Minor updates.

policies/FIAM-BOUNDARY-Developer.json

@@ -2,7 +2,14 @@
     "Version": "2012-10-17",
     "Statement": [
         {
-            "Sid": "TODOThereIsNoReasonForThisPolicy",
+            "Sid": "OnlyAssumeRoleIntoPrefix",
+            "Effect": "Allow",
+            "Action": "sts:AssumeRole",
+            "Resource": "arn:aws:iam::${account}:role/$${aws:PrincipalTag/IAM:NamePrefix}*"
+        },
+
+        {
+            "Sid": "TODOThisIsJustAFillerFromHereBelow",
             "Effect": "Allow",
             "Action": "s3:PutObject",
             "Resource": "arn:aws:s3:::*/*"

policies/FIAM-COMMON-IAM-EC2.json

@@ -1,16 +1,24 @@
 {
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Sid": "InstanceProfiles",
-            "Effect": "Allow",
-            "Action": [
-                "iam:CreateInstanceProfile",
-                "iam:DeleteInstanceProfile",
-                "iam:AddRoleToInstanceProfile",
-                "iam:RemoveRoleFromInstanceProfile"
-            ],
-            "Resource": "arn:aws:iam::${account}:instance-profile/$${aws:PrincipalTag/IAM:NamePrefix}*"
-        }
-    ]
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "InstanceProfiles",
+      "Effect": "Allow",
+      "Action": [
+        "iam:CreateInstanceProfile",
+        "iam:DeleteInstanceProfile",
+        "iam:AddRoleToInstanceProfile",
+        "iam:RemoveRoleFromInstanceProfile"
+      ],
+      "Resource": "arn:aws:iam::${account}:instance-profile/$${aws:PrincipalTag/IAM:NamePrefix}*"
+    },
+    {
+      "Sid": "PassRole",
+      "Effect": "Allow",
+      "Action": [
+        "iam:PassRole"
+      ],
+      "Resource": "arn:aws:iam::${account}:instance-profile/$${aws:PrincipalTag/IAM:NamePrefix}*"
+    }
+  ]
 }

policies/FIAM-COMMON-RestrictServices.json

@@ -3,17 +3,47 @@
     "Statement": [
         {
             "Effect": "Deny",
-            "Action": "*",
-            "Resource": "*",
-            "Condition": {
-                "StringNotEquals": {
-                    "aws:RequestedRegion": [
-                        "us-east-1",
-                        "us-east-2",
-                        "us-west-1"
-                    ]
-                }
-            }
+            "NotAction": [
+                "acm:*",
+                "application-autoscaling:*",
+                "autoscaling:*",
+                "autoscaling-plans:*",
+                "cloudformation:*",
+                "cloudfront:*",
+                "cloudtrail:*",
+                "cloudwatch:*",
+                "codebuild:*",
+                "codecommit:*",
+                "codedeploy:*",
+                "codepipeline:*",
+                "codestar:*",
+                "cognito-idp:*",
+                "cognito-identity:*",
+                "cognito-sync:*",
+                "config:*",
+                "directconnect:*",
+                "dynamodb:*",
+                "ec2:*",
+                "events:*",
+                "glacier:*",
+                "iam:*",
+                "kms:*",
+                "lambda:*",
+                "logs:*",
+                "organizations:*",
+                "rds:*",
+                "route53:*",
+                "route53domains:*",
+                "s3:*",
+                "ses:*",
+                "sns:*",
+                "sqs:*",
+                "swf:*",
+                "trustedadvisor:*",
+                "waf:*",
+                "waf-regional:*"
+            ],
+            "Resource": "*"
         }
     ]
 }

policies/README.md

@@ -1,5 +1,14 @@
 # Policy Documents
 
+## Terraform Templates
+NOTE: These are templates for use with terraform and are not usable by themselves.
+
+Specifically, they employ variables in two forms that would be need to be corrected in order to use them directly:
+1. Terraform variables are of the form `${variablename}`, and would need to be replaced with valid values. The common
+one here is `${account}` which needs to be your AWS account.
+1. To avoid conflicts with the terraform variables, aws variables begin with `$$` instead of just `$`. These would need
+to be reverted back.
+
 ## TODO
 SIDs with "TODO" mean further review is warranted.
 

terraform/testuser.tf

@@ -39,5 +39,5 @@ output "testuser_password" {
 }
 
 output "testuser_password_instructions" {
-  value = "Execute:  terraform output testuser_password | base64 --decode | keybase pgp decrypt"
+  value = "Execute:  terraform output testuser_password | base64 --decode | keybase --standalone pgp decrypt"
 }