",
- "iam:SimulatePrincipalPolicy"
- ],
- "Effect": "Allow",
- "Resource": "*"
- },
- {
- "Sid": "PassRlClusterNodeRole",
- "Effect": "Allow",
- "Action": "iam:PassRole",
- "Resource": "arn:aws:iam::*:role/redislabs-cluster-node-role"
- },
- {
- "Sid": "CreateEc2ResourcesWithoutTag",
- "Effect": "Allow",
- "Action": [
- "ec2:CreateTags",
- "ec2:RunInstances",
- "ec2:ImportKeyPair",
- "ec2:CreateKeyPair",
- "ec2:CreateVpc",
- "ec2:CreateSecurityGroup",
- "ec2:CreateInternetGateway",
- "ec2:CreateRouteTable",
- "ec2:CreateSubnet",
- "ec2:CreateSnapshot",
- "ec2:CreateTransitGateway",
- "ec2:AssociateVpcCidrBlock",
- "ec2:CreateTransitGatewayVpcAttachment",
- "ec2:AttachInternetGateway",
- "ec2:ReplaceRoute"
- ],
- "Resource": "*"
- },
- {
- "Sid": "ForceUnderlyingResourcesToHaveIdentifierTags",
- "Effect": "Deny",
- "Action": [
- "ec2:RunInstances",
- "ec2:CreateKeyPair"
- ],
- "Resource": [
- "arn:aws:ec2:*:*:instance/*",
- "arn:aws:ec2:*:*:volume/*",
- "arn:aws:ec2:*:*:keypair/*"
- ],
- "Condition": {
- "Null": {
- "aws:RequestTag/RedisLabsIdentifier": "true"
- }
- }
- },
- {
- "Sid": "AllowVpcPeeringManagement",
- "Effect": "Allow",
- "Action": [
- "ec2:CreateVpcPeeringConnection",
- "ec2:AcceptVpcPeeringConnection"
- ],
- "Resource": "*"
- },
- {
- "Sid": "AllowVpcPeeringDeletion",
- "Effect": "Allow",
- "Action": [
- "ec2:DeleteVpcPeeringConnection"
- ],
- "Resource": "*",
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/RedisLabsIdentifier": "Redislabs-VPC"
- }
- }
- },
- {
- "Sid": "CreateEc2Resources",
- "Effect": "Allow",
- "Action": [
- "ec2:CreateVolume",
- "ec2:CreateRoute",
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:AuthorizeSecurityGroupEgress"
- ],
- "Resource": "*",
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/RedisLabsIdentifier": "Redislabs-VPC"
- }
- }
- },
- {
- "Sid": "ModifyEc2Resources",
- "Effect": "Allow",
- "Action": [
- "ec2:AttachVolume",
- "ec2:ModifyInstanceAttribute",
- "ec2:ModifySubnetAttribute",
- "ec2:AssociateRouteTable",
- "ec2:StartInstances",
- "ec2:StopInstances",
- "ec2:RebootInstances"
- ],
- "Resource": "*",
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/RedisLabsIdentifier": "Redislabs-VPC"
- }
- }
- },
- {
- "Sid": "DeleteEc2Resources",
- "Effect": "Allow",
- "Action": [
- "ec2:TerminateInstances",
- "ec2:DeleteVolume",
- "ec2:DeleteSnapshot",
- "ec2:DetachVolume",
- "ec2:DeleteKeyPair",
- "ec2:DeleteTags",
- "ec2:DeleteSubnet",
- "ec2:DeleteSecurityGroup",
- "ec2:DeleteRouteTable",
- "ec2:DeleteRoute",
- "ec2:DeleteInternetGateway",
- "ec2:DeleteVpc"
- ],
- "Resource": "*",
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/RedisLabsIdentifier": "Redislabs-VPC"
- }
- }
- },
- {
- "Sid": "DeleteEc2ResourcesWithoutTag",
- "Effect": "Allow",
- "Action": [
- "ec2:RevokeSecurityGroupIngress",
- "ec2:RejectVpcPeeringConnection",
- "ec2:DeleteTransitGatewayVpcAttachment",
- "ec2:DeleteTransitGateway",
- "ec2:DetachInternetGateway"
- ],
- "Resource": "*"
- },
- {
- "Sid": "CreateAndChangeServiceLinkedRoleForTransitGateway",
- "Effect": "Allow",
- "Action": "iam:CreateServiceLinkedRole",
- "Resource": "arn:aws:iam::*:role/aws-service-role/transitgateway.amazonaws.com/AWSServiceRoleForVPCTransitGateway*",
- "Condition": {
- "StringLike": {
- "iam:AWSServiceName": "transitgateway.amazonaws.com"
- }
- }
- },
- {
- "Sid": "RolePolicyForTransitGateway",
- "Effect": "Allow",
- "Action": [
- "iam:AttachRolePolicy",
- "iam:PutRolePolicy"
- ],
- "Resource": "arn:aws:iam::*:role/aws-service-role/transitgateway.amazonaws.com/AWSServiceRoleForVPCTransitGateway*"
- },
- {
- "Sid": "AllowEncryptedVolumeCreation",
- "Effect": "Allow",
- "Action": [
- "kms:GenerateDataKeyWithoutPlaintext",
- "kms:DescribeKey"
- ],
- "Resource": "*"
- },
- {
- "Sid": "AllowAttachDetachOfEncryptedVolumes",
- "Effect": "Allow",
- "Action": [
- "kms:CreateGrant",
- "kms:ListGrants",
- "kms:RevokeGrant"
- ],
- "Resource": "*",
- "Condition": {
- "Bool": {
- "kms:GrantIsForAWSResource": "true"
- }
- }
- }
- ]
-}
-```
+{{< external-json "https://raw.githubusercontent.com/Redislabs-Solution-Architects/cloudformation-aws-Redislabs-Cloud-Account-IAM-Resources/refs/heads/master/RedislabsIAMUserRestrictedPolicy.json" >}}
 {{< /scrollable-code >}}
 - In **Review and Create**, enter `RedislabsIAMUserRestrictedPolicy` in the **Policy name** field.