diff --git a/EC2/accesoEC2AZ.json b/EC2/accesoEC2AZ.json
new file mode 100644
index 0000000..4af4d72
--- /dev/null
+++ b/EC2/accesoEC2AZ.json
@@ -0,0 +1,15 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Action": "ec2:*",
+ "Resource": "*",
+ "Effect": "Allow",
+ "Condition": {
+ "StringEquals": {
+ "ec2:Region": "us-east-2"
+ }
+ }
+ }
+ ]
+}
diff --git a/EC2/adminGruposSeg.json b/EC2/adminGruposSeg.json
new file mode 100644
index 0000000..6c997a3
--- /dev/null
+++ b/EC2/adminGruposSeg.json
@@ -0,0 +1,42 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [{
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeSecurityGroupRules",
+ "ec2:DescribeTags"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:RevokeSecurityGroupIngress",
+ "ec2:AuthorizeSecurityGroupEgress",
+ "ec2:RevokeSecurityGroupEgress",
+ "ec2:ModifySecurityGroupRules",
+ "ec2:UpdateSecurityGroupRuleDescriptionsIngress",
+ "ec2:UpdateSecurityGroupRuleDescriptionsEgress"
+ ],
+ "Resource": [
+ "arn:aws:ec2:region:111122223333:security-group/*"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "aws:ResourceTag/Department": "Test"
+ }
+ }
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:ModifySecurityGroupRules"
+ ],
+ "Resource": [
+ "arn:aws:ec2:region:111122223333:security-group-rule/*"
+ ]
+ }
+ ]
+}
diff --git a/EC2/asociarODisociarEBSetiquetas.json b/EC2/asociarODisociarEBSetiquetas.json
new file mode 100644
index 0000000..72a3703
--- /dev/null
+++ b/EC2/asociarODisociarEBSetiquetas.json
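Review bot: The file name refers to an availability zone (AZ), but the only condition, `"ec2:Region": "us-east-2"`, scopes `ec2:*` to a whole Region, so a reader will expect a narrower grant than the policy actually gives; rename the file (for example `accesoEC2Region.json`) or, if an AZ restriction is really intended, use the `ec2:AvailabilityZone` condition key, which applies only to resource types that carry an AZ and therefore cannot sit under a single `ec2:*` on `*`. `aws:RequestedRegion` is the global equivalent of `ec2:Region` and reads consistently if this pattern is reused for other services. Because `ec2:*` includes every mutating EC2 action in that Region, a `Sid` stating the intent, as `requerirMFAoperarEC2.json` does, would also help whoever inherits this set.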
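Review bot: The ARNs `arn:aws:ec2:region:111122223333:security-group/*` and `arn:aws:ec2:region:111122223333:security-group-rule/*` still carry the documentation placeholders `region` and `111122223333`; no real ARN contains the literal word `region`, so the second and third statements match nothing until they are filled in and only the Describe statement is effective. The same leftover placeholders appear in `asociarODisociarVolumen.json` (`instance/instance-id`), `iniciarDetenerEC2Etiquetas.json` (`region:account-id`), `iniciarDetenerEC2ModifGrupoSeg.json` (`i-instance-id`, `sg-security-group-id`) and `lanzarEC2SubredProgramaticaConsola.json` (`subnet-subnet-id`). Either substitute the real values, or use `*` for the Region and account fields where the `aws:ResourceTag/Department` condition is meant to be the real scope, and record in a README which fields must be replaced before the policies are attached.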
@@ -0,0 +1,27 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:AttachVolume",
+ "ec2:DetachVolume"
+ ],
+ "Resource": "arn:aws:ec2:*:*:instance/*",
+ "Condition": {
+ "StringEquals": {"aws:ResourceTag/Department": "Development"}
+ }
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:AttachVolume",
+ "ec2:DetachVolume"
+ ],
+ "Resource": "arn:aws:ec2:*:*:volume/*",
+ "Condition": {
+ "StringEquals": {"aws:ResourceTag/VolumeUser": "${aws:username}"}
+ }
+ }
+ ]
+}
diff --git a/EC2/asociarODisociarVolumen.json b/EC2/asociarODisociarVolumen.json
new file mode 100644
index 0000000..527d63b
--- /dev/null
+++ b/EC2/asociarODisociarVolumen.json
@@ -0,0 +1,19 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:AttachVolume",
+ "ec2:DetachVolume"
+ ],
+ "Resource": [
+ "arn:aws:ec2:*:*:volume/*",
+ "arn:aws:ec2:*:*:instance/*"
+ ],
+ "Condition": {
+ "ArnEquals": {"ec2:SourceInstanceARN": "arn:aws:ec2:*:*:instance/instance-id"}
+ }
+ }
+ ]
+}
diff --git a/EC2/iniciarDetenerEC2.json b/EC2/iniciarDetenerEC2.json
new file mode 100644
index 0000000..343b89d
--- /dev/null
+++ b/EC2/iniciarDetenerEC2.json
@@ -0,0 +1,23 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:StartInstances",
+ "ec2:StopInstances"
+ ],
+ "Resource": "arn:aws:ec2:*:*:instance/*",
+ "Condition": {
+ "StringEquals": {
+ "aws:ResourceTag/Owner": "${aws:username}"
+ }
+ }
+ },
+ {
+ "Effect": "Allow",
+ "Action": "ec2:DescribeInstances",
+ "Resource": "*"
+ }
+ ]
+}
diff --git a/EC2/iniciarDetenerEC2Etiquetas.json b/EC2/iniciarDetenerEC2Etiquetas.json
new file mode 100644
index 0000000..296804c
--- /dev/null
+++ b/EC2/iniciarDetenerEC2Etiquetas.json
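Review bot: The `${aws:username}` comparison in the `VolumeUser` condition (and the `Owner` condition in `iniciarDetenerEC2.json`) only resolves for IAM-user principals; for an assumed role or a federated session the `aws:username` key is absent from the request context, `StringEquals` does not match and the Allow silently grants nothing. If the environment uses roles or identity federation, key the match on a principal tag instead, e.g. `"aws:ResourceTag/VolumeUser": "${aws:PrincipalTag/VolumeUser}"`, which is the pattern `iniciarDetenerEC2EtiquetasYCoincidencias.json` already uses, or state in a README that these two policies are for IAM users only.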
@@ -0,0 +1,20 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "StartStopIfTags",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:StartInstances",
+ "ec2:StopInstances"
+ ],
+ "Resource": "arn:aws:ec2:region:account-id:instance/*",
+ "Condition": {
+ "StringEquals": {
+ "aws:ResourceTag/Project": "DataAnalytics",
+ "aws:PrincipalTag/Department": "Data"
+ }
+ }
+ }
+ ]
+}
diff --git a/EC2/iniciarDetenerEC2EtiquetasYCoincidencias.json b/EC2/iniciarDetenerEC2EtiquetasYCoincidencias.json
new file mode 100644
index 0000000..3e1602d
--- /dev/null
+++ b/EC2/iniciarDetenerEC2EtiquetasYCoincidencias.json
@@ -0,0 +1,13 @@
+{
+ "Version": "2012-10-17",
+ "Statement": {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:startInstances",
+ "ec2:stopInstances"
+ ],
+ "Resource": "*",
+ "Condition": {"StringEquals":
+ {"aws:ResourceTag/CostCenter": "${aws:PrincipalTag/CostCenter}"}}
+ }
+}
diff --git a/EC2/iniciarDetenerEC2ModifGrupoSeg.json b/EC2/iniciarDetenerEC2ModifGrupoSeg.json
new file mode 100644
index 0000000..6745a50
--- /dev/null
+++ b/EC2/iniciarDetenerEC2ModifGrupoSeg.json
@@ -0,0 +1,30 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Action": [
+ "ec2:DescribeInstances",
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeSecurityGroupReferences",
+ "ec2:DescribeStaleSecurityGroups"
+ ],
+ "Resource": "*",
+ "Effect": "Allow"
+ },
+ {
+ "Action": [
+ "ec2:AuthorizeSecurityGroupEgress",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:RevokeSecurityGroupEgress",
+ "ec2:RevokeSecurityGroupIngress",
+ "ec2:StartInstances",
+ "ec2:StopInstances"
+ ],
+ "Resource": [
+ "arn:aws:ec2:*:*:instance/i-instance-id",
+ "arn:aws:ec2:*:*:security-group/sg-security-group-id"
+ ],
+ "Effect": "Allow"
+ }
+ ]
+}
diff --git a/EC2/lanzarEC2SubredProgramaticaConsola.json b/EC2/lanzarEC2SubredProgramaticaConsola.json
new file mode 100644
index 0000000..09e0f2e
--- /dev/null
+++ b/EC2/lanzarEC2SubredProgramaticaConsola.json
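Review bot: In `iniciarDetenerEC2EtiquetasYCoincidencias.json` the `Statement` is a bare object and the actions are written `ec2:startInstances` / `ec2:stopInstances`, while every sibling file wraps `Statement` in an array and uses the documented casing `ec2:StartInstances`; IAM accepts a single-statement object and matches action names case-insensitively, so this is a style point, but the inconsistency makes diffing and linting the set harder. Suggest `"Statement": [ { ... } ]` with `"ec2:StartInstances"` and `"ec2:StopInstances"`, and a `Sid` such as `"StartStopIfCostCenterMatches"` in the style of the `StartStopIfTags` statement above it. Splitting the `"Condition": {"StringEquals":` line so the map sits on its own indented block, as the other files do, would also make the tag-to-principal-tag comparison easier to spot in review.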
@@ -0,0 +1,26 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:Describe*",
+ "ec2:GetConsole*"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": "ec2:RunInstances",
+ "Resource": [
+ "arn:aws:ec2:*:*:subnet/subnet-subnet-id",
+ "arn:aws:ec2:*:*:network-interface/*",
+ "arn:aws:ec2:*:*:instance/*",
+ "arn:aws:ec2:*:*:volume/*",
+ "arn:aws:ec2:*::image/ami-*",
+ "arn:aws:ec2:*:*:key-pair/*",
+ "arn:aws:ec2:*:*:security-group/*"
+ ]
+ }
+ ]
+}
diff --git a/EC2/limitEC2enRangoIP.json b/EC2/limitEC2enRangoIP.json
new file mode 100644
index 0000000..cd22104
--- /dev/null
+++ b/EC2/limitEC2enRangoIP.json
@@ -0,0 +1,23 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": ["ec2:TerminateInstances"],
+ "Resource": ["*"]
+ },
+ {
+ "Effect": "Deny",
+ "Action": ["ec2:TerminateInstances"],
+ "Condition": {
+ "NotIpAddress": {
+ "aws:SourceIp": [
+ "192.0.2.0/24",
+ "203.0.113.0/24"
+ ]
+ }
+ },
+ "Resource": ["*"]
+ }
+ ]
+}
diff --git a/EC2/requerirMFAoperarEC2.json b/EC2/requerirMFAoperarEC2.json
new file mode 100644
index 0000000..204212b
--- /dev/null
+++ b/EC2/requerirMFAoperarEC2.json
@@ -0,0 +1,23 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "AllowAllActionsForEC2",
+ "Effect": "Allow",
+ "Action": "ec2:*",
+ "Resource": "*"
+ },
+ {
+ "Sid": "DenyStopAndTerminateWhenMFAIsNotPresent",
+ "Effect": "Deny",
+ "Action": [
+ "ec2:StopInstances",
+ "ec2:TerminateInstances"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "BoolIfExists": {"aws:MultiFactorAuthPresent": false}
+ }
+ }
+ ]
+}
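Review bot: In `limitEC2enRangoIP.json` the Deny keys only on `aws:SourceIp`, so it also blocks `ec2:TerminateInstances` calls that an AWS service makes with the caller's credentials (for example CloudFormation deleting a stack), because those requests arrive from the service's address rather than the listed ranges; if such service-initiated terminations are wanted, add `"Bool": {"aws:ViaAWSService": "false"}` beside the `NotIpAddress` block so the Deny applies only to direct calls. Requests that reach EC2 through a VPC endpoint carry `aws:VpcSourceIp` instead of `aws:SourceIp`, so the Deny's effect for those callers should be tested and, if needed, that key covered explicitly. `192.0.2.0/24` and `203.0.113.0/24` are the RFC 5737 documentation ranges and must be replaced with the organisation's real egress ranges before the policy is attached.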
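Review bot: In `requerirMFAoperarEC2.json` the `DenyStopAndTerminateWhenMFAIsNotPresent` statement covers only `ec2:StopInstances` and `ec2:TerminateInstances`, while `AllowAllActionsForEC2` grants `ec2:*` on `*`, so every other mutating EC2 call — `ec2:DeleteVolume`, `ec2:DeleteSnapshot`, `ec2:DeregisterImage`, `ec2:ModifyInstanceAttribute`, security-group changes — remains available with long-term access keys and no MFA. If the intent expressed by the file name (require MFA to operate EC2) is MFA for mutating operations generally, extend the Deny's `Action` list to the full set of destructive actions the team cares about rather than just the two listed; listing them explicitly is safer than a `NotAction` Deny, which on `Resource: "*"` would also reach other services the principal can use. `BoolIfExists` is the right operator here because access-key requests carry no `aws:MultiFactorAuthPresent` key at all; since JSON cannot hold a comment, that rationale belongs in a README next to the file.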