Last active
May 18, 2018 15:07
-
-
Save jolexa/dfd444e7e2ead69a9479d5a07a366fee to your computer and use it in GitHub Desktop.
AWS IAM Role that both services *and* Humans-with-2fa can assume
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| AWSTemplateFormatVersion: '2010-09-09' | |
| Resources: | |
| ExampleRole: | |
| Type: AWS::IAM::Role | |
| Properties: | |
| Path: "/cfn/" | |
| ManagedPolicyArns: | |
| - arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess | |
| Policies: | |
| - PolicyName: DynamoDBGetter | |
| PolicyDocument: | |
| Statement: | |
| - Effect: Allow | |
| Action: | |
| - dynamodb:GetItem | |
| Resource: | |
| - !Sub "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/specificTableName" | |
| AssumeRolePolicyDocument: | |
| Version: '2012-10-17' | |
| Statement: | |
| - Effect: Allow | |
| Sid: 'LambdaCanReadTable' | |
| Principal: | |
| Service: | |
| - lambda.amazonaws.com | |
| Action: | |
| - sts:AssumeRole | |
| - Effect: Allow | |
| Sid: 'HumanCanReadTableToo' | |
| Principal: | |
| AWS: | |
| - !Ref AWS::AccountId | |
| Action: | |
| - sts:AssumeRole | |
| Condition: | |
| Bool: | |
| aws:MultiFactorAuthPresent: 'true' | |
| ExampleAdminRole: | |
| Type: AWS::IAM::Role | |
| Properties: | |
| Path: "/cfn/" | |
| ManagedPolicyArns: | |
| - arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess | |
| Policies: | |
| - PolicyName: DynamoDBAdmin | |
| PolicyDocument: | |
| Statement: | |
| - Effect: Allow | |
| Action: | |
| - dynamodb:* | |
| Resource: | |
| - !Sub "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/specificTableName" | |
| AssumeRolePolicyDocument: | |
| Version: '2012-10-17' | |
| Statement: | |
| - Effect: Allow | |
| Sid: 'HumanAdmin' | |
| Principal: | |
| AWS: | |
| - !Ref AWS::AccountId | |
| Action: | |
| - sts:AssumeRole | |
| Condition: | |
| Bool: | |
| aws:MultiFactorAuthPresent: 'true' |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This is a contrived example that shows two IAM Roles that allows:
The first role allows
dynamoddb:GetItemaccess on the table. Both lambda functions (where this role is applied) and Humans-with-2fa can assume this role.The second role allows for "HumanAdmins" to do ANYTHING to the specific table. Only Humans-with-2fa can use this role.