
IAM: limitar escalado de permisos para administradores IAM

Javi Oct 10th, 2019 78 Never
  1. {
  2.  "SSid" : "DenegarManipulacionDeBoundaries",
  3.  "Effect" : "Deny",
  4.  "Action" : [
  5.     "iam:PutRolePermissionsBoundary",
  6.     "iam:PutUserPermissionsBoundary",
  7.     "iam:DeleteRolePermissionsBoundary",
  8.     "iam:DeleteUserPermissionsBoundary"
  9.  ],
  10.  "Resource" : "*"
  11. },
  12. {
  13.  "SSid" : "PermitirOperacionesIAMVarias",
  14.  "Effect" : "Allow",
  15.  "Action" : [
  16.     "iam:Get*",
  17.     "iam:List*",
  18.     "iam:AddUserToGroup",
  19.     "iam:ChangePassword",
  20.     "iam:CreateAccessKey",
  21.     "iam:CreateGroup",
  22.     "iam:DeleteAccessKey",
  23.     "iam:DeleteGroup",
  24.     "iam:DeleteInstanceProfile",
  25.     "iam:DeleteLoginProfile",
  26.     "iam:GetAccessKeyLastUsed",
  27.     "iam:RemoveRoleFromInstanceProfile",
  28.     "iam:RemoveUserFromGroup",
  29.     "iam:SetDefaultPolicyVersion",
  30.     "iam:SimulateCustomPolicy",
  31.     "iam:SimulatePrincipalPolicy",
  32.     "iam:TagRole",
  33.     "iam:TagUser",
  34.     "iam:UntagRole",
  35.     "iam:UntagUser",
  36.     "iam:UpdateAccessKey",
  37.     "iam:UpdateAssumeRolePolicy",
  38.     "iam:UpdateRoleDescription"
  39.  ],
  40.  "Resource" : "*"
  41. },
  42. {
  43.  "SSid" : "PermitirOperacionesIAMPeroObligandoBoundary"
  44.  "Effect" : "Allow",
  45.  "Action" : [
  46.     "iam:AttachGroupPolicy",
  47.     "iam:AttachRolePolicy",
  48.     "iam:AttachUserPolicy",
  49.     "iam:CreateInstanceProfile",
  50.     "iam:CreateLoginProfile",
  51.     "iam:CreatePolicy",
  52.     "iam:CreatePolicyVersion",
  53.     "iam:CreateRole",
  54.     "iam:CreateUser",
  55.     "iam:DeleteGroupPolicy",
  56.     "iam:DeletePolicyVersion",
  57.     "iam:DeleteRole",
  58.     "iam:DeleteRolePolicy",
  59.     "iam:DeleteUser",
  60.     "iam:DeleteUserPolicy",
  61.     "iam:DetachGroupPolicy",
  62.     "iam:DetachRolePolicy",
  63.     "iam:DetachUserPolicy",
  64.     "iam:PutGroupPolicy",
  65.     "iam:PutRolePolicy",
  66.     "iam:PutUserPolicy",
  67.     "iam:UpdateGroup",
  68.     "iam:UpdateLoginProfile",
  69.     "iam:UpdateRole",
  70.     "iam:UpdateUser"
  71.  ],
  72.  "Resource": "arn:aws:iam::12345678:user/prefijodelnombredemisusuarios-*",
  73.  "Condition" {
  74.     "StringEquals" : {
  75.         "iam:PermissionBoundary" : "arn:aws:iam::12345678:policy/MiBoundaryLimitada"
  76.     }
  77.  }
  78. },
  79. {
  80.   "SSid" : ""
  81.   "Effect" : "Allow",
  82.   "Action" : [
  83.     "iam:PassRole",
  84.     "iam:AddRoleToInstanceProfile"
  85.   ]
  86.   "Resource" : "arn:aws:iam::12345678:user/prefijodelnombredemisusuarios-*"
  87. }