tomvachon · August 16, 2017 11:16 · osterman · Mar 1, 2019
diff --git a/stack.yml b/stack.yml
 Type: AWS::IAM::ManagedPolicy
 Properties:
  Description: AWS Policy for EC2 Instance, EBS Creation with Tagging required
  PolicyDocument:
    Version: "2012-10-17"
    Statement:
      # This allows the untaggable calls to work when RunInstances is the actor
      -
        Effect: Allow
        Action:
          - ec2:RunInstances
        Resource:
           - arn:aws:ec2:us-east-1::image/*
           - Fn::Sub: arn:aws:ec2:*:${AWS::AccountId}:subnet/*
           - Fn::Sub: arn:aws:ec2:*:${AWS::AccountId}:network-interface/*
           - Fn::Sub: arn:aws:ec2:*:${AWS::AccountId}:security-group/*
           - Fn::Sub: arn:aws:ec2:*:${AWS::AccountId}:key-pair/*
      # This allows the user to make these two calls on their account if: 
      # 1) They specify assetid and it matches a parameter in the stack (tied to the role they assumed)
      # 2) They specify an environment and it matches a parameter in the stack (tied to the role they assumed)
      # 
      # If either of the above are not true, it will 403 them at the end of their workflow
      -
        Effect: Allow
        Action:
          - ec2:RunInstances
          - ec2:CreateVolume
        Resource:
          - Fn::Sub: arn:aws:ec2:*:${AWS::AccountId}:volume/*
          - Fn::Sub: arn:aws:ec2:*:${AWS::AccountId}:instance/*
        Condition:
          StringEquals:
            aws:RequestTag/assetid:
              Ref: AssetId
            aws:RequestTag/environment:
              Ref: AppEnv
          ForAllValues:StringEquals:
            aws:TagKeys:
              - assetid
              - environment
      # This allows the createTags call from RunInstances, 
      # combining this with the CreateVolume call seems to be weirdly problematic
      -
        Effect: Allow
        Action:
          - ec2:CreateTags
        Resource:
          - Fn::Sub: arn:aws:ec2:*:${AWS::AccountId}:*/*
        Condition:
          StringEquals:
           ec2:CreateAction:
             - RunInstances
      # This allows the createTags call from CreateVolume, 
      # combining this with the RunInstances call seems to be weirdly problematic
      -
        Effect: Allow
        Action:
          - ec2:CreateTags
        Resource:
          - Fn::Sub: arn:aws:ec2:*:${AWS::AccountId}:*/*
        Condition:
          StringEquals:
           ec2:CreateAction:
             - CreateVolume
      # This allows similar actions on autoscaling but needs more testing
      -
        Effect: Allow
        Action:
          - autoscaling:Create*
        Resource:
          - "*"
        Condition:
          StringEquals:
            aws:RequestTag/assetid:
              Ref: AssetId
            aws:RequestTag/environment:
              Ref: AppEnv
          ForAllValues:StringEquals:
            aws:TagKeys:
              - assetid
              - environment
        # This policy allows the user to create security groups with no tags
        # as it does not support the hooks
        -
          Effect: Allow
          Action:
            - ec2:CreateSecurityGroup
          Resource:
            - "*"
        # To ensure that security groups are created and tagged properly, this
        # requires that the group is tagged before rules are added or revoked
        -
          Effect: Allow
          Action:
            - ec2:AuthorizeSecurityGroup*
            - ec2:RevokeSecurityGroup*      
          Resource:
            - "*"
          Condition:
            StringEquals:
              ec2:ResourceTag/assetid:
                Ref: AssetId
              aws:RequestTag/environment:
                Ref: AppEnv
        # This rule prevents tampering with the two key'ed K/V tags used for the 
        # restriction.  If this was not in place they would be able to change the tags
        # after the fact and then they would loose access to it.
        -
          Effect: Deny
          Action:
            - ec2:CreateTags
          Resource:
            - "*"
          Condition:
            ForAllValues:StringEquals:
              aws:TagKeys:
                - assetid
                - environment
            ForAnyValue:StringNotEquals:
             ec2:CreateAction:
               - RunInstances
               - CreateVolume
	Type: AWS::IAM::ManagedPolicy
	Properties:
	Description: AWS Policy for EC2 Instance, EBS Creation with Tagging required
	PolicyDocument:
	Version: "2012-10-17"
	Statement:
	# This allows the untaggable calls to work when RunInstances is the actor
	-
	Effect: Allow
	Action:
	- ec2:RunInstances
	Resource:
	- arn:aws:ec2:us-east-1::image/*
	- Fn::Sub: arn:aws:ec2::${AWS::AccountId}:subnet/
	- Fn::Sub: arn:aws:ec2::${AWS::AccountId}:network-interface/
	- Fn::Sub: arn:aws:ec2::${AWS::AccountId}:security-group/
	- Fn::Sub: arn:aws:ec2::${AWS::AccountId}:key-pair/
	# This allows the user to make these two calls on their account if:
	# 1) They specify assetid and it matches a parameter in the stack (tied to the role they assumed)
	# 2) They specify an environment and it matches a parameter in the stack (tied to the role they assumed)
	#
	# If either of the above are not true, it will 403 them at the end of their workflow
	-
	Effect: Allow
	Action:
	- ec2:RunInstances
	- ec2:CreateVolume
	Resource:
	- Fn::Sub: arn:aws:ec2::${AWS::AccountId}:volume/
	- Fn::Sub: arn:aws:ec2::${AWS::AccountId}:instance/
	Condition:
	StringEquals:
	aws:RequestTag/assetid:
	Ref: AssetId
	aws:RequestTag/environment:
	Ref: AppEnv
	ForAllValues:StringEquals:
	aws:TagKeys:
	- assetid
	- environment
	# This allows the createTags call from RunInstances,
	# combining this with the CreateVolume call seems to be weirdly problematic
	-
	Effect: Allow
	Action:
	- ec2:CreateTags
	Resource:
	- Fn::Sub: arn:aws:ec2::${AWS::AccountId}:/*
	Condition:
	StringEquals:
	ec2:CreateAction:
	- RunInstances
	# This allows the createTags call from CreateVolume,
	# combining this with the RunInstances call seems to be weirdly problematic
	-
	Effect: Allow
	Action:
	- ec2:CreateTags
	Resource:
	- Fn::Sub: arn:aws:ec2::${AWS::AccountId}:/*
	Condition:
	StringEquals:
	ec2:CreateAction:
	- CreateVolume
	# This allows similar actions on autoscaling but needs more testing
	-
	Effect: Allow
	Action:
	- autoscaling:Create*
	Resource:
	- "*"
	Condition:
	StringEquals:
	aws:RequestTag/assetid:
	Ref: AssetId
	aws:RequestTag/environment:
	Ref: AppEnv
	ForAllValues:StringEquals:
	aws:TagKeys:
	- assetid
	- environment
	# This policy allows the user to create security groups with no tags
	# as it does not support the hooks
	-
	Effect: Allow
	Action:
	- ec2:CreateSecurityGroup
	Resource:
	- "*"
	# To ensure that security groups are created and tagged properly, this
	# requires that the group is tagged before rules are added or revoked
	-
	Effect: Allow
	Action:
	- ec2:AuthorizeSecurityGroup*
	- ec2:RevokeSecurityGroup*
	Resource:
	- "*"
	Condition:
	StringEquals:
	ec2:ResourceTag/assetid:
	Ref: AssetId
	aws:RequestTag/environment:
	Ref: AppEnv
	# This rule prevents tampering with the two key'ed K/V tags used for the
	# restriction. If this was not in place they would be able to change the tags
	# after the fact and then they would loose access to it.
	-
	Effect: Deny
	Action:
	- ec2:CreateTags
	Resource:
	- "*"
	Condition:
	ForAllValues:StringEquals:
	aws:TagKeys:
	- assetid
	- environment
	ForAnyValue:StringNotEquals:
	ec2:CreateAction:
	- RunInstances
	- CreateVolume