Strona główna Odkrywaj Pomoc
Zarejestruj się Zaloguj się
AFS
/
xdr-terraform-modules
2
0
Forkuj 0
Pliki Problemy 0 Oczekujące zmiany 0 Wiki
Gałąź: master
Gałęzie Tagi
xdr-terraform-m...
/
submodules
/
iam
/
standard_iam_policies
/
policy-mdr_engineer.tf

policy-mdr_engineer.tf 2.5 KB
Bezpośredni odnośnik Historia Czysty

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677 
  1. #------------------------------------------------------------------------------------------
    2. 

  2. # A variant on PowerUserAccess that isn't so damn generous with sts:assumeRole
    3. 

  3. #------------------------------------------------------------------------------------------
    4. 

  4. data "aws_iam_policy_document" "mdr_engineer" {
    5. 

  5.   # checkov:skip=CKV_AWS_107: IAM policies does not allow credentials exposure for ECR
    6. 

  6.   # checkov:skip=CKV_AWS_108: no data exfiltration allowed; resource constraints implemented
    7. 

  7.   # checkov:skip=CKV_AWS_109: see tfsec aws-iam-no-policy-wildcard ignore comment
    8. 

  8.   # checkov:skip=CKV_AWS_110: IAM policies does not allow privilege escalation
    9. 

  9.   # checkov:skip=CKV_AWS_111: see tfsec aws-iam-no-policy-wildcard ignore comment
    10. 

  10.   statement {
    11. 

  11.     effect      = "Allow"
    12. 

  12.     not_actions = [
    13. 

  13.       "sts:*",
    14. 

  14.       "iam:*",
    15. 

  15.       "organizations:*",
    16. 

  16.     ]
    17. 

  17.     resources = [
    18. 

  18.       "*",
    19. 

  19.     ]
    20. 

  20.   }
    21. 

  21.   statement {
    22. 

  22.     effect  = "Allow"
    23. 

  23.     actions = [
    24. 

  24.       "iam:CreateServiceLinkedRole",
    25. 

  25.       "iam:DeleteServiceLinkedRole",
    26. 

  26.       "iam:ListRoles",
    27. 

  27.       "iam:ListRolePolicies",
    28. 

  28.       "iam:ListInstanceProfiles",
    29. 

  29.       "iam:ListPolicies",
    30. 

  30.       "iam:GetRole",
    31. 

  31.       "iam:GetRolePolicy",
    32. 

  32.       "iam:GetInstanceProfile",
    33. 

  33.       "iam:GetPolicy",
    34. 

  34.       "iam:GetPolicyVersion",
    35. 

  35.       "iam:ListAttachedRolePolicies",
    36. 

  36.       "organizations:DescribeOrganization",
    37. 

  37.     ]
    38. 

  38.     # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. We use wildcards in policies
    39. 

  39.     resources = [
    40. 

  40.       "*",
    41. 

  41.     ]
    42. 

  42.   }
    43. 

  43. 

  44.   statement {
    45. 

  45.     effect  = "Allow"
    46. 

  46.     actions = [
    47. 

  47.       "iam:PassRole",
    48. 

  48.     ]
    49. 

  49.     # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. We use wildcards in policies
    50. 

  50.     resources = [
    51. 

  51.       "arn:${local.aws_partition}:iam::${local.aws_account}:role/instance/*",
    52. 

  52.       "arn:${local.aws_partition}:iam::${local.aws_account}:role/lambda/*",
    53. 

  53.       "arn:${local.aws_partition}:iam::${local.aws_account}:role/aws_services/*",
    54. 

  54.       "arn:${local.aws_partition}:iam::${local.aws_account}:role/fargate/*",
    55. 

  55.     ]
    56. 

  56.   }
    57. 

  57. 

  58.   statement {
    59. 

  59.     sid     = "AssumeThisRoleInOtherAccounts"
    60. 

  60.     effect  = "Allow"
    61. 

  61.     actions = [
    62. 

  62.       "sts:AssumeRole"
    63. 

  63.     ]
    64. 

  64.     # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. We use wildcards in policies
    65. 

  65.     resources = [
    66. 

  66.       "arn:${local.aws_partition}:iam::*:role/user/mdr_engineer",
    67. 

  67.       "arn:${local.aws_partition}:iam::*:role/mdr_engineer",
    68. 

  68.     ]
    69. 

  69.   }
    70. 

  70. }
    71. 

  71. 

  72. resource "aws_iam_policy" "mdr_engineer" {
    73. 

  73.   name   = "mdr_engineer"
    74. 

  74.   path   = "/user/"
    75. 

  75.   policy = data.aws_iam_policy_document.mdr_engineer.json
    76. 

  76. }
    77. 

  77.