diff --git a/RDS/permiteAccesoBBDDenAZ.json b/RDS/permiteAccesoBBDDenAZ.json
new file mode 100644
index 0000000..a91ab52
--- /dev/null
+++ b/RDS/permiteAccesoBBDDenAZ.json
@@ -0,0 +1,15 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": "rds:*",
+ "Resource": ["arn:aws:rds:region:*:*"]
+ },
+ {
+ "Effect": "Allow",
+ "Action": ["rds:Describe*"],
+ "Resource": ["*"]
+ }
+ ]
+}
diff --git a/RDS/permitePropietariosEtiquetasAccesoRecursos.json b/RDS/permitePropietariosEtiquetasAccesoRecursos.json
new file mode 100644
index 0000000..bca331b
--- /dev/null
+++ b/RDS/permitePropietariosEtiquetasAccesoRecursos.json
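Review bot: The first statement's `"Resource": ["arn:aws:rds:region:*:*"]` still carries the literal placeholder `region`; ARN matching is exact, so as committed that statement matches no real RDS resource and only the `rds:Describe*` statement has any effect until `region` is replaced by a real region such as `eu-west-1`. Once it is, `rds:*` on `<region>:*:*` covers every RDS resource type in every account, including `rds:ModifyDBInstance` (master-password reset), `rds:DeleteDBInstance` and `rds:ModifyDBSnapshotAttribute` (snapshot sharing), so consider narrowing to the account and resource types actually needed, e.g. `"Resource": ["arn:aws:rds:<region>:<account-id>:db:*"]`. The filename speaks of an availability zone, but IAM can scope RDS ARNs only by region and account, never by AZ; since strict JSON cannot carry a comment, that limitation belongs in the repository README.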
@@ -0,0 +1,94 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Action": [
+ "rds:Describe*",
+ "rds:List*"
+ ],
+ "Effect": "Allow",
+ "Resource": "*"
+ },
+ {
+ "Action": [
+ "rds:DeleteDBInstance",
+ "rds:RebootDBInstance",
+ "rds:ModifyDBInstance"
+ ],
+ "Effect": "Allow",
+ "Resource": "*",
+ "Condition": {
+ "StringEqualsIgnoreCase": {"rds:db-tag/Owner": "${aws:username}"}
+ }
+ },
+ {
+ "Action": [
+ "rds:ModifyOptionGroup",
+ "rds:DeleteOptionGroup"
+ ],
+ "Effect": "Allow",
+ "Resource": "*",
+ "Condition": {
+ "StringEqualsIgnoreCase": {"rds:og-tag/Owner": "${aws:username}"}
+ }
+ },
+ {
+ "Action": [
+ "rds:ModifyDBParameterGroup",
+ "rds:ResetDBParameterGroup"
+ ],
+ "Effect": "Allow",
+ "Resource": "*",
+ "Condition": {
+ "StringEqualsIgnoreCase": {"rds:pg-tag/Owner": "${aws:username}"}
+ }
+ },
+ {
+ "Action": [
+ "rds:AuthorizeDBSecurityGroupIngress",
+ "rds:RevokeDBSecurityGroupIngress",
+ "rds:DeleteDBSecurityGroup"
+ ],
+ "Effect": "Allow",
+ "Resource": "*",
+ "Condition": {
+ "StringEqualsIgnoreCase": {"rds:secgrp-tag/Owner": "${aws:username}"}
+ }
+ },
+ {
+ "Action": [
+ "rds:DeleteDBSnapshot",
+ "rds:RestoreDBInstanceFromDBSnapshot"
+ ],
+ "Effect": "Allow",
+ "Resource": "*",
+ "Condition": {
+ "StringEqualsIgnoreCase": {"rds:snapshot-tag/Owner": "${aws:username}"}
+ }
+ },
+ {
+ "Action": [
+ "rds:ModifyDBSubnetGroup",
+ "rds:DeleteDBSubnetGroup"
+ ],
+ "Effect": "Allow",
+ "Resource": "*",
+ "Condition": {
+ "StringEqualsIgnoreCase": {"rds:subgrp-tag/Owner": "${aws:username}"}
+ }
+ },
+ {
+ "Action": [
+ "rds:ModifyEventSubscription",
+ "rds:AddSourceIdentifierToSubscription",
+ "rds:RemoveSourceIdentifierFromSubscription",
+ "rds:DeleteEventSubscription"
+ ],
+ "Effect": "Allow",
+ "Resource": "*",
+ "Condition": {
+ "StringEqualsIgnoreCase": {"rds:es-tag/Owner": "${aws:username}"}
+ }
+ }
+ ]
+}
diff --git a/RDS/permiteRestaurarBBDD.json b/RDS/permiteRestaurarBBDD.json
new file mode 100644
index 0000000..a6db26d
--- /dev/null
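Review bot: Ownership in every conditioned statement is decided solely by an `Owner` tag compared against `${aws:username}`, so the policy is only as strong as control over that tag; this file correctly grants no `rds:AddTagsToResource`/`rds:RemoveTagsFromResource`, but any other policy attached to the same principal that grants tagging without an `rds:req-tag/Owner` or `aws:RequestTag/Owner` condition lets a user retag an arbitrary instance as their own and then `rds:DeleteDBInstance` it. Two caveats are worth recording in the README since JSON cannot carry them: `aws:username` is populated only for IAM users, so a principal acting through an assumed role or federation never satisfies these conditions (it is denied, which is the safe direction), and `rds:RestoreDBInstanceFromDBSnapshot` creates a new instance that, unless the caller supplies the `Owner` tag at restore time, this policy will not let the restorer reboot, modify or delete afterwards — verify the tag-propagation behaviour you rely on.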
+++ b/RDS/permiteRestaurarBBDD.json
@@ -0,0 +1,24 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:Describe*",
+ "rds:CreateDBParameterGroup",
+ "rds:CreateDBSnapshot",
+ "rds:DeleteDBSnapshot",
+ "rds:Describe*",
+ "rds:DownloadDBLogFilePortion",
+ "rds:List*",
+ "rds:ModifyDBInstance",
+ "rds:ModifyDBParameterGroup",
+ "rds:ModifyOptionGroup",
+ "rds:RebootDBInstance",
+ "rds:RestoreDBInstanceFromDBSnapshot",
+ "rds:RestoreDBInstanceToPointInTime"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
diff --git a/S3/accesoBucketEnProduccionSoloConMFA.json b/S3/accesoBucketEnProduccionSoloConMFA.json
new file mode 100644
index 0000000..0464cfa
--- /dev/null
+++ b/S3/accesoBucketEnProduccionSoloConMFA.json
@@ -0,0 +1,44 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "ListAllS3Buckets",
+ "Effect": "Allow",
+ "Action": ["s3:ListAllMyBuckets"],
+ "Resource": "arn:aws:s3:::*"
+ },
+ {
+ "Sid": "AllowBucketLevelActions",
+ "Effect": "Allow",
+ "Action": [
+ "s3:ListBucket",
+ "s3:GetBucketLocation"
+ ],
+ "Resource": "arn:aws:s3:::*"
+ },
+ {
+ "Sid": "AllowBucketObjectActions",
+ "Effect": "Allow",
+ "Action": [
+ "s3:PutObject",
+ "s3:PutObjectAcl",
+ "s3:GetObject",
+ "s3:GetObjectAcl",
+ "s3:DeleteObject"
+ ],
+ "Resource": "arn:aws:s3:::*/*"
+ },
+ {
+ "Sid": "RequireMFAForProductionBucket",
+ "Effect": "Deny",
+ "Action": "s3:*",
+ "Resource": [
+ "arn:aws:s3:::Production/*",
+ "arn:aws:s3:::Production"
+ ],
+ "Condition": {
+ "NumericGreaterThanIfExists": {"aws:MultiFactorAuthAge": "1800"}
+ }
+ }
+ ]
+}
diff --git a/S3/permiteAccesoLecturaEscrituraObjetos.json b/S3/permiteAccesoLecturaEscrituraObjetos.json
new file mode 100644
index 0000000..6828724
--- /dev/null
+++ b/S3/permiteAccesoLecturaEscrituraObjetos.json
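Review bot: `rds:ModifyDBInstance`, `rds:DeleteDBSnapshot` and both `Restore*` actions are granted on `"Resource": "*"`, which is far broader than a restore workflow needs: `ModifyDBInstance` on any instance allows resetting its master password (full data access), and `DeleteDBSnapshot` on every snapshot lets a compromised credential destroy the very backups this policy exists to restore from. Suggest scoping the statement to the instance and snapshot ARNs involved, e.g. `"Resource": ["arn:aws:rds:<region>:<account-id>:db:<instance>", "arn:aws:rds:<region>:<account-id>:snapshot:*"]`, and moving `rds:DeleteDBSnapshot` out of this policy unless snapshot clean-up is genuinely part of the restore job. Both `Restore*` actions create new instances, so if the tag-based ownership scheme from the sibling policy in this directory is in use, the restored instance should be tagged at creation or it will be unmanageable by its owner.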
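Review bot: The Deny targets `arn:aws:s3:::Production` and `arn:aws:s3:::Production/*`, but S3 bucket names have been lowercase-only since 2018 (uppercase was only ever possible for legacy us-east-1 buckets) and ARN matching is case-sensitive, so unless a legacy bucket literally named `Production` exists this Deny matches nothing and the MFA requirement is silently not enforced; confirm the exact name, likely `"arn:aws:s3:::production/*"` and `"arn:aws:s3:::production"`. The `NumericGreaterThanIfExists` construction is correct — a request made without MFA carries no `aws:MultiFactorAuthAge`, the `IfExists` variant then evaluates true and the Deny fires — but that reasoning is non-obvious and belongs in the README since JSON cannot hold a comment. Separately, `AllowBucketObjectActions` grants `s3:PutObjectAcl` and `s3:DeleteObject` on `arn:aws:s3:::*/*`, i.e. every object in every bucket of the account; `PutObjectAcl` alone lets this principal make objects public on any bucket that still honours ACLs, so consider dropping it or scoping the Resource to the buckets this principal actually works with.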
@@ -0,0 +1,17 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "ListObjectsInBucket",
+ "Effect": "Allow",
+ "Action": ["s3:ListBucket"],
+ "Resource": ["arn:aws:s3:::bucket-name"]
+ },
+ {
+ "Sid": "AllObjectActions",
+ "Effect": "Allow",
+ "Action": "s3:*Object",
+ "Resource": ["arn:aws:s3:::bucket-name/*"]
+ }
+ ]
+}
diff --git a/S3/permiteAccesoLecturaEscrituraObjetosConsola.json b/S3/permiteAccesoLecturaEscrituraObjetosConsola.json
new file mode 100644
index 0000000..0b0fbce
--- /dev/null
+++ b/S3/permiteAccesoLecturaEscrituraObjetosConsola.json
@@ -0,0 +1,30 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "ConsoleAccess",
+ "Effect": "Allow",
+ "Action": [
+ "s3:GetAccountPublicAccessBlock",
+ "s3:GetBucketAcl",
+ "s3:GetBucketLocation",
+ "s3:GetBucketPolicyStatus",
+ "s3:GetBucketPublicAccessBlock",
+ "s3:ListAllMyBuckets"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "ListObjectsInBucket",
+ "Effect": "Allow",
+ "Action": "s3:ListBucket",
+ "Resource": ["arn:aws:s3:::bucket-name"]
+ },
+ {
+ "Sid": "AllObjectActions",
+ "Effect": "Allow",
+ "Action": "s3:*Object",
+ "Resource": ["arn:aws:s3:::bucket-name/*"]
+ }
+ ]
+}
diff --git a/S3/permiteUsuariosCognitoAccesoObjetosSuBucket.json b/S3/permiteUsuariosCognitoAccesoObjetosSuBucket.json
new file mode 100644
index 0000000..2c28e9e
--- /dev/null
+++ b/S3/permiteUsuariosCognitoAccesoObjetosSuBucket.json
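Review bot: `"Action": "s3:*Object"` in `AllObjectActions` is a suffix wildcard, so besides `GetObject`/`PutObject`/`DeleteObject` it already matches `s3:RestoreObject` and `s3:ReplicateObject` and will silently absorb any future S3 action whose name ends in `Object`; for a least-privilege read/write policy enumerate them: `"Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]`. `bucket-name` is a placeholder that must be substituted before the policy is attached; as committed both statements match nothing.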
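Review bot: The `ConsoleAccess` statement grants `s3:GetBucketAcl` and `s3:GetBucketPolicyStatus` on `"Resource": "*"`, which lets this principal read the ACL and public-status of every bucket in the account rather than only `bucket-name`; `s3:ListAllMyBuckets` and `s3:GetBucketLocation` genuinely need account-wide scope for the console, but the ACL/policy-status reads could be moved to a statement on `"Resource": "arn:aws:s3:::bucket-name"` if the principal should not learn how other buckets are configured (the console may then show an error in the access column for those buckets, which is acceptable). `AllObjectActions` reuses the `s3:*Object` suffix wildcard, which also matches `s3:RestoreObject`, `s3:ReplicateObject` and any future `*Object` action; prefer the explicit list `["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]`.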
@@ -0,0 +1,32 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "ListYourObjects",
+ "Effect": "Allow",
+ "Action": "s3:ListBucket",
+ "Resource": [
+ "arn:aws:s3:::bucket-name"
+ ],
+ "Condition": {
+ "StringLike": {
+ "s3:prefix": [
+ "cognito/application-name/${cognito-identity.amazonaws.com:sub}/*"
+ ]
+ }
+ }
+ },
+ {
+ "Sid": "ReadWriteDeleteYourObjects",
+ "Effect": "Allow",
+ "Action": [
+ "s3:DeleteObject",
+ "s3:GetObject",
+ "s3:PutObject"
+ ],
+ "Resource": [
+ "arn:aws:s3:::bucket-name/cognito/application-name/${cognito-identity.amazonaws.com:sub}/*"
+ ]
+ }
+ ]
+}
diff --git a/S3/permiteUsuariosFederadosAccesoDirectorioPrincipal.json b/S3/permiteUsuariosFederadosAccesoDirectorioPrincipal.json
new file mode 100644
index 0000000..a502c6b
--- /dev/null
+++ b/S3/permiteUsuariosFederadosAccesoDirectorioPrincipal.json
@@ -0,0 +1,35 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "s3:ListAllMyBuckets",
+ "s3:GetBucketLocation"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": "s3:ListBucket",
+ "Resource": "arn:aws:s3:::bucket-name",
+ "Condition": {
+ "StringLike": {
+ "s3:prefix": [
+ "",
+ "home/",
+ "home/${aws:userid}/*"
+ ]
+ }
+ }
+ },
+ {
+ "Effect": "Allow",
+ "Action": "s3:*",
+ "Resource": [
+ "arn:aws:s3:::bucket-name/home/${aws:userid}",
+ "arn:aws:s3:::bucket-name/home/${aws:userid}/*"
+ ]
+ }
+ ]
+}
diff --git a/S3/permiteUsuariosIAMAccesoDirectorioPrincipal.json b/S3/permiteUsuariosIAMAccesoDirectorioPrincipal.json
new file mode 100644
index 0000000..e98ca4a
--- /dev/null
+++ b/S3/permiteUsuariosIAMAccesoDirectorioPrincipal.json
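Review bot: The per-identity scoping through `${cognito-identity.amazonaws.com:sub}` is only a boundary between users if this policy is attached to the identity pool's authenticated role: unauthenticated identities are also issued a `sub`, so on the unauthenticated role this hands every anonymous visitor a writable prefix under `cognito/application-name/`, i.e. unbounded anonymous storage and delete rights on whatever they wrote. Record in the README which role it belongs on and that unauthenticated identities should be disabled on the pool unless that behaviour is wanted, since the JSON cannot carry the note. The `ListYourObjects` condition is `StringLike` on `s3:prefix` with no bare `""` entry, so a `ListBucket` call that supplies no prefix is denied — that is the desired outcome here (it prevents enumerating other users' folders) and is worth stating explicitly.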
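Review bot: For a federated principal `aws:userid` has the form `<role-id>:<session-name>`, and with `AssumeRoleWithWebIdentity` and plain `AssumeRole` the session name is a caller-supplied request parameter (for SAML it comes from the IdP's `RoleSessionName` attribute); wherever the caller controls it, a user can assume the role with another user's session name and land in that user's `home/` prefix. Pair this policy with a trust-policy condition that pins the session name to the verified identity, e.g. `"StringEquals": {"sts:RoleSessionName": "${saml:sub}"}` or the matching OIDC claim, and document that dependency in the README. Also `"Action": "s3:*"` on the home prefix includes `s3:PutObjectAcl`, so users can set `public-read` on their own objects unless the bucket has ACLs disabled or Block Public Access enabled; an explicit list such as `["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]` is safer.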
@@ -0,0 +1,35 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "s3:ListAllMyBuckets",
+ "s3:GetBucketLocation"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": "s3:ListBucket",
+ "Resource": "arn:aws:s3:::bucket-name",
+ "Condition": {
+ "StringLike": {
+ "s3:prefix": [
+ "",
+ "home/",
+ "home/${aws:username}/*"
+ ]
+ }
+ }
+ },
+ {
+ "Effect": "Allow",
+ "Action": "s3:*",
+ "Resource": [
+ "arn:aws:s3:::bucket-name/home/${aws:username}",
+ "arn:aws:s3:::bucket-name/home/${aws:username}/*"
+ ]
+ }
+ ]
+}
diff --git a/S3/restringirAdminBucketConcreto.json b/S3/restringirAdminBucketConcreto.json
new file mode 100644
index 0000000..6c3a0b2
--- /dev/null
+++ b/S3/restringirAdminBucketConcreto.json
@@ -0,0 +1,21 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": "s3:*",
+ "Resource": [
+ "arn:aws:s3:::bucket-name",
+ "arn:aws:s3:::bucket-name/*"
+ ]
+ },
+ {
+ "Effect": "Deny",
+ "NotAction": "s3:*",
+ "NotResource": [
+ "arn:aws:s3:::bucket-name",
+ "arn:aws:s3:::bucket-name/*"
+ ]
+ }
+ ]
+}
diff --git a/lambda/permiteFuncionLambdaAccederTablaDynamoDB.json b/lambda/permiteFuncionLambdaAccederTablaDynamoDB.json
new file mode 100644
index 0000000..194ca48
--- /dev/null
+++ b/lambda/permiteFuncionLambdaAccederTablaDynamoDB.json
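Review bot: The third statement grants `"Action": "s3:*"` on the user's `home/` prefix, which includes `s3:PutObjectAcl`; a user can therefore set `public-read` on their own objects, exposing the home directory unless the bucket has ACLs disabled (`BucketOwnerEnforced`) or Block Public Access enabled. Unless bucket-level settings are guaranteed, replace the wildcard with the object actions actually needed, e.g. `"Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]`. Also `${aws:username}` is populated only for IAM users; for role sessions the variable has no value and the statement matches nothing, which is safe, but the README should point role-based principals at the `aws:userid` variant in the same directory.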
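Review bot: The Deny statement (`"NotAction": "s3:*"` with `NotResource` the bucket) does not confine S3 to one bucket: because `NotAction` excludes every S3 action, `s3:*` on any other bucket granted by another policy on the same principal is untouched, while every non-S3 action on every non-bucket resource — in practice all of IAM, STS, EC2 and so on, including `iam:ChangePassword` and `sts:GetCallerIdentity` — is explicitly denied and cannot be re-enabled by another policy. If the intent is "this principal may only administer this bucket", add a second Deny with `"Action": "s3:*"` and the same `NotResource` list, remembering that `s3:ListAllMyBuckets` is evaluated against `Resource: *` and would need its own exception for console navigation. Note also that `s3:*` on the bucket includes `s3:PutBucketPolicy`, `s3:PutBucketAcl` and `s3:PutBucketPublicAccessBlock`, so this "admin" can make the bucket public unless account-level Block Public Access is on.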
@@ -0,0 +1,40 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "ReadWriteTable",
+ "Effect": "Allow",
+ "Action": [
+ "dynamodb:BatchGetItem",
+ "dynamodb:GetItem",
+ "dynamodb:Query",
+ "dynamodb:Scan",
+ "dynamodb:BatchWriteItem",
+ "dynamodb:PutItem",
+ "dynamodb:UpdateItem"
+ ],
+ "Resource": "arn:aws:dynamodb:*:*:table/SampleTable"
+ },
+ {
+ "Sid": "GetStreamRecords",
+ "Effect": "Allow",
+ "Action": "dynamodb:GetRecords",
+ "Resource": "arn:aws:dynamodb:*:*:table/SampleTable/stream/* "
+ },
+ {
+ "Sid": "WriteLogStreamsAndGroups",
+ "Effect": "Allow",
+ "Action": [
+ "logs:CreateLogStream",
+ "logs:PutLogEvents"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "CreateLogGroup",
+ "Effect": "Allow",
+ "Action": "logs:CreateLogGroup",
+ "Resource": "*"
+ }
+ ]
+}
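Review bot: The `GetStreamRecords` resource `"arn:aws:dynamodb:*:*:table/SampleTable/stream/* "` ends with a space inside the string as shown in the hunk; ARN matching is literal, so no real stream ARN ends in a space and `dynamodb:GetRecords` is effectively never granted — change it to `"Resource": "arn:aws:dynamodb:*:*:table/SampleTable/stream/*"`. If the function consumes the stream through an event source mapping it additionally needs `dynamodb:DescribeStream`, `dynamodb:GetShardIterator` and `dynamodb:ListStreams` on that stream ARN, which the hunk does not grant. Both `logs:` statements use `"Resource": "*"`; scoping them to the function's own log group, e.g. `"Resource": "arn:aws:logs:<region>:<account-id>:log-group:/aws/lambda/<function-name>:*"`, stops a compromised function from writing into or creating other log groups, and the `*:*` in the table ARN should likewise be pinned to the real region and account.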