aw:cloudformation_policy
IAM Policy
Developer policy to allow devs to inspect production logs and configuration but not change deployed code. Every statement is an Allow on Resource "*" for Describe/Get/List style actions across CloudWatch Logs, Lambda, API Gateway, AppSync, IAM, SSM Parameter Store, S3, CloudFormation, EC2/ELB/CloudWatch/Auto Scaling and RDS. No mutating action is granted, so stack updates, function code uploads and S3 writes fall under IAM's implicit deny.

A few grants go further than "inspect" and are worth a second look before the group is attached in production: lambda:InvokeFunction on "*" lets a developer run any function, with whatever side effects it has; s3:Get* on "*" reads every object in the account, including deployment artefacts; ssm:GetParameter returns SecureString values when called with WithDecryption (for parameters encrypted with the account's default aws/ssm key no separate KMS grant is normally needed), so any secrets kept in Parameter Store are readable; appsync:ListApiKeys returns the API key values themselves. lambda:GetFunction also returns a presigned URL for the deployment package, which is consistent with "inspect" but means the deployed source can be downloaded. iam:ChangePassword only changes the calling user's own password, so Resource "*" there is harmless.
Policy
dev_gr.yaml
---
AWSTemplateFormatVersion: "2010-09-09"
Description: Stack to add policy and group to allow developers limited access to environments for debugging.

# Environment and NameToEnv are not referenced by any resource below.
# Default must be one of AllowedValues, otherwise stack creation fails when no
# parameter is passed (the original default, sandbox, was not in the list).
Parameters:
  Environment:
    Description: The environment type
    Type: String
    Default: dev
    AllowedValues:
      - production
      - dev
      - staging
    ConstraintDescription: must be production, staging or dev

Mappings:
  NameToEnv:
    production:
      Account: "123443211234"
    dev:
      Account: "543223455432"
    staging:
      Account: "987667899876"

Resources:
  Developers:
    Type: AWS::IAM::Group
    Properties:
      GroupName: Devs
      Path: /

  DevsPolicy:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      Description: Policy to allow minimal access to Staging for Dev
      ManagedPolicyName: "Devs"
      Path: /
      Groups:
        # Ref on an AWS::IAM::Group returns its name and makes CloudFormation
        # create the group first, so no explicit DependsOn is needed.
        - !Ref Developers
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # CloudWatch Logs: read, search and run Insights queries.
          - Action:
              - "logs:DescribeDestinations"
              - "logs:DescribeExportTasks"
              - "logs:DescribeLogGroups"
              - "logs:DescribeLogStreams"
              - "logs:DescribeMetricFilters"
              - "logs:DescribeQueries"
              - "logs:DescribeQueryDefinitions"
              - "logs:DescribeResourcePolicies"
              - "logs:DescribeSubscriptionFilters"
              - "logs:ListLogDeliveries"
              - "logs:ListTagsLogGroup"
              - "logs:FilterLogEvents"
              - "logs:GetLogDelivery"
              - "logs:GetLogEvents"
              - "logs:GetLogGroupFields"
              - "logs:GetLogRecord"
              - "logs:GetQueryResults"
              - "logs:StartQuery"
              - "logs:StopQuery"
              - "logs:TestMetricFilter"
            Effect: Allow
            Resource:
              - '*'
          # Lambda: read configuration and code; InvokeFunction is the one
          # action here that can cause side effects in the environment.
          - Action:
              - "lambda:ListAliases"
              - "lambda:ListCodeSigningConfigs"
              - "lambda:ListEventSourceMappings"
              - "lambda:ListFunctionEventInvokeConfigs"
              - "lambda:ListFunctions"
              - "lambda:ListFunctionsByCodeSigningConfig"
              - "lambda:ListLayers"
              - "lambda:ListLayerVersions"
              - "lambda:ListProvisionedConcurrencyConfigs"
              - "lambda:ListVersionsByFunction"
              - "lambda:GetAccountSettings"
              - "lambda:GetAlias"
              - "lambda:GetCodeSigningConfig"
              - "lambda:GetEventSourceMapping"
              - "lambda:GetFunction"
              - "lambda:GetFunctionCodeSigningConfig"
              - "lambda:GetFunctionConcurrency"
              - "lambda:GetFunctionConfiguration"
              - "lambda:GetFunctionEventInvokeConfig"
              - "lambda:GetLayerVersion"
              - "lambda:GetLayerVersionPolicy"
              - "lambda:GetPolicy"
              - "lambda:GetProvisionedConcurrencyConfig"
              - "lambda:ListTags"
              - "lambda:InvokeFunction"
            Effect: Allow
            Resource:
              - '*'
          # API Gateway exposes its read API as the single action apigateway:GET.
          - Action:
              - "apigateway:GET"
            Effect: Allow
            Resource:
              - "*"
          # AppSync: list-only. Note that ListApiKeys returns key values.
          - Action:
              - "appsync:ListFunctions"
              - "appsync:ListGraphqlApis"
              - "appsync:ListTypes"
              - "appsync:ListDataSources"
              - "appsync:ListApiKeys"
              - "appsync:ListResolversByFunction"
              - "appsync:ListResolvers"
            Effect: Allow
            Resource:
              - '*'
          # IAM: enumerate principals and change the caller's own password.
          - Action:
              - "iam:ChangePassword"
              - "iam:ListPolicies"
              - "iam:ListRoleTags"
              - "iam:ListGroupsForUser"
              - "iam:GetAccessKeyLastUsed"
              - "iam:ListRoles"
              - "iam:ListUsers"
              - "iam:ListGroups"
              - "iam:ListRolePolicies"
              - "iam:ListAccessKeys"
              - "iam:ListSSHPublicKeys"
              - "iam:ListServiceSpecificCredentials"
            Effect: Allow
            Resource:
              - '*'
          # SSM Parameter Store: GetParameter with WithDecryption also returns
          # SecureString values.
          - Action:
              - "ssm:DescribeParameters"
              - "ssm:GetParameter"
              - "ssm:GetParameterHistory"
              - "ssm:ListTagsForResource"
            Effect: Allow
            Resource:
              - "*"
          # S3: read every bucket and object in the account.
          - Action:
              - "s3:Get*"
              - "s3:List*"
            Effect: Allow
            Resource:
              - "*"
          # CloudFormation: read stacks and templates, no create/update/delete.
          - Action:
              - "cloudformation:Describe*"
              - "cloudformation:EstimateTemplateCost"
              - "cloudformation:Get*"
              - "cloudformation:List*"
              - "cloudformation:ValidateTemplate"
              - "cloudformation:Detect*"
            Effect: Allow
            Resource:
              - "*"
          # Compute, load balancing and metrics: describe only.
          - Action:
              - "ec2:Describe*"
              - "elasticloadbalancing:Describe*"
              - "cloudwatch:ListMetrics"
              - "cloudwatch:GetMetricStatistics"
              - "cloudwatch:Describe*"
              - "autoscaling:Describe*"
            Effect: Allow
            Resource:
              - "*"
          # RDS plus the networking and log reads needed to debug a database.
          - Action:
              - "rds:Describe*"
              - "rds:ListTagsForResource"
              - "ec2:DescribeAccountAttributes"
              - "ec2:DescribeAvailabilityZones"
              - "ec2:DescribeInternetGateways"
              - "ec2:DescribeSecurityGroups"
              - "ec2:DescribeSubnets"
              - "ec2:DescribeVpcAttribute"
              - "ec2:DescribeVpcs"
              - "cloudwatch:GetMetricStatistics"
              - "logs:DescribeLogStreams"
              - "logs:GetLogEvents"
            Effect: Allow
            Resource:
              - "*"
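The policy above is a long list of allows, and the question a reviewer actually wants answered is whether anything in it lets a developer change what is deployed. The following is an added example written for this page; it is not part of the template or of any AWS tooling. It is a small offline evaluator that applies IAM's action-matching rules (case-insensitive names, * and ? wildcards, explicit Deny wins, everything unmatched is implicitly denied) to a constructed, abbreviated copy of the PolicyDocument above and reports which candidate actions would be allowed and which of those are not read-only. It does not model Resource ARNs or Conditions, which is acceptable only because every statement in this template uses Resource "*" with no Condition; for the authoritative answer against a live account use `aws iam simulate-custom-policy`, which this mirrors for the wildcard-resource case.

```python
"""Offline read-only audit of an IAM policy document (added example, not from
the wiki page). Models IAM action matching for Resource "*" statements:
case-insensitive, '*'/'?' wildcards, explicit Deny beats Allow, implicit deny
otherwise. Resource ARNs and Conditions are deliberately not modelled."""
import fnmatch

# Verb prefixes that only read state. Anything else the policy allows is
# reported so a reviewer can decide whether it belongs in a debug-only policy.
READ_ONLY_VERBS = ("describe", "get", "list", "filter", "startquery",
                   "stopquery", "test", "detect", "validate", "estimate")

# Constructed sample: a subset of the statements in dev_gr.yaml, in the JSON
# shape IAM actually evaluates.
DEV_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["logs:DescribeLogGroups", "logs:DescribeLogStreams",
                    "logs:FilterLogEvents", "logs:GetLogEvents",
                    "logs:StartQuery", "logs:GetQueryResults"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["lambda:ListFunctions", "lambda:GetFunction",
                    "lambda:GetFunctionConfiguration", "lambda:InvokeFunction"]},
        {"Effect": "Allow", "Resource": "*", "Action": "apigateway:GET"},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["iam:ChangePassword", "iam:ListUsers", "iam:ListAccessKeys"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ssm:DescribeParameters", "ssm:GetParameter"]},
        {"Effect": "Allow", "Resource": "*", "Action": ["s3:Get*", "s3:List*"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["cloudformation:Describe*", "cloudformation:Get*",
                    "cloudformation:List*", "cloudformation:ValidateTemplate"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:Describe*", "cloudwatch:GetMetricStatistics"]},
    ],
}

def _as_list(value):
    """IAM accepts a string or a list for Action, and a dict or list for Statement."""
    return [value] if isinstance(value, (str, dict)) else list(value)

def _action_matches(pattern, action):
    """IAM action matching: case-insensitive with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def is_allowed(policy, action):
    """True if the policy allows `action` on Resource "*"; an explicit Deny wins."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if any(_action_matches(p, action) for p in _as_list(stmt.get("Action", []))):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def is_read_only(action):
    """Classify by verb: logs:GetLogEvents -> True, lambda:InvokeFunction -> False."""
    verb = action.split(":", 1)[1].lower()
    return verb.startswith(READ_ONLY_VERBS)

def audit(policy, candidates):
    """Split candidates into allowed / denied and list allowed non-read-only ones."""
    allowed = [a for a in candidates if is_allowed(policy, a)]
    return {
        "allowed": allowed,
        "denied": [a for a in candidates if a not in allowed],
        "allowed_but_not_read_only": [a for a in allowed if not is_read_only(a)],
    }

def add_deny(policy, actions):
    """Copy of the policy with an explicit Deny appended. IAM evaluates an
    explicit Deny ahead of every Allow, so this carves an exception out of a
    broad grant without rewriting the other statements."""
    hardened = dict(policy)
    hardened["Statement"] = _as_list(policy["Statement"]) + [
        {"Effect": "Deny", "Action": list(actions), "Resource": "*"}]
    return hardened

# Constructed candidates: what a debugging developer legitimately needs, mixed
# with what "not change deployed code" has to rule out.
CANDIDATES = [
    "logs:GetLogEvents", "logs:DeleteLogGroup",
    "lambda:GetFunction", "lambda:UpdateFunctionCode", "lambda:InvokeFunction",
    "apigateway:GET", "s3:GetObject", "s3:PutObject",
    "ssm:GetParameter", "iam:ChangePassword",
    "cloudformation:GetTemplate", "cloudformation:UpdateStack",
]

if __name__ == "__main__":
    for key, actions in audit(DEV_POLICY, CANDIDATES).items():
        print(f"{key}: {', '.join(actions)}")
    hardened = add_deny(DEV_POLICY, ["lambda:InvokeFunction"])
    print("after Deny:", audit(hardened, CANDIDATES)["allowed_but_not_read_only"])
```

Run as a script and the report confirms that UpdateFunctionCode, UpdateStack, PutObject and DeleteLogGroup are all denied, while lambda:InvokeFunction and iam:ChangePassword show up as allowed but not inspection-only; add_deny shows the cheap fix for the former, an explicit Deny, which IAM evaluates before any Allow.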
Deploy Script
Shell script to deploy the policy stack from the CLI. It takes the AWS profile name as its only argument, prints the caller identity so you can confirm which account you are about to change, and then creates or updates the stack. CAPABILITY_NAMED_IAM is required because the template creates a named IAM group and managed policy.
deploy_stack.sh
#!/bin/bash
# Written by Andrew Stringer
# Purpose: deploy a CloudFormation stack from the CLI.
set -euo pipefail

STACK_NAME='Dev-a'
TEMPLATE_BODY='file://dev_gr.yaml'
REGION='eu-west-2'
PROFILE="${1:-}"
TAGS="Key=Name,Value=${STACK_NAME} Key=Build_Method,Value=CloudFormation"

# Test $1 exists and fall back to the default profile before it is used.
if [ -z "$PROFILE" ]; then
    echo "Your AWS Profile is not set, using default"
    PROFILE=default
fi
echo "Using ${PROFILE}."

# who am i? Confirms the profile resolves to the account the stack is meant for.
aws sts get-caller-identity --profile "${PROFILE}"

# update-stack fails if the stack does not exist yet, so pick the right verb.
if aws cloudformation describe-stacks --stack-name "${STACK_NAME}" \
        --region "${REGION}" --profile "${PROFILE}" >/dev/null 2>&1; then
    ACTION=update-stack
else
    ACTION=create-stack
fi

# CAPABILITY_NAMED_IAM is needed because the template creates a named IAM
# group and managed policy. ${TAGS} is intentionally unquoted: each
# Key=...,Value=... pair must reach --tags as a separate argument.
aws cloudformation "${ACTION}" \
    --stack-name "${STACK_NAME}" \
    --template-body "${TEMPLATE_BODY}" \
    --region "${REGION}" \
    --profile "${PROFILE}" \
    --capabilities CAPABILITY_NAMED_IAM \
    --tags ${TAGS}
aw/cloudformation_policy.txt · Last modified: by andrew