Startseite Erkunden Hilfe
Registrieren Anmelden
AFS
/
xdr-terraform-modules
2
0
Fork 0
Dateien Issues 0 Pull-Requests 0 Wiki
Struktur: ffc81e90b9
Branches Tags
xdr-terraform-m...
/
submodules
/
iam
/
standard_iam_policies
/
policy-mdr_engineer.tf

policy-mdr_engineer.tf 1.8 KB
Verlauf Originalformat

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071 
  1. #------------------------------------------------------------------------------------------
    2. 

  2. # A variant on PowerUserAccess that isn't so damn generous with sts:assumeRole
    3. 

  3. #------------------------------------------------------------------------------------------
    4. 

  4. data "aws_iam_policy_document" "mdr_engineer" {
    5. 

  5.   statement {
    6. 

  6.     effect = "Allow"
    7. 

  7.     not_actions = [
    8. 

  8.       "sts:*",
    9. 

  9.       "iam:*",
    10. 

  10.       "organizations:*",
    11. 

  11.     ]
    12. 

  12.     resources = [
    13. 

  13.       "*",
    14. 

  14.     ]
    15. 

  15.   }
    16. 

  16.   statement {
    17. 

  17.     effect = "Allow"
    18. 

  18.     actions = [
    19. 

  19.       "iam:CreateServiceLinkedRole",
    20. 

  20.       "iam:DeleteServiceLinkedRole",
    21. 

  21.       "iam:ListRoles",
    22. 

  22.       "iam:ListRolePolicies",
    23. 

  23.       "iam:ListInstanceProfiles",
    24. 

  24.       "iam:ListPolicies",
    25. 

  25.       "iam:GetRole",
    26. 

  26.       "iam:GetRolePolicy",
    27. 

  27.       "iam:GetInstanceProfile",
    28. 

  28.       "iam:GetPolicy",
    29. 

  29.       "iam:GetPolicyVersion",
    30. 

  30.       "iam:ListAttachedRolePolicies",
    31. 

  31.       "organizations:DescribeOrganization",
    32. 

  32.     ]
    33. 

  33. 

  34.     resources = [
    35. 

  35.       "*",
    36. 

  36.     ]
    37. 

  37.   }
    38. 

  38.   statement {
    39. 

  39.     effect = "Allow"
    40. 

  40.     actions = [
    41. 

  41.       "iam:PassRole",
    42. 

  42.     ]
    43. 

  43. 

  44.     resources = [
    45. 

  45.       "arn:${local.aws_partition}:iam::${local.aws_account}:role/instance/*",
    46. 

  46.       "arn:${local.aws_partition}:iam::${local.aws_account}:role/lambda/*",
    47. 

  47.       "arn:${local.aws_partition}:iam::${local.aws_account}:role/aws_services/*",
    48. 

  48.       "arn:${local.aws_partition}:iam::${local.aws_account}:role/fargate/*",
    49. 

  49.     ]
    50. 

  50.   }
    51. 

  51. 

  52.   statement {
    53. 

  53.     sid    = "AssumeThisRoleInOtherAccounts"
    54. 

  54.     effect = "Allow"
    55. 

  55.     actions = [
    56. 

  56.       "sts:AssumeRole"
    57. 

  57.     ]
    58. 

  58. 

  59.     resources = [
    60. 

  60.       "arn:${local.aws_partition}:iam::*:role/user/mdr_engineer",
    61. 

  61.       "arn:${local.aws_partition}:iam::*:role/mdr_engineer",
    62. 

  62.     ]
    63. 

  63.   }
    64. 

  64. }
    65. 

  65. 

  66. resource "aws_iam_policy" "mdr_engineer" {
    67. 

  67.   name   = "mdr_engineer"
    68. 

  68.   path   = "/user/"
    69. 

  69.   policy = data.aws_iam_policy_document.mdr_engineer.json
    70. 

  70. }
    71. 

  71.