diff --git a/IAM/AccesoAPIsimuladorPoliticasRutaUsuario.json b/IAM/AccesoAPIsimuladorPoliticasRutaUsuario.json
new file mode 100644
index 0000000..b972821
--- /dev/null
+++ b/IAM/AccesoAPIsimuladorPoliticasRutaUsuario.json
@@ -0,0 +1,13 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Action": [
+ "iam:GetContextKeysForPrincipalPolicy",
+ "iam:SimulatePrincipalPolicy"
+ ],
+ "Effect": "Allow",
+ "Resource": "arn:aws:iam::*:user/Department/Development/*"
+ }
+ ]
+}
diff --git a/IAM/AsumirFuncionesEtiqueta.json b/IAM/AsumirFuncionesEtiqueta.json
new file mode 100644
index 0000000..fd07444
--- /dev/null
+++ b/IAM/AsumirFuncionesEtiqueta.json
@@ -0,0 +1,14 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "AssumeTaggedRole",
+ "Effect": "Allow",
+ "Action": "sts:AssumeRole",
+ "Resource": "*",
+ "Condition": {
+ "StringEquals": {"iam:ResourceTag/Project": "ExampleCorpABC"}
+ }
+ }
+ ]
+}
diff --git a/IAM/accesoAPIsimuladorPoliticas.json b/IAM/accesoAPIsimuladorPoliticas.json
new file mode 100644
index 0000000..a1b9432
--- /dev/null
+++ b/IAM/accesoAPIsimuladorPoliticas.json
@@ -0,0 +1,15 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Action": [
+ "iam:GetContextKeysForCustomPolicy",
+ "iam:GetContextKeysForPrincipalPolicy",
+ "iam:SimulateCustomPolicy",
+ "iam:SimulatePrincipalPolicy"
+ ],
+ "Effect": "Allow",
+ "Resource": "*"
+ }
+ ]
+}
diff --git a/IAM/accesoConsolasSimuladorPoliticas.json b/IAM/accesoConsolasSimuladorPoliticas.json
new file mode 100644
index 0000000..9bc17f4
--- /dev/null
+++ b/IAM/accesoConsolasSimuladorPoliticas.json
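Review bot: In AsumirFuncionesEtiqueta.json the `sts:AssumeRole` grant on `"Resource": "*"` is bounded only by `"iam:ResourceTag/Project": "ExampleCorpABC"`, so its effective scope is whatever set of roles happens to carry that tag, now or later. The boundary holds only while the ability to set the `Project` tag on roles stays restricted (the tagging policies in this commit limit `iam:TagRole` to other keys, which is consistent), and that dependency is invisible from this file alone. Record it where the policy is documented, or make the Sid say it, e.g. `"Sid": "AssumeTaggedRole-ScopeDependsOnProjectTagControl"`.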
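Review bot: In accesoAPIsimuladorPoliticas.json the `iam:SimulatePrincipalPolicy` / `iam:GetContextKeysForPrincipalPolicy` grant uses `"Resource": "*"`, so the holder can evaluate the effective permissions of every user, group and role in the account rather than a bounded set. The sibling AccesoAPIsimuladorPoliticasRutaUsuario.json in this commit shows the narrower form, `"Resource": "arn:aws:iam::*:user/Department/Development/*"`; unless account-wide simulation is intended, put the two principal-policy actions in a statement scoped the same way and keep `*` only for `iam:SimulateCustomPolicy` / `iam:GetContextKeysForCustomPolicy`, which take no principal. The statement also has no `Sid`, unlike most policies in this set.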
@@ -0,0 +1,29 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Action": [
+ "iam:GetGroup",
+ "iam:GetGroupPolicy",
+ "iam:GetPolicy",
+ "iam:GetPolicyVersion",
+ "iam:GetRole",
+ "iam:GetRolePolicy",
+ "iam:GetUser",
+ "iam:GetUserPolicy",
+ "iam:ListAttachedGroupPolicies",
+ "iam:ListAttachedRolePolicies",
+ "iam:ListAttachedUserPolicies",
+ "iam:ListGroups",
+ "iam:ListGroupPolicies",
+ "iam:ListGroupsForUser",
+ "iam:ListRolePolicies",
+ "iam:ListRoles",
+ "iam:ListUserPolicies",
+ "iam:ListUsers"
+ ],
+ "Effect": "Allow",
+ "Resource": "*"
+ }
+ ]
+}
diff --git a/IAM/adminEtiqueta.json b/IAM/adminEtiqueta.json
new file mode 100644
index 0000000..d8d42fd
--- /dev/null
+++ b/IAM/adminEtiqueta.json
@@ -0,0 +1,15 @@
+{
+ "Version": "2012-10-17",
+ "Statement": {
+ "Effect": "Allow",
+ "Action": [
+ "iam:TagUser",
+ "iam:TagRole",
+ "iam:UntagUser",
+ "iam:UntagRole"
+
+ ],
+ "Resource": "*",
+ "Condition": {"ForAllValues:StringEquals": {"aws:TagKeys": "Department"}}
+ }
+}
diff --git a/IAM/agregarEtiquetaUsuarioConEtiqueta.json b/IAM/agregarEtiquetaUsuarioConEtiqueta.json
new file mode 100644
index 0000000..c023471
--- /dev/null
+++ b/IAM/agregarEtiquetaUsuarioConEtiqueta.json
@@ -0,0 +1,30 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "ListTagsForAllUsers",
+ "Effect": "Allow",
+ "Action": [
+ "iam:ListUserTags",
+ "iam:ListUsers"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "TagManagerWithSpecificDepartment",
+ "Effect": "Allow",
+ "Action": "iam:TagUser",
+ "Resource": "*",
+ "Condition": {"StringEquals": {
+ "iam:ResourceTag/JobFunction": "Manager",
+ "aws:RequestTag/Department": [
+ "Marketing",
+ "Development",
+ "QualityAssurance"
+ ]
+ },
+ "ForAllValues:StringEquals": {"aws:TagKeys": "Department"}
+ }
+ }
+ ]
+}
diff --git a/IAM/agregarEtiquetaUsuarioConValores.json b/IAM/agregarEtiquetaUsuarioConValores.json
new file mode 100644
index 0000000..0c3b08f
--- /dev/null
+++ b/IAM/agregarEtiquetaUsuarioConValores.json
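Review bot: adminEtiqueta.json has a stray empty line inside the `Action` array, between `"iam:UntagRole"` and `],`; drop it. The file also writes `"Statement": {` as a single object while the other tagging policies in this commit wrap their statements in an array — IAM accepts both, but the array form is what the rest of the set uses and is the one that can be extended without restructuring. `ForAllValues:StringEquals` on `"aws:TagKeys": "Department"` is appropriate for these four Tag/Untag actions, whose requests always carry tag keys; the same operator in an Allow statement for an action where the key may be absent would be overly permissive, which is worth keeping in mind when this file is copied.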
@@ -0,0 +1,36 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "ConsoleDisplay",
+ "Effect": "Allow",
+ "Action": [
+ "iam:GetRole",
+ "iam:GetUser",
+ "iam:ListRoles",
+ "iam:ListRoleTags",
+ "iam:ListUsers",
+ "iam:ListUserTags"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "AddTag",
+ "Effect": "Allow",
+ "Action": [
+ "iam:TagUser",
+ "iam:TagRole"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "StringEquals": {
+ "aws:RequestTag/CostCenter": [
+ "A-123",
+ "B-456"
+ ]
+ },
+ "ForAllValues:StringEquals": {"aws:TagKeys": "CostCenter"}
+ }
+ }
+ ]
+}
diff --git a/IAM/crearUsuariosConEtiquetas.json b/IAM/crearUsuariosConEtiquetas.json
new file mode 100644
index 0000000..d2abc3c
--- /dev/null
+++ b/IAM/crearUsuariosConEtiquetas.json
@@ -0,0 +1,29 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "TagUsersWithOnlyTheseTags",
+ "Effect": "Allow",
+ "Action": [
+ "iam:CreateUser",
+ "iam:TagUser"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "StringEqualsIfExists": {
+ "aws:RequestTag/Department": [
+ "Development",
+ "QualityAssurance"
+ ],
+ "aws:RequestTag/JobFunction": "Employee"
+ },
+ "ForAllValues:StringEquals": {
+ "aws:TagKeys": [
+ "Department",
+ "JobFunction"
+ ]
+ }
+ }
+ }
+ ]
+}
diff --git a/IAM/denegarAccesoRecursosFueraDeCuentaExceptoPoliticasIAM.json b/IAM/denegarAccesoRecursosFueraDeCuentaExceptoPoliticasIAM.json
new file mode 100644
index 0000000..5c859b8
--- /dev/null
+++ b/IAM/denegarAccesoRecursosFueraDeCuentaExceptoPoliticasIAM.json
@@ -0,0 +1,22 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "AllowAccessToResourcesInSpecificAccountsAndSpecificService1",
+ "Effect": "Deny",
+ "NotAction":[
+ "iam:GetPolicy",
+ "iam:GetPolicyVersion",
+ "iam:ListEntitiesForPolicy",
+ "iam:ListPolicies"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "StringNotEquals": {
+ "aws:ResourceAccount": [
+ "111122223333"
+ ]
+ },
+ }
+ }
+}
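Review bot: In crearUsuariosConEtiquetas.json the `StringEqualsIfExists` operator means `iam:CreateUser` (and `iam:TagUser`) is also allowed when the request carries no `Department` or `JobFunction` tag at all; the values are constrained only when the tags are present, and `ForAllValues:StringEquals` on `aws:TagKeys` likewise passes for an empty key set. If untagged users must not be created, change the operator line to `"StringEquals": {` so both tags become mandatory; otherwise document the opt-in semantics, because the Sid `TagUsersWithOnlyTheseTags` reads as if tagging were required.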
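Review bot: denegarAccesoRecursosFueraDeCuentaExceptoPoliticasIAM.json is not valid JSON and the IAM policy validator will reject it: the `},` that closes the `StringNotEquals` block leaves a trailing comma inside `Condition`, and the `Statement` array opened with `[` is never closed — the hunk ends `}` `}` `}` where `}` `}` `]` `}` is needed. Remove the comma on the `},` line and add a `]` before the final `}`. Separately, the Sid `AllowAccessToResourcesInSpecificAccountsAndSpecificService1` describes an Allow while the statement's Effect is Deny; a Sid such as `DenyResourcesOutsideAccountExceptIamPolicyReads` would match what the statement actually does. The `"NotAction":[` spacing also differs from every other key in the set.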
diff --git a/IAM/generarRecuperarInformesCredenciales.json b/IAM/generarRecuperarInformesCredenciales.json
new file mode 100644
index 0000000..1f1ef48
--- /dev/null
+++ b/IAM/generarRecuperarInformesCredenciales.json
@@ -0,0 +1,11 @@
+{
+ "Version": "2012-10-17",
+ "Statement": {
+ "Effect": "Allow",
+ "Action": [
+ "iam:GenerateCredentialReport",
+ "iam:GetCredentialReport"
+ ],
+ "Resource": "*"
+ }
+}
diff --git a/IAM/limitarPoliticasAplicarUsuario.json b/IAM/limitarPoliticasAplicarUsuario.json
new file mode 100644
index 0000000..f22c257
--- /dev/null
+++ b/IAM/limitarPoliticasAplicarUsuario.json
@@ -0,0 +1,19 @@
+{
+ "Version": "2012-10-17",
+ "Statement": {
+ "Effect": "Allow",
+ "Action": [
+ "iam:AttachUserPolicy",
+ "iam:DetachUserPolicy"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "ArnEquals": {
+ "iam:PolicyARN": [
+ "arn:aws:iam::*:policy/policy-name-1",
+ "arn:aws:iam::*:policy/policy-name-2"
+ ]
+ }
+ }
+ }
+}
diff --git a/IAM/pasarFuncionIAMaServicio.json b/IAM/pasarFuncionIAMaServicio.json
new file mode 100644
index 0000000..30e7bd5
--- /dev/null
+++ b/IAM/pasarFuncionIAMaServicio.json
@@ -0,0 +1,13 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": "iam:PassRole",
+ "Resource": "*",
+ "Condition": {
+ "StringEquals": {"iam:PassedToService": "cloudwatch.amazonaws.com"}
+ }
+ }
+ ]
+}
diff --git a/IAM/permiteAccesoLecturaConsolaIAMconInformes.json b/IAM/permiteAccesoLecturaConsolaIAMconInformes.json
new file mode 100644
index 0000000..c3f7dde
--- /dev/null
+++ b/IAM/permiteAccesoLecturaConsolaIAMconInformes.json
@@ -0,0 +1,12 @@
+{
+ "Version": "2012-10-17",
+ "Statement": {
+ "Effect": "Allow",
+ "Action": [
+ "iam:Get*",
+ "iam:List*",
+ "iam:Generate*"
+ ],
+ "Resource": "*"
+ }
+}
diff --git a/IAM/permiteAccesoLecturaConsolaIAMsinInformes.json b/IAM/permiteAccesoLecturaConsolaIAMsinInformes.json
new file mode 100644
index 0000000..94d85b4
--- /dev/null
+++ b/IAM/permiteAccesoLecturaConsolaIAMsinInformes.json
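Review bot: In limitarPoliticasAplicarUsuario.json the `iam:PolicyARN` values `arn:aws:iam::*:policy/policy-name-1` leave the account field as `*`, so `ArnEquals` also matches a same-named policy in any other account and in the `aws` pseudo-account used by AWS managed policies. Pin the account, e.g. `"arn:aws:iam::<ACCOUNT_ID>:policy/policy-name-1"` (placeholder), so only the two intended customer-managed policies can be attached or detached. `policy-name-1` / `policy-name-2` are documentation placeholders and must be replaced before the file is used; the statement also lacks a `Sid`.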
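Review bot: In pasarFuncionIAMaServicio.json `iam:PassRole` is granted on `"Resource": "*"`, so any role in the account — including highly privileged ones — may be passed as long as the receiving service is `cloudwatch.amazonaws.com`. The `iam:PassedToService` condition limits where a role goes, not which role; narrow `Resource` to the role ARN(s) intended for CloudWatch, e.g. `"Resource": "arn:aws:iam::<ACCOUNT_ID>:role/<CLOUDWATCH_ROLE>"` (placeholders), and keep the service condition as the second guard. The statement has no `Sid`, unlike most policies in this commit.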
@@ -0,0 +1,11 @@
+{
+ "Version": "2012-10-17",
+ "Statement": {
+ "Effect": "Allow",
+ "Action": [
+ "iam:Get*",
+ "iam:List*"
+ ],
+ "Resource": "*"
+ }
+}
diff --git a/IAM/permiteAccesoSimuladorPoliticasRutaAcceso.json b/IAM/permiteAccesoSimuladorPoliticasRutaAcceso.json
new file mode 100644
index 0000000..719657c
--- /dev/null
+++ b/IAM/permiteAccesoSimuladorPoliticasRutaAcceso.json
@@ -0,0 +1,24 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Action": [
+ "iam:GetPolicy",
+ "iam:GetUserPolicy"
+ ],
+ "Effect": "Allow",
+ "Resource": "*"
+ },
+ {
+ "Action": [
+ "iam:GetUser",
+ "iam:ListAttachedUserPolicies",
+ "iam:ListGroupsForUser",
+ "iam:ListUserPolicies",
+ "iam:ListUsers"
+ ],
+ "Effect": "Allow",
+ "Resource": "arn:aws:iam::*:user/Department/Development/*"
+ }
+ ]
+}
diff --git a/IAM/permiteAdminPertenenciaGrupo.json b/IAM/permiteAdminPertenenciaGrupo.json
new file mode 100644
index 0000000..1f9f50e
--- /dev/null
+++ b/IAM/permiteAdminPertenenciaGrupo.json
@@ -0,0 +1,26 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "ViewGroups",
+ "Effect": "Allow",
+ "Action": [
+ "iam:ListGroups",
+ "iam:ListUsers",
+ "iam:GetUser",
+ "iam:ListGroupsForUser"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "ViewEditThisGroup",
+ "Effect": "Allow",
+ "Action": [
+ "iam:AddUserToGroup",
+ "iam:RemoveUserFromGroup",
+ "iam:GetGroup"
+ ],
+ "Resource": "arn:aws:iam::*:group/MarketingTeam"
+ }
+ ]
+}
diff --git a/IAM/permiteRequisitosPassword.json b/IAM/permiteRequisitosPassword.json
new file mode 100644
index 0000000..eadd6d2
--- /dev/null
+++ b/IAM/permiteRequisitosPassword.json
@@ -0,0 +1,11 @@
+{
+ "Version": "2012-10-17",
+ "Statement": {
+ "Effect": "Allow",
+ "Action": [
+ "iam:GetAccountPasswordPolicy",
+ "iam:UpdateAccountPasswordPolicy"
+ ],
+ "Resource": "*"
+ }
+}
diff --git a/IAM/permiteUsuariosAdminGrupo.json b/IAM/permiteUsuariosAdminGrupo.json
new file mode 100644
index 0000000..3cb82c5
--- /dev/null
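Review bot: In permiteAccesoSimuladorPoliticasRutaAcceso.json the first statement grants `iam:GetUserPolicy` on `"Resource": "*"`, which reads the inline policies of every user, while the second statement carefully limits the other user-level reads to `arn:aws:iam::*:user/Department/Development/*`. `iam:GetUserPolicy` is evaluated against a user ARN, so it can move into the path-scoped statement; only `iam:GetPolicy`, whose resource is a managed policy, needs the `*`. Both statements would also benefit from a `Sid`, as the other multi-statement files in this commit have.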
+++ b/IAM/permiteUsuariosAdminGrupo.json
@@ -0,0 +1,42 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "AllowAllUsersToListAllGroups",
+ "Effect": "Allow",
+ "Action": "iam:ListGroups",
+ "Resource": "*"
+ },
+ {
+ "Sid": "AllowAllUsersToViewAndManageThisGroup",
+ "Effect": "Allow",
+ "Action": "iam:*Group*",
+ "Resource": "arn:aws:iam::*:group/AllUsers"
+ },
+ {
+ "Sid": "LimitGroupManagementAccessToSpecificUsers",
+ "Effect": "Deny",
+ "Action": [
+ "iam:AddUserToGroup",
+ "iam:CreateGroup",
+ "iam:RemoveUserFromGroup",
+ "iam:DeleteGroup",
+ "iam:AttachGroupPolicy",
+ "iam:UpdateGroup",
+ "iam:DetachGroupPolicy",
+ "iam:DeleteGroupPolicy",
+ "iam:PutGroupPolicy"
+ ],
+ "Resource": "arn:aws:iam::*:group/AllUsers",
+ "Condition": {
+ "StringNotEquals": {
+ "aws:username": [
+ "srodriguez",
+ "mjackson",
+ "adesai"
+ ]
+ }
+ }
+ }
+ ]
+}
diff --git a/IAM/permiteUsuariosAdminMFA.json b/IAM/permiteUsuariosAdminMFA.json
new file mode 100644
index 0000000..9016faf
--- /dev/null
+++ b/IAM/permiteUsuariosAdminMFA.json
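Review bot: In permiteUsuariosAdminGrupo.json the `iam:*Group*` allow on `arn:aws:iam::*:group/AllUsers`, combined with a Deny that exempts `srodriguez`, `mjackson` and `adesai`, leaves those three users able to call `iam:AttachGroupPolicy` and `iam:PutGroupPolicy` on a group that, by its name, contains every user — in effect they can set everyone's permissions, which should be stated wherever this policy is reviewed. The action wildcard also matches any future `*Group*` action the Deny list does not yet name, so the two lists will drift apart; an explicit `Action` list in the allow statement is easier to keep in sync with the Deny. Hard-coding usernames under `aws:username` is brittle, and the key is absent for role sessions, where `StringNotEquals` then evaluates true and the Deny applies to them — probably the intended outcome, but worth documenting.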
@@ -0,0 +1,73 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "AllowListActions",
+ "Effect": "Allow",
+ "Action": [
+ "iam:ListUsers",
+ "iam:ListVirtualMFADevices"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "AllowIndividualUserToListOnlyTheirOwnMFA",
+ "Effect": "Allow",
+ "Action": [
+ "iam:ListMFADevices"
+ ],
+ "Resource": [
+ "arn:aws:iam::*:mfa/*",
+ "arn:aws:iam::*:user/${aws:username}"
+ ]
+ },
+ {
+ "Sid": "AllowIndividualUserToManageTheirOwnMFA",
+ "Effect": "Allow",
+ "Action": [
+ "iam:CreateVirtualMFADevice",
+ "iam:DeleteVirtualMFADevice",
+ "iam:EnableMFADevice",
+ "iam:ResyncMFADevice"
+ ],
+ "Resource": [
+ "arn:aws:iam::*:mfa/${aws:username}",
+ "arn:aws:iam::*:user/${aws:username}"
+ ]
+ },
+ {
+ "Sid": "AllowIndividualUserToDeactivateOnlyTheirOwnMFAOnlyWhenUsingMFA",
+ "Effect": "Allow",
+ "Action": [
+ "iam:DeactivateMFADevice"
+ ],
+ "Resource": [
+ "arn:aws:iam::*:mfa/${aws:username}",
+ "arn:aws:iam::*:user/${aws:username}"
+ ],
+ "Condition": {
+ "Bool": {
+ "aws:MultiFactorAuthPresent": "true"
+ }
+ }
+ },
+ {
+ "Sid": "BlockMostAccessUnlessSignedInWithMFA",
+ "Effect": "Deny",
+ "NotAction": [
+ "iam:CreateVirtualMFADevice",
+ "iam:EnableMFADevice",
+ "iam:ListMFADevices",
+ "iam:ListUsers",
+ "iam:ListVirtualMFADevices",
+ "iam:ResyncMFADevice"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "BoolIfExists": {
+ "aws:MultiFactorAuthPresent": "false"
+ }
+ }
+ }
+ ]
+}
diff --git a/IAM/permiteUsuariosCambiarCredenciales.json b/IAM/permiteUsuariosCambiarCredenciales.json
new file mode 100644
index 0000000..81e5ea6
--- /dev/null
+++ b/IAM/permiteUsuariosCambiarCredenciales.json
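Review bot: In permiteUsuariosAdminMFA.json `iam:DeleteVirtualMFADevice` appears in the `AllowIndividualUserToManageTheirOwnMFA` allow but not in the `NotAction` list of `BlockMostAccessUnlessSignedInWithMFA`, so a user who has not yet completed an MFA sign-in cannot delete a virtual device — including one left behind by a failed `iam:EnableMFADevice` attempt — and must ask an administrator. If that is intended (it stops a non-MFA session from removing a device), keep it and record it beside the policy; otherwise add `"iam:DeleteVirtualMFADevice",` to the `NotAction` list. `BoolIfExists` with `"aws:MultiFactorAuthPresent": "false"` is the right operator for the Deny: it fires both when the key is `false` and when it is absent, as with long-term access keys, which plain `Bool` would not.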
@@ -0,0 +1,24 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "iam:ListUsers",
+ "iam:GetAccountPasswordPolicy"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "iam:*AccessKey*",
+ "iam:ChangePassword",
+ "iam:GetUser",
+ "iam:*ServiceSpecificCredential*",
+ "iam:*SigningCertificate*"
+ ],
+ "Resource": ["arn:aws:iam::*:user/${aws:username}"]
+ }
+ ]
+}
diff --git a/IAM/permitirDenegarAccesoServicios.json b/IAM/permitirDenegarAccesoServicios.json
new file mode 100644
index 0000000..afe406f
--- /dev/null
+++ b/IAM/permitirDenegarAccesoServicios.json
@@ -0,0 +1,50 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "AllowServices",
+ "Effect": "Allow",
+ "Action": [
+ "s3:*",
+ "cloudwatch:*",
+ "ec2:*"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "AllowIAMConsoleForCredentials",
+ "Effect": "Allow",
+ "Action": [
+ "iam:ListUsers",
+ "iam:GetAccountPasswordPolicy"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "AllowManageOwnPasswordAndAccessKeys",
+ "Effect": "Allow",
+ "Action": [
+ "iam:*AccessKey*",
+ "iam:ChangePassword",
+ "iam:GetUser",
+ "iam:*LoginProfile*"
+ ],
+ "Resource": ["arn:aws:iam::*:user/${aws:username}"]
+ },
+ {
+ "Sid": "DenyS3Logs",
+ "Effect": "Deny",
+ "Action": "s3:*",
+ "Resource": [
+ "arn:aws:s3:::logs",
+ "arn:aws:s3:::logs/*"
+ ]
+ },
+ {
+ "Sid": "DenyEC2Production",
+ "Effect": "Deny",
+ "Action": "ec2:*",
+ "Resource": "arn:aws:ec2:*:*:instance/i-1234567890abcdef0"
+ }
+ ]
+}
diff --git a/IAM/verUltimoAccesoServicio.json b/IAM/verUltimoAccesoServicio.json
new file mode 100644
index 0000000..b13cae1
--- /dev/null
+++ b/IAM/verUltimoAccesoServicio.json
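Review bot: In permiteUsuariosCambiarCredenciales.json the second statement lets a caller create and rotate access keys, signing certificates and service-specific credentials on its own user (`iam:*AccessKey*`, `iam:*SigningCertificate*`, `iam:*ServiceSpecificCredential*`) with no MFA requirement, so a single leaked password or key suffices to mint fresh long-lived credentials. The companion permiteUsuariosAdminMFA.json in this commit gates sensitive self-service on MFA; the same guard fits here by adding `"Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}` to that statement. Neither statement has a `Sid`, unlike the rest of the set.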
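Review bot: In permitirDenegarAccesoServicios.json the `DenyEC2Production` statement keys its Deny on one hard-coded instance ID, `i-1234567890abcdef0` (a documentation placeholder), so the protection silently lapses as soon as that instance is replaced or a second production instance appears, while `AllowServices` still grants `ec2:*` on `*`. A Deny conditioned on a resource tag follows the fleet instead: `"Resource": "*", "Condition": {"StringEquals": {"aws:ResourceTag/<TAG_KEY>": "<TAG_VALUE>"}}` (placeholders). The broad `s3:*` / `ec2:*` / `cloudwatch:*` allow also covers permission-affecting actions such as bucket-policy changes; confirm that is intended before this sample is reused outside a lab.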
@@ -0,0 +1,24 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "AllowOrgsReadOnlyAndIamGetReport",
+ "Effect": "Allow",
+ "Action": [
+ "iam:GetOrganizationsAccessReport",
+ "organizations:Describe*",
+ "organizations:List*"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "AllowGenerateReportOnlyForThePolicy",
+ "Effect": "Allow",
+ "Action": "iam:GenerateOrganizationsAccessReport",
+ "Resource": "*",
+ "Condition": {
+ "StringEquals": {"iam:OrganizationsPolicyId": "p-policy123"}
+ }
+ }
+ ]
+}