Michael Chan (mchancloud)
//
// A simple example protecting the tags on IAM principals. Here, only admins with an "is_admin:true"
// tag key/value pair can modify a tag on an IAM principal.
//
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyModifyingIamAdminTag",
      "Effect": "Deny",
@mchancloud
mchancloud / aws-foundational-security-best-practices-controls.txt
Last active April 24, 2020 19:36
AWS Security Hub - AWS Foundational Security Best Practices controls
[ACM.1] Imported ACM certificates should be renewed within 90 days of expiration
[CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-region trail
[CloudTrail.2] CloudTrail should have encryption at-rest enabled
[CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth
[CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials
[Config.1] AWS Config should be enabled
[EC2.1] EBS snapshots should not be public, determined by the ability to be restorable by anyone
[EC2.2] The VPC default security group should not allow inbound and outbound traffic
[EC2.3] Attached EBS volumes should be encrypted at-rest
[EFS.1] Elastic File System should be configured to encrypt file data at-rest using AWS KMS
@mchancloud
mchancloud / role-session-name-is-principal-tag.txt
Created April 22, 2020 14:44
enforcing the role session name as principal tag
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAssumeRoleIfSessionNameEqualsAccessProjectSessionTagValue",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "sts:AssumeRole",
@mchancloud
mchancloud / aws-identity-post-reinforce-2019.md
Last active February 20, 2020 15:15
AWS Identity post re:Inforce 2019 launches, sessions, and blogs
Are you one of the many who didn't have a chance to go to re:Invent 2019? Here's a curated list of second-half 2019 AWS Identity sessions and related blogs. Use this to help you assess if these new features are right for you! Also check out the AWS Identity keynote, where you'll hear how the identity space has evolved and how AWS is making identity, access control, and resource management easier for everyone.

Workforce Identity

Launch announcements

@mchancloud
mchancloud / aws-identity-hands-resources.md
Created February 13, 2020 20:13
Handy AWS Identity resources

List of handy resources here!

@mchancloud
mchancloud / identity-day-nyc-2019.md
Last active February 25, 2020 05:07
Identity Days

Identity Days

Identity Overview

re:Invent session SEC207

re:Invent slides here

Workforce Identity