- {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "RequirePermissionsBoundary",
- "Effect": "Allow",
- "Action": [
- "iam:DetachRolePolicy",
- "iam:CreateRole",
- "iam:AttachRolePolicy"
- ],
- "Resource": "arn:aws:iam::${account}:role/$${aws:PrincipalTag/IAM:NamePrefix}*",
- "Condition": {
- "StringEquals": {
- "iam:PermissionsBoundary": "arn:aws:iam::${account}:policy/$${aws:PrincipalTag/IAM:PermissionsBoundary}"
- }
- }
- },
- {
- "Sid": "DeleteAppropriatelyNamedRole",
- "Effect": "Allow",
- "Action": "iam:DeleteRole",
- "Resource": "arn:aws:iam::${account}:role/$${aws:PrincipalTag/IAM:NamePrefix}*"
- },
- {
- "Sid": "ModifyAppropriatelyNamedPolicies",
- "Effect": "Allow",
- "Action": [
- "iam:CreatePolicy",
- "iam:DeletePolicy",
- "iam:CreatePolicyVersion",
- "iam:DeletePolicyVersion"
- ],
- "Resource": "arn:aws:iam::${account}:policy/$${aws:PrincipalTag/IAM:NamePrefix}**"
- },
- {
- "Sid": "AdditionalUsefulAccessTODO",
- "Effect": "Allow",
- "Action": [
- "iam:Get*",
- "iam:List*",
- "iam:GenerateServiceLastAccessedDetails"
- ],
- "Resource": "*"
- }
- ]
- }