manuelver/EjemplosPoliticasAWS
manuelver/EjemplosPoliticasAWS
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Politicas RDS S3 Lambda

Browse Source
This commit is contained in:
vergman2 2022-09-01 02:23:51 +02:00
parent 8ca5392426
commit 901c4c6ab3
11 changed files with 387 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
RDS/permiteAccesoBBDDenAZ.json Normal file
View File

@ -0,0 +1,15 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "rds:*",
"Resource": ["arn:aws:rds:region:*:*"]
},
{
"Effect": "Allow",
"Action": ["rds:Describe*"],
"Resource": ["*"]
}
]
}

94
RDS/permitePropietariosEtiquetasAccesoRecursos.json Normal file
View File

@ -0,0 +1,94 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"rds:Describe*",
"rds:List*"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"rds:DeleteDBInstance",
"rds:RebootDBInstance",
"rds:ModifyDBInstance"
],
"Effect": "Allow",
"Resource": "*",
"Condition": {
"StringEqualsIgnoreCase": {"rds:db-tag/Owner": "${aws:username}"}
}
},
{
"Action": [
"rds:ModifyOptionGroup",
"rds:DeleteOptionGroup"
],
"Effect": "Allow",
"Resource": "*",
"Condition": {
"StringEqualsIgnoreCase": {"rds:og-tag/Owner": "${aws:username}"}
}
},
{
"Action": [
"rds:ModifyDBParameterGroup",
"rds:ResetDBParameterGroup"
],
"Effect": "Allow",
"Resource": "*",
"Condition": {
"StringEqualsIgnoreCase": {"rds:pg-tag/Owner": "${aws:username}"}
}
},
{
"Action": [
"rds:AuthorizeDBSecurityGroupIngress",
"rds:RevokeDBSecurityGroupIngress",
"rds:DeleteDBSecurityGroup"
],
"Effect": "Allow",
"Resource": "*",
"Condition": {
"StringEqualsIgnoreCase": {"rds:secgrp-tag/Owner": "${aws:username}"}
}
},
{
"Action": [
"rds:DeleteDBSnapshot",
"rds:RestoreDBInstanceFromDBSnapshot"
],
"Effect": "Allow",
"Resource": "*",
"Condition": {
"StringEqualsIgnoreCase": {"rds:snapshot-tag/Owner": "${aws:username}"}
}
},
{
"Action": [
"rds:ModifyDBSubnetGroup",
"rds:DeleteDBSubnetGroup"
],
"Effect": "Allow",
"Resource": "*",
"Condition": {
"StringEqualsIgnoreCase": {"rds:subgrp-tag/Owner": "${aws:username}"}
}
},
{
"Action": [
"rds:ModifyEventSubscription",
"rds:AddSourceIdentifierToSubscription",
"rds:RemoveSourceIdentifierFromSubscription",
"rds:DeleteEventSubscription"
],
"Effect": "Allow",
"Resource": "*",
"Condition": {
"StringEqualsIgnoreCase": {"rds:es-tag/Owner": "${aws:username}"}
}
}
]
}

24
RDS/permiteRestaurarBBDD.json Normal file
View File

@ -0,0 +1,24 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:Describe*",
"rds:CreateDBParameterGroup",
"rds:CreateDBSnapshot",
"rds:DeleteDBSnapshot",
"rds:Describe*",
"rds:DownloadDBLogFilePortion",
"rds:List*",
"rds:ModifyDBInstance",
"rds:ModifyDBParameterGroup",
"rds:ModifyOptionGroup",
"rds:RebootDBInstance",
"rds:RestoreDBInstanceFromDBSnapshot",
"rds:RestoreDBInstanceToPointInTime"
],
"Resource": "*"
}
]
}

44
S3/accesoBucketEnProduccionSoloConMFA.json Normal file
View File

@ -0,0 +1,44 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ListAllS3Buckets",
"Effect": "Allow",
"Action": ["s3:ListAllMyBuckets"],
"Resource": "arn:aws:s3:::*"
},
{
"Sid": "AllowBucketLevelActions",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::*"
},
{
"Sid": "AllowBucketObjectActions",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::*/*"
},
{
"Sid": "RequireMFAForProductionBucket",
"Effect": "Deny",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::Production/*",
"arn:aws:s3:::Production"
],
"Condition": {
"NumericGreaterThanIfExists": {"aws:MultiFactorAuthAge": "1800"}
}
}
]
}

17
S3/permiteAccesoLecturaEscrituraObjetos.json Normal file
View File

@ -0,0 +1,17 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ListObjectsInBucket",
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": ["arn:aws:s3:::bucket-name"]
},
{
"Sid": "AllObjectActions",
"Effect": "Allow",
"Action": "s3:*Object",
"Resource": ["arn:aws:s3:::bucket-name/*"]
}
]
}

30
S3/permiteAccesoLecturaEscrituraObjetosConsola.json Normal file
View File

@ -0,0 +1,30 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ConsoleAccess",
"Effect": "Allow",
"Action": [
"s3:GetAccountPublicAccessBlock",
"s3:GetBucketAcl",
"s3:GetBucketLocation",
"s3:GetBucketPolicyStatus",
"s3:GetBucketPublicAccessBlock",
"s3:ListAllMyBuckets"
],
"Resource": "*"
},
{
"Sid": "ListObjectsInBucket",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": ["arn:aws:s3:::bucket-name"]
},
{
"Sid": "AllObjectActions",
"Effect": "Allow",
"Action": "s3:*Object",
"Resource": ["arn:aws:s3:::bucket-name/*"]
}
]
}

32
S3/permiteUsuariosCognitoAccesoObjetosSuBucket.json Normal file
View File

@ -0,0 +1,32 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ListYourObjects",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": [
"arn:aws:s3:::bucket-name"
],
"Condition": {
"StringLike": {
"s3:prefix": [
"cognito/application-name/${cognito-identity.amazonaws.com:sub}/*"
]
}
}
},
{
"Sid": "ReadWriteDeleteYourObjects",
"Effect": "Allow",
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::bucket-name/cognito/application-name/${cognito-identity.amazonaws.com:sub}/*"
]
}
]
}

35
S3/permiteUsuariosFederadosAccesoDirectorioPrincipal.json Normal file
View File

@ -0,0 +1,35 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::bucket-name",
"Condition": {
"StringLike": {
"s3:prefix": [
"",
"home/",
"home/${aws:userid}/*"
]
}
}
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::bucket-name/home/${aws:userid}",
"arn:aws:s3:::bucket-name/home/${aws:userid}/*"
]
}
]
}

35
S3/permiteUsuariosIAMAccesoDirectorioPrincipal.json Normal file
View File

@ -0,0 +1,35 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::bucket-name",
"Condition": {
"StringLike": {
"s3:prefix": [
"",
"home/",
"home/${aws:username}/*"
]
}
}
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::bucket-name/home/${aws:username}",
"arn:aws:s3:::bucket-name/home/${aws:username}/*"
]
}
]
}

21
S3/restringirAdminBucketConcreto.json Normal file
View File

@ -0,0 +1,21 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::bucket-name",
"arn:aws:s3:::bucket-name/*"
]
},
{
"Effect": "Deny",
"NotAction": "s3:*",
"NotResource": [
"arn:aws:s3:::bucket-name",
"arn:aws:s3:::bucket-name/*"
]
}
]
}

40
lambda/permiteFuncionLambdaAccederTablaDynamoDB.json Normal file
View File

@ -0,0 +1,40 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ReadWriteTable",
"Effect": "Allow",
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:GetItem",
"dynamodb:Query",
"dynamodb:Scan",
"dynamodb:BatchWriteItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem"
],
"Resource": "arn:aws:dynamodb:*:*:table/SampleTable"
},
{
"Sid": "GetStreamRecords",
"Effect": "Allow",
"Action": "dynamodb:GetRecords",
"Resource": "arn:aws:dynamodb:*:*:table/SampleTable/stream/* "
},
{
"Sid": "WriteLogStreamsAndGroups",
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "*"
},
{
"Sid": "CreateLogGroup",
"Effect": "Allow",
"Action": "logs:CreateLogGroup",
"Resource": "*"
}
]
}