restump · August 12, 2020 22:34
diff --git a/restrict-data-read-permissions.json b/restrict-data-read-permissions.json
 {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RestrictSensitiveDataReadActions",
      "Action": [
        "cloudformation:GetTemplate",
        "dynamodb:GetItem",
        "dynamodb:BatchGetItem",
        "dynamodb:Query",
        "dynamodb:Scan",
        "ec2:GetConsoleOutput",
        "ec2:GetConsoleScreenshot",
        "ecr:BatchGetImage",
        "ecr:GetAuthorizationToken",
        "ecr:GetDownloadUrlForLayer",
        "kinesis:Get*",
        "lambda:GetFunction",
        "logs:GetLogEvents",
        "s3:GetObject",
        "sdb:Select*",
        "sqs:ReceiveMessage",
        "ssm:Get*"
      ],
      "Effect": "Deny",
      "Resource": "*"
    },
    {
      "Sid": "RestrictApiGatewaySensitiveDataReadActions",
      "Action": [
        "apigateway:GET"
      ],
      "Effect": "Deny",
      "Resource": [
        "arn:aws:apigateway:*::/apikeys",
        "arn:aws:apigateway:*::/apikeys/*",
        "arn:aws:apigateway:*::/clientcertificates",
        "arn:aws:apigateway:*::/clientcertificates/*"
      ]
    }
  ]
 }
	{
	"Version": "2012-10-17",
	"Statement": [
	{
	"Sid": "RestrictSensitiveDataReadActions",
	"Action": [
	"cloudformation:GetTemplate",
	"dynamodb:GetItem",
	"dynamodb:BatchGetItem",
	"dynamodb:Query",
	"dynamodb:Scan",
	"ec2:GetConsoleOutput",
	"ec2:GetConsoleScreenshot",
	"ecr:BatchGetImage",
	"ecr:GetAuthorizationToken",
	"ecr:GetDownloadUrlForLayer",
	"kinesis:Get*",
	"lambda:GetFunction",
	"logs:GetLogEvents",
	"s3:GetObject",
	"sdb:Select*",
	"sqs:ReceiveMessage",
	"ssm:Get*"
	],
	"Effect": "Deny",
	"Resource": "*"
	},
	{
	"Sid": "RestrictApiGatewaySensitiveDataReadActions",
	"Action": [
	"apigateway:GET"
	],
	"Effect": "Deny",
	"Resource": [
	"arn:aws:apigateway:*::/apikeys",
	"arn:aws:apigateway:::/apikeys/",
	"arn:aws:apigateway:*::/clientcertificates",
	"arn:aws:apigateway:::/clientcertificates/"
	]
	}
	]
	}