From ca02a468e30942f7a6db06c33f3e64fe3204cf72 Mon Sep 17 00:00:00 2001
From: Roohi
Date: Tue, 28 Nov 2023 13:26:04 -0800
Subject: [PATCH] First commit of all files
---
 .../workflows/commit-policy-no-comments.yml | 27 ++
 .../docs/restricted-policy-doc-1.json5 | 296 ++++++++++++++++++
 .../docs/restricted-policy-doc-2.json5 | 264 ++++++++++++++++
 .../managedArn-node-inline-policy.json | 284 +++++++++++++++++
 .../reduced-permissions-mode.json | 147 +++++++++
 aws-iam-policies/restricted-policy-1.json5 | 164 ++++++++++
 aws-iam-policies/restricted-policy-2.json5 | 182 +++++++++++
 .../restricted-policy-managedARN-1.json5 | 163 ++++++++++
 .../restricted-policy-managedARN-2.json5 | 182 +++++++++++
 main.py | 22 ++
 10 files changed, 1731 insertions(+)
 create mode 100644 .github/workflows/commit-policy-no-comments.yml
 create mode 100644 aws-iam-policies/docs/restricted-policy-doc-1.json5
 create mode 100644 aws-iam-policies/docs/restricted-policy-doc-2.json5
 create mode 100644 aws-iam-policies/managedArn-node-inline-policy.json
 create mode 100644 aws-iam-policies/reduced-permissions-mode.json
 create mode 100644 aws-iam-policies/restricted-policy-1.json5
 create mode 100644 aws-iam-policies/restricted-policy-2.json5
 create mode 100644 aws-iam-policies/restricted-policy-managedARN-1.json5
 create mode 100644 aws-iam-policies/restricted-policy-managedARN-2.json5
 create mode 100644 main.py
diff --git a/.github/workflows/commit-policy-no-comments.yml b/.github/workflows/commit-policy-no-comments.yml
new file mode 100644
index 0000000..b7a0d9d
--- /dev/null
+++ b/.github/workflows/commit-policy-no-comments.yml
@@ -0,0 +1,27 @@ +name: commit policy removing comments +on: + push: + branches: + - 'master' + paths: + - 'aws-iam-policies/doc/*-doc-*.json5' +jobs: + testJob: + name: Test + runs-on: self-hosted + steps: + - uses: actions/checkout@v2 + - uses: actions/setup-python@v4 + with: + python-version: '3.10' + - run: + pip install json5 + - run: python3 main.py ${{ steps.modifieddocfiles.outputs.added_modified }} + - name: commit files + run: | + git config --local user.email "action@github.com" + git config --local user.name "GitHub Action" + git add -A + git diff-index --quiet HEAD || (git commit -a -m "Remove comments and commit json file" --allow-empty) + git push -f + diff --git a/aws-iam-policies/docs/restricted-policy-doc-1.json5 b/aws-iam-policies/docs/restricted-policy-doc-1.json5 new file mode 100644 index 0000000..d84df7b --- /dev/null +++ b/aws-iam-policies/docs/restricted-policy-doc-1.json5 
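Review bot: The `commit files` step ends with `git push -f` to `master` from a `self-hosted` runner using the job's default token, so any compromised step in this job (and both `actions/checkout@v2` and `actions/setup-python@v4` are referenced by mutable tag rather than commit SHA) can rewrite the branch's history; drop the `-f` and pin the actions, e.g. `- uses: actions/checkout@<full-commit-sha> # v2`, and add an explicit `permissions: contents: write` block so the token's scope is stated rather than inherited. The line `python3 main.py ${{ steps.modifieddocfiles.outputs.added_modified }}` references a step id `modifieddocfiles` that does not exist in this job, so the expression expands to nothing and `main.py` runs with no file arguments. The `paths` filter is `aws-iam-policies/doc/*-doc-*.json5` while the files this commit adds live under `aws-iam-policies/docs/`, so as written the workflow never triggers on them. `git commit -a ... --allow-empty` after `git add -A` will also commit anything else the runner left in the working tree, which on a shared self-hosted runner may include files from an unrelated job.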
@@ -0,0 +1,296 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "ResourceTag", + // Control access to AWS serviceresources based on + // resource tags using ResourceTag/key-name + // condition key to allow access to resource or not + // based on resource tagging + // new + "Effect": "Allow", + "Action": [ + "acm:DeleteCertificate", + // Delete certificate attached to ELB + // created/deleted with cloudformation stack + "autoscaling:SuspendProcesses", + // Suspend AZRebalance for autoscaling group; + // include AZRebalance; cannot suspend + // AZRebalance in cloudformation; edit/update + // ASGs with AWS API to avoid AWS re-balancing + // nodes for AZ (most nodes run in + // stateful/critical pods) + "autoscaling:UpdateAutoScalingGroup", + // Calico overlaynetwork option requires no EKS + // nodes up on installation; with CF stack + // creation 3 nodes start up, autoscaling group + // updates desired capacity to Zero via AWS API; + // need latest SSH key from CloudBreak for EKS + // node updates; new Launch template passes + // SSH key and updates in ASG + "cloudformation:DeleteStack", + // Delete the cf stack created + "cloudformation:DescribeStackEvents", + // Get cf stack events, identify cause of failed + // cf stack creation failure + "elasticfilesystem:PutFileSystemPolicy", + // While creating EFS Filesystem give + // permission to attach FileSystem Policy + // for Client access via MountTarget and + // Encryption In transit + "rds:DeleteDBInstance", + // Delete DB instance used to store + // Metastore/Hive/Impala/Hue query data + "rds:DeleteDBSecurityGroup", + // Delete DB security group created via cf + "rds:DeleteDBSubnetGroup", + // Delete DB Subnet group created via cf + "ec2:DeleteKeypair" + // Delete keypair while deactivating CDW + // needed if CB env ssh is not reused + ], + "Resource": "*", + "Condition": { + "StringLike": { + "aws:ResourceTag/Cloudera-Resource-Name": "crn:cdp:*" + } + } + }, + { + "Sid": "RequestTag", + "Effect": 
"Allow", + "Action": [ + "autoscaling:CreateAutoScalingGroup", + //Create autoscaling groups for cluster + "cloudformation:CreateStack", + // Activate createstack mainly with + // cloudformation + "eks:TagResource", + // Tag eks cluster, e.g.: clusterId, + // envId, clustername, accountId... + "elasticfilesystem:CreateFileSystem", + // Create efs storage to be used by hive and + // Prometheus + "kms:CreateGrant", + // Use KMS keys in cryptographic + // operations, e.g. in ebs + "kms:CreateKey", + // During activation KMSKey created with cf + "rds:AddTagsToResource", + // In CF when creating RDS instance tag created + // with stack information adds metadata tags to + // Amazon RDS resource for use with cost + // allocation reporting to track cost of Amazon + // resources or to use in Condition statement + // of IAM policy for Amazon RDS + "cloudformation:UpdateStack" + // Update Custom AMI, upgrade EKS + ], + "Resource": "*", + "Condition": { + "StringLike": { + "aws:RequestTag/Cloudera-Resource-Name": "crn:cdp:*" + } + } + }, + { + "Sid": "AttachRole", + "Effect": "Allow", + "Action": "iam:AttachRolePolicy", + // Attach AWS managed policy ARNs to + // NodeInstance and EKS Service Roles + // See footnote 1. 
+ "Resource": [ + "arn:aws:iam::*:role/env-*-dwx-stack-EKSServiceRole-*", + "arn:aws:iam::*:role/env-*-dwx-stack-NodeInstanceRole-*" + ], + "Condition": { + "ForAnyValue:ArnEqualsIfExists": { + "iam:PolicyARN": [ + "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy", + "arn:aws:iam::aws:policy/AmazonEKSServicePolicy", + "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly", + "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy", + "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy", + "arn:aws:iam::aws:policy/CloudWatchAgentAdminPolicy" + ] + } + } + }, + { + "Sid": "Role", + "Effect": "Allow", + "Action": [ + "iam:AddRoleToInstanceProfile", + // Adds Node Instance IAM role to Ec2 + // Node instance profile + "iam:CreateInstanceProfile", + // Creates Node Instance Profile + "iam:CreateRole", + // Creates Node Instance and EKS Service Roles + "iam:DeleteInstanceProfile", + // Delete Node Instance Profile at + // deactivation via cf stack creation + "iam:DeleteRole", + // Delete Node Instance and EKS Service + // Roles at deactivation + "iam:DeleteRolePolicy", + // Delete inline policies like efs, ebs, + // cluster-autoscaler etc created/attached + // to Node instance role at deactivation + "iam:DetachRolePolicy", + // Detach managed policy ARNs attached to Node + // Instance and EKS Service IAM roles at + // deactivation + "iam:GetRole", + // Retrieve details about Node Instance and EKS + // service IAM roles, recursively called by cf + "iam:GetRolePolicy", + // Get inline policy attached to Node Instance + // role + "iam:PassRole", + // Required permission to assign Node instance + // role to Ec2 Node instance profile + "iam:PutRolePolicy", + // Add inline policies like efs, ebs, + // cluster-autoscaler to Node Instance Role + "iam:RemoveRoleFromInstanceProfile" + //Removes IAM role from EC2 instance profile + ], + "Resource": [ + "arn:aws:iam::*:instance-profile/env-*-dwx-stack-NodeInstanceProfile-*", + "arn:aws:iam::*:role/env-*-dwx-stack-EKSServiceRole-*", + 
"arn:aws:iam::*:role/env-*-dwx-stack-NodeInstanceRole-*" + ] + }, + { + "Sid": "gocode", + "Effect": "Allow", + "Action": [ + "acm:DescribeCertificate", + // ACM validation adds DNS records + "acm:ListCertificates", + //ACM validation adds DNS records + "ec2:DescribeKeyPairs", + // Validate CB env ssh key pair exists, not + // deleted inbetween; check for duplicate + // keypair in case of CDW created keypair + "ec2:DescribeDhcpOptions", + // See Point 2-3; see footnote 3 + "ec2:DescribeSubnets", + // See Point 4 in footnote 3 URL + "ec2:DescribeVpcs", + // Validate ID of set of DHCP options + // associated with the VPC + "autoscaling:DescribeAutoScalingGroups", + // Get shared services/compute ASGs, update + // as part of AZRebalance + "iam:SimulatePrincipalPolicy", + // Simulate CF stack formation policies + "iam:ListAttachedRolePolicies", + // List policies attached to Ranger RAZ + // role; attach to NodeInstanceRole for + // S3 access if RAZ enabled and also to add cloudwatch access + "ec2:DescribeVpcAttribute", + // Validate enableDnsHostnames and + // enableDnsSupport VPC attributes; + // see 1 and 3 points in footnote 3 URL + "ec2:DescribeImages", + "ec2:CreateTags", + // Tag subnets and eks security group + // See footnote 2 + "ec2:CreateKeyPair" + // Create ssh Public key pair, pass to ec2 + // instances. Not required if passed/set/ + // reused via CB + ], + "Resource": "*" + }, + { + "Sid": "gocodeStack", + "Effect": "Allow", + "Action": [ + "cloudformation:DescribeStacks" + // Check the status of stack--error or + // completed, then install helm charts + ], + "Resource": "arn:aws:cloudformation:*:*:stack/env-*-dwx-stack/*" + }, + { + "Sid": "gocodeEKSCluster", + "Effect": "Allow", + "Action": [ + "eks:UpdateClusterConfig", + // Update EKScluster config Enable + // Private EKS and Cloudwatch on EKS + "eks:UpdateClusterVersion", + // Updates an Amazon EKS cluster to + // the specified Kubernetes version. 
+ "eks:DescribeUpdate" + // Check status of Updates--enable + // Private EKS and Cloudwatch on EKS + ], + "Resource": "arn:aws:eks:*:*:cluster/env-*-dwx-stack-eks" + }, + { + "Sid": "S3full", + "Effect": "Allow", + "Action": [ + "s3:GetBucketLocation" + // Needed for external bucket feature + // via UI, where we validate the VPC + // and bucket region are the same + ], + "Resource": "*" + }, + { + "Sid": "S3PutGetObject", + "Effect": "Allow", + "Action": [ + "s3:PutObject", + // Put cf template in SDX bucket + "s3:GetObject" + // Get cf template while cf stack creation may + // not be needed for reduced mode + ], + "Resource": [ + "arn:aws:s3:::${DATALAKE_BUCKET}/cf-templates/*", + "arn:aws:s3:::${DATALAKE_BUCKET}/backup/*" + ] + }, + { + "Sid": "UpgradeCfStack", + "Effect": "Allow", + "Action": [ + "cloudformation:GetTemplate", + // EKS upgrade gets Cloudformation + // template body and makew changes + "cloudformation:GetTemplateSummary", + // EKS upgrade loads CF template + // parameters to call method, then + // needs the permission + "eks:ListUpdates", + // Identifies resources related to eks change + "ec2:CreateLaunchTemplateVersion", + // launchTemplate cannot be changed, + // only new versions can be added + "autoscaling:TerminateInstanceInAutoScalingGroup", + // Upgrade terminates instances in old + // autoscalinggroup + "autoscaling:DescribeScheduledActions", + // Updatestack in control of instances + // of cluster autoscalinggroup, has permission + // to get status of group + "autoscaling:SetDesiredCapacity", + // DesiredCapacity can be changed with upgrade; + // will be set each time nodegroup is changed; + // nodegroup changes when related launchtemplate + // changes with new version of eks ami for + // upgrade, requiring permission + "ec2:DescribeInstances" + // Upgrade needs old/new instance status + ], + "Resource": "*" + } + ] +} \ No newline at end of file 
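Review bot: The `Role` statement grants `iam:CreateRole`, `iam:PutRolePolicy` and `iam:PassRole` on `env-*-dwx-stack-NodeInstanceRole-*` (plus `iam:CreateInstanceProfile`/`AddRoleToInstanceProfile` on the matching profile pattern) with no condition on the inline policy's content or on the service the role is passed to, and the `RequestTag` statement in the same hunk allows `cloudformation:CreateStack`, so the holder can create a role matching that name, give it an inline policy of its own choosing, and pass it to an instance launched by a stack it authors — an escalation path that the managed-ARN allow-list in `AttachRole` does not close. Require a permissions boundary on the creation and inline-policy paths, `"Condition": {"StringEquals": {"iam:PermissionsBoundary": "arn:aws:iam::${ACCOUNT_ID}:policy/<boundary-policy>"}}` on `iam:CreateRole`/`iam:PutRolePolicy`, and restrict `iam:PassRole` with `"Condition": {"StringEquals": {"iam:PassedToService": ["ec2.amazonaws.com", "eks.amazonaws.com"]}}` (presumably the two services these role families are passed to, given the EKSServiceRole/NodeInstanceRole names — confirm). In `AttachRole`, `ForAnyValue:ArnEqualsIfExists` passes whenever the `iam:PolicyARN` key is absent; since `AttachRolePolicy` always supplies it, plain `ArnEquals` is the safer operator. The `${ACCOUNT_ID}` placeholder is the one `reduced-permissions-mode.json` in this commit already uses, so it is presumably substituted at deploy time.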
diff --git a/aws-iam-policies/docs/restricted-policy-doc-2.json5 b/aws-iam-policies/docs/restricted-policy-doc-2.json5
new file mode 100644
index 0000000..e2a0e0f
--- /dev/null
+++ b/aws-iam-policies/docs/restricted-policy-doc-2.json5
@@ -0,0 +1,264 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "cloudformation", + "Effect": "Allow", + "Action": [ + "acm:AddTagsToCertificate", + // Add owner/stack related tags to Certificate + "acm:DescribeCertificate", + // Describe Certificate created by cf to check + // the certification status during activation + "acm:RequestCertificate", + // Requests ACM certificate for dwx + "autoscaling:DescribeScalingActivities", + // When dwx scales up/down AutoScalingGroups + // dwx must check ASG activity status + "ec2:CreateLaunchTemplate", + // LaunchTemplate creates EC2 instances used + // by DWX + "ec2:CreatePlacementGroup", + // Placement groups launch EC2 instances in + // physical proximity within same AZ + "ec2:CreateSecurityGroup", + // Create Security Groups for EC2 instance + "ec2:DescribeAccountAttributes", + // Lists attributes for customer account that + // might be needed by cf to get quotas like + // vpc-max-security-groups-per-interface + // and supported_platforms + "ec2:DescribeAvailabilityZones", + // DWX query executors deployed among 3 + // availibility zones that need az info + "ec2:DescribeLaunchTemplates", + // Updates sshkey to get old sshkey info from + // ec2 Launch Template + "ec2:DescribeLaunchTemplateVersions", + // Update sshkey using old sshkey info from + // ec2 Launch Template Version + "ec2:DescribePlacementGroups", + // Describes specified placement groups created + // during activation + "ec2:DescribeSecurityGroups", + // Tags the eks security group to get cluster + // security group id + "ec2:RevokeSecurityGroupEgress", + // Revoke SecurityGroupEgress authorized by cf + "ec2:RevokeSecurityGroupIngress", + // Revoke SecurityGroupIngress authorized by cf + "ec2:RunInstances", + //Essential to run the EC2 instance + "ec2:DeleteLaunchTemplate", + // Delete LaunchTemplate created by cf + "ec2:DeletePlacementGroup", + // Delete Placement Groups created by cf + "elasticfilesystem:DescribeMountTargets", + // Called by CF 
while creating EFS + "elasticfilesystem:DescribeFileSystems" + // Called by CF while creating EFS + ], + "Resource": "*", + "Condition": { + "ForAnyValue:StringEquals": { + "aws:CalledVia": "cloudformation.amazonaws.com" + } + } + }, + { + "Sid": "CFResourceTag", + "Resource": "*", + "Effect": "Allow", + "Action": [ + "ec2:AuthorizeSecurityGroupEgress", + // Adds outbound rules to security group for + // use with VPC + "ec2:AuthorizeSecurityGroupIngress", + //A dds inbound rules to security group + // for use with VPC + "ec2:RevokeSecurityGroupEgress", + // Revoke SecurityGroupEgress authorized by cf + "ec2:RevokeSecurityGroupIngress", + // Revoke SecurityGroupIngress authorized by cf + "autoscaling:DeleteAutoScalingGroup", + // Delete sharedservices and compute + // autoscaling groups--created/deleted with + // cloudformation stack + "ec2:DeleteSecurityGroup", + // Delete NodeSecurityGroup, + // ClusterControlPlaneSecurityGroup, + // DB Security Group created via cf stack + "eks:DeleteCluster" + // Delete EKS cluster created via cf + ], + "Condition": { + "ForAnyValue:StringEquals": { + "aws:CalledVia": "cloudformation.amazonaws.com" + }, + "StringLike": { + "aws:ResourceTag/Cloudera-Resource-Name": "crn:cdp:*" + } + } + }, + { + "Sid": "CFRequestTag", + "Resource": "*", + "Effect": "Allow", + "Action": [ + "kms:TagResource", + // Add owner/stack related tags to kms + "logs:CreateLogGroup" + // Create/name cloudwatch log group + ], + "Condition": { + "ForAnyValue:StringEquals": { + "aws:CalledVia": "cloudformation.amazonaws.com" + }, + "StringLike": { + "aws:RequestTag/Cloudera-Resource-Name": "crn:cdp:*" + } + } + }, + { + "Sid": "CFDatabase", + "Resource": [ + "arn:aws:rds:*:*:db:env-*-dwx-stack-rds", + "arn:aws:rds:*:*:subgrp:env-*-dwx-stack-dbsubnetgroup-*" + ], + "Effect": "Allow", + "Action": [ + "rds:CreateDBInstance", + // The RDBS (postgres) created to store dwx + // cluster info during activation + "rds:DescribeDBInstances", + // Describe RDBS (postgres) 
instance created by + // cf, used to detect quota of DB instance + "rds:CreateDBSubnetGroup", + // The DBSubnetGroup created during activation + "rds:DescribeDBSubnetGroups", + // Describe DBSubnetGroup instance created by cf + "rds:ListTagsForResource" + // Lists tags on RDS DBsubnetgroup. Required for Cloudformation operations + + ], + "Condition": { + "ForAnyValue:StringEquals": { + "aws:CalledVia": "cloudformation.amazonaws.com" + } + } + }, + { + "Sid": "CFEksCluster", + "Resource": "arn:aws:eks:*:*:cluster/env-*-dwx-stack-eks", + "Effect": "Allow", + "Action": [ + "eks:CreateCluster", + // Creates eks cluster upon activation + // that dwx can deploy resources on + "eks:DescribeCluster" + // DWX keeps track of eks cluster created + // during env activation + ], + "Condition": { + "ForAnyValue:StringEquals": { + "aws:CalledVia": "cloudformation.amazonaws.com" + } + } + }, + { + "Sid": "CFCloudwatch", + "Resource": "arn:aws:eks:*::log-group:/aws/eks/env-*-dwx-stack-eks/cluster:*", + "Effect": "Allow", + "Action": [ + "logs:CreateLogStream", + // Create log stream of log group that + // originates from monitored application + // or resource + "logs:DescribeLogStreams", + // List log streams for log groups + "logs:PutLogEvents", + // Upload log events to log stream + "logs:PutRetentionPolicy" + // Change number of days Cloudwatch retains + ], + "Condition": { + "ForAnyValue:StringEquals": { + "aws:CalledVia": "cloudformation.amazonaws.com" + } + } + }, + { + "Sid": "CFKeys", + "Resource": "*", + "Effect": "Allow", + "Action": [ + "kms:CreateAlias", + // kms key id hard to recognize so an alias is + // created, e.g. 
"env-xxxxxx-dwx-stack-kms-key" + "kms:DeleteAlias", + // Delete the kms alias created by cf + "kms:DescribeKey", + // Describe the KMS key created during + // activation + "kms:EnableKeyRotation", + // Allow rotation of kms key after expiration + "kms:GenerateDataKey", + // Returns unique symmetric data key in plain + // text for use outside AWS KMS + "kms:GenerateDataKeyWithoutPlaintext", + // Return unique symmetric encrypted data key + // for use outside of AWS KMS + "kms:ScheduleKeyDeletion" + // Schedule deletion of KMS key, rotate to new + // key + ], + "Condition": { + "ForAnyValue:StringEquals": { + "aws:CalledVia": "cloudformation.amazonaws.com" + } + } + }, + { + "Sid": "CFFileSystem", + "Resource": "*", + "Effect": "Allow", + "Action": [ + "elasticfilesystem:CreateMountTarget", + //Create 3 EFS mount targets for 3 AZs + "elasticfilesystem:DeleteFileSystem", + // Delete EFS file system during deactivation via cf + "elasticfilesystem:DeleteMountTarget" + // Delete all the 3 EFS mount targets + ], + "Condition": { + "ForAnyValue:StringEquals": { + "aws:CalledVia": "cloudformation.amazonaws.com" + }, + "StringLike": { + "aws:ResourceTag/clusterId": "env-*" + } + } + }, + { + "Sid": "AllowSsmParams", + "Effect": "Allow", + "Action": [ + "ssm:DescribeParameters", + "ssm:GetParameter", + "ssm:GetParameters", + "ssm:GetParameterHistory", + "ssm:GetParametersByPath" + // these set of permissions is used by cloudformation + // to obtain the latest AMI during stack create and upgrade + ], + "Resource": [ + "arn:aws:ssm:*:*:parameter/aws/service/eks/optimized-ami/*" + ], + "Condition": { + "ForAnyValue:StringEquals": { + "aws:CalledVia": "cloudformation.amazonaws.com" + } + } + } + ] +} \ No newline at end of file diff --git a/aws-iam-policies/managedArn-node-inline-policy.json b/aws-iam-policies/managedArn-node-inline-policy.json new file mode 100644 index 0000000..97c5c0f --- /dev/null +++ b/aws-iam-policies/managedArn-node-inline-policy.json 
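Review bot: The `CFKeys` statement allows `kms:ScheduleKeyDeletion`, `kms:DeleteAlias`, `kms:GenerateDataKey` and `kms:GenerateDataKeyWithoutPlaintext` on `"Resource": "*"` guarded only by `aws:CalledVia: cloudformation.amazonaws.com`; because the stack template is authored by the same principal (the companion policy grants `cloudformation:CreateStack`/`UpdateStack`), CalledVia constrains the call path but not the target, so any customer-managed key in the account can be scheduled for deletion or used for data-key generation through a stack resource. Add the tag guard the `CFResourceTag` statement already uses, `"StringLike": {"aws:ResourceTag/Cloudera-Resource-Name": "crn:cdp:*"}`, to the key-affecting actions (`kms:CreateAlias` and `kms:DescribeKey` can reasonably stay on `*`). Separately, the `CFCloudwatch` resource `arn:aws:eks:*::log-group:/aws/eks/env-*-dwx-stack-eks/cluster:*` names the `eks` service, but log groups are `logs` resources, so that statement matches nothing and the four `logs:` actions are effectively not granted; it should read `"arn:aws:logs:*:*:log-group:/aws/eks/env-*-dwx-stack-eks/cluster:*"`. `ec2:RunInstances` on `*` in the `cloudformation` statement has no `ec2:InstanceProfile`/`aws:RequestTag` condition, which is what lets the crafted-role path noted on policy 1 complete; an `"ArnLike": {"ec2:InstanceProfile": "arn:aws:iam::*:instance-profile/env-*-dwx-stack-NodeInstanceProfile-*"}` condition would at least pin the profile family.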
@@ -0,0 +1,284 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "clusterautoscaler", + "Effect": "Allow", + "Action": [ + "autoscaling:DescribeAutoScalingGroups", //comment 1 + "autoscaling:DescribeAutoScalingInstances", //comment 2 + "autoscaling:DescribeTags", + "autoscaling:DescribeLaunchConfigurations", + "autoscaling:SetDesiredCapacity", + "autoscaling:TerminateInstanceInAutoScalingGroup", + "ec2:DescribeLaunchTemplateVersions", + "ec2:CreateTags" + ], + "Resource": [ + "*" + ] + }, + { + "Action": [ + "elasticfilesystem:DescribeAccessPoints", + "elasticfilesystem:DescribeFileSystems", + "elasticfilesystem:DescribeMountTargets", + "ec2:DescribeAvailabilityZones" + ], + "Resource": "*", + "Effect": "Allow" + }, + { + "Condition": { + "StringLike": { + "aws:RequestTag/efs.csi.aws.com/cluster": "true" + } + }, + "Action": [ + "elasticfilesystem:CreateAccessPoint" + ], + "Resource": "*", + "Effect": "Allow" + }, + { + "Effect": "Allow", + "Action": [ + "elasticfilesystem:TagResource" + ], + "Resource": "*", + "Condition": { + "StringLike": { + "aws:ResourceTag/efs.csi.aws.com/cluster": "true" + } + } + }, + { + "Condition": { + "StringEquals": { + "aws:ResourceTag/efs.csi.aws.com/cluster": "true" + } + }, + "Action": "elasticfilesystem:DeleteAccessPoint", + "Resource": "*", + "Effect": "Allow" + }, + { + "Action": [ + "ec2:CreateSnapshot", + "ec2:AttachVolume", + "ec2:DetachVolume", + "ec2:ModifyVolume", + "ec2:DescribeAvailabilityZones", + "ec2:DescribeInstances", + "ec2:DescribeSnapshots", + "ec2:DescribeTags", + "ec2:DescribeVolumes", + "ec2:DescribeVolumesModifications" + ], + "Resource": "*", + "Effect": "Allow" + }, + { + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateVolume", + "CreateSnapshot" + ] + } + }, + "Action": [ + "ec2:CreateTags" + ], + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ], + "Effect": "Allow" + }, + { + "Action": [ + "ec2:DeleteTags" + ], + "Resource": [ + 
"arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ], + "Effect": "Allow" + }, + { + "Condition": { + "StringLike": { + "aws:RequestTag/ebs.csi.aws.com/cluster": "true" + } + }, + "Action": [ + "ec2:CreateVolume" + ], + "Resource": "*", + "Effect": "Allow" + }, + { + "Condition": { + "StringLike": { + "aws:RequestTag/CSIVolumeName": "*" + } + }, + "Action": [ + "ec2:CreateVolume" + ], + "Resource": "*", + "Effect": "Allow" + }, + { + "Condition": { + "StringLike": { + "aws:RequestTag/kubernetes.io/cluster/*": "owned" + } + }, + "Action": [ + "ec2:CreateVolume" + ], + "Resource": "*", + "Effect": "Allow" + }, + { + "Condition": { + "StringLike": { + "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true" + } + }, + "Action": [ + "ec2:DeleteVolume" + ], + "Resource": "*", + "Effect": "Allow" + }, + { + "Condition": { + "StringLike": { + "ec2:ResourceTag/CSIVolumeName": "*" + } + }, + "Action": [ + "ec2:DeleteVolume" + ], + "Resource": "*", + "Effect": "Allow" + }, + { + "Condition": { + "StringLike": { + "ec2:ResourceTag/kubernetes.io/cluster/*": "owned" + } + }, + "Action": [ + "ec2:DeleteVolume" + ], + "Resource": "*", + "Effect": "Allow" + }, + { + "Condition": { + "StringLike": { + "ec2:ResourceTag/CSIVolumeSnapshotName": "*" + } + }, + "Action": [ + "ec2:DeleteSnapshot" + ], + "Resource": "*", + "Effect": "Allow" + }, + { + "Condition": { + "StringLike": { + "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true" + } + }, + "Action": [ + "ec2:DeleteSnapshot" + ], + "Resource": "*", + "Effect": "Allow" + }, + { + "Action": [ + "kms:Decrypt", + "kms:GenerateDataKeyWithoutPlaintext", + "kms:CreateGrant" + ], + "Resource": "*", + "Effect": "Allow" + }, + { + "Sid": "kms", + "Effect": "Allow", + "Action": [ + "kms:Encrypt", + "kms:Decrypt", + "kms:GenerateDatakey", + "kms:ListAliases", + "kms:DescribeKey" + ], + "Resource": [ + "*" + ] + }, + { + "Sid": "limitsmonitoring", + "Effect": "Allow", + "Action": [ + "servicequotas:ListServiceQuotas", + 
"elasticloadbalancing:DescribeAccountLimits", + "elasticloadbalancing:DescribeLoadBalancers", + "rds:DescribeAccountAttributes", + "rds:DescribeDBInstances", + "rds:DescribeDBSnapshots" + ], + "Resource": [ + "*" + ] + }, + { + "Sid": "listmybuckets", + "Action": [ + "s3:ListBucket", + "s3:GetBucketLocation" + ], + "Resource": [ + "arn:aws:s3:::${DATALAKE_BUCKET}", + "arn:aws:s3:::${LOGS_BUCKET}", + "arn:aws:s3:::${BACKUP_BUCKET} " + ], + "Effect": "Allow" + }, + { + "Sid": "putgetmybucketpaths", + "Action": [ + "s3:Get*", + "s3:Delete*", + "s3:Put*", + "s3:ListBucketMultipartUploads", + "s3:AbortMultipartUpload" + ], + "Resource": [ + "arn:aws:s3:::${LOGS_BUCKET}/clusters", + "arn:aws:s3:::${LOGS_BUCKET}/clusters/*", + "arn:aws:s3:::${DATALAKE_BUCKET}/clusters", + "arn:aws:s3:::${DATALAKE_BUCKET}/clusters/*", + "arn:aws:s3:::${LOGS_LOCATION_BASE}", + "arn:aws:s3:::${LOGS_LOCATION_BASE}/*", + "arn:aws:s3:::${BACKUP_LOCATION_BASE}", + "arn:aws:s3:::${BACKUP_LOCATION_BASE}/*", + "arn:aws:s3:::${STORAGE_LOCATION_BASE}", + "arn:aws:s3:::${STORAGE_LOCATION_BASE}/*", + "arn:aws:s3:::${DATALAKE_BUCKET}/backup", + "arn:aws:s3:::${DATALAKE_BUCKET}/backup/*", + "arn:aws:s3:::${DATALAKE_BUCKET}/tmp", + "arn:aws:s3:::${DATALAKE_BUCKET}/tmp/*" + ], + "Effect": "Allow" + } + ] +} \ No newline at end of file diff --git a/aws-iam-policies/reduced-permissions-mode.json b/aws-iam-policies/reduced-permissions-mode.json new file mode 100644 index 0000000..337b909 --- /dev/null +++ b/aws-iam-policies/reduced-permissions-mode.json 
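Review bot: The unlabelled statement granting `kms:Decrypt`/`kms:GenerateDataKeyWithoutPlaintext`/`kms:CreateGrant` and the `kms` statement granting `kms:Encrypt`/`kms:Decrypt`/`kms:GenerateDatakey` both use `"Resource": "*"` on the node instance role, i.e. on credentials reachable by any pod that can hit the instance metadata endpoint, so workloads can use every KMS key whose key policy does not explicitly exclude them; scope these to the stack's key ARN, or at minimum add `"Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}` to `kms:CreateGrant` (the condition the upstream EBS CSI driver example policy uses) and a `kms:ViaService` condition on the data-key operations. The `listmybuckets` resource `"arn:aws:s3:::${BACKUP_BUCKET} "` has a trailing space inside the string, so after substitution it names a non-existent bucket and `s3:ListBucket`/`s3:GetBucketLocation` on the backup bucket are silently never granted; it should be `"arn:aws:s3:::${BACKUP_BUCKET}"`. `ec2:DeleteTags` on every `volume/*` and `snapshot/*` has no `ec2:ResourceTag` guard, unlike the neighbouring `DeleteVolume`/`DeleteSnapshot` statements, so a node can strip the `ebs.csi.aws.com/cluster` tag those statements rely on — condition it the same way. This file is `.json`, not `.json5`, and the workflow only strips comments from `docs/*-doc-*.json5`, so the `//comment 1` and `//comment 2` trailers in `clusterautoscaler` will make the document unparseable when it is uploaded as-is.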
@@ -0,0 +1,147 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "VisualEditor0", + "Effect": "Allow", + "Action": "iam:SimulatePrincipalPolicy", + "Resource": "arn:aws:iam::${ACCOUNT_ID}:role/*" + }, + { + "Sid": "ResourceTag", + "Effect": "Allow", + "Action": [ + "autoscaling:SuspendProcesses", + "autoscaling:UpdateAutoScalingGroup", + "cloudformation:DescribeStackEvents", + "cloudformation:DescribeStacks", + "cloudformation:UpdateStack", + "ec2:DeleteKeyPair" + ], + "Resource": "*", + "Condition": { + "StringLike": { + "aws:ResourceTag/Cloudera-Resource-Name": "crn:cdp:*" + } + } + }, + { + "Sid": "RequestTag", + "Effect": "Allow", + "Action": [ + "eks:TagResource" + ], + "Resource": "*", + "Condition": { + "StringLike": { + "aws:RequestTag/Cloudera-Resource-Name": "crn:cdp:*" + } + } + }, + { + "Sid": "CFRequestTag", + "Effect": "Allow", + "Action": [ + "logs:CreateLogGroup" + ], + "Resource": "*", + "Condition": { + "StringLike": { + "aws:RequestTag/Cloudera-Resource-Name": "crn:cdp:*" + }, + "ForAnyValue:StringEquals": { + "aws:CalledVia": "cloudformation.amazonaws.com" + } + } + }, + { + "Sid": "CFEks", + "Effect": "Allow", + "Resource": "arn:aws:eks:*:*:cluster/env-*-dwx-stack-eks", + "Action": [ + "eks:DescribeCluster" + ], + "Condition": { + "ForAnyValue:StringEquals": { + "aws:CalledVia": "cloudformation.amazonaws.com" + } + } + }, + { + "Sid": "CFCloudwatch", + "Effect": "Allow", + "Resource": "arn:aws:eks:*::log-group:/aws/eks/env-*-dwx-stack-eks/cluster:*", + "Action": [ + "logs:CreateLogStream", + "logs:DescribeLogStreams", + "logs:PutLogEvents", + "logs:PutRetentionPolicy" + ], + "Condition": { + "ForAnyValue:StringEquals": { + "aws:CalledVia": "cloudformation.amazonaws.com" + } + } + }, + { + "Sid": "gocodeEks", + "Effect": "Allow", + "Resource": "arn:aws:eks:*:*:cluster/env-*-dwx-stack-eks", + "Action": [ + "eks:DescribeUpdate", + "eks:UpdateClusterConfig", + "eks:UpdateClusterVersion" + ] + }, + { + "Sid": "Role", + "Effect": 
"Allow", + "Action": [ + "iam:DeleteRolePolicy", + "iam:GetRolePolicy", + "iam:PutRolePolicy" + ], + "Resource": [ + "arn:aws:iam::*:instance-profile/env-*-dwx-stack-NodeInstanceProfile-*", + "arn:aws:iam::*:role/env-*-dwx-stack-EKSServiceRole-*", + "arn:aws:iam::*:role/env-*-dwx-stack-NodeInstanceRole-*" + ] + }, + { + "Sid": "S3PutGetObject", + "Effect": "Allow", + "Action": [ + "s3:PutObject", + "s3:GetObject" + ], + "Resource": [ + "arn:aws:s3:::${DATALAKE_BUCKET}/cf-templates/*", + "arn:aws:s3:::${DATALAKE_BUCKET}/backup/*" + ] + }, + { + "Sid": "VisualEditor1", + "Effect": "Allow", + "Action": [ + "acm:DescribeCertificate", + "acm:ListCertificates", + "autoscaling:DescribeAutoScalingGroups", + "ec2:CreateKeyPair", + "ec2:CreateTags", + "ec2:DeleteTags", + "ec2:DescribeDhcpOptions", + "ec2:DescribeKeyPairs", + "ec2:DescribeRouteTables", + "ec2:DescribeSubNets", + "ec2:DescribeVpcAttribute", + "ec2:DescribeVpcs", + "iam:ListAttachedRolePolicies", + "iam:SimulatePrincipalPolicy", + "s3:GetBucketLocation", + "s3:ListBucket", + "s3:PutObjectAcl" + ], + "Resource": "*" + } + ] +} diff --git a/aws-iam-policies/restricted-policy-1.json5 b/aws-iam-policies/restricted-policy-1.json5 new file mode 100644 index 0000000..fe141a3 --- /dev/null +++ b/aws-iam-policies/restricted-policy-1.json5 
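Review bot: `VisualEditor1` grants `s3:ListBucket`, `s3:PutObjectAcl` and `ec2:DeleteTags` on `"Resource": "*"`, which lets this principal enumerate every bucket in the account, rewrite object ACLs in any bucket that still has ACLs enabled, and remove the `Cloudera-Resource-Name` tags that the `ResourceTag` statement's guard depends on; scope the `s3:` actions to the `${DATALAKE_BUCKET}` ARNs already used in `S3PutGetObject` and put an `aws:TagKeys` condition on `ec2:DeleteTags`. `iam:SimulatePrincipalPolicy` is granted twice — scoped to `arn:aws:iam::${ACCOUNT_ID}:role/*` in `VisualEditor0` and on `*` in `VisualEditor1` — so the scoped statement is dead; remove it from `VisualEditor1`. `CFCloudwatch` uses `arn:aws:eks:*::log-group:...` where the service segment must be `logs` (`"arn:aws:logs:*:*:log-group:/aws/eks/env-*-dwx-stack-eks/cluster:*"`), so it currently matches nothing. `ec2:DescribeSubNets` works only because IAM action names are matched case-insensitively; spell it `ec2:DescribeSubnets` as the other files do so policy linters and diffs line up.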
@@ -0,0 +1,164 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "ResourceTag", + "Effect": "Allow", + "Action": [ + "acm:DeleteCertificate", + "autoscaling:SuspendProcesses", + "autoscaling:UpdateAutoScalingGroup", + "cloudformation:DeleteStack", + "cloudformation:DescribeStackEvents", + "elasticfilesystem:PutFileSystemPolicy", + "rds:DeleteDBInstance", + "rds:DeleteDBSecurityGroup", + "rds:DeleteDBSubnetGroup", + "ec2:DeleteKeypair" + ], + "Resource": "*", + "Condition": { + "StringLike": { + "aws:ResourceTag/Cloudera-Resource-Name": "crn:cdp:*" + } + } + }, + { + "Sid": "RequestTag", + "Effect": "Allow", + "Action": [ + "autoscaling:CreateAutoScalingGroup", + "cloudformation:CreateStack", + "eks:TagResource", + "elasticfilesystem:CreateFileSystem", + "kms:CreateGrant", + "kms:CreateKey", + "rds:AddTagsToResource", + "cloudformation:UpdateStack" + ], + "Resource": "*", + "Condition": { + "StringLike": { + "aws:RequestTag/Cloudera-Resource-Name": "crn:cdp:*" + } + } + }, + { + "Sid": "AttachRole", + "Effect": "Allow", + "Action": "iam:AttachRolePolicy", + "Resource": [ + "arn:aws:iam::*:role/env-*-dwx-stack-EKSServiceRole-*", + "arn:aws:iam::*:role/env-*-dwx-stack-NodeInstanceRole-*" + ], + "Condition": { + "ForAnyValue:ArnEqualsIfExists": { + "iam:PolicyARN": [ + "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy", + "arn:aws:iam::aws:policy/AmazonEKSServicePolicy", + "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly", + "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy", + "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy", + "arn:aws:iam::aws:policy/CloudWatchAgentAdminPolicy" + ] + } + } + }, + { + "Sid": "Role", + "Effect": "Allow", + "Action": [ + "iam:AddRoleToInstanceProfile", + "iam:CreateInstanceProfile", + "iam:CreateRole", + "iam:DeleteInstanceProfile", + "iam:DeleteRole", + "iam:DeleteRolePolicy", + "iam:DetachRolePolicy", + "iam:GetRole", + "iam:GetRolePolicy", + "iam:PassRole", + "iam:PutRolePolicy", + 
"iam:RemoveRoleFromInstanceProfile" + ], + "Resource": [ + "arn:aws:iam::*:instance-profile/env-*-dwx-stack-NodeInstanceProfile-*", + "arn:aws:iam::*:role/env-*-dwx-stack-EKSServiceRole-*", + "arn:aws:iam::*:role/env-*-dwx-stack-NodeInstanceRole-*" + ] + }, + { + "Sid": "gocode", + "Effect": "Allow", + "Action": [ + "acm:DescribeCertificate", + "acm:ListCertificates", + "ec2:DescribeKeyPairs", + "ec2:DescribeDhcpOptions", + "ec2:DescribeSubnets", + "ec2:DescribeVpcs", + "autoscaling:DescribeAutoScalingGroups", + "iam:SimulatePrincipalPolicy", + "iam:ListAttachedRolePolicies", + "ec2:DescribeVpcAttribute", + "ec2:DescribeImages", + "ec2:CreateTags", + "ec2:CreateKeyPair" + ], + "Resource": "*" + }, + { + "Sid": "gocodeStack", + "Effect": "Allow", + "Action": [ + "cloudformation:DescribeStacks" + ], + "Resource": "arn:aws:cloudformation:*:*:stack/env-*-dwx-stack/*" + }, + { + "Sid": "gocodeEKSCluster", + "Effect": "Allow", + "Action": [ + "eks:UpdateClusterConfig", + "eks:UpdateClusterVersion", + "eks:DescribeUpdate" + ], + "Resource": "arn:aws:eks:*:*:cluster/env-*-dwx-stack-eks" + }, + { + "Sid": "S3full", + "Effect": "Allow", + "Action": [ + "s3:GetBucketLocation" + ], + "Resource": "*" + }, + { + "Sid": "S3PutGetObject", + "Effect": "Allow", + "Action": [ + "s3:PutObject", + "s3:GetObject" + ], + "Resource": [ + "arn:aws:s3:::${DATALAKE_BUCKET}/cf-templates/*", + "arn:aws:s3:::${DATALAKE_BUCKET}/backup/*" + ] + }, + { + "Sid": "UpgradeCfStack", + "Effect": "Allow", + "Action": [ + "cloudformation:GetTemplate", + "cloudformation:GetTemplateSummary", + "eks:ListUpdates", + "ec2:CreateLaunchTemplateVersion", + "autoscaling:TerminateInstanceInAutoScalingGroup", + "autoscaling:DescribeScheduledActions", + "autoscaling:SetDesiredCapacity", + "ec2:DescribeInstances" + ], + "Resource": "*" + } + ] +} \ No newline at end of file diff --git a/aws-iam-policies/restricted-policy-2.json5 b/aws-iam-policies/restricted-policy-2.json5 new file mode 100644 index 0000000..505be73 
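Review bot: `ec2:CreateTags` in the `gocode` statement is on `"Resource": "*"` with no `ec2:CreateAction` or `aws:RequestTag` condition, so the principal can write `Cloudera-Resource-Name: crn:cdp:...` onto any taggable EC2 resource — including key pairs, which then satisfy the `ResourceTag` statement's `ec2:DeleteKeypair`. The annotated copy of this file says the tags are for subnets and the EKS security group, so the resource list can be narrowed to `["arn:aws:ec2:*:*:subnet/*", "arn:aws:ec2:*:*:security-group/*"]` with an `"ForAllValues:StringEquals": {"aws:TagKeys": [...]}` guard on the keys it legitimately sets. This file appears to be the comment-stripped twin of `docs/restricted-policy-doc-1.json5` that the new workflow regenerates, so the fix (and the `iam:PassRole`/permissions-boundary hardening raised on that file) belongs in the doc copy or it will be overwritten.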
--- /dev/null
+++ b/aws-iam-policies/restricted-policy-2.json5
@@ -0,0 +1,182 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "cloudformation",
+ "Effect": "Allow",
+ "Action": [
+ "acm:AddTagsToCertificate",
+ "acm:DescribeCertificate",
+ "acm:RequestCertificate",
+ "autoscaling:DescribeScalingActivities",
+ "ec2:CreateLaunchTemplate",
+ "ec2:CreatePlacementGroup",
+ "ec2:CreateSecurityGroup",
+ "ec2:DescribeAccountAttributes",
+ "ec2:DescribeAvailabilityZones",
+ "ec2:DescribeLaunchTemplates",
+ "ec2:DescribeLaunchTemplateVersions",
+ "ec2:DescribePlacementGroups",
+ "ec2:DescribeSecurityGroups",
+ "ec2:RevokeSecurityGroupEgress",
+ "ec2:RevokeSecurityGroupIngress",
+ "ec2:RunInstances",
+ "ec2:DeleteLaunchTemplate",
+ "ec2:DeletePlacementGroup",
+ "elasticfilesystem:DescribeMountTargets",
+ "elasticfilesystem:DescribeFileSystems"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "ForAnyValue:StringEquals": {
+ "aws:CalledVia": "cloudformation.amazonaws.com"
+ }
+ }
+ },
+ {
+ "Sid": "CFResourceTag",
+ "Resource": "*",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:AuthorizeSecurityGroupEgress",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:RevokeSecurityGroupEgress",
+ "ec2:RevokeSecurityGroupIngress",
+ "autoscaling:DeleteAutoScalingGroup",
+ "ec2:DeleteSecurityGroup",
+ "eks:DeleteCluster"
+ ],
+ "Condition": {
+ "ForAnyValue:StringEquals": {
+ "aws:CalledVia": "cloudformation.amazonaws.com"
+ },
+ "StringLike": {
+ "aws:ResourceTag/Cloudera-Resource-Name": "crn:cdp:*"
+ }
+ }
+ },
+ {
+ "Sid": "CFRequestTag",
+ "Resource": "*",
+ "Effect": "Allow",
+ "Action": [
+ "kms:TagResource",
+ "logs:CreateLogGroup"
+ ],
+ "Condition": {
+ "ForAnyValue:StringEquals": {
+ "aws:CalledVia": "cloudformation.amazonaws.com"
+ },
+ "StringLike": {
+ "aws:RequestTag/Cloudera-Resource-Name": "crn:cdp:*"
+ }
+ }
+ },
+ {
+ "Sid": "CFDatabase",
+ "Resource": [
+ "arn:aws:rds:*:*:db:env-*-dwx-stack-rds",
+ "arn:aws:rds:*:*:subgrp:env-*-dwx-stack-dbsubnetgroup-*"
+ ],
+ "Effect": "Allow",
+ "Action": [
+ "rds:CreateDBInstance",
+
"rds:DescribeDBInstances",
+ "rds:CreateDBSubnetGroup",
+ "rds:DescribeDBSubnetGroups",
+ "rds:ListTagsForResource"
+ ],
+ "Condition": {
+ "ForAnyValue:StringEquals": {
+ "aws:CalledVia": "cloudformation.amazonaws.com"
+ }
+ }
+ },
+ {
+ "Sid": "CFEksCluster",
+ "Resource": "arn:aws:eks:*:*:cluster/env-*-dwx-stack-eks",
+ "Effect": "Allow",
+ "Action": [
+ "eks:CreateCluster",
+ "eks:DescribeCluster"
+ ],
+ "Condition": {
+ "ForAnyValue:StringEquals": {
+ "aws:CalledVia": "cloudformation.amazonaws.com"
+ }
+ }
+ },
+ {
+ "Sid": "CFCloudwatch",
+ "Resource": "arn:aws:eks:*::log-group:/aws/eks/env-*-dwx-stack-eks/cluster:*",
+ "Effect": "Allow",
+ "Action": [
+ "logs:CreateLogStream",
+ "logs:DescribeLogStreams",
+ "logs:PutLogEvents",
+ "logs:PutRetentionPolicy"
+ ],
+ "Condition": {
+ "ForAnyValue:StringEquals": {
+ "aws:CalledVia": "cloudformation.amazonaws.com"
+ }
+ }
+ },
+ {
+ "Sid": "CFKeys",
+ "Resource": "*",
+ "Effect": "Allow",
+ "Action": [
+ "kms:CreateAlias",
+ "kms:DeleteAlias",
+ "kms:DescribeKey",
+ "kms:EnableKeyRotation",
+ "kms:GenerateDataKey",
+ "kms:GenerateDataKeyWithoutPlaintext",
+ "kms:ScheduleKeyDeletion"
+ ],
+ "Condition": {
+ "ForAnyValue:StringEquals": {
+ "aws:CalledVia": "cloudformation.amazonaws.com"
+ }
+ }
+ },
+ {
+ "Sid": "CFFileSystem",
+ "Resource": "*",
+ "Effect": "Allow",
+ "Action": [
+ "elasticfilesystem:CreateMountTarget",
+ "elasticfilesystem:DeleteFileSystem",
+ "elasticfilesystem:DeleteMountTarget"
+ ],
+ "Condition": {
+ "ForAnyValue:StringEquals": {
+ "aws:CalledVia": "cloudformation.amazonaws.com"
+ },
+ "StringLike": {
+ "aws:ResourceTag/clusterId": "env-*"
+ }
+ }
+ },
+ {
+ "Sid": "AllowSsmParams",
+ "Effect": "Allow",
+ "Action": [
+ "ssm:DescribeParameters",
+ "ssm:GetParameter",
+ "ssm:GetParameters",
+ "ssm:GetParameterHistory",
+ "ssm:GetParametersByPath"
+ ],
+ "Resource": [
+ "arn:aws:ssm:*:*:parameter/aws/service/eks/optimized-ami/*"
+ ],
+ "Condition": {
+ "ForAnyValue:StringEquals": {
+
"aws:CalledVia": "cloudformation.amazonaws.com"
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/aws-iam-policies/restricted-policy-managedARN-1.json5 b/aws-iam-policies/restricted-policy-managedARN-1.json5
new file mode 100644
index 0000000..1a58282
--- /dev/null
+++ b/aws-iam-policies/restricted-policy-managedARN-1.json5
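Review bot: The `CFKeys` statement in restricted-policy-2.json5 grants `kms:ScheduleKeyDeletion` and `kms:DeleteAlias` on `"Resource": "*"` with `aws:CalledVia` as its only condition, so any CMK in the account can be scheduled for deletion from a CloudFormation template this principal authors — `aws:CalledVia` pins the call path, not which keys are touched. The sibling statements `CFResourceTag` and `CFFileSystem` already scope their destructive actions by tag; the destructive KMS actions should be moved to their own statement carrying the same `"StringLike": {"aws:ResourceTag/Cloudera-Resource-Name": "crn:cdp:*"}` condition, leaving the read/generate actions where they are. Separately, the `CFCloudwatch` resource `arn:aws:eks:*::log-group:/aws/eks/env-*-dwx-stack-eks/cluster:*` looks like a CloudWatch Logs ARN written with the wrong service segment and an empty account field; if so it never matches and those `logs:*` grants are dead — the expected form would be `arn:aws:logs:*:*:log-group:/aws/eks/env-*-dwx-stack-eks/cluster:*` (confirm against a stack that actually creates the log streams).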
@@ -0,0 +1,163 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "ResourceTag",
+ "Effect": "Allow",
+ "Action": [
+ "acm:DeleteCertificate",
+ "autoscaling:SuspendProcesses",
+ "autoscaling:UpdateAutoScalingGroup",
+ "cloudformation:DeleteStack",
+ "cloudformation:DescribeStackEvents",
+ "elasticfilesystem:PutFileSystemPolicy",
+ "rds:DeleteDBInstance",
+ "rds:DeleteDBSecurityGroup",
+ "rds:DeleteDBSubnetGroup",
+ "ec2:DeleteKeypair"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "StringLike": {
+ "aws:ResourceTag/Cloudera-Resource-Name": "crn:cdp:*"
+ }
+ }
+ },
+ {
+ "Sid": "RequestTag",
+ "Effect": "Allow",
+ "Action": [
+ "autoscaling:CreateAutoScalingGroup",
+ "cloudformation:CreateStack",
+ "eks:TagResource",
+ "elasticfilesystem:CreateFileSystem",
+ "kms:CreateGrant",
+ "kms:CreateKey",
+ "rds:AddTagsToResource",
+ "cloudformation:UpdateStack"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "StringLike": {
+ "aws:RequestTag/Cloudera-Resource-Name": "crn:cdp:*"
+ }
+ }
+ },
+ {
+ "Sid": "AttachRole",
+ "Effect": "Allow",
+ "Action": "iam:AttachRolePolicy",
+ "Resource": [
+ "arn:aws:iam::*:role/env-*-dwx-stack-EKSServiceRole-*",
+ "arn:aws:iam::*:role/env-*-dwx-stack-NodeInstanceRole-*"
+ ],
+ "Condition": {
+ "ForAnyValue:ArnEqualsIfExists": {
+ "iam:PolicyARN": [
+ "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy",
+ "arn:aws:iam::aws:policy/AmazonEKSServicePolicy",
+ "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
+ "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
+ "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
+ "arn:aws:iam::aws:policy/CloudWatchAgentAdminPolicy"
+ ]
+ }
+ }
+ },
+ {
+ "Sid": "Role",
+ "Effect": "Allow",
+ "Action": [
+ "iam:AddRoleToInstanceProfile",
+ "iam:CreateInstanceProfile",
+ "iam:CreateRole",
+ "iam:DeleteInstanceProfile",
+ "iam:DeleteRole",
+ "iam:DeleteRolePolicy",
+ "iam:DetachRolePolicy",
+ "iam:GetRole",
+ "iam:GetRolePolicy",
+ "iam:PassRole",
+ "iam:RemoveRoleFromInstanceProfile"
+ ],
+
"Resource": [
+ "arn:aws:iam::*:instance-profile/env-*-dwx-stack-NodeInstanceProfile-*",
+ "arn:aws:iam::*:role/env-*-dwx-stack-EKSServiceRole-*",
+ "arn:aws:iam::*:role/env-*-dwx-stack-NodeInstanceRole-*"
+ ]
+ },
+ {
+ "Sid": "gocode",
+ "Effect": "Allow",
+ "Action": [
+ "acm:DescribeCertificate",
+ "acm:ListCertificates",
+ "ec2:DescribeKeyPairs",
+ "ec2:DescribeDhcpOptions",
+ "ec2:DescribeSubnets",
+ "ec2:DescribeVpcs",
+ "autoscaling:DescribeAutoScalingGroups",
+ "iam:SimulatePrincipalPolicy",
+ "iam:ListAttachedRolePolicies",
+ "ec2:DescribeVpcAttribute",
+ "ec2:DescribeImages",
+ "ec2:CreateTags",
+ "ec2:CreateKeyPair"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "gocodeStack",
+ "Effect": "Allow",
+ "Action": [
+ "cloudformation:DescribeStacks"
+ ],
+ "Resource": "arn:aws:cloudformation:*:*:stack/env-*-dwx-stack/*"
+ },
+ {
+ "Sid": "gocodeEKSCluster",
+ "Effect": "Allow",
+ "Action": [
+ "eks:UpdateClusterConfig",
+ "eks:UpdateClusterVersion",
+ "eks:DescribeUpdate"
+ ],
+ "Resource": "arn:aws:eks:*:*:cluster/env-*-dwx-stack-eks"
+ },
+ {
+ "Sid": "S3full",
+ "Effect": "Allow",
+ "Action": [
+ "s3:GetBucketLocation"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "S3PutGetObject",
+ "Effect": "Allow",
+ "Action": [
+ "s3:PutObject",
+ "s3:GetObject"
+ ],
+ "Resource": [
+ "arn:aws:s3:::${DATALAKE_BUCKET}/cf-templates/*",
+ "arn:aws:s3:::${DATALAKE_BUCKET}/backup/*"
+ ]
+ },
+ {
+ "Sid": "UpgradeCfStack",
+ "Effect": "Allow",
+ "Action": [
+ "cloudformation:GetTemplate",
+ "cloudformation:GetTemplateSummary",
+ "eks:ListUpdates",
+ "ec2:CreateLaunchTemplateVersion",
+ "autoscaling:TerminateInstanceInAutoScalingGroup",
+ "autoscaling:DescribeScheduledActions",
+ "autoscaling:SetDesiredCapacity",
+ "ec2:DescribeInstances"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/aws-iam-policies/restricted-policy-managedARN-2.json5 b/aws-iam-policies/restricted-policy-managedARN-2.json5
new file mode 100644
index 0000000..505be73
--- /dev/null
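Review bot: The `Role` statement grants `iam:PassRole` on the `EKSServiceRole-*` and `NodeInstanceRole-*` patterns with no `iam:PassedToService` condition, so either role can be passed to any service that will assume it rather than only to EKS and EC2; split PassRole into its own statement with `"Condition": {"StringEquals": {"iam:PassedToService": ["eks.amazonaws.com", "ec2.amazonaws.com"]}}` (the two services are inferred from the role names — confirm against the stack template). The same statement allows `iam:CreateRole` on those name patterns with no constraint on the trust policy, so the principal chooses who can assume any role it names `env-*-dwx-stack-NodeInstanceRole-*`; the blast radius is bounded by the `AttachRole` allow-list, which is why that list (including `CloudWatchAgentAdminPolicy`) deserves a second look. Also, `kms:CreateGrant` sits in the `RequestTag` statement gated on `aws:RequestTag`, which as far as I can tell from the KMS condition-key table is not populated for CreateGrant, so that action would be silently denied — it probably belongs under an `aws:ResourceTag` condition on the key instead.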
+++ b/aws-iam-policies/restricted-policy-managedARN-2.json5 
@@ -0,0 +1,182 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "cloudformation",
+ "Effect": "Allow",
+ "Action": [
+ "acm:AddTagsToCertificate",
+ "acm:DescribeCertificate",
+ "acm:RequestCertificate",
+ "autoscaling:DescribeScalingActivities",
+ "ec2:CreateLaunchTemplate",
+ "ec2:CreatePlacementGroup",
+ "ec2:CreateSecurityGroup",
+ "ec2:DescribeAccountAttributes",
+ "ec2:DescribeAvailabilityZones",
+ "ec2:DescribeLaunchTemplates",
+ "ec2:DescribeLaunchTemplateVersions",
+ "ec2:DescribePlacementGroups",
+ "ec2:DescribeSecurityGroups",
+ "ec2:RevokeSecurityGroupEgress",
+ "ec2:RevokeSecurityGroupIngress",
+ "ec2:RunInstances",
+ "ec2:DeleteLaunchTemplate",
+ "ec2:DeletePlacementGroup",
+ "elasticfilesystem:DescribeMountTargets",
+ "elasticfilesystem:DescribeFileSystems"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "ForAnyValue:StringEquals": {
+ "aws:CalledVia": "cloudformation.amazonaws.com"
+ }
+ }
+ },
+ {
+ "Sid": "CFResourceTag",
+ "Resource": "*",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:AuthorizeSecurityGroupEgress",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:RevokeSecurityGroupEgress",
+ "ec2:RevokeSecurityGroupIngress",
+ "autoscaling:DeleteAutoScalingGroup",
+ "ec2:DeleteSecurityGroup",
+ "eks:DeleteCluster"
+ ],
+ "Condition": {
+ "ForAnyValue:StringEquals": {
+ "aws:CalledVia": "cloudformation.amazonaws.com"
+ },
+ "StringLike": {
+ "aws:ResourceTag/Cloudera-Resource-Name": "crn:cdp:*"
+ }
+ }
+ },
+ {
+ "Sid": "CFRequestTag",
+ "Resource": "*",
+ "Effect": "Allow",
+ "Action": [
+ "kms:TagResource",
+ "logs:CreateLogGroup"
+ ],
+ "Condition": {
+ "ForAnyValue:StringEquals": {
+ "aws:CalledVia": "cloudformation.amazonaws.com"
+ },
+ "StringLike": {
+ "aws:RequestTag/Cloudera-Resource-Name": "crn:cdp:*"
+ }
+ }
+ },
+ {
+ "Sid": "CFDatabase",
+ "Resource": [
+ "arn:aws:rds:*:*:db:env-*-dwx-stack-rds",
+ "arn:aws:rds:*:*:subgrp:env-*-dwx-stack-dbsubnetgroup-*"
+ ],
+ "Effect": "Allow",
+ "Action": [
+ "rds:CreateDBInstance",
+
"rds:DescribeDBInstances",
+ "rds:CreateDBSubnetGroup",
+ "rds:DescribeDBSubnetGroups",
+ "rds:ListTagsForResource"
+ ],
+ "Condition": {
+ "ForAnyValue:StringEquals": {
+ "aws:CalledVia": "cloudformation.amazonaws.com"
+ }
+ }
+ },
+ {
+ "Sid": "CFEksCluster",
+ "Resource": "arn:aws:eks:*:*:cluster/env-*-dwx-stack-eks",
+ "Effect": "Allow",
+ "Action": [
+ "eks:CreateCluster",
+ "eks:DescribeCluster"
+ ],
+ "Condition": {
+ "ForAnyValue:StringEquals": {
+ "aws:CalledVia": "cloudformation.amazonaws.com"
+ }
+ }
+ },
+ {
+ "Sid": "CFCloudwatch",
+ "Resource": "arn:aws:eks:*::log-group:/aws/eks/env-*-dwx-stack-eks/cluster:*",
+ "Effect": "Allow",
+ "Action": [
+ "logs:CreateLogStream",
+ "logs:DescribeLogStreams",
+ "logs:PutLogEvents",
+ "logs:PutRetentionPolicy"
+ ],
+ "Condition": {
+ "ForAnyValue:StringEquals": {
+ "aws:CalledVia": "cloudformation.amazonaws.com"
+ }
+ }
+ },
+ {
+ "Sid": "CFKeys",
+ "Resource": "*",
+ "Effect": "Allow",
+ "Action": [
+ "kms:CreateAlias",
+ "kms:DeleteAlias",
+ "kms:DescribeKey",
+ "kms:EnableKeyRotation",
+ "kms:GenerateDataKey",
+ "kms:GenerateDataKeyWithoutPlaintext",
+ "kms:ScheduleKeyDeletion"
+ ],
+ "Condition": {
+ "ForAnyValue:StringEquals": {
+ "aws:CalledVia": "cloudformation.amazonaws.com"
+ }
+ }
+ },
+ {
+ "Sid": "CFFileSystem",
+ "Resource": "*",
+ "Effect": "Allow",
+ "Action": [
+ "elasticfilesystem:CreateMountTarget",
+ "elasticfilesystem:DeleteFileSystem",
+ "elasticfilesystem:DeleteMountTarget"
+ ],
+ "Condition": {
+ "ForAnyValue:StringEquals": {
+ "aws:CalledVia": "cloudformation.amazonaws.com"
+ },
+ "StringLike": {
+ "aws:ResourceTag/clusterId": "env-*"
+ }
+ }
+ },
+ {
+ "Sid": "AllowSsmParams",
+ "Effect": "Allow",
+ "Action": [
+ "ssm:DescribeParameters",
+ "ssm:GetParameter",
+ "ssm:GetParameters",
+ "ssm:GetParameterHistory",
+ "ssm:GetParametersByPath"
+ ],
+ "Resource": [
+ "arn:aws:ssm:*:*:parameter/aws/service/eks/optimized-ami/*"
+ ],
+ "Condition": {
+ "ForAnyValue:StringEquals": {
+
"aws:CalledVia": "cloudformation.amazonaws.com"
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/main.py b/main.py
new file mode 100644
index 0000000..48cc517
--- /dev/null
+++ b/main.py
@@ -0,0 +1,22 @@
+import json5
+import json
+import sys
+import os
+args = sys.argv[1:]
+files = os.listdir("aws-iam-policies/docs")
+for file in files:
+ print(file)
+ myfile = 'aws-iam-policies/docs/' + file
+ with open(myfile, "r+") as resultsFile:
+ jsonData = json5.load(resultsFile)
+ writeRestrictedfile = 'aws-iam-policies/' + file.replace('-doc', '')
+ with open(writeRestrictedfile, 'w') as f:
+ json.dump(jsonData, f, indent=4)
+ writeRestrictedManagedArnfile = 'aws-iam-policies/' + file.replace('-doc', '-managedARN')
+ with open(writeRestrictedManagedArnfile, 'w') as managedArn:
+ for sid in jsonData['Statement']:
+ actionsList = sid['Action']
+ if 'iam:PutRolePolicy' in actionsList:
+ actionsList.remove('iam:PutRolePolicy')
+ break
+ json.dump(jsonData, managedArn, indent=4)
\ No newline at end of file
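Review bot: The `cloudformation` statement grants `ec2:RunInstances`, `ec2:CreateSecurityGroup` and `ec2:CreateLaunchTemplate` on `"Resource": "*"` with `aws:CalledVia` as the only condition, but the same principal is given `cloudformation:CreateStack`/`UpdateStack` in restricted-policy-managedARN-1.json5 above, so it authors the templates CloudFormation executes and `aws:CalledVia` does not bound instance type, AMI, subnet or count. Scope RunInstances the way the other statements do — e.g. a separate statement for the `arn:aws:ec2:*:*:instance/*` and `volume/*` resources with `"StringLike": {"aws:RequestTag/Cloudera-Resource-Name": "crn:cdp:*"}`, keeping the supporting resources (`subnet/*`, `security-group/*`, `launch-template/*`, `image/*`, `key-pair/*`, `network-interface/*`) in an unconditioned statement; this presumes the template tags instances at launch, which should be confirmed. This file has the same blob id (`505be73`) as restricted-policy-2.json5, so the change has to be made in the `docs/` source that main.py regenerates, not here.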
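Review bot: The `iam:PutRolePolicy` strip in main.py exits after the first statement that contains it (`break`), so a second statement carrying that action would survive into the managedARN output, and `sid['Action']` is not always a list — the `AttachRole` statement in the policies above has `"Action": "iam:AttachRolePolicy"` as a bare string, on which `in` is a substring test and `.remove` would raise `AttributeError`. Drop the `break` and guard the type: `if isinstance(actionsList, list) and 'iam:PutRolePolicy' in actionsList:` followed by `actionsList.remove('iam:PutRolePolicy')`, and handle a string equal to `'iam:PutRolePolicy'` explicitly if a single-action statement is possible. `args = sys.argv[1:]` is assigned but never read — the script regenerates every entry of `aws-iam-policies/docs` (including any non-`.json5` file `os.listdir` returns) regardless of what was passed, which is fine if intended but the unused argument is misleading; either use it to select files or remove it. Because this output is committed back as the live policy, the generated file is the authoritative one, so a comment noting that edits belong in `docs/` would save the next maintainer from editing the wrong file.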