====== IAM Policy ======
Developer policy that allows developers to inspect production logs but not change deployed code.
===== Policy =====
dev_gr.yaml
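---
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Stack to add policy and group to allow developers limited access to
  environments for debugging.

Parameters:
  # NOTE: neither this parameter nor the NameToEnv mapping below is
  # referenced by any resource in this template; the parameter currently only
  # restricts what a caller may pass in.
  Environment:
    Description: The environment type
    Type: String
    # The previous default ("sandbox") was not one of the AllowedValues, so a
    # deploy that relied on the default failed parameter validation.
    Default: dev
    AllowedValues:
      - production
      - dev
      - staging
    ConstraintDescription: must be production, staging or dev

Mappings:
  # Account ID per environment name. Not consumed by any FindInMap here.
  NameToEnv:
    production:
      Account: "123443211234"
    dev:
      Account: "543223455432"
    staging:
      Account: "987667899876"

Resources:
  # The group developers are placed in; the managed policy below attaches to it.
  Developers:
    Type: AWS::IAM::Group
    Properties:
      GroupName: Devs
      Path: /

  # Customer-managed policy attached to the Devs group. Every statement is
  # scoped to Resource "*", so "limited" means limited by action, not by
  # resource: each grant applies account-wide, in whichever account the stack
  # is deployed to.
  DevsPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: Policy to allow minimal access to Staging for Dev
      ManagedPolicyName: Devs
      Path: /
      Groups:
        # Referencing the group resource creates the dependency implicitly,
        # so an explicit DependsOn is not needed.
        - !Ref Developers
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # CloudWatch Logs: read-only (describe, query, read events).
          - Sid: LogsReadOnly
            Effect: Allow
            Action:
              - "logs:DescribeDestinations"
              - "logs:DescribeExportTasks"
              - "logs:DescribeLogGroups"
              - "logs:DescribeLogStreams"
              - "logs:DescribeMetricFilters"
              - "logs:DescribeQueries"
              - "logs:DescribeQueryDefinitions"
              - "logs:DescribeResourcePolicies"
              - "logs:DescribeSubscriptionFilters"
              - "logs:ListLogDeliveries"
              - "logs:ListTagsLogGroup"
              - "logs:FilterLogEvents"
              - "logs:GetLogDelivery"
              - "logs:GetLogEvents"
              - "logs:GetLogGroupFields"
              - "logs:GetLogRecord"
              - "logs:GetQueryResults"
              - "logs:StartQuery"
              - "logs:StopQuery"
              - "logs:TestMetricFilter"
            Resource:
              - "*"

          # Lambda: configuration/code inspection plus invocation.
          # lambda:InvokeFunction is the one non-read action in this policy;
          # on Resource "*" it lets the group execute any function in the
          # account, production included. If it is needed for debugging,
          # consider restricting Resource for this action to specific
          # function ARNs.
          - Sid: LambdaReadAndInvoke
            Effect: Allow
            Action:
              - "lambda:ListAliases"
              - "lambda:ListCodeSigningConfigs"
              - "lambda:ListEventSourceMappings"
              - "lambda:ListFunctionEventInvokeConfigs"
              - "lambda:ListFunctions"
              - "lambda:ListFunctionsByCodeSigningConfig"
              - "lambda:ListLayers"
              - "lambda:ListLayerVersions"
              - "lambda:ListProvisionedConcurrencyConfigs"
              - "lambda:ListVersionsByFunction"
              - "lambda:GetAccountSettings"
              - "lambda:GetAlias"
              - "lambda:GetCodeSigningConfig"
              - "lambda:GetEventSourceMapping"
              - "lambda:GetFunction"
              - "lambda:GetFunctionCodeSigningConfig"
              - "lambda:GetFunctionConcurrency"
              - "lambda:GetFunctionConfiguration"
              - "lambda:GetFunctionEventInvokeConfig"
              - "lambda:GetLayerVersion"
              - "lambda:GetLayerVersionPolicy"
              - "lambda:GetPolicy"
              - "lambda:GetProvisionedConcurrencyConfig"
              - "lambda:ListTags"
              - "lambda:InvokeFunction"
            Resource:
              - "*"

          # API Gateway: every GET on the management API, which covers all
          # REST resources including the API key resources. If API key values
          # should stay hidden from developers, narrow Resource to the APIs
          # they need (verify which sub-resources expose key values).
          - Sid: ApiGatewayRead
            Effect: Allow
            Action:
              - "apigateway:GET"
            Resource:
              - "*"

          # AppSync: listing only. NOTE(review): appsync:ListApiKeys returns
          # the API keys themselves, which are credentials - confirm whether
          # developers need it.
          - Sid: AppSyncList
            Effect: Allow
            Action:
              - "appsync:ListFunctions"
              - "appsync:ListGraphqlApis"
              - "appsync:ListTypes"
              - "appsync:ListDataSources"
              - "appsync:ListApiKeys"
              - "appsync:ListResolversByFunction"
              - "appsync:ListResolvers"
            Resource:
              - "*"

          # IAM: directory listing plus self-service password change
          # (iam:ChangePassword only acts on the caller's own console
          # password). The duplicate iam:ListAccessKeys entry was removed.
          - Sid: IamListAndSelfServicePassword
            Effect: Allow
            Action:
              - "iam:ChangePassword"
              - "iam:ListPolicies"
              - "iam:ListRoleTags"
              - "iam:ListGroupsForUser"
              - "iam:GetAccessKeyLastUsed"
              - "iam:ListRoles"
              - "iam:ListUsers"
              - "iam:ListGroups"
              - "iam:ListRolePolicies"
              - "iam:ListAccessKeys"
              - "iam:ListSSHPublicKeys"
              - "iam:ListServiceSpecificCredentials"
            Resource:
              - "*"

          # SSM Parameter Store: read of every parameter in the account,
          # including SecureString parameters (decrypted values depend on the
          # caller's KMS permissions for the key in use). Consider restricting
          # Resource to a parameter path prefix rather than "*".
          - Sid: SsmParameterRead
            Effect: Allow
            Action:
              - "ssm:DescribeParameters"
              - "ssm:GetParameter"
              - "ssm:GetParameterHistory"
              - "ssm:ListTagsForResource"
            Resource:
              - "*"

          # S3: read of every object in every bucket in the account, not only
          # logs or deployment artifacts. Scope to the buckets developers need
          # if any bucket holds sensitive data.
          - Sid: S3ReadAll
            Effect: Allow
            Action:
              - "s3:Get*"
              - "s3:List*"
            Resource:
              - "*"

          # CloudFormation: read-only inspection, template validation and
          # drift detection. No Create/Update/Delete, so deployed stacks
          # cannot be changed through this policy.
          - Sid: CloudFormationReadOnly
            Effect: Allow
            Action:
              - "cloudformation:Describe*"
              - "cloudformation:EstimateTemplateCost"
              - "cloudformation:Get*"
              - "cloudformation:List*"
              - "cloudformation:ValidateTemplate"
              - "cloudformation:Detect*"
            Resource:
              - "*"

          # Compute, load balancer and metrics inspection (describe/list only).
          - Sid: InfraDescribe
            Effect: Allow
            Action:
              - "ec2:Describe*"
              - "elasticloadbalancing:Describe*"
              - "cloudwatch:ListMetrics"
              - "cloudwatch:GetMetricStatistics"
              - "cloudwatch:Describe*"
              - "autoscaling:Describe*"
            Resource:
              - "*"

          # RDS inspection. The ec2, cloudwatch and logs entries here are
          # already covered by the statements above and are kept only so this
          # statement reads as a complete set for database debugging.
          - Sid: RdsDescribe
            Effect: Allow
            Action:
              - "rds:Describe*"
              - "rds:ListTagsForResource"
              - "ec2:DescribeAccountAttributes"
              - "ec2:DescribeAvailabilityZones"
              - "ec2:DescribeInternetGateways"
              - "ec2:DescribeSecurityGroups"
              - "ec2:DescribeSubnets"
              - "ec2:DescribeVpcAttribute"
              - "ec2:DescribeVpcs"
              - "cloudwatch:GetMetricStatistics"
              - "logs:DescribeLogStreams"
              - "logs:GetLogEvents"
            Resource:
              - "*"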
===== Deploy Script =====
Shell script to deploy the policy stack.
deploy_stack.sh
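#!/bin/bash
# Written Andrew Stringer
# Purpose: deploy a CloudFormation stack from the CLI.
#
# Usage: ./deploy_stack.sh [aws-profile]
#   aws-profile  named profile from the AWS CLI config; defaults to "default".
#
# The template creates an IAM group and a managed policy with fixed names, so
# the update requires CAPABILITY_NAMED_IAM.
#
# Stop on the first failing command (for example a failed identity check)
# instead of continuing to the stack update, and treat unset variables as
# errors.
set -euo pipefail

STACK_NAME='Dev-a'
# Relative path: run this script from the directory that holds dev_gr.yaml.
TEMPLATE_BODY='file://dev_gr.yaml'
REGION='eu-west-2'

# Profile comes from the first argument; fall back to "default" when missing
# or empty. "${1:-}" keeps set -u happy when no argument was given.
PROFILE="${1:-}"
if [ -z "${PROFILE}" ]; then
  echo "Your AWS Profile is not set, using default"
  PROFILE=default
fi
echo "Using ${PROFILE}."

# One array element per tag so each Key=...,Value=... pair is passed as its
# own argument without relying on unquoted word splitting.
TAGS=(
  "Key=Name,Value=${STACK_NAME}"
  "Key=Build_Method,Value=CloudFormation"
)

# Who am I? Shows which account and principal the profile resolves to before
# anything is changed; with set -e a failure here aborts the deploy.
aws sts get-caller-identity --profile "${PROFILE}"

# update-stack requires the stack to exist already; for a first deployment use
# create-stack (or `aws cloudformation deploy`, which creates or updates).
aws cloudformation update-stack \
  --stack-name "${STACK_NAME}" \
  --template-body "${TEMPLATE_BODY}" \
  --region "${REGION}" \
  --profile "${PROFILE}" \
  --capabilities CAPABILITY_NAMED_IAM \
  --tags "${TAGS[@]}"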