Gogs 6 éve
szülő
commit
dfde4342b8

+ 8 - 1
policies/FIAM-BOUNDARY-Developer.json

@@ -2,7 +2,14 @@
     "Version": "2012-10-17",
     "Statement": [
         {
-            "Sid": "TODOThereIsNoReasonForThisPolicy",
+            "Sid": "OnlyAssumeRoleIntoPrefix",
+            "Effect": "Allow",
+            "Action": "sts:AssumeRole",
+            "Resource": "arn:aws:iam::${account}:role/$${aws:PrincipalTag/IAM:NamePrefix}*"
+        },
+
+        {
+            "Sid": "TODOThisIsJustAFillerFromHereBelow",
             "Effect": "Allow",
             "Action": "s3:PutObject",
             "Resource": "arn:aws:s3:::*/*"

+ 22 - 14
policies/FIAM-COMMON-IAM-EC2.json

@@ -1,16 +1,24 @@
 {
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Sid": "InstanceProfiles",
-            "Effect": "Allow",
-            "Action": [
-                "iam:CreateInstanceProfile",
-                "iam:DeleteInstanceProfile",
-                "iam:AddRoleToInstanceProfile",
-                "iam:RemoveRoleFromInstanceProfile"
-            ],
-            "Resource": "arn:aws:iam::${account}:instance-profile/$${aws:PrincipalTag/IAM:NamePrefix}*"
-        }
-    ]
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "InstanceProfiles",
+      "Effect": "Allow",
+      "Action": [
+        "iam:CreateInstanceProfile",
+        "iam:DeleteInstanceProfile",
+        "iam:AddRoleToInstanceProfile",
+        "iam:RemoveRoleFromInstanceProfile"
+      ],
+      "Resource": "arn:aws:iam::${account}:instance-profile/$${aws:PrincipalTag/IAM:NamePrefix}*"
+    },
+    {
+      "Sid": "PassRole",
+      "Effect": "Allow",
+      "Action": [
+        "iam:PassRole"
+      ],
+      "Resource": "arn:aws:iam::${account}:instance-profile/$${aws:PrincipalTag/IAM:NamePrefix}*"
+    }
+  ]
 }
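Review bot: The PassRole statement's Resource is an `instance-profile/` ARN, but iam:PassRole is evaluated against the ARN of the role being passed (`arn:aws:iam::${account}:role/...`), so as written the grant never matches and calls that depend on PassRole — adding a role to an instance profile, launching an instance with one — should still be denied. Change it to `"Resource": "arn:aws:iam::${account}:role/$${aws:PrincipalTag/IAM:NamePrefix}*"` and, because PassRole is a standard privilege-escalation path, add `"Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}` so the prefix's roles can only be handed to EC2. As a style point, this file was reindented to 2 spaces while the sibling policies touched in the same commit keep 4; one convention across policies/ would keep future diffs small.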

+ 41 - 11
policies/FIAM-COMMON-RestrictServices.json

@@ -3,17 +3,47 @@
     "Statement": [
         {
             "Effect": "Deny",
-            "Action": "*",
-            "Resource": "*",
-            "Condition": {
-                "StringNotEquals": {
-                    "aws:RequestedRegion": [
-                        "us-east-1",
-                        "us-east-2",
-                        "us-west-1"
-                    ]
-                }
-            }
+            "NotAction": [
+                "acm:*",
+                "application-autoscaling:*",
+                "autoscaling:*",
+                "autoscaling-plans:*",
+                "cloudformation:*",
+                "cloudfront:*",
+                "cloudtrail:*",
+                "cloudwatch:*",
+                "codebuild:*",
+                "codecommit:*",
+                "codedeploy:*",
+                "codepipeline:*",
+                "codestar:*",
+                "cognito-idp:*",
+                "cognito-identity:*",
+                "cognito-sync:*",
+                "config:*",
+                "directconnect:*",
+                "dynamodb:*",
+                "ec2:*",
+                "events:*",
+                "glacier:*",
+                "iam:*",
+                "kms:*",
+                "lambda:*",
+                "logs:*",
+                "organizations:*",
+                "rds:*",
+                "route53:*",
+                "route53domains:*",
+                "s3:*",
+                "ses:*",
+                "sns:*",
+                "sqs:*",
+                "swf:*",
+                "trustedadvisor:*",
+                "waf:*",
+                "waf-regional:*"
+            ],
+            "Resource": "*"
         }
     ]
 }
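Review bot: `sts:*` is missing from the NotAction list, so this statement explicitly denies sts:AssumeRole (and GetCallerIdentity, GetSessionToken) — and an explicit Deny overrides the OnlyAssumeRoleIntoPrefix Allow that this same commit adds to FIAM-BOUNDARY-Developer.json, if both policies reach the same principal (the "COMMON" naming suggests they do). Add `"sts:*",` after `"sqs:*",` unless denying STS is intended. Separately, the previous aws:RequestedRegion Deny is dropped rather than kept alongside; if region pinning is still wanted, keep it as a second Deny statement in this Statement array, since the service allow-list does not replace it. The `Version` line and the closing of the document sit outside this hunk.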

+ 9 - 0
policies/README.md

@@ -1,5 +1,14 @@
 # Policy Documents
 
+## Terraform Templates
+NOTE: These are templates for use with terraform and are not usable by themselves.
+
+Specifically, they employ variables in two forms that would be need to be corrected in order to use them directly:
+1. Terraform variables are of the form `${variablename}`, and would need to be replaced with valid values. The common
+one here is `${account}` which needs to be your AWS account.
+1. To avoid conflicts with the terraform variables, aws variables begin with `$$` instead of just `$`. These would need
+to be reverted back.
+
 ## TODO
 SIDs with "TODO" mean further review is warranted.
 

+ 1 - 1
terraform/testuser.tf

@@ -39,5 +39,5 @@ output "testuser_password" {
 }
 
 output "testuser_password_instructions" {
-  value = "Execute:  terraform output testuser_password | base64 --decode | keybase pgp decrypt"
+  value = "Execute:  terraform output testuser_password | base64 --decode | keybase --standalone pgp decrypt"
 }
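Review bot: The instruction pipes `terraform output testuser_password` straight into `base64 --decode`, which only works while `terraform output <name>` prints the bare string; from Terraform 0.14 the plain form quotes string values and the decode fails. If the project's pinned Terraform is 0.14 or newer (the pin is not visible here), the value should read `"Execute:  terraform output -raw testuser_password | base64 --decode | keybase --standalone pgp decrypt"`. A short comment above the output noting which Terraform version the command targets would save the next person the same debugging.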