From b6f91affe01084ca90628ab9c373fdd17c2a5f97 Mon Sep 17 00:00:00 2001
From: vergman2
Date: Wed, 31 Aug 2022 14:22:42 +0200
Subject: [PATCH] Primeras politicas
---
 AccesoAmazonDynamoDBatributo.json | 28 +++++
 AccesoAmazonDynamoDBidCognito.json | 21 ++++
 AccesoAmazonDynamoDBtabla.json | 34 ++++++
 AccesoConcretoMFAfecha.json | 17 +++
 HabilitarDeshaAZ.json | 26 +++++
 IAMporMFAMySecurityCredentials.json | 108 ++++++++++++++++++
 README.md | 1 +
 ...rAccesoS3noCuentaMenosAWSdataExchange.json | 44 +++++++
 denegarAmazonSNSmenosCloudFormation.json | 40 +++++++
 denegarDataPipelineNoUser.json | 31 +++++
 10 files changed, 350 insertions(+)
 create mode 100644 AccesoAmazonDynamoDBatributo.json
 create mode 100644 AccesoAmazonDynamoDBidCognito.json
 create mode 100644 AccesoAmazonDynamoDBtabla.json
 create mode 100644 AccesoConcretoMFAfecha.json
 create mode 100644 HabilitarDeshaAZ.json
 create mode 100644 IAMporMFAMySecurityCredentials.json
 create mode 100644 denegarAccesoS3noCuentaMenosAWSdataExchange.json
 create mode 100644 denegarAmazonSNSmenosCloudFormation.json
 create mode 100644 denegarDataPipelineNoUser.json
diff --git a/AccesoAmazonDynamoDBatributo.json b/AccesoAmazonDynamoDBatributo.json
new file mode 100644
index 0000000..61a6c3b
--- /dev/null
+++ b/AccesoAmazonDynamoDBatributo.json
@@ -0,0 +1,28 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "dynamodb:GetItem",
+ "dynamodb:BatchGetItem",
+ "dynamodb:Query",
+ "dynamodb:PutItem",
+ "dynamodb:UpdateItem",
+ "dynamodb:DeleteItem",
+ "dynamodb:BatchWriteItem"
+ ],
+ "Resource": ["arn:aws:dynamodb:*:*:table/table-name"],
+ "Condition": {
+ "ForAllValues:StringEquals": {
+ "dynamodb:Attributes": [
+ "column-name-1",
+ "column-name-2",
+ "column-name-3"
+ ]
+ },
+ "StringEqualsIfExists": {"dynamodb:Select": "SPECIFIC_ATTRIBUTES"}
+ }
+ }
+ ]
+}
diff --git a/AccesoAmazonDynamoDBidCognito.json b/AccesoAmazonDynamoDBidCognito.json
new file mode 100644
index 0000000..4a60451
--- /dev/null
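Review bot: The attribute allow-list in this statement does not constrain what the write actions echo back: `PutItem`, `UpdateItem` and `DeleteItem` accept `ReturnValues=ALL_OLD`/`ALL_NEW`, which returns the whole item, so the `dynamodb:Attributes` restriction can presumably be read around on those calls. The DynamoDB fine-grained-access guidance pairs this pattern with a `ReturnValues` constraint; extend the existing clause to `"StringEqualsIfExists": {"dynamodb:Select": "SPECIFIC_ATTRIBUTES", "dynamodb:ReturnValues": ["NONE", "UPDATED_OLD", "UPDATED_NEW"]}`. Note that `ForAllValues` evaluates to true when a request carries no `dynamodb:Attributes` at all, which is why the `Select` clause is load-bearing and must not be removed. The `Resource` ARN wildcards both region and account and still carries the documentation placeholder `table-name`; pin those before the policy is attached.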
+++ b/AccesoAmazonDynamoDBidCognito.json
@@ -0,0 +1,21 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "dynamodb:DeleteItem",
+ "dynamodb:GetItem",
+ "dynamodb:PutItem",
+ "dynamodb:Query",
+ "dynamodb:UpdateItem"
+ ],
+ "Resource": ["arn:aws:dynamodb:*:*:table/MyTable"],
+ "Condition": {
+ "ForAllValues:StringEquals": {
+ "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"]
+ }
+ }
+ }
+ ]
+}
diff --git a/AccesoAmazonDynamoDBtabla.json b/AccesoAmazonDynamoDBtabla.json
new file mode 100644
index 0000000..79fa394
--- /dev/null
+++ b/AccesoAmazonDynamoDBtabla.json
@@ -0,0 +1,34 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "ListAndDescribe",
+ "Effect": "Allow",
+ "Action": [
+ "dynamodb:List*",
+ "dynamodb:DescribeReservedCapacity*",
+ "dynamodb:DescribeLimits",
+ "dynamodb:DescribeTimeToLive"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "SpecificTable",
+ "Effect": "Allow",
+ "Action": [
+ "dynamodb:BatchGet*",
+ "dynamodb:DescribeStream",
+ "dynamodb:DescribeTable",
+ "dynamodb:Get*",
+ "dynamodb:Query",
+ "dynamodb:Scan",
+ "dynamodb:BatchWrite*",
+ "dynamodb:CreateTable",
+ "dynamodb:Delete*",
+ "dynamodb:Update*",
+ "dynamodb:PutItem"
+ ],
+ "Resource": "arn:aws:dynamodb:*:*:table/MyTable"
+ }
+ ]
+}
diff --git a/AccesoConcretoMFAfecha.json b/AccesoConcretoMFAfecha.json
new file mode 100644
index 0000000..cc0fdd4
--- /dev/null
+++ b/AccesoConcretoMFAfecha.json
@@ -0,0 +1,17 @@
+{
+ "Version": "2012-10-17",
+ "Statement": {
+ "Effect": "Allow",
+ "Action": [
+ "service-prefix-1:*",
+ "service-prefix-2:action-name-a",
+ "service-prefix-2:action-name-b"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "Bool": {"aws:MultiFactorAuthPresent": true},
+ "DateGreaterThan": {"aws:CurrentTime": "2017-07-01T00:00:00Z"},
+ "DateLessThan": {"aws:CurrentTime": "2017-12-31T23:59:59Z"}
+ }
+ }
+}
diff --git a/HabilitarDeshaAZ.json b/HabilitarDeshaAZ.json
new file mode 100644
index 0000000..57bc4eb
--- /dev/null
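Review bot: The `${cognito-identity.amazonaws.com:sub}` variable is only populated when the caller authenticated through an Amazon Cognito identity pool; attached to any other principal the condition cannot match and every listed action is refused, so the policy fails closed but is unusable outside the Cognito-role flow, which is worth recording in a statement id such as `"Sid": "CognitoIdentityOwnsPartitionKey",`. `dynamodb:LeadingKeys` checks only the partition key of the base table: if `Resource` is ever widened to `table/MyTable/index/*`, every index added must also be keyed on the Cognito sub, or users can read each other's rows through the index. The ARN `arn:aws:dynamodb:*:*:table/MyTable` wildcards both region and account; pin at least the account ID.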
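Review bot: The `SpecificTable` statement grants table-lifecycle control, not just item access: `dynamodb:Delete*` matches `DeleteTable` and `DeleteBackup`, `dynamodb:Update*` matches `UpdateTable`, `UpdateTimeToLive` and `UpdateContinuousBackups`, and `dynamodb:CreateTable` is listed explicitly, so a principal meant to read and write rows in `MyTable` can also drop the table. If the intent is data-plane access, replace the two wildcards with the item actions `"dynamodb:DeleteItem",` and `"dynamodb:UpdateItem",` and remove `"dynamodb:CreateTable",`. `dynamodb:Scan` returns every item in the table; keep it only if a full read is actually required by the workload.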
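Review bot: As committed the statement grants nothing, because `DateLessThan` on `aws:CurrentTime` is `2017-12-31T23:59:59Z` and the window has long closed; the dates are documentation placeholders that must be updated before this template is attached. `service-prefix-1:*` on `"Resource": "*"` is a full-service wildcard; name the actions and resources the task needs instead. Using `Bool` rather than `BoolIfExists` is the right choice here, since `aws:MultiFactorAuthPresent` is absent for long-term access-key calls and `Bool` then evaluates false, keeping the allow MFA-only; if the MFA session should also be fresh, add `"NumericLessThan": {"aws:MultiFactorAuthAge": "3600"}` to the same `Condition`.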
+++ b/HabilitarDeshaAZ.json
@@ -0,0 +1,26 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "EnableDisableHongKong",
+ "Effect": "Allow",
+ "Action": [
+ "account:EnableRegion",
+ "account:DisableRegion"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "StringEquals": {"account:TargetRegion": "ap-east-1"}
+ }
+ },
+ {
+ "Sid": "ViewConsole",
+ "Effect": "Allow",
+ "Action": [
+ "aws-portal:ViewAccount",
+ "account:ListRegions"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
diff --git a/IAMporMFAMySecurityCredentials.json b/IAMporMFAMySecurityCredentials.json
new file mode 100644
index 0000000..5cb4332
--- /dev/null
+++ b/IAMporMFAMySecurityCredentials.json
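Review bot: `aws-portal:ViewAccount` in the `ViewConsole` statement is one of the legacy billing actions that AWS has been replacing with fine-grained `account:` and `billing:` actions; whether it still takes effect depends on the account's migration status, so verify it here and, if needed, pair it with `"account:GetAccountInformation"`. Granting `account:EnableRegion` for `ap-east-1` extends the account into a region that existing guardrails may not cover; confirm that CloudTrail, Config and any detection tooling are enabled there first, and consider gating this statement on MFA with `"Bool": {"aws:MultiFactorAuthPresent": "true"}` alongside the existing `account:TargetRegion` check. Pinning `account:TargetRegion` to one literal value with `StringEquals` is the right shape and should stay that way rather than become a wildcard.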
@@ -0,0 +1,108 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "AllowViewAccountInfo",
+ "Effect": "Allow",
+ "Action": [
+ "iam:GetAccountPasswordPolicy",
+ "iam:ListVirtualMFADevices"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "AllowManageOwnPasswords",
+ "Effect": "Allow",
+ "Action": [
+ "iam:ChangePassword",
+ "iam:GetUser"
+ ],
+ "Resource": "arn:aws:iam::*:user/${aws:username}"
+ },
+ {
+ "Sid": "AllowManageOwnAccessKeys",
+ "Effect": "Allow",
+ "Action": [
+ "iam:CreateAccessKey",
+ "iam:DeleteAccessKey",
+ "iam:ListAccessKeys",
+ "iam:UpdateAccessKey"
+ ],
+ "Resource": "arn:aws:iam::*:user/${aws:username}"
+ },
+ {
+ "Sid": "AllowManageOwnSigningCertificates",
+ "Effect": "Allow",
+ "Action": [
+ "iam:DeleteSigningCertificate",
+ "iam:ListSigningCertificates",
+ "iam:UpdateSigningCertificate",
+ "iam:UploadSigningCertificate"
+ ],
+ "Resource": "arn:aws:iam::*:user/${aws:username}"
+ },
+ {
+ "Sid": "AllowManageOwnSSHPublicKeys",
+ "Effect": "Allow",
+ "Action": [
+ "iam:DeleteSSHPublicKey",
+ "iam:GetSSHPublicKey",
+ "iam:ListSSHPublicKeys",
+ "iam:UpdateSSHPublicKey",
+ "iam:UploadSSHPublicKey"
+ ],
+ "Resource": "arn:aws:iam::*:user/${aws:username}"
+ },
+ {
+ "Sid": "AllowManageOwnGitCredentials",
+ "Effect": "Allow",
+ "Action": [
+ "iam:CreateServiceSpecificCredential",
+ "iam:DeleteServiceSpecificCredential",
+ "iam:ListServiceSpecificCredentials",
+ "iam:ResetServiceSpecificCredential",
+ "iam:UpdateServiceSpecificCredential"
+ ],
+ "Resource": "arn:aws:iam::*:user/${aws:username}"
+ },
+ {
+ "Sid": "AllowManageOwnVirtualMFADevice",
+ "Effect": "Allow",
+ "Action": [
+ "iam:CreateVirtualMFADevice",
+ "iam:DeleteVirtualMFADevice"
+ ],
+ "Resource": "arn:aws:iam::*:mfa/${aws:username}"
+ },
+ {
+ "Sid": "AllowManageOwnUserMFA",
+ "Effect": "Allow",
+ "Action": [
+ "iam:DeactivateMFADevice",
+ "iam:EnableMFADevice",
+ "iam:ListMFADevices",
+ "iam:ResyncMFADevice"
+ ],
+ "Resource": "arn:aws:iam::*:user/${aws:username}"
+ },
+ {
+ "Sid": 
"DenyAllExceptListedIfNoMFA",
+ "Effect": "Deny",
+ "NotAction": [
+ "iam:CreateVirtualMFADevice",
+ "iam:EnableMFADevice",
+ "iam:GetUser",
+ "iam:ListMFADevices",
+ "iam:ListVirtualMFADevices",
+ "iam:ResyncMFADevice",
+ "sts:GetSessionToken"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "BoolIfExists": {
+ "aws:MultiFactorAuthPresent": "false"
+ }
+ }
+ }
+ ]
+}
diff --git a/README.md b/README.md
index e7b0ea4..e6cef46 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,4 @@ En este repositorio guardo ejemplos de polĂ­ticas AWS
+Referencias: https://docs.aws.amazon.com/es_es/IAM/latest/UserGuide/access_policies_examples.html
diff --git a/denegarAccesoS3noCuentaMenosAWSdataExchange.json b/denegarAccesoS3noCuentaMenosAWSdataExchange.json
new file mode 100644
index 0000000..10a4977
--- /dev/null
+++ b/denegarAccesoS3noCuentaMenosAWSdataExchange.json
@@ -0,0 +1,44 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "DenyAllAwsReourcesOutsideAccountExceptAmazonS3",
+ "Effect": "Deny",
+ "NotAction": [
+ "s3:GetObject",
+ "s3:PutObject",
+ "s3:PutObjectAcl"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "StringNotEquals": {
+ "aws:ResourceAccount": [
+ "111122223333"
+ ]
+ }
+ }
+ },
+ {
+ "Sid": "DenyAllS3ResourcesOutsideAccountExceptDataExchange",
+ "Effect": "Deny",
+ "Action": [
+ "s3:GetObject",
+ "s3:PutObject",
+ "s3:PutObjectAcl"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "StringNotEquals": {
+ "aws:ResourceAccount": [
+ "111122223333"
+ ]
+ },
+ "ForAllValues:StringNotEquals": {
+ "aws:CalledVia": [
+ "dataexchange.amazonaws.com"
+ ]
+ }
+ }
+ }
+ ]
+}
diff --git a/denegarAmazonSNSmenosCloudFormation.json b/denegarAmazonSNSmenosCloudFormation.json
new file mode 100644
index 0000000..2d3387a
--- /dev/null
+++ b/denegarAmazonSNSmenosCloudFormation.json
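Review bot: Every scoped `Resource` in this policy depends on `${aws:username}`, which IAM populates only for IAM users; attached to a role or federated session those ARNs resolve to nothing and only the two `"Resource": "*"` statements plus the `DenyAllExceptListedIfNoMFA` deny take effect, so this should be attached to users or groups only and the README should say so. `AllowViewAccountInfo` grants `iam:ListVirtualMFADevices` on `*`, which enumerates every virtual MFA device in the account and its assigned user; the console page needs it, but it is account-wide disclosure worth knowing about. The deny correctly uses `BoolIfExists` with `"false"`: for long-term access-key calls `aws:MultiFactorAuthPresent` is absent and `IfExists` then treats the condition as matched, so non-MFA CLI use is blocked except for the `sts:GetSessionToken` exemption that lets a user mint an MFA session. An MFA-authenticated user can still `iam:DeactivateMFADevice` and `iam:DeleteVirtualMFADevice` on their own device, so a hijacked MFA session can downgrade the account; if that is unacceptable, move those two actions out of the self-service statements into an admin-only policy.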
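Review bot: Both statements hard-code the documentation placeholder `111122223333` as the `aws:ResourceAccount` value; it must be replaced with the real account, and because it appears twice it will drift if only one copy is edited — the IAM docs show `"aws:ResourceAccount": "${aws:PrincipalAccount}"` for exactly this identity-policy case, which ties the perimeter to the caller's own account without a literal. `StringNotEquals` also matches when the key is missing from the request context, so any action for which `aws:ResourceAccount` is not populated is denied by the first statement; test the policy against the account's real workloads rather than assuming only cross-account calls are affected. The first `Sid` misspells "Resources" (`DenyAllAwsReourcesOutsideAccountExceptAmazonS3`); rename it to `"Sid": "DenyAllAwsResourcesOutsideAccountExceptAmazonS3",` while the file is new, since the sibling SNS policy already uses the correct spelling.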
@@ -0,0 +1,40 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "DenyAllAwsResourcesOutsideAccountExceptSNS",
+ "Effect": "Deny",
+ "NotAction": [
+ "sns:*"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "StringNotEquals": {
+ "aws:ResourceAccount": [
+ "111122223333"
+ ]
+ }
+ }
+ },
+ {
+ "Sid": "DenyAllSNSResourcesOutsideAccountExceptCloudFormation",
+ "Effect": "Deny",
+ "Action": [
+ "sns:*"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "StringNotEquals": {
+ "aws:ResourceAccount": [
+ "111122223333"
+ ]
+ },
+ "ForAllValues:StringNotEquals": {
+ "aws:CalledVia": [
+ "cloudformation.amazonaws.com"
+ ]
+ }
+ }
+ }
+ ]
+}
diff --git a/denegarDataPipelineNoUser.json b/denegarDataPipelineNoUser.json
new file mode 100644
index 0000000..f91e4da
--- /dev/null
+++ b/denegarDataPipelineNoUser.json
@@ -0,0 +1,31 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "ExplicitDenyIfNotTheOwner",
+ "Effect": "Deny",
+ "Action": [
+ "datapipeline:ActivatePipeline",
+ "datapipeline:AddTags",
+ "datapipeline:DeactivatePipeline",
+ "datapipeline:DeletePipeline",
+ "datapipeline:DescribeObjects",
+ "datapipeline:EvaluateExpression",
+ "datapipeline:GetPipelineDefinition",
+ "datapipeline:PollForTask",
+ "datapipeline:PutPipelineDefinition",
+ "datapipeline:QueryObjects",
+ "datapipeline:RemoveTags",
+ "datapipeline:ReportTaskProgress",
+ "datapipeline:ReportTaskRunnerHeartbeat",
+ "datapipeline:SetStatus",
+ "datapipeline:SetTaskStatus",
+ "datapipeline:ValidatePipelineDefinition"
+ ],
+ "Resource": ["*"],
+ "Condition": {
+ "StringNotEquals": {"datapipeline:PipelineCreator": "${aws:userid}"}
+ }
+ }
+ ]
+}
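Review bot: This policy and `denegarAccesoS3noCuentaMenosAWSdataExchange.json` cannot be attached to the same principal: the first statement here denies every non-`sns:*` action on resources outside `111122223333`, which includes the cross-account `s3:GetObject` the other file deliberately exempts, and that file's first statement in turn denies the cross-account `sns:*` exempted here, so combining them closes both carve-outs because an explicit deny always wins. If one identity needs both exceptions, merge them into a single perimeter policy whose first statement uses `"NotAction": ["sns:*", "s3:GetObject", "s3:PutObject", "s3:PutObjectAcl"]` and keeps the two service-specific deny statements. The account ID is the documentation placeholder and appears twice; replace it in both places, or use `"${aws:PrincipalAccount}"` as the `aws:ResourceAccount` value so the perimeter follows the caller's account.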
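Review bot: `${aws:userid}` resolves to `ROLEID:session-name` for assumed-role callers, so a pipeline created from a role is owned by that particular session name and a later session of the same role with a different name is denied by `ExplicitDenyIfNotTheOwner`; this template only behaves as "owner only" for IAM users or for roles with fixed session names, which should be stated in the README or in the `Sid`. The deny list omits `datapipeline:DescribePipelines` and `datapipeline:ListPipelines`, so non-owners can still enumerate and describe pipelines if another statement allows it — fine if intentional, but worth recording. As far as I know AWS has closed Data Pipeline to new customers, so check whether this policy is still needed before it is reused.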