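---
## aws access roles
##
## roles that can be assumed by users to grant various levels of access to the
## account
##
## every role trusts the root principal of the account given by AccountId,
## which delegates the decision of *who* in that account may assume the role
## to that account's own iam policies. the aws:MultiFactorAuthPresent
## condition additionally requires the calling session to have been
## authenticated with mfa; a Bool condition evaluates false when the key is
## absent, so sessions without mfa are denied rather than let through.
AWSTemplateFormatVersion: "2010-09-09"
Description: "account access roles"
Parameters:
  AccountId:
    Description: "the account id from which permitted user accounts may assume these roles"
    Type: "String"
    # a mistyped id would render an invalid principal arn in every trust
    # policy below, so reject anything that is not a 12 digit account id
    AllowedPattern: "^[0-9]{12}$"
    ConstraintDescription: "must be a 12 digit aws account id"
Resources:
  # full administrative access
  AdminRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              AWS:
                Fn::Sub: "arn:aws:iam::${AccountId}:root"
            Action: "sts:AssumeRole"
            Condition:
              Bool:
                "aws:MultiFactorAuthPresent": "true"
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/AdministratorAccess"
      # fixed role names: this stack can only exist once per account
      RoleName: "admin"
  # everything except iam / organizations management
  PowerUserRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              AWS:
                Fn::Sub: "arn:aws:iam::${AccountId}:root"
            Action: "sts:AssumeRole"
            Condition:
              Bool:
                "aws:MultiFactorAuthPresent": "true"
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/PowerUserAccess"
      RoleName: "poweruser"
  # read only access
  DevRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              AWS:
                Fn::Sub: "arn:aws:iam::${AccountId}:root"
            Action: "sts:AssumeRole"
            Condition:
              Bool:
                "aws:MultiFactorAuthPresent": "true"
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/ReadOnlyAccess"
      RoleName: "developer"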
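---
## iam group that grants the ability to assume a single role
##
## group membership is the only thing granted here; the target role's own
## trust policy still decides whether the sts:AssumeRole call succeeds
AWSTemplateFormatVersion: "2010-09-09"
Description: "account access groups"
Parameters:
  Name:
    Description: "the name of the group"
    Type: "String"
  Role:
    # this value becomes the Resource of an iam statement, so it must be the
    # full role arn, not the bare role name
    Description: "the arn of the role to grant the ability to assume"
    Type: "String"
    AllowedPattern: "^arn:aws:iam::[0-9]{12}:role/.+$"
    ConstraintDescription: "must be an iam role arn (arn:aws:iam::<account id>:role/<name>)"
Resources:
  Group:
    Type: "AWS::IAM::Group"
    Properties:
      GroupName:
        Ref: "Name"
      Policies:
        - PolicyName: "AssumeRole"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Resource:
                  Ref: "Role"
                Action:
                  - "sts:AssumeRole"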
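---
## iam policies and groups to allow users to self manage passwords, iam keys
## and mfa devices
##
## write permissions are scoped to the caller's own user via the iam policy
## variable ${aws:username}; inside Fn::Sub it is written ${!aws:username} so
## that cloudformation leaves it for iam to expand at evaluation time
AWSTemplateFormatVersion: "2010-09-09"
Description: "iam policies and groups for user management"
Resources:
  PasswordManagement:
    Type: "AWS::IAM::Group"
    Properties:
      # Ref on an AWS::IAM::ManagedPolicy returns the policy arn
      ManagedPolicyArns:
        - Ref: "PasswordManagementPerms"
  PasswordManagementPerms:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      Description: "permissions for users to manage their own passwords"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # account wide read access needed to navigate to one's own user
          - Effect: "Allow"
            Action:
              - "iam:ListAccount*"
              - "iam:GetAccountSummary"
              - "iam:GetAccountPasswordPolicy"
              - "iam:ListUsers"
            Resource: "*"
          # password, access key and ssh key management on the caller's own
          # user only
          # NOTE(review): unlike the mfa deactivation statement further down,
          # this statement carries no aws:MultiFactorAuthPresent condition, so
          # access keys and ssh keys can be created from a password-only
          # session
          - Effect: "Allow"
            Action:
              - "iam:*LoginProfile"
              - "iam:*AccessKey*"
              - "iam:*SSHPublicKey*"
            Resource:
              Fn::Sub: "arn:aws:iam::${AWS::AccountId}:user/${!aws:username}"
  MFAManagement:
    Type: "AWS::IAM::Group"
    Properties:
      ManagedPolicyArns:
        - Ref: "MFAManagementPerms"
  MFAManagementPerms:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      Description: "permissions for users to manage their own mfa devices"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # enrolling a device has to work before the user has mfa, so no
          # mfa condition on these actions
          - Effect: "Allow"
            Action:
              - "iam:CreateVirtualMFADevice"
              - "iam:EnableMFADevice"
              - "iam:ResyncMFADevice"
              - "iam:DeleteVirtualMFADevice"
            Resource:
              - Fn::Sub: "arn:aws:iam::${AWS::AccountId}:mfa/${!aws:username}"
              - Fn::Sub: "arn:aws:iam::${AWS::AccountId}:user/${!aws:username}"
          # turning mfa off requires a session that already used mfa; the
          # condition value is quoted to match the other mfa conditions in
          # these templates rather than relying on a yaml boolean
          - Effect: "Allow"
            Action:
              - "iam:DeactivateMFADevice"
            Resource:
              - Fn::Sub: "arn:aws:iam::${AWS::AccountId}:mfa/${!aws:username}"
              - Fn::Sub: "arn:aws:iam::${AWS::AccountId}:user/${!aws:username}"
            Condition:
              Bool:
                "aws:MultiFactorAuthPresent": "true"
          # listing is needed for the console to show the device page
          - Effect: "Allow"
            Action:
              - "iam:ListMFADevices"
              - "iam:ListVirtualMFADevices"
              - "iam:ListUsers"
            Resource: "*"
Outputs:
  # Ref on an AWS::IAM::Group returns the group *name*, not its arn (that
  # would be Fn::GetAtt Arn); the name is what AWS::IAM::UserToGroupAddition
  # consumes, so the exported value is kept and the descriptions corrected
  MFAGroup:
    Description: "name of group to join to get permission to manage mfa devices"
    Value:
      Ref: "MFAManagement"
    Export:
      Name:
        Fn::Sub: "${AWS::StackName}-mfa-users-group"
  PasswordGroup:
    Description: "name of group to join to get permission to manage passwords"
    Value:
      Ref: "PasswordManagement"
    Export:
      Name:
        Fn::Sub: "${AWS::StackName}-password-users-group"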