Updates AWS managed policies

udondan · Sep 4, 2024 · 432e443 · 432e443
1 parent 7ffcbb1
commit 432e443
Show file tree

Hide file tree

Showing 34 changed files with 744 additions and 59 deletions.
diff --git a/docs/source/_static/managed-policies/AWSCompromisedKeyQuarantineV3.json b/docs/source/_static/managed-policies/AWSCompromisedKeyQuarantineV3.json
@@ -0,0 +1,73 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Deny",
+      "Action": [
+        "cloudtrail:LookupEvents",
+        "ec2:RequestSpotInstances",
+        "ec2:RunInstances",
+        "ec2:StartInstances",
+        "iam:AddUserToGroup",
+        "iam:AttachGroupPolicy",
+        "iam:AttachRolePolicy",
+        "iam:AttachUserPolicy",
+        "iam:ChangePassword",
+        "iam:CreateAccessKey",
+        "iam:CreateInstanceProfile",
+        "iam:CreateLoginProfile",
+        "iam:CreatePolicyVersion",
+        "iam:CreateRole",
+        "iam:CreateUser",
+        "iam:DetachUserPolicy",
+        "iam:PassRole",
+        "iam:PutGroupPolicy",
+        "iam:PutRolePolicy",
+        "iam:PutUserPermissionsBoundary",
+        "iam:PutUserPolicy",
+        "iam:SetDefaultPolicyVersion",
+        "iam:UpdateAccessKey",
+        "iam:UpdateAccountPasswordPolicy",
+        "iam:UpdateAssumeRolePolicy",
+        "iam:UpdateLoginProfile",
+        "iam:UpdateUser",
+        "lambda:AddLayerVersionPermission",
+        "lambda:AddPermission",
+        "lambda:CreateFunction",
+        "lambda:GetPolicy",
+        "lambda:ListTags",
+        "lambda:PutProvisionedConcurrencyConfig",
+        "lambda:TagResource",
+        "lambda:UntagResource",
+        "lambda:UpdateFunctionCode",
+        "lightsail:Create*",
+        "lightsail:Delete*",
+        "lightsail:DownloadDefaultKeyPair",
+        "lightsail:GetInstanceAccessDetails",
+        "lightsail:Start*",
+        "lightsail:Update*",
+        "organizations:CreateAccount",
+        "organizations:CreateOrganization",
+        "organizations:InviteAccountToOrganization",
+        "s3:DeleteBucket",
+        "s3:DeleteObject",
+        "s3:DeleteObjectVersion",
+        "s3:PutLifecycleConfiguration",
+        "s3:PutBucketAcl",
+        "s3:PutBucketOwnershipControls",
+        "s3:DeleteBucketPolicy",
+        "s3:ObjectOwnerOverrideToBucketOwner",
+        "s3:PutAccountPublicAccessBlock",
+        "s3:PutBucketPolicy",
+        "s3:ListAllMyBuckets",
+        "ec2:PurchaseReservedInstancesOffering",
+        "ec2:AcceptReservedInstancesExchangeQuote",
+        "ec2:CreateReservedInstancesListing",
+        "savingsplans:CreateSavingsPlan"
+      ],
+      "Resource": [
+        "*"
+      ]
+    }
+  ]
+}
diff --git a/docs/source/_static/managed-policies/AWSDataExchangeProviderFullAccess.json b/docs/source/_static/managed-policies/AWSDataExchangeProviderFullAccess.json
@@ -2,6 +2,7 @@
   "Version": "2012-10-17",
   "Statement": [
     {
+      "Sid": "DataExchangeActions",
       "Effect": "Allow",
       "Action": [
         "dataexchange:CreateDataSet",
@@ -16,12 +17,14 @@
         "dataexchange:PublishDataSet",
         "dataexchange:SendApiAsset",
         "dataexchange:RevokeRevision",
+        "dataexchange:SendDataSetNotification",
         "tag:GetTagKeys",
         "tag:GetTagValues"
       ],
       "Resource": "*"
     },
     {
+      "Sid": "DataExchangeJobsActions",
       "Effect": "Allow",
       "Action": [
         "dataexchange:CreateJob",
@@ -43,6 +46,7 @@
       }
     },
     {
+      "Sid": "S3GetActionConditionalResourceAndADX",
       "Effect": "Allow",
       "Action": "s3:GetObject",
       "Resource": "arn:aws:s3:::*aws-data-exchange*",
@@ -55,6 +59,7 @@
       }
     },
     {
+      "Sid": "S3GetActionConditionalTagAndADX",
       "Effect": "Allow",
       "Action": "s3:GetObject",
       "Resource": "*",
@@ -70,6 +75,7 @@
       }
     },
     {
+      "Sid": "S3WriteActions",
       "Effect": "Allow",
       "Action": [
         "s3:PutObject",
@@ -85,6 +91,7 @@
       }
     },
     {
+      "Sid": "S3ReadActions",
       "Effect": "Allow",
       "Action": [
         "s3:GetBucketLocation",
@@ -94,6 +101,7 @@
       "Resource": "*"
     },
     {
+      "Sid": "AWSMarketplaceActions",
       "Effect": "Allow",
       "Action": [
         "aws-marketplace:DescribeEntity",
@@ -113,6 +121,7 @@
       "Resource": "*"
     },
     {
+      "Sid": "KMSActions",
       "Effect": "Allow",
       "Action": [
         "kms:DescribeKey",
@@ -122,6 +131,7 @@
       "Resource": "*"
     },
     {
+      "Sid": "RedshiftConditionalActions",
       "Effect": "Allow",
       "Action": [
         "redshift:AuthorizeDataShare"
@@ -134,6 +144,7 @@
       }
     },
     {
+      "Sid": "RedshiftActions",
       "Effect": "Allow",
       "Action": [
         "redshift:DescribeDataSharesForProducer",
@@ -142,6 +153,7 @@
       "Resource": "*"
     },
     {
+      "Sid": "APIGatewayActions",
       "Effect": "Allow",
       "Action": [
         "apigateway:GET"

diff --git a/docs/source/_static/managed-policies/AWSPCSServiceRolePolicy.json b/docs/source/_static/managed-policies/AWSPCSServiceRolePolicy.json
@@ -0,0 +1,210 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "PermissionsToCreatePCSNetworkInterfaces",
+      "Effect": "Allow",
+      "Action": [
+        "ec2:CreateNetworkInterface"
+      ],
+      "Resource": "arn:aws:ec2:*:*:network-interface/*",
+      "Condition": {
+        "Null": {
+          "aws:RequestTag/AWSPCSManaged": "false"
+        }
+      }
+    },
+    {
+      "Sid": "PermissionsToCreatePCSNetworkInterfacesInSubnet",
+      "Effect": "Allow",
+      "Action": [
+        "ec2:CreateNetworkInterface"
+      ],
+      "Resource": [
+        "arn:aws:ec2:*:*:subnet/*",
+        "arn:aws:ec2:*:*:security-group/*"
+      ]
+    },
+    {
+      "Sid": "PermissionsToManagePCSNetworkInterfaces",
+      "Effect": "Allow",
+      "Action": [
+        "ec2:DeleteNetworkInterface",
+        "ec2:CreateNetworkInterfacePermission"
+      ],
+      "Resource": "arn:aws:ec2:*:*:network-interface/*",
+      "Condition": {
+        "Null": {
+          "aws:ResourceTag/AWSPCSManaged": "false"
+        }
+      }
+    },
+    {
+      "Sid": "PermissionsToDescribePCSResources",
+      "Effect": "Allow",
+      "Action": [
+        "ec2:DescribeSubnets",
+        "ec2:DescribeVpcs",
+        "ec2:DescribeNetworkInterfaces",
+        "ec2:DescribeLaunchTemplates",
+        "ec2:DescribeLaunchTemplateVersions",
+        "ec2:DescribeInstances",
+        "ec2:DescribeInstanceTypes",
+        "ec2:DescribeInstanceStatus",
+        "ec2:DescribeInstanceAttribute",
+        "ec2:DescribeSecurityGroups",
+        "ec2:DescribeKeyPairs",
+        "ec2:DescribeImages",
+        "ec2:DescribeImageAttribute"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Sid": "PermissionsToCreatePCSLaunchTemplates",
+      "Effect": "Allow",
+      "Action": [
+        "ec2:CreateLaunchTemplate"
+      ],
+      "Resource": "arn:aws:ec2:*:*:launch-template/*",
+      "Condition": {
+        "Null": {
+          "aws:RequestTag/AWSPCSManaged": "false"
+        }
+      }
+    },
+    {
+      "Sid": "PermissionsToManagePCSLaunchTemplates",
+      "Effect": "Allow",
+      "Action": [
+        "ec2:DeleteLaunchTemplate",
+        "ec2:DeleteLaunchTemplateVersions",
+        "ec2:CreateLaunchTemplateVersion"
+      ],
+      "Resource": "arn:aws:ec2:*:*:launch-template/*",
+      "Condition": {
+        "Null": {
+          "aws:ResourceTag/AWSPCSManaged": "false"
+        }
+      }
+    },
+    {
+      "Sid": "PermissionsToTerminatePCSManagedInstances",
+      "Effect": "Allow",
+      "Action": [
+        "ec2:TerminateInstances"
+      ],
+      "Resource": "arn:aws:ec2:*:*:instance/*",
+      "Condition": {
+        "Null": {
+          "aws:ResourceTag/AWSPCSManaged": "false"
+        }
+      }
+    },
+    {
+      "Sid": "PermissionsToPassRoleToEC2",
+      "Effect": "Allow",
+      "Action": "iam:PassRole",
+      "Resource": [
+        "arn:aws:iam::*:role/*/AWSPCS*",
+        "arn:aws:iam::*:role/AWSPCS*",
+        "arn:aws:iam::*:role/aws-pcs/*",
+        "arn:aws:iam::*:role/*/aws-pcs/*"
+      ],
+      "Condition": {
+        "StringEquals": {
+          "iam:PassedToService": [
+            "ec2.amazonaws.com"
+          ]
+        }
+      }
+    },
+    {
+      "Sid": "PermissionsToControlClusterInstanceAttributes",
+      "Effect": "Allow",
+      "Action": [
+        "ec2:RunInstances",
+        "ec2:CreateFleet"
+      ],
+      "Resource": [
+        "arn:aws:ec2:*::image/*",
+        "arn:aws:ec2:*::snapshot/*",
+        "arn:aws:ec2:*:*:subnet/*",
+        "arn:aws:ec2:*:*:network-interface/*",
+        "arn:aws:ec2:*:*:security-group/*",
+        "arn:aws:ec2:*:*:volume/*",
+        "arn:aws:ec2:*:*:key-pair/*",
+        "arn:aws:ec2:*:*:launch-template/*",
+        "arn:aws:ec2:*:*:placement-group/*",
+        "arn:aws:ec2:*:*:capacity-reservation/*",
+        "arn:aws:resource-groups:*:*:group/*",
+        "arn:aws:ec2:*:*:fleet/*",
+        "arn:aws:ec2:*:*:spot-instances-request/*"
+      ]
+    },
+    {
+      "Sid": "PermissionsToProvisionClusterInstances",
+      "Effect": "Allow",
+      "Action": [
+        "ec2:RunInstances",
+        "ec2:CreateFleet"
+      ],
+      "Resource": [
+        "arn:aws:ec2:*:*:instance/*"
+      ],
+      "Condition": {
+        "Null": {
+          "aws:RequestTag/AWSPCSManaged": "false"
+        }
+      }
+    },
+    {
+      "Sid": "PermissionsToTagPCSResources",
+      "Effect": "Allow",
+      "Action": [
+        "ec2:CreateTags"
+      ],
+      "Resource": [
+        "*"
+      ],
+      "Condition": {
+        "StringEquals": {
+          "ec2:CreateAction": [
+            "RunInstances",
+            "CreateLaunchTemplate",
+            "CreateFleet",
+            "CreateNetworkInterface"
+          ]
+        }
+      }
+    },
+    {
+      "Sid": "PermissionsToPublishMetrics",
+      "Effect": "Allow",
+      "Action": "cloudwatch:PutMetricData",
+      "Resource": "*",
+      "Condition": {
+        "StringEquals": {
+          "cloudwatch:namespace": "AWS/PCS"
+        }
+      }
+    },
+    {
+      "Sid": "PermissionsToManageSecret",
+      "Effect": "Allow",
+      "Action": [
+        "secretsmanager:DescribeSecret",
+        "secretsmanager:GetSecretValue",
+        "secretsmanager:PutSecretValue",
+        "secretsmanager:UpdateSecretVersionStage",
+        "secretsmanager:DeleteSecret"
+      ],
+      "Resource": "arn:aws:secretsmanager:*:*:secret:pcs!*",
+      "Condition": {
+        "StringEquals": {
+          "secretsmanager:ResourceTag/aws:secretsmanager:owningService": "pcs",
+          "aws:ResourceAccount": "${aws:PrincipalAccount}"
+        }
+      }
+    }
+  ]
+}
diff --git a/docs/source/_static/managed-policies/AWSResourceExplorerServiceRolePolicy.json b/docs/source/_static/managed-policies/AWSResourceExplorerServiceRolePolicy.json
@@ -5,7 +5,8 @@
       "Sid": "CloudTrailEventsAccess",
       "Effect": "Allow",
       "Action": [
-        "cloudtrail:CreateServiceLinkedChannel"
+        "cloudtrail:CreateServiceLinkedChannel",
+        "cloudtrail:GetServiceLinkedChannel"
       ],
       "Resource": [
         "arn:aws:cloudtrail:*:*:channel/aws-service-channel/resource-explorer-2/*"