diff --git a/AccesoAmazonDynamoDBatributo.json b/AccesoAmazonDynamoDBatributo.json
new file mode 100644
index 0000000..61a6c3b
--- /dev/null
+++ b/AccesoAmazonDynamoDBatributo.json
@@ -0,0 +1,28 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "dynamodb:GetItem",
+ "dynamodb:BatchGetItem",
+ "dynamodb:Query",
+ "dynamodb:PutItem",
+ "dynamodb:UpdateItem",
+ "dynamodb:DeleteItem",
+ "dynamodb:BatchWriteItem"
+ ],
+ "Resource": ["arn:aws:dynamodb:*:*:table/table-name"],
+ "Condition": {
+ "ForAllValues:StringEquals": {
+ "dynamodb:Attributes": [
+ "column-name-1",
+ "column-name-2",
+ "column-name-3"
+ ]
+ },
+ "StringEqualsIfExists": {"dynamodb:Select": "SPECIFIC_ATTRIBUTES"}
+ }
+ }
+ ]
+}
diff --git a/AccesoAmazonDynamoDBidCognito.json b/AccesoAmazonDynamoDBidCognito.json
new file mode 100644
index 0000000..4a60451
--- /dev/null
+++ b/AccesoAmazonDynamoDBidCognito.json
@@ -0,0 +1,21 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "dynamodb:DeleteItem",
+ "dynamodb:GetItem",
+ "dynamodb:PutItem",
+ "dynamodb:Query",
+ "dynamodb:UpdateItem"
+ ],
+ "Resource": ["arn:aws:dynamodb:*:*:table/MyTable"],
+ "Condition": {
+ "ForAllValues:StringEquals": {
+ "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"]
+ }
+ }
+ }
+ ]
+}
diff --git a/AccesoAmazonDynamoDBtabla.json b/AccesoAmazonDynamoDBtabla.json
new file mode 100644
index 0000000..79fa394
--- /dev/null
+++ b/AccesoAmazonDynamoDBtabla.json
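Review bot: The `ForAllValues:StringEquals` match on `dynamodb:Attributes` in AccesoAmazonDynamoDBatributo.json is a set operator, and set operators evaluate to true when the request carries no values for the key, so the attribute allow-list by itself does not force a projection to be supplied; the `StringEqualsIfExists` on `dynamodb:Select` is what is meant to close that gap, and because it is an `IfExists` match it is worth confirming against the AWS documentation that a read with no ProjectionExpression is actually rejected rather than returning every attribute. The Resource ARN leaves both region and account as `*` (`arn:aws:dynamodb:*:*:table/table-name`), so pin both to the owning account before reuse. Policy JSON cannot carry comments, so these caveats belong in the README entry for this file.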
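Review bot: In AccesoAmazonDynamoDBidCognito.json the per-identity isolation rests entirely on `ForAllValues:StringEquals` over `dynamodb:LeadingKeys`, and that operator evaluates to true when a request supplies no partition-key values, so the Action list must stay limited to item-level calls that always carry the key; adding `dynamodb:Scan` or a `dynamodb:*` wildcard would remove the per-user boundary without any error. The Resource also leaves region and account as `*`. A README line such as `LeadingKeys policy: do not add Scan or wildcard actions — ForAllValues passes on an empty key set` would keep the next maintainer from widening it.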
@@ -0,0 +1,34 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "ListAndDescribe",
+ "Effect": "Allow",
+ "Action": [
+ "dynamodb:List*",
+ "dynamodb:DescribeReservedCapacity*",
+ "dynamodb:DescribeLimits",
+ "dynamodb:DescribeTimeToLive"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "SpecificTable",
+ "Effect": "Allow",
+ "Action": [
+ "dynamodb:BatchGet*",
+ "dynamodb:DescribeStream",
+ "dynamodb:DescribeTable",
+ "dynamodb:Get*",
+ "dynamodb:Query",
+ "dynamodb:Scan",
+ "dynamodb:BatchWrite*",
+ "dynamodb:CreateTable",
+ "dynamodb:Delete*",
+ "dynamodb:Update*",
+ "dynamodb:PutItem"
+ ],
+ "Resource": "arn:aws:dynamodb:*:*:table/MyTable"
+ }
+ ]
+}
diff --git a/AccesoConcretoMFAfecha.json b/AccesoConcretoMFAfecha.json
new file mode 100644
index 0000000..cc0fdd4
--- /dev/null
+++ b/AccesoConcretoMFAfecha.json
@@ -0,0 +1,17 @@
+{
+ "Version": "2012-10-17",
+ "Statement": {
+ "Effect": "Allow",
+ "Action": [
+ "service-prefix-1:*",
+ "service-prefix-2:action-name-a",
+ "service-prefix-2:action-name-b"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "Bool": {"aws:MultiFactorAuthPresent": true},
+ "DateGreaterThan": {"aws:CurrentTime": "2017-07-01T00:00:00Z"},
+ "DateLessThan": {"aws:CurrentTime": "2017-12-31T23:59:59Z"}
+ }
+ }
+}
diff --git a/HabilitarDeshaAZ.json b/HabilitarDeshaAZ.json
new file mode 100644
index 0000000..57bc4eb
--- /dev/null
+++ b/HabilitarDeshaAZ.json
@@ -0,0 +1,26 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "EnableDisableHongKong",
+ "Effect": "Allow",
+ "Action": [
+ "account:EnableRegion",
+ "account:DisableRegion"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "StringEquals": {"account:TargetRegion": "ap-east-1"}
+ }
+ },
+ {
+ "Sid": "ViewConsole",
+ "Effect": "Allow",
+ "Action": [
+ "aws-portal:ViewAccount",
+ "account:ListRegions"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
diff --git a/IAMporMFAMySecurityCredentials.json b/IAMporMFAMySecurityCredentials.json
new file mode 100644
index 0000000..5cb4332
--- /dev/null
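Review bot: The `SpecificTable` statement in AccesoAmazonDynamoDBtabla.json grants `dynamodb:Delete*` and `dynamodb:Update*` on the table ARN, and those wildcards cover `dynamodb:DeleteTable` and `dynamodb:UpdateTable` as well as the item operations, so together with `dynamodb:CreateTable` the policy lets the principal drop and recreate the table rather than just read and write items. If table-level control is not intended, spell the actions out, e.g. `"dynamodb:DeleteItem", "dynamodb:UpdateItem", "dynamodb:BatchWriteItem"`, and remove `dynamodb:CreateTable`. `dynamodb:DescribeStream` is listed against the table ARN while stream ARNs carry a `/stream/` suffix, so that entry likely never matches and should be verified.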
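Review bot: AccesoConcretoMFAfecha.json writes `Statement` as a single object while every other policy in this commit uses an array; IAM accepts both, but the mixed shape complicates diffing and generation, so `"Statement": [ { ... } ]` would keep the set uniform. The window `DateGreaterThan` 2017-07-01 to `DateLessThan` 2017-12-31 has passed, so as committed this Allow never matches, and with the `service-prefix-*` / `action-name-*` placeholders the file is a template; the README should say so, so nobody attaches it expecting a grant. The `Bool` value is a bare `true` here but the string `"false"` in IAMporMFAMySecurityCredentials.json; choosing one form avoids surprises in policy-validation tooling.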
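Review bot: The `ViewConsole` statement in HabilitarDeshaAZ.json relies on `aws-portal:ViewAccount`; AWS has been retiring the `aws-portal` actions in favour of fine-grained `account:` and `billing:` actions, so this entry may stop working in accounts migrated to the new permissions and should be checked against the current console-access guidance. The `EnableDisableHongKong` statement is sound as written, since `account:TargetRegion` pins the Region to `ap-east-1` even though `Resource` is `*`.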
+++ b/IAMporMFAMySecurityCredentials.json 
@@ -0,0 +1,108 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "AllowViewAccountInfo",
+ "Effect": "Allow",
+ "Action": [
+ "iam:GetAccountPasswordPolicy",
+ "iam:ListVirtualMFADevices"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "AllowManageOwnPasswords",
+ "Effect": "Allow",
+ "Action": [
+ "iam:ChangePassword",
+ "iam:GetUser"
+ ],
+ "Resource": "arn:aws:iam::*:user/${aws:username}"
+ },
+ {
+ "Sid": "AllowManageOwnAccessKeys",
+ "Effect": "Allow",
+ "Action": [
+ "iam:CreateAccessKey",
+ "iam:DeleteAccessKey",
+ "iam:ListAccessKeys",
+ "iam:UpdateAccessKey"
+ ],
+ "Resource": "arn:aws:iam::*:user/${aws:username}"
+ },
+ {
+ "Sid": "AllowManageOwnSigningCertificates",
+ "Effect": "Allow",
+ "Action": [
+ "iam:DeleteSigningCertificate",
+ "iam:ListSigningCertificates",
+ "iam:UpdateSigningCertificate",
+ "iam:UploadSigningCertificate"
+ ],
+ "Resource": "arn:aws:iam::*:user/${aws:username}"
+ },
+ {
+ "Sid": "AllowManageOwnSSHPublicKeys",
+ "Effect": "Allow",
+ "Action": [
+ "iam:DeleteSSHPublicKey",
+ "iam:GetSSHPublicKey",
+ "iam:ListSSHPublicKeys",
+ "iam:UpdateSSHPublicKey",
+ "iam:UploadSSHPublicKey"
+ ],
+ "Resource": "arn:aws:iam::*:user/${aws:username}"
+ },
+ {
+ "Sid": "AllowManageOwnGitCredentials",
+ "Effect": "Allow",
+ "Action": [
+ "iam:CreateServiceSpecificCredential",
+ "iam:DeleteServiceSpecificCredential",
+ "iam:ListServiceSpecificCredentials",
+ "iam:ResetServiceSpecificCredential",
+ "iam:UpdateServiceSpecificCredential"
+ ],
+ "Resource": "arn:aws:iam::*:user/${aws:username}"
+ },
+ {
+ "Sid": "AllowManageOwnVirtualMFADevice",
+ "Effect": "Allow",
+ "Action": [
+ "iam:CreateVirtualMFADevice",
+ "iam:DeleteVirtualMFADevice"
+ ],
+ "Resource": "arn:aws:iam::*:mfa/${aws:username}"
+ },
+ {
+ "Sid": "AllowManageOwnUserMFA",
+ "Effect": "Allow",
+ "Action": [
+ "iam:DeactivateMFADevice",
+ "iam:EnableMFADevice",
+ "iam:ListMFADevices",
+ "iam:ResyncMFADevice"
+ ],
+ "Resource": "arn:aws:iam::*:user/${aws:username}"
+ },
+ {
+ "Sid":
"DenyAllExceptListedIfNoMFA", + "Effect": "Deny", + "NotAction": [ + "iam:CreateVirtualMFADevice", + "iam:EnableMFADevice", + "iam:GetUser", + "iam:ListMFADevices", + "iam:ListVirtualMFADevices", + "iam:ResyncMFADevice", + "sts:GetSessionToken" + ], + "Resource": "*", + "Condition": { + "BoolIfExists": { + "aws:MultiFactorAuthPresent": "false" + } + } + } + ] +} diff --git a/README.md b/README.md index e7b0ea4..e6cef46 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,4 @@ En este repositorio guardo ejemplos de polĂ­ticas AWS +Referencias: https://docs.aws.amazon.com/es_es/IAM/latest/UserGuide/access_policies_examples.html diff --git a/denegarAccesoS3noCuentaMenosAWSdataExchange.json b/denegarAccesoS3noCuentaMenosAWSdataExchange.json new file mode 100644 index 0000000..10a4977 --- /dev/null +++ b/denegarAccesoS3noCuentaMenosAWSdataExchange.json @@ -0,0 +1,44 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "DenyAllAwsReourcesOutsideAccountExceptAmazonS3", + "Effect": "Deny", + "NotAction": [ + "s3:GetObject", + "s3:PutObject", + "s3:PutObjectAcl" + ], + "Resource": "*", + "Condition": { + "StringNotEquals": { + "aws:ResourceAccount": [ + "111122223333" + ] + } + } + }, + { + "Sid": "DenyAllS3ResourcesOutsideAccountExceptDataExchange", + "Effect": "Deny", + "Action": [ + "s3:GetObject", + "s3:PutObject", + "s3:PutObjectAcl" + ], + "Resource": "*", + "Condition": { + "StringNotEquals": { + "aws:ResourceAccount": [ + "111122223333" + ] + }, + "ForAllValues:StringNotEquals": { + "aws:CalledVia": [ + "dataexchange.amazonaws.com" + ] + } + } + } + ] +} diff --git a/denegarAmazonSNSmenosCloudFormation.json b/denegarAmazonSNSmenosCloudFormation.json new file mode 100644 index 0000000..2d3387a --- /dev/null +++ b/denegarAmazonSNSmenosCloudFormation.json 
@@ -0,0 +1,40 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "DenyAllAwsResourcesOutsideAccountExceptSNS",
+ "Effect": "Deny",
+ "NotAction": [
+ "sns:*"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "StringNotEquals": {
+ "aws:ResourceAccount": [
+ "111122223333"
+ ]
+ }
+ }
+ },
+ {
+ "Sid": "DenyAllSNSResourcesOutsideAccountExceptCloudFormation",
+ "Effect": "Deny",
+ "Action": [
+ "sns:*"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "StringNotEquals": {
+ "aws:ResourceAccount": [
+ "111122223333"
+ ]
+ },
+ "ForAllValues:StringNotEquals": {
+ "aws:CalledVia": [
+ "cloudformation.amazonaws.com"
+ ]
+ }
+ }
+ }
+ ]
+}
diff --git a/denegarDataPipelineNoUser.json b/denegarDataPipelineNoUser.json
new file mode 100644
index 0000000..f91e4da
--- /dev/null
+++ b/denegarDataPipelineNoUser.json
@@ -0,0 +1,31 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "ExplicitDenyIfNotTheOwner",
+ "Effect": "Deny",
+ "Action": [
+ "datapipeline:ActivatePipeline",
+ "datapipeline:AddTags",
+ "datapipeline:DeactivatePipeline",
+ "datapipeline:DeletePipeline",
+ "datapipeline:DescribeObjects",
+ "datapipeline:EvaluateExpression",
+ "datapipeline:GetPipelineDefinition",
+ "datapipeline:PollForTask",
+ "datapipeline:PutPipelineDefinition",
+ "datapipeline:QueryObjects",
+ "datapipeline:RemoveTags",
+ "datapipeline:ReportTaskProgress",
+ "datapipeline:ReportTaskRunnerHeartbeat",
+ "datapipeline:SetStatus",
+ "datapipeline:SetTaskStatus",
+ "datapipeline:ValidatePipelineDefinition"
+ ],
+ "Resource": ["*"],
+ "Condition": {
+ "StringNotEquals": {"datapipeline:PipelineCreator": "${aws:userid}"}
+ }
+ }
+ ]
+}
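Review bot: denegarDataPipelineNoUser.json contains only a Deny, so on its own it grants nothing and the intended per-creator isolation depends on a separate `datapipeline` Allow that is not part of this commit; the README should name the Allow it is meant to sit beside. The `datapipeline:PipelineCreator` vs `${aws:userid}` comparison behaves as expected for IAM users, but for assumed roles `aws:userid` takes the form `<role-id>:<session-name>`, so ownership is effectively keyed on the session name rather than a person; that caveat is worth a README line. `"Resource": ["*"]` is written as an array here while the sibling policies use a bare string; both are valid, but one form keeps the set consistent.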