diff --git a/iam/clouds/aws/CloudGovernanceDeletePolicy.json b/iam/clouds/aws/CloudGovernanceDeletePolicy.json index 7bca5146..f2fa1870 100644 --- a/iam/clouds/aws/CloudGovernanceDeletePolicy.json +++ b/iam/clouds/aws/CloudGovernanceDeletePolicy.json @@ -1,169 +1,178 @@ { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "CostExplorer", - "Effect": "Allow", - "Action": [ - "ce:GetCostAndUsage", - "ce:GetCostForecast" - ], - "Resource": "*" - }, - { - "Sid": "EC2AccountLevel", - "Effect": "Allow", - "Action": [ - "ec2:DeleteTags", - "ec2:CreateTags" - ], - "Resource": [ - "arn:aws:ec2:*:account_id:instance/*", - "arn:aws:ec2:*:account_id:route-table/*", - "arn:aws:ec2:*:account_id:network-interface/*", - "arn:aws:ec2:*:account_id:internet-gateway/*", - "arn:aws:ec2:*:account_id:dhcp-options/*", - "arn:aws:ec2:*::snapshot/*", - "arn:aws:ec2:*:account_id:vpc/*", - "arn:aws:ec2:*:account_id:elastic-ip/*", - "arn:aws:ec2:*:account_id:network-acl/*", - "arn:aws:ec2:*:account_id:natgateway/*", - "arn:aws:ec2:*:account_id:security-group/*", - "arn:aws:ec2:*:account_id:vpc-endpoint/*", - "arn:aws:ec2:*:account_id:subnet/*", - "arn:aws:ec2:*:account_id:volume/*", - "arn:aws:ec2:*::image/*" - ] - }, - { - "Sid": "EC2ResourceLevel", - "Effect": "Allow", - "Action": [ - "ec2:DeregisterImage", - "ec2:DeleteSubnet", - "ec2:DeleteSnapshot", - "ec2:DescribeAddresses", - "ec2:DescribeInstances", - "ec2:DeleteVpcEndpoints", - "ec2:DeleteVpcPeeringConnection", - "autoscaling:DescribeLaunchConfigurations", - "ec2:DescribeRegions", - "ec2:CreateImage", - "ec2:CreateVpc", - "ec2:DescribeDhcpOptions", - "ec2:DescribeSnapshots", - "ec2:DeleteRouteTable", - "ec2:DescribeInternetGateways", - "ec2:DeleteVolume", - "ec2:DescribeNetworkInterfaces", - "autoscaling:DescribeAutoScalingGroups", - "ec2:DescribeVolumes", - "ec2:DeleteInternetGateway", - "ec2:DescribeNetworkAcls", - "ec2:DescribeRouteTables", - "ec2:DeleteNetworkAcl", - "ec2:ReleaseAddress", - "ec2:AssociateDhcpOptions", - "ec2:TerminateInstances", - "ec2:DetachNetworkInterface", - "ec2:DescribeTags", - "ec2:DescribeVpcPeeringConnections", - "ec2:ModifyNetworkInterfaceAttribute", - "ec2:DeleteNetworkInterface", - "ec2:DetachInternetGateway", - "ec2:DescribeNatGateways", - "cloudwatch:GetMetricStatistics", - "ec2:StopInstances", - "ec2:DisassociateRouteTable", - "ec2:DescribeSecurityGroups", - "ec2:RevokeSecurityGroupIngress", - "ec2:DescribeImages", - "ec2:DescribeVpcs", - "ec2:DeleteSecurityGroup", - "ec2:DescribeInstanceTypes", - "ec2:DeleteDhcpOptions", - "ec2:DeleteNatGateway", - "ec2:DescribeVpcEndpoints", - "ec2:DeleteVpc", - "ec2:DescribeSubnets" - ], - "Resource": "*" - }, - { - "Sid": "LoadBalancer", - "Effect": "Allow", - "Action": [ - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:DescribeTags", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:DescribeLoadBalancers" - ], - "Resource": "*" - }, - { - "Sid": "IAM", - "Effect": "Allow", - "Action": [ - "iam:GetRole", - "iam:DeleteAccessKey", - "iam:DeleteGroup", - "iam:TagRole", - "iam:DeleteUserPolicy", - "iam:ListRoles", - "iam:DeleteUser", - "iam:ListUserPolicies", - "iam:CreateUser", - "iam:TagUser", - "sts:AssumeRole", - "iam:RemoveUserFromGroup", - "iam:GetUserPolicy", - "iam:ListAttachedRolePolicies", - "iam:ListUsers", - "iam:GetUser", - "iam:ListAccessKeys", - "iam:ListRolePolicies", - "iam:ListAccountAliases" - ], - "Resource": "*" - }, - { - "Sid": "Pricing", - "Effect": "Allow", - "Action": "pricing:GetProducts", - "Resource": "*" - }, - { - "Sid": "S3Bucket", - "Effect": "Allow", - "Action": [ - "s3:PutObject", - "s3:GetObject", - "s3:ListAllMyBuckets", - "s3:CreateBucket", - "s3:ListBucket", - "s3:PutObjectTagging", - "s3:DeleteObject", - "s3:DeleteBucket", - "s3:putBucketTagging", - "s3:GetBucketTagging", - "s3:GetBucketLocation" - ], - "Resource": "*" - }, - { - "Sid": "CloudTrail", - "Effect": "Allow", - "Action": [ - "cloudtrail:LookupEvents", - "cloudtrail:ListTrails" - ], - "Resource": "*" - }, - { - "Sid": "CloudWatch", - "Effect": "Allow", - "Action": "cloudwatch:GetMetricData", - "Resource": "*" - } - ] + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "CostExplorer", + "Effect": "Allow", + "Action": [ + "ce:GetCostAndUsage", + "ce:GetCostForecast" + ], + "Resource": "*" + }, + { + "Sid": "EC2AccountLevel", + "Effect": "Allow", + "Action": [ + "ec2:DeleteTags", + "ec2:CreateTags" + ], + "Resource": [ + "arn:aws:ec2:*:account_id:instance/*", + "arn:aws:ec2:*:account_id:route-table/*", + "arn:aws:ec2:*:account_id:network-interface/*", + "arn:aws:ec2:*:account_id:internet-gateway/*", + "arn:aws:ec2:*:account_id:dhcp-options/*", + "arn:aws:ec2:*::snapshot/*", + "arn:aws:ec2:*:account_id:vpc/*", + "arn:aws:ec2:*:account_id:elastic-ip/*", + "arn:aws:ec2:*:account_id:network-acl/*", + "arn:aws:ec2:*:account_id:natgateway/*", + "arn:aws:ec2:*:account_id:security-group/*", + "arn:aws:ec2:*:account_id:vpc-endpoint/*", + "arn:aws:ec2:*:account_id:subnet/*", + "arn:aws:ec2:*:account_id:volume/*", + "arn:aws:ec2:*::image/*" + ] + }, + { + "Sid": "EC2ResourceLevel", + "Effect": "Allow", + "Action": [ + "ec2:DeregisterImage", + "ec2:DeleteSubnet", + "ec2:DeleteSnapshot", + "ec2:DescribeAddresses", + "ec2:DescribeInstances", + "ec2:DeleteVpcEndpoints", + "ec2:DeleteVpcPeeringConnection", + "autoscaling:DescribeLaunchConfigurations", + "ec2:DescribeRegions", + "ec2:CreateImage", + "ec2:CreateVpc", + "ec2:DescribeDhcpOptions", + "ec2:DescribeSnapshots", + "ec2:DeleteRouteTable", + "ec2:DescribeInternetGateways", + "ec2:DeleteVolume", + "ec2:DescribeNetworkInterfaces", + "autoscaling:DescribeAutoScalingGroups", + "ec2:DescribeVolumes", + "ec2:DeleteInternetGateway", + "ec2:DescribeNetworkAcls", + "ec2:DescribeRouteTables", + "ec2:DeleteNetworkAcl", + "ec2:ReleaseAddress", + "ec2:AssociateDhcpOptions", + "ec2:TerminateInstances", + "ec2:DetachNetworkInterface", + "ec2:DescribeTags", + "ec2:DescribeVpcPeeringConnections", + "ec2:ModifyNetworkInterfaceAttribute", + "ec2:DeleteNetworkInterface", + "ec2:DetachInternetGateway", + "ec2:DescribeNatGateways", + "ec2:StopInstances", + "ec2:DisassociateRouteTable", + "ec2:DescribeSecurityGroups", + "ec2:RevokeSecurityGroupIngress", + "ec2:DescribeImages", + "ec2:DescribeVpcs", + "ec2:DeleteSecurityGroup", + "ec2:DescribeInstanceTypes", + "ec2:DeleteDhcpOptions", + "ec2:DeleteNatGateway", + "ec2:DescribeVpcEndpoints", + "ec2:DeleteVpc", + "ec2:DescribeSubnets" + ], + "Resource": "*" + }, + { + "Sid": "LoadBalancer", + "Effect": "Allow", + "Action": [ + "elasticloadbalancing:DeleteLoadBalancer", + "elasticloadbalancing:DescribeTags", + "elasticloadbalancing:AddTags", + "elasticloadbalancing:DescribeLoadBalancers" + ], + "Resource": "*" + }, + { + "Sid": "IAM", + "Effect": "Allow", + "Action": [ + "iam:GetRole", + "iam:DeleteAccessKey", + "iam:DeleteGroup", + "iam:TagRole", + "iam:DeleteUserPolicy", + "iam:ListRoles", + "iam:DeleteUser", + "iam:ListUserPolicies", + "iam:CreateUser", + "iam:TagUser", + "sts:AssumeRole", + "iam:RemoveUserFromGroup", + "iam:GetUserPolicy", + "iam:ListAttachedRolePolicies", + "iam:ListUsers", + "iam:GetUser", + "iam:ListAccessKeys", + "iam:ListRolePolicies", + "iam:ListAccountAliases", + "iam:DeleteRole", + "iam:DetachRolePolicy", + "iam:DeletePolicy", + "iam:DeleteRolePolicy", + "iam:ListInstanceProfilesForRole", + "iam:RemoveRoleFromInstanceProfile", + "sts:GetCallerIdentity" + ], + "Resource": "*" + }, + { + "Sid": "Pricing", + "Effect": "Allow", + "Action": "pricing:GetProducts", + "Resource": "*" + }, + { + "Sid": "S3Bucket", + "Effect": "Allow", + "Action": [ + "s3:PutObject", + "s3:GetObject", + "s3:ListAllMyBuckets", + "s3:CreateBucket", + "s3:ListBucket", + "s3:PutObjectTagging", + "s3:DeleteObject", + "s3:DeleteBucket", + "s3:putBucketTagging", + "s3:GetBucketTagging", + "s3:GetBucketLocation" + ], + "Resource": "*" + }, + { + "Sid": "CloudTrail", + "Effect": "Allow", + "Action": [ + "cloudtrail:LookupEvents", + "cloudtrail:ListTrails" + ], + "Resource": "*" + }, + { + "Sid": "CloudWatch", + "Effect": "Allow", + "Action": [ + "cloudwatch:GetMetricStatistics", + "cloudwatch:GetMetricData" + ], + "Resource": "*" + } + ] } diff --git a/iam/clouds/aws/CloudGovernanceReadPolicy.json b/iam/clouds/aws/CloudGovernanceReadPolicy.json new file mode 100644 index 00000000..a67c8b89 --- /dev/null +++ b/iam/clouds/aws/CloudGovernanceReadPolicy.json @@ -0,0 +1,140 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "CostExplorer", + "Effect": "Allow", + "Action": [ + "ce:GetCostAndUsage", + "ce:GetCostForecast" + ], + "Resource": "*" + }, + { + "Sid": "EC2AccountLevel", + "Effect": "Allow", + "Action": [ + "ec2:CreateTags" + ], + "Resource": [ + "arn:aws:ec2:*:account_id:instance/*", + "arn:aws:ec2:*:account_id:route-table/*", + "arn:aws:ec2:*:account_id:network-interface/*", + "arn:aws:ec2:*:account_id:internet-gateway/*", + "arn:aws:ec2:*:account_id:dhcp-options/*", + "arn:aws:ec2:*::snapshot/*", + "arn:aws:ec2:*:account_id:vpc/*", + "arn:aws:ec2:*:account_id:elastic-ip/*", + "arn:aws:ec2:*:account_id:network-acl/*", + "arn:aws:ec2:*:account_id:natgateway/*", + "arn:aws:ec2:*:account_id:security-group/*", + "arn:aws:ec2:*:account_id:vpc-endpoint/*", + "arn:aws:ec2:*:account_id:subnet/*", + "arn:aws:ec2:*:account_id:volume/*", + "arn:aws:ec2:*::image/*" + ] + }, + { + "Sid": "EC2ResourceLevel", + "Effect": "Allow", + "Action": [ + "ec2:DescribeAddresses", + "ec2:DescribeInstances", + "autoscaling:DescribeLaunchConfigurations", + "ec2:DescribeRegions", + "ec2:DescribeDhcpOptions", + "ec2:DescribeSnapshots", + "ec2:DescribeInternetGateways", + "ec2:DescribeNetworkInterfaces", + "autoscaling:DescribeAutoScalingGroups", + "ec2:DescribeVolumes", + "ec2:DescribeNetworkAcls", + "ec2:DescribeRouteTables", + "ec2:ReleaseAddress", + "ec2:AssociateDhcpOptions", + "ec2:DescribeTags", + "ec2:DescribeVpcPeeringConnections", + "ec2:DescribeNatGateways", + "ec2:DescribeSecurityGroups", + "ec2:DescribeImages", + "ec2:DescribeVpcs", + "ec2:DescribeInstanceTypes", + "ec2:DescribeVpcEndpoints", + "ec2:DescribeSubnets" + ], + "Resource": "*" + }, + { + "Sid": "LoadBalancer", + "Effect": "Allow", + "Action": [ + "elasticloadbalancing:DescribeTags", + "elasticloadbalancing:AddTags", + "elasticloadbalancing:DescribeLoadBalancers" + ], + "Resource": "*" + }, + { + "Sid": "IAM", + "Effect": "Allow", + "Action": [ + "iam:GetRole", + "iam:TagRole", + "iam:ListRoles", + "iam:ListUserPolicies", + "iam:CreateUser", + "iam:TagUser", + "iam:GetUserPolicy", + "iam:ListAttachedRolePolicies", + "iam:ListUsers", + "iam:GetUser", + "iam:ListAccessKeys", + "iam:ListRolePolicies", + "iam:ListAccountAliases", + "iam:ListInstanceProfilesForRole", + "sts:GetCallerIdentity" + ], + "Resource": "*" + }, + { + "Sid": "Pricing", + "Effect": "Allow", + "Action": "pricing:GetProducts", + "Resource": "*" + }, + { + "Sid": "S3Bucket", + "Effect": "Allow", + "Action": [ + "s3:PutObject", + "s3:GetObject", + "s3:ListAllMyBuckets", + "s3:CreateBucket", + "s3:ListBucket", + "s3:PutObjectTagging", + "s3:putBucketTagging", + "s3:GetBucketTagging", + "s3:GetBucketLocation" + ], + "Resource": "*" + }, + { + "Sid": "CloudTrail", + "Effect": "Allow", + "Action": [ + "cloudtrail:LookupEvents", + "cloudtrail:ListTrails" + ], + "Resource": "*" + }, + { + "Sid": "CloudWatch", + "Effect": "Allow", + "Action": [ + "cloudwatch:GetMetricData", + "cloudwatch:GetMetricStatistics" + ], + "Resource": "*" + } + ] +}