aw:cloudformation_policy
aw:cloudformation_policy [30/12/2024 22:36] – created andrewaw:cloudformation_policy [02/01/2025 15:51] (current) andrew
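--- a/aw:cloudformation_policy
+++ b/aw:cloudformation_policy
@@ -1,2 +1,244 @@
 ====== IAM Policy ======
 
+Developer Policy to allow devs to inspect prod logs but not change deployed code.
+
+
+===== Policy =====
+
+dev_gr.yaml
+<code yaml>
+---
+AWSTemplateFormatVersion: "2010-09-09"
+
+Description:
+  Stack to add policy and group to allow developers limited access to environments for debugging.
+
+Parameters:
+  Environment:
+    Description: The environment type
+    Type: String
+    Default: sandbox
+    AllowedValues:
+      - production
+      - dev
+      - staging
+    ConstraintDescription: must be production, staging or dev
+
+Mappings:
+  NameToEnv:
+    production:
+      Account: "123443211234"
+    dev:
+      Account: "543223455432"
+    staging:
+      Account: "987667899876"
+
+Resources:
+  Developers:
+    Type: AWS::IAM::Group
+    Properties:
+      GroupName: Devs
+      Path: /
+
+
+  DevsPolicy:
+    Type: "AWS::IAM::ManagedPolicy"
+    DependsOn: Developers
+    Properties:
+      Description: Policy to allow minimal access to Staging for Dev
+      ManagedPolicyName: "Devs"
+      Path: /
+      Groups:
+        - Devs
+      PolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Action:
+              - "logs:DescribeDestinations"
+              - "logs:DescribeExportTasks"
+              - "logs:DescribeLogGroups"
+              - "logs:DescribeLogStreams"
+              - "logs:DescribeMetricFilters"
+              - "logs:DescribeQueries"
+              - "logs:DescribeQueryDefinitions"
+              - "logs:DescribeResourcePolicies"
+              - "logs:DescribeSubscriptionFilters"
+              - "logs:ListLogDeliveries"
+              - "logs:ListTagsLogGroup"
+              - "logs:FilterLogEvents"
+              - "logs:GetLogDelivery"
+              - "logs:GetLogEvents"
+              - "logs:GetLogGroupFields"
+              - "logs:GetLogRecord"
+              - "logs:GetQueryResults"
+              - "logs:StartQuery"
+              - "logs:StopQuery"
+              - "logs:TestMetricFilter"
+            Effect: Allow
+            Resource:
+              - '*'
+
+
+
+          - Action:
+              - "lambda:ListAliases"
+              - "lambda:ListCodeSigningConfigs"
+              - "lambda:ListEventSourceMappings"
+              - "lambda:ListFunctionEventInvokeConfigs"
+              - "lambda:ListFunctions"
+              - "lambda:ListFunctionsByCodeSigningConfig"
+              - "lambda:ListLayers"
+              - "lambda:ListLayerVersions"
+              - "lambda:ListProvisionedConcurrencyConfigs"
+              - "lambda:ListVersionsByFunction"
+              - "lambda:GetAccountSettings"
+              - "lambda:GetAlias"
+              - "lambda:GetCodeSigningConfig"
+              - "lambda:GetEventSourceMapping"
+              - "lambda:GetFunction"
+              - "lambda:GetFunctionCodeSigningConfig"
+              - "lambda:GetFunctionConcurrency"
+              - "lambda:GetFunctionConfiguration"
+              - "lambda:GetFunctionEventInvokeConfig"
+              - "lambda:GetLayerVersion"
+              - "lambda:GetLayerVersionPolicy"
+              - "lambda:GetPolicy"
+              - "lambda:GetProvisionedConcurrencyConfig"
+              - "lambda:ListTags"
+              - "lambda:InvokeFunction"
+            Effect: Allow
+            Resource:
+              - '*'
+
+          - Action:
+              - "apigateway:GET"
+            Effect: Allow
+            Resource:
+              - "*"
+
+          - Action:
+              - "appsync:ListFunctions"
+              - "appsync:ListGraphqlApis"
+              - "appsync:ListTypes"
+              - "appsync:ListDataSources"
+              - "appsync:ListApiKeys"
+              - "appsync:ListResolversByFunction"
+              - "appsync:ListResolvers"
+            Effect: Allow
+            Resource:
+              - '*'
+
+
+          - Action:
+              - "iam:ChangePassword"
+              - "iam:ListPolicies"
+              - "iam:ListRoleTags"
+              - "iam:ListGroupsForUser"
+              - "iam:GetAccessKeyLastUsed"
+              - "iam:ListRoles"
+              - "iam:ListUsers"
+              - "iam:ListGroups"
+              - "iam:ListRolePolicies"
+              - "iam:ListAccessKeys"
+              - "iam:ListSSHPublicKeys"
+              - "iam:ListAccessKeys"
+              - "iam:ListServiceSpecificCredentials"
+            Effect: Allow
+            Resource:
+              - '*'
+
+          - Action:
+              - "ssm:DescribeParameters"
+              - "ssm:GetParameter"
+              - "ssm:GetParameterHistory"
+              - "ssm:ListTagsForResource"
+            Effect: Allow
+            Resource:
+              - "*"
+
+          - Action:
+              - "s3:Get*"
+              - "s3:List*"
+            Effect: Allow
+            Resource:
+              - "*"
+
+          - Action:
+              - "cloudformation:Describe*"
+              - "cloudformation:EstimateTemplateCost"
+              - "cloudformation:Get*"
+              - "cloudformation:List*"
+              - "cloudformation:ValidateTemplate"
+              - "cloudformation:Detect*"
+            Effect: Allow
+            Resource:
+              - "*"
+
+          - Action:
+              - "ec2:Describe*"
+              - "elasticloadbalancing:Describe*"
+              - "cloudwatch:ListMetrics"
+              - "cloudwatch:GetMetricStatistics"
+              - "cloudwatch:Describe*"
+              - "autoscaling:Describe*"
+            Effect: Allow
+            Resource:
+              - "*"
+
+          - Action:
+              - "rds:Describe*"
+              - "rds:ListTagsForResource"
+              - "ec2:DescribeAccountAttributes"
+              - "ec2:DescribeAvailabilityZones"
+              - "ec2:DescribeInternetGateways"
+              - "ec2:DescribeSecurityGroups"
+              - "ec2:DescribeSubnets"
+              - "ec2:DescribeVpcAttribute"
+              - "ec2:DescribeVpcs"
+              - "cloudwatch:GetMetricStatistics"
+              - "logs:DescribeLogStreams"
+              - "logs:GetLogEvents"
+            Effect: Allow
+            Resource:
+              - "*"
+</code>
+
+
+
+===== Deploy Script =====
+
+Shel script to deploy policy
+
+deploy_stack.sh
+<code bash>
+#!/bin/bash
+#Written Andrew Stringer
+#Purpose to deploy a cloudformation stack from the cli.
+
+STACK_NAME='Dev-a'
+TEMPLATE_BODY='file://dev_gr.yaml'
+REGION='eu-west-2'
+PROFILE=$1
+
+TAGS="Key=Name,Value=${STACK_NAME} Key=Build_Method,Value=CloudFormation"
+
+echo "Using ${PROFILE}."
+
+#Test $1 exists
+if [ -z "$PROFILE" ]; then
+ echo "Your AWS Profile is not set, using default"
+ PROFILE=default
+fi
+
+# who am i?
+aws sts get-caller-identity --profile ${PROFILE}
+
+aws cloudformation update-stack \
+        --stack-name ${STACK_NAME} \
+        --template-body ${TEMPLATE_BODY} \
+        --region ${REGION} \
+        --profile ${PROFILE} \
+        --capabilities CAPABILITY_NAMED_IAM \
+        --tags ${TAGS}
+exit
+</code>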
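Review bot: The policy is not the inspect-only grant its description claims, because `lambda:InvokeFunction` on `Resource: '*'` in the lambda statement lets every member of `Devs` execute any function in the account under that function's execution role, and `iam:ChangePassword` on `'*'` in the iam statement lets them change the console password of any IAM user, not just their own. The same wildcard resources turn several "read" calls into secret disclosure: `ssm:GetParameter`/`ssm:GetParameterHistory` on `'*'` can return decrypted SecureString values (including earlier versions), `appsync:ListApiKeys` returns AppSync key values, `apigateway:GET` on `'*'` covers `/apikeys` and stage variables, and `s3:Get*` on `'*'` reads every object in every bucket including deployment artifacts. The `Environment` parameter and the `NameToEnv` mapping are never referenced by `!Ref`/`!FindInMap`, so nothing in the template actually narrows the grant per environment, and the iam statement lists `iam:ListAccessKeys` twice while the last statement repeats `logs:DescribeLogStreams`, `logs:GetLogEvents` and `cloudwatch:GetMetricStatistics` already granted above. The rewrite below drops `InvokeFunction` and `ListApiKeys`, moves `ChangePassword` into its own statement scoped to `arn:…:user/${aws:username}`, and uses the otherwise-dead `Environment` parameter to scope SSM and S3 reads (the parameter and bucket naming convention is assumed, so confirm it against the actual stacks). In the deploy script, `update-stack` fails when the stack does not exist yet (`aws cloudformation deploy --template-file dev_gr.yaml --stack-name "${STACK_NAME}" --capabilities CAPABILITY_NAMED_IAM` handles create-or-update), and `echo "Using ${PROFILE}."` runs before the default is applied, so it prints `Using .` on a bare invocation.

```yaml
          # … unchanged: logs statement …

          - Action:
              # lambda:InvokeFunction removed: it runs deployed code, it does not inspect it
              - "lambda:ListAliases"
              # … unchanged: remaining lambda List*/Get* actions …
              - "lambda:ListTags"
            Effect: Allow
            Resource:
              - '*'

          # … unchanged: apigateway statement (consider denying /apikeys) …

          - Action:
              # appsync:ListApiKeys removed: it returns key values
              - "appsync:ListFunctions"
              - "appsync:ListGraphqlApis"
              - "appsync:ListTypes"
              - "appsync:ListDataSources"
              - "appsync:ListResolversByFunction"
              - "appsync:ListResolvers"
            Effect: Allow
            Resource:
              - '*'

          - Action:
              - "iam:ListPolicies"
              - "iam:ListRoleTags"
              - "iam:ListGroupsForUser"
              - "iam:GetAccessKeyLastUsed"
              - "iam:ListRoles"
              - "iam:ListUsers"
              - "iam:ListGroups"
              - "iam:ListRolePolicies"
              - "iam:ListAccessKeys"
              - "iam:ListSSHPublicKeys"
              - "iam:ListServiceSpecificCredentials"
            Effect: Allow
            Resource:
              - '*'

          # Password changes limited to the caller's own user
          - Action:
              - "iam:ChangePassword"
            Effect: Allow
            Resource:
              - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:user/${!aws:username}"

          # DescribeParameters only works against '*'; value reads are scoped below
          - Action:
              - "ssm:DescribeParameters"
            Effect: Allow
            Resource:
              - '*'

          - Action:
              - "ssm:GetParameter"
              - "ssm:GetParameterHistory"
              - "ssm:ListTagsForResource"
            Effect: Allow
            Resource:
              # NOTE(review): assumes parameters are named /<environment>/… and that
              # secrets live under a different prefix — confirm before deploying
              - !Sub "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${Environment}/*"

          - Action:
              - "s3:ListAllMyBuckets"
            Effect: Allow
            Resource:
              - '*'

          - Action:
              - "s3:GetObject"
              - "s3:ListBucket"
            Effect: Allow
            Resource:
              # replace <log-bucket> with the bucket(s) devs actually need to read
              - "arn:aws:s3:::<log-bucket>"
              - "arn:aws:s3:::<log-bucket>/*"

          # … unchanged: cloudformation / ec2 / rds statements (drop the repeated
          # logs:* and cloudwatch:GetMetricStatistics entries from the last one) …
```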
  
aw/cloudformation_policy.1735598167.txt.gz · Last modified: by andrew