From 4ed046b34a2b35720a81b00b2c7f72a769386971 Mon Sep 17 00:00:00 2001
From: Ashish Pani
Date: Wed, 27 Mar 2024 22:53:33 +0530
Subject: [PATCH 1/8] Update restricted-policy-1.json5
Adding policy changes for Start/Stop EKS RDS start/stop/describe Autoscaling describe
---
aws-iam-policies/generated/restricted-policy-1.json5 | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/aws-iam-policies/generated/restricted-policy-1.json5 b/aws-iam-policies/generated/restricted-policy-1.json5
index 936997b..d523166 100644
--- a/aws-iam-policies/generated/restricted-policy-1.json5
+++ b/aws-iam-policies/generated/restricted-policy-1.json5
@@ -8,10 +8,14 @@
 "acm:DeleteCertificate",
 "autoscaling:SuspendProcesses",
 "autoscaling:UpdateAutoScalingGroup",
+ "autoscaling:DescribeAutoScalingGroups",
 "cloudformation:DeleteStack",
 "cloudformation:DescribeStackEvents",
 "elasticfilesystem:PutFileSystemPolicy",
 "rds:DeleteDBInstance",
+ "rds:StartDBInstance",
+ "rds:StopDBInstance",
+ "rds:DescribeDBInstances",
 "rds:DeleteDBSecurityGroup",
 "rds:DeleteDBSubnetGroup",
 "ec2:DeleteKeypair"
@@ -162,4 +166,4 @@
 "Resource": "*"
 }
 ]
-}
\ No newline at end of file
+}
From 8f6c5ce44cbda7e97abcddca56921064221f3ae3 Mon Sep 17 00:00:00 2001
From: Ashish Pani
Date: Wed, 27 Mar 2024 23:01:47 +0530
Subject: [PATCH 2/8] Update reduced-permissions-mode.json
---
aws-iam-policies/reduced-permissions-mode.json | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/aws-iam-policies/reduced-permissions-mode.json b/aws-iam-policies/reduced-permissions-mode.json
index 0d0a069..6162c96 100644
--- a/aws-iam-policies/reduced-permissions-mode.json
+++ b/aws-iam-policies/reduced-permissions-mode.json
@@ -13,9 +13,13 @@
 "Action": [
 "autoscaling:SuspendProcesses",
 "autoscaling:UpdateAutoScalingGroup",
+ "autoscaling:DescribeAutoScalingGroups",
 "cloudformation:DescribeStackEvents",
 "cloudformation:UpdateStack",
- "ec2:DeleteKeyPair"
+ "ec2:DeleteKeyPair",
+ "rds:StartDBInstance",
+ "rds:StopDBInstance",
+ "rds:DescribeDBInstances"
 ],
 "Resource": "*",
 "Condition": {
From 39bb899268419082fedd0734b8df7d86142925fd Mon Sep 17 00:00:00 2001
From: Ashish Pani
Date: Mon, 1 Apr 2024 23:55:42 +0530
Subject: [PATCH 3/8] Update restricted-policy-doc-1.json5
---
.../docs/restricted-policy-doc-1.json5 | 19 ++++++++++++++++++-
1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/aws-iam-policies/docs/restricted-policy-doc-1.json5 b/aws-iam-policies/docs/restricted-policy-doc-1.json5
index e59d473..0c24210 100644
--- a/aws-iam-policies/docs/restricted-policy-doc-1.json5
+++ b/aws-iam-policies/docs/restricted-policy-doc-1.json5
@@ -293,6 +293,23 @@
 // Upgrade needs old/new instance status
 ],
 "Resource": "*"
+ },
+ {
+ "Sid": "StartStopRDS",
+ "Effect": "Allow",
+ "Action": [
+ "rds:StartDBInstance",
+ // Stop RDS Instance while stopping the cluster
+ "rds:StopDBInstance",
+ // Start RDS Instance while starting the cluster
+ "rds:DescribeDBInstances"
+ // Describe RDBS (postgres) instance created by
+ // cf, used to detect quota of DB instance
+ ],
+ "Resource": [
+ "arn:aws:rds:*:*:db:env-*-dwx-stack-rds",
+ "arn:aws:rds:*:*:subgrp:env-*-dwx-stack-dbsubnetgroup-*"
+ ]
 }
 ]
-}
\ No newline at end of file
+}
From 4330832835fefa794ac41d62c2407d6fcaddd099 Mon Sep 17 00:00:00 2001
From: Ashish Pani
Date: Tue, 2 Apr 2024 02:48:57 +0530
Subject: [PATCH 4/8] Update restricted-policy-doc-2.json5
---
aws-iam-policies/docs/restricted-policy-doc-2.json5 | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/aws-iam-policies/docs/restricted-policy-doc-2.json5 b/aws-iam-policies/docs/restricted-policy-doc-2.json5
index 0c193b8..9e9325e 100644
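Review bot: The per-action comments in the new StartStopRDS statement are attached to the wrong actions: this file's convention (visible in the doc-2 hunk, `"rds:CreateDBInstance", // The RDBS (postgres) created ...`) places a comment after the action it describes, yet `rds:StartDBInstance` is followed by `// Stop RDS Instance while stopping the cluster` and `rds:StopDBInstance` by `// Start RDS Instance while starting the cluster`; swap the two comment lines so `"rds:StartDBInstance",` is followed by `// Start RDS Instance while starting the cluster` and `"rds:StopDBInstance",` by `// Stop RDS Instance while stopping the cluster`. The Resource list also carries a `subgrp` ARN, but none of the three actions operates on a subnet group, so that entry appears to grant nothing while reading as if it scoped something; if that holds, drop it here and in the identical statement patch 7 adds to reduced-permissions-mode.json. Separately, the comment says `rds:DescribeDBInstances` is used to detect the DB instance quota; a quota check that lists every instance in the account would not be satisfied by a Resource scoped to `env-*-dwx-stack-rds`, so confirm the caller names the specific instance it describes, or this call will be denied at runtime while the documented intent says otherwise.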
--- a/aws-iam-policies/docs/restricted-policy-doc-2.json5
+++ b/aws-iam-policies/docs/restricted-policy-doc-2.json5
@@ -130,9 +130,6 @@
 "rds:CreateDBInstance",
 // The RDBS (postgres) created to store dwx
 // cluster info during activation
- "rds:DescribeDBInstances",
- // Describe RDBS (postgres) instance created by
- // cf, used to detect quota of DB instance
 "rds:CreateDBSubnetGroup",
 // The DBSubnetGroup created during activation
 "rds:DescribeDBSubnetGroups",
@@ -256,4 +253,4 @@
 }
 }
 ]
-}
\ No newline at end of file
+}
From c907db40adeb3fcb4a5c43be7fb0968c589f925d Mon Sep 17 00:00:00 2001
From: Ashish Pani
Date: Tue, 2 Apr 2024 02:51:46 +0530
Subject: [PATCH 5/8] Update reduced-permissions-mode.json
---
aws-iam-policies/reduced-permissions-mode.json | 1 -
1 file changed, 1 deletion(-)
diff --git a/aws-iam-policies/reduced-permissions-mode.json b/aws-iam-policies/reduced-permissions-mode.json
index 6162c96..34e2d96 100644
--- a/aws-iam-policies/reduced-permissions-mode.json
+++ b/aws-iam-policies/reduced-permissions-mode.json
@@ -13,7 +13,6 @@
 "Action": [
 "autoscaling:SuspendProcesses",
 "autoscaling:UpdateAutoScalingGroup",
- "autoscaling:DescribeAutoScalingGroups",
 "cloudformation:DescribeStackEvents",
 "cloudformation:UpdateStack",
 "ec2:DeleteKeyPair",
From 092bc2333d12aa9a5036225ac25a284b5a2a65c1 Mon Sep 17 00:00:00 2001
From: Ashish Pani
Date: Tue, 2 Apr 2024 02:53:41 +0530
Subject: [PATCH 6/8] Update restricted-policy-1.json5
---
aws-iam-policies/generated/restricted-policy-1.json5 | 4 ----
1 file changed, 4 deletions(-)
diff --git a/aws-iam-policies/generated/restricted-policy-1.json5 b/aws-iam-policies/generated/restricted-policy-1.json5
index d523166..c929d62 100644
--- a/aws-iam-policies/generated/restricted-policy-1.json5
+++ b/aws-iam-policies/generated/restricted-policy-1.json5
@@ -8,14 +8,10 @@
 "acm:DeleteCertificate",
 "autoscaling:SuspendProcesses",
 "autoscaling:UpdateAutoScalingGroup",
- "autoscaling:DescribeAutoScalingGroups",
 "cloudformation:DeleteStack",
 "cloudformation:DescribeStackEvents",
 "elasticfilesystem:PutFileSystemPolicy",
 "rds:DeleteDBInstance",
- "rds:StartDBInstance",
- "rds:StopDBInstance",
- "rds:DescribeDBInstances",
 "rds:DeleteDBSecurityGroup",
 "rds:DeleteDBSubnetGroup",
 "ec2:DeleteKeypair"
From f4255a1a228e5be7a083cfc4e19cb2988f831a21 Mon Sep 17 00:00:00 2001
From: Ashish Pani
Date: Tue, 2 Apr 2024 03:25:13 +0530
Subject: [PATCH 7/8] Update reduced-permissions-mode.json
---
aws-iam-policies/reduced-permissions-mode.json | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/aws-iam-policies/reduced-permissions-mode.json b/aws-iam-policies/reduced-permissions-mode.json
index 34e2d96..3e0dc2b 100644
--- a/aws-iam-policies/reduced-permissions-mode.json
+++ b/aws-iam-policies/reduced-permissions-mode.json
@@ -15,10 +15,7 @@
 "autoscaling:UpdateAutoScalingGroup",
 "cloudformation:DescribeStackEvents",
 "cloudformation:UpdateStack",
- "ec2:DeleteKeyPair",
- "rds:StartDBInstance",
- "rds:StopDBInstance",
- "rds:DescribeDBInstances"
+ "ec2:DeleteKeyPair"
 ],
 "Resource": "*",
 "Condition": {
@@ -151,6 +148,19 @@
 "s3:PutObjectAcl"
 ],
 "Resource": "*"
+ },
+ {
+ "Sid": "StartStopRDS",
+ "Effect": "Allow",
+ "Action": [
+ "rds:StartDBInstance",
+ "rds:StopDBInstance",
+ "rds:DescribeDBInstances"
+ ],
+ "Resource": [
+ "arn:aws:rds:*:*:db:env-*-dwx-stack-rds",
+ "arn:aws:rds:*:*:subgrp:env-*-dwx-stack-dbsubnetgroup-*"
+ ]
 }
 ]
 }
From 74ae652ba7620162fc10fa80ee17d0cb7ba0d4bb Mon Sep 17 00:00:00 2001
From: apani
Date: Tue, 2 Apr 2024 03:53:58 +0530
Subject: [PATCH 8/8] reverting generated changes
---
aws-iam-policies/generated/restricted-policy-1.json5 | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/aws-iam-policies/generated/restricted-policy-1.json5 b/aws-iam-policies/generated/restricted-policy-1.json5
index c929d62..936997b 100644
--- a/aws-iam-policies/generated/restricted-policy-1.json5
+++ b/aws-iam-policies/generated/restricted-policy-1.json5
@@ -162,4 +162,4 @@
 "Resource": "*"
 }
 ]
-}
+}
\ No newline at end of file