filipeandre/d3281064e68d616c31e71d34f92f9238 (last active January 20, 2025 16:06)
Create a role that allows whitelisting an ipset
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  AccountId:
    Type: String
    Description: The AWS Account ID that can assume this role.
  RoleName:
    Type: String
    Description: The name of the role that allows adding or removing IPs from IP sets
Resources:
  WhitelistRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref RoleName
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              # Allow the specified account to assume this role. A bare account ID
              # trusts the whole account: any principal there whose own IAM policy
              # grants sts:AssumeRole on this role's ARN can assume it.
              AWS: !Ref AccountId
            Action: "sts:AssumeRole"
      Policies:
        - PolicyName: IPSetManagement
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  # WAFv2 Permissions (IP Set management)
                  - "wafv2:UpdateIPSet"
                  - "wafv2:CreateIPSet"
                  - "wafv2:DeleteIPSet"
                  - "wafv2:GetIPSet"
                  - "wafv2:ListIPSets"
                  # WAFv1 Permissions (IP Set management)
                  - "waf:UpdateIPSet"
                  - "waf:CreateIPSet"
                  - "waf:DeleteIPSet"
                  - "waf:GetIPSet"
                  - "waf:ListIPSets"
                # "*" covers every IP set in the account, including create/delete.
                # WAFv2 IP sets have ARNs, so this can be narrowed to the specific
                # IP set ARNs the assuming account is meant to manage.
                Resource: "*"
Outputs:
  RoleArn:
    Description: "ARN of the Whitelist Role"
    Value: !GetAtt WhitelistRole.Arn
```
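As an added example (not part of the gist), the script below shows how a principal in the trusted account would use the role the template creates: it assumes the role, reads the WAFv2 IP set together with its `LockToken`, merges the requested CIDRs into the current address list, and writes the set back. The function and parameter names (`merge_addresses`, `update_ip_set`, `role_arn`, `ip_set_name`, `ip_set_id`) and the sample CIDRs are assumptions of this example; `boto3` is imported only inside the AWS call so the pure list logic can run and be checked without credentials.

```python
"""Add or remove CIDRs in a WAFv2 IP set via the cross-account whitelist role.

Example code written for this page; not the gist author's code. Assumes the
role from the template has been deployed and that the caller holds credentials
in the account given as the AccountId parameter.
"""
import ipaddress


def normalize_cidr(value: str) -> str:
    """Return a canonical CIDR string; a bare address becomes /32 or /128.

    WAF stores CIDR notation only, and strict=True rejects host bits set
    inside the prefix (e.g. 10.0.0.1/24) before the API call does.
    """
    return str(ipaddress.ip_network(value, strict=True))


def merge_addresses(current, add=(), remove=()):
    """Compute the IP set contents after applying removals and additions.

    Removals are applied before additions so an entry listed in both ends up
    present. The result is sorted (IPv4 first, then IPv6) so repeated runs are
    idempotent and the diff against the live set is stable.
    """
    result = {normalize_cidr(c) for c in current}
    result -= {normalize_cidr(c) for c in remove}
    result |= {normalize_cidr(c) for c in add}

    def sort_key(cidr):
        net = ipaddress.ip_network(cidr)
        return (net.version, net)

    return sorted(result, key=sort_key)


def update_ip_set(role_arn, ip_set_name, ip_set_id, scope, region,
                  add=(), remove=(), session_name="ipset-whitelist"):
    """Assume the whitelist role and apply the change to one IP set.

    scope is "REGIONAL" or "CLOUDFRONT"; CloudFront-scoped sets must be
    addressed through the us-east-1 endpoint. Returns the list written.
    """
    import boto3  # lazy import: the helpers above need no AWS SDK

    creds = boto3.client("sts").assume_role(
        RoleArn=role_arn, RoleSessionName=session_name
    )["Credentials"]
    waf = boto3.client(
        "wafv2",
        region_name=region,
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )

    current = waf.get_ip_set(Name=ip_set_name, Scope=scope, Id=ip_set_id)
    addresses = merge_addresses(current["IPSet"]["Addresses"], add, remove)

    # LockToken is an optimistic-concurrency token: if another caller changed
    # the set after our read, the update is rejected instead of silently
    # overwriting their change.
    waf.update_ip_set(
        Name=ip_set_name,
        Scope=scope,
        Id=ip_set_id,
        Addresses=addresses,
        LockToken=current["LockToken"],
    )
    return addresses


if __name__ == "__main__":
    # Constructed sample values; the live call requires real ARN/id/credentials.
    print(merge_addresses(["203.0.113.0/24"], add=["198.51.100.7"]))
```

The read-modify-write with `LockToken` matters because `UpdateIPSet` replaces the whole address list rather than appending to it; building the new list from a fresh `GetIPSet` and passing the token back is what keeps two operators from clobbering each other's entries.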