aws iam user self management policies
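---
## aws access roles
##
## roles that can be assumed by users to grant various levels of access to the
## account
##
## every role trusts the root principal of the account named by AccountId,
## i.e. any iam principal in that account that is itself allowed to call
## sts:AssumeRole on the role, and every role requires the caller's session to
## carry aws:MultiFactorAuthPresent = true. the Bool operator (not
## BoolIfExists) is deliberate: a session with no mfa key at all is denied.
##
## the role names are fixed, so deploying this template needs
## CAPABILITY_NAMED_IAM and only one stack from it can exist per account.
AWSTemplateFormatVersion: "2010-09-09"
Description: "account access roles"
Parameters:
  AccountId:
    Description: "the account id from which permitted user accounts may assume these roles"
    Type: "String"
    # an aws account id is exactly twelve digits; rejecting anything else at
    # stack creation keeps a typo from producing a trust policy that either
    # fails to deploy or names an unintended account
    AllowedPattern: "^[0-9]{12}$"
    ConstraintDescription: "must be a twelve digit aws account id"
Resources:
  # full administrative access, mfa required to assume
  AdminRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              AWS: { "Fn::Sub": "arn:aws:iam::${AccountId}:root" }
            Action: "sts:AssumeRole"
            Condition:
              Bool:
                "aws:MultiFactorAuthPresent": "true"
      ManagedPolicyArns: [ "arn:aws:iam::aws:policy/AdministratorAccess" ]
      RoleName: "admin"
  # everything except iam and organizations management, mfa required to assume
  PowerUserRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              AWS: { "Fn::Sub": "arn:aws:iam::${AccountId}:root" }
            Action: "sts:AssumeRole"
            Condition:
              Bool:
                "aws:MultiFactorAuthPresent": "true"
      ManagedPolicyArns: [ "arn:aws:iam::aws:policy/PowerUserAccess" ]
      RoleName: "poweruser"
  # read-only access, mfa required to assume
  OperatorRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              AWS: { "Fn::Sub": "arn:aws:iam::${AccountId}:root" }
            Action: "sts:AssumeRole"
            Condition:
              Bool:
                "aws:MultiFactorAuthPresent": "true"
      ManagedPolicyArns: [ "arn:aws:iam::aws:policy/ReadOnlyAccess" ]
      RoleName: "operator"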
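---
## iam policies and groups to allow users to self manage passwords, iam keys
## and mfa devices
##
## every write statement is pinned to the caller's own user (or mfa) arn via
## ${aws:username}. the "${!aws:username}" spelling is the Fn::Sub escape that
## leaves the literal "${aws:username}" in the policy for iam to resolve at
## request time.
AWSTemplateFormatVersion: "2010-09-09"
Description: "iam policies and groups for user management"
Resources:
  PasswordManagement:
    Type: "AWS::IAM::Group"
    Properties:
      # Ref on an AWS::IAM::ManagedPolicy returns its arn
      ManagedPolicyArns: [ { "Ref": "PasswordManagementPerms" } ]
  PasswordManagementPerms:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      Description: "permissions for users to manage their own passwords"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # account-wide read access the console needs to render the users
          # and password-policy pages
          - Effect: "Allow"
            Action:
              - "iam:ListAccount*"
              - "iam:GetAccountSummary"
              - "iam:GetAccountPasswordPolicy"
              - "iam:ListUsers"
            Resource: "*"
          # write access limited to the caller's own user. iam:ChangePassword
          # is the action behind the console's "change password" page; the
          # *LoginProfile wildcard covers Create/Get/Update/DeleteLoginProfile
          # but does not match ChangePassword, so it is listed explicitly.
          # NOTE(review): this statement is not gated on
          # aws:MultiFactorAuthPresent, so credentials used without mfa can
          # still create new access keys for the user; add the condition (or a
          # deny-unless-mfa statement) if that is not the intended trade-off
          - Effect: "Allow"
            Action:
              - "iam:ChangePassword"
              - "iam:*LoginProfile"
              - "iam:*AccessKey*"
              - "iam:*SSHPublicKey*"
            Resource: { "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:user/${!aws:username}" }
  MFAManagement:
    Type: "AWS::IAM::Group"
    Properties:
      ManagedPolicyArns: [ { "Ref": "MFAManagementPerms" } ]
  MFAManagementPerms:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      Description: "permissions for users to manage their own mfa devices"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # enrolment: no mfa condition, so a user who has no device yet can
          # create and enable one. DeleteVirtualMFADevice is safe here because
          # an enabled device must be deactivated (mfa-gated below) before it
          # can be deleted.
          - Effect: "Allow"
            Action:
              - "iam:CreateVirtualMFADevice"
              - "iam:EnableMFADevice"
              - "iam:ResyncMFADevice"
              - "iam:DeleteVirtualMFADevice"
            Resource:
              - { "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:mfa/${!aws:username}" }
              - { "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:user/${!aws:username}" }
          # removing an active device requires an mfa-backed session, so
          # stolen long-lived credentials alone cannot strip the second factor
          - Effect: "Allow"
            Action: [ "iam:DeactivateMFADevice" ]
            Resource:
              - { "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:mfa/${!aws:username}" }
              - { "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:user/${!aws:username}" }
            Condition:
              Bool:
                "aws:MultiFactorAuthPresent": "true"
          # list permissions the console needs for the mfa pages
          - Effect: "Allow"
            Action:
              - "iam:ListMFADevices"
              - "iam:ListVirtualMFADevices"
              - "iam:ListUsers"
            Resource: "*"
Outputs:
  # Ref on an AWS::IAM::Group returns the group name, not its arn; the name
  # is what AddUserToGroup takes. use Fn::GetAtt <Group>.Arn if the arn is
  # wanted instead.
  MFAGroup:
    Description: "name of group to join to get permission to manage mfa devices"
    Value: { "Ref": "MFAManagement" }
    Export:
      Name: { "Fn::Sub": "${AWS::StackName}-mfa-users-group" }
  PasswordGroup:
    Description: "name of group to join to get permission to manage passwords"
    Value: { "Ref": "PasswordManagement" }
    Export:
      Name: { "Fn::Sub": "${AWS::StackName}-password-users-group" }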