Security

AWS Blu Age Standard Delivery Environment CDKs Deployment

AWS Blu Age Standard Delivery Environment (SDE) is deployed using CDK (Cloud Development Kit) scripts. The account into which these CDKs are deployed needs to be CDK-bootstrapped first (https://docs.aws.amazon.com/cdk/v2/guide/bootstrapping.html).
Bootstrapping prepares your AWS environment by provisioning the AWS resources that the AWS CDK uses to perform deployments. They include the following:

  • Amazon Simple Storage Service (Amazon S3) bucket – Used to store your CDK project files, such as AWS Lambda function code and assets.
  • Amazon Elastic Container Registry (Amazon ECR) repository – Used primarily to store Docker images.
  • AWS Identity and Access Management (IAM) roles – Configured to grant permissions needed by the AWS CDK to perform deployments. For more information about the IAM roles created during bootstrapping, see IAM roles created during bootstrapping.

By default, bootstrapping creates the cdk-hnb659fds-cfn-exec-role-<accountID>-<Region> IAM role with the AdministratorAccess managed policy attached.

To minimize the permissions and access granted to any single role or entity, and thereby improve the overall security of the deployment, it is recommended to apply the principle of least privilege: grant only the minimum permissions a role needs to deploy the AWS Blu Age SDE CDKs. Two approaches are possible:

  • Keep the default cdk-hnb659fds-cfn-exec-role-<accountID>-<Region> IAM role, but replace its AdministratorAccess policy with the scoped-down policies provided below
  • Create a dedicated role carrying the scoped-down policies provided below, and use that role to deploy the AWS Blu Age SDE CDKs

    AWS Blu Age Devops Setup (DOS) CDK Deployment policies

  • cdkCFExecutionBootstrapPolicy
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Sid": "RoleDeploymentAccess",  
"Effect": "Allow",  
"Action": [  
"iam:PassRole",  
"iam:CreateRole",  
"iam:DeleteRole",  
"iam:GetRole",  
"iam:GetPolicy",  
"iam:CreatePolicy",  
"iam:DeletePolicy",  
"iam:DetachRolePolicy",  
"iam:AttachRolePolicy",  
"iam:PutRolePolicy",  
"iam:DeleteRolePolicy"  
],  
"Resource": [  
"arn:aws:iam::*:policy/cdkCFExecution*",  
"arn:aws:iam::*:role/BluS3Stack-customresourcerole*",  
"arn:aws:iam::*:role/BluVpcStack-CustomVpcRestrictDefaultSGCustomResourc*",  
"arn:aws:iam::*:role/BluDevEC2Template-devec2role*",  
"arn:aws:iam::*:role/BluLambda-ModifyIMDS*",  
"arn:aws:iam::*:role/BluAutoupdateLT-BluAge-De-lambdaRoleBluAgeDeveloper*",  
"arn:aws:iam::*:role/frugal-iam*"  
]  
},  
{  
"Sid": "SSMDeploymentAccess",  
"Effect": "Allow",  
"Action": [  
"ssm:GetParameter",  
"ssm:GetParameters"  
],  
"Resource": [  
"arn:aws:ssm:*:*:parameter/cdk-bootstrap/*/version"  
]  
},  
{  
"Sid": "S3DeploymentAccess",  
"Effect": "Allow",  
"Action": [  
"s3:GetObject"  
],  
"Resource": [  
"arn:aws:s3:::cdk-*-assets-*/*"  
]  
}  
]  
}
  • cdkCFExecutionCertificateStackPolicy
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Sid": "CreateCertificate",  
"Effect": "Allow",  
"Action": [  
"acm-pca:CreateCertificateAuthority",  
"acm-pca:TagCertificateAuthority"  
],  
"Resource": [  
"arn:aws:acm-pca:*:*:certificate-authority/*"  
]  
},  
{  
"Sid": "BluCertificateParameters",  
"Effect": "Allow",  
"Action": [  
"ssm:GetParameters",  
"ssm:PutParameter",  
"ssm:DeleteParameter"  
],  
"Resource": [  
"arn:aws:ssm:*:*:parameter/bluage/resource/certificate/arn/*",  
"arn:aws:ssm:*:*:parameter/bluage/resource/certificate/pem/*"  
]  
}  
]  
}
  • cdkCFExecutionFirewallStackPolicy
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Sid": "BluFirewallStack",  
"Effect": "Allow",  
"Action": [  
"network-firewall:CreateRuleGroup",  
"network-firewall:DescribeRuleGroup",  
"network-firewall:DeleteRuleGroup",  
"network-firewall:AssociateFirewallPolicy",  
"network-firewall:CreateFirewallPolicy",  
"network-firewall:DeleteFirewallPolicy",  
"network-firewall:DescribeFirewallPolicy",  
"network-firewall:ListRuleGroups",  
"network-firewall:CreateFirewall",  
"network-firewall:DeleteFirewall",  
"network-firewall:DescribeFirewall",  
"network-firewall:DescribeLoggingConfiguration",  
"network-firewall:UpdateLoggingConfiguration"  
],  
"Resource":  
[  
"arn:aws:network-firewall:*:*:stateful-rulegroup/BluWindowsUpdateRuleGroup",  
"arn:aws:network-firewall:*:*:stateful-rulegroup/BluSupportServicesRuleGroup",  
"arn:aws:network-firewall:*:*:firewall/BluVpcFirewall",  
"arn:aws:network-firewall:*:*:firewall/BluVpcFirewall",  
"arn:aws:network-firewall:*:*:firewall-policy/BluVpcFirewallPolicy"  
]  
},  
{  
"Sid": "BluFirewallserviceRole",  
"Effect": "Allow",  
"Action": [  
"iam:CreateServiceLinkedRole"  
],  
"Resource": [  
"arn:aws:iam::*:role/aws-service-role/network-firewall.amazonaws.com/AWSServiceRoleForNetworkFirewall"  
]  
},  
{  
"Sid": "BluFirewallStackParameter",  
"Effect": "Allow",  
"Action": [  
"ssm:GetParameter",  
"ssm:GetParameters",  
"ssm:PutParameter",  
"ssm:DeleteParameter"  
],  
"Resource":  
[  
"arn:aws:ssm:*:*:parameter/BluPoc/BluFirewall/*/endpoint"  
]  
},  
{  
"Sid": "BluFirewallStackLogs",  
"Effect": "Allow",  
"Action": [  
"logs:ListLogDeliveries",  
"logs:UpdateLogDelivery",  
"logs:GetLogDelivery"  
],  
"Resource":  
[  
"*"  
]  
}  
]  
}
  • cdkCFExecutionFrugalStackPolicy
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Sid": "BluFrugalStackLambda",  
"Effect": "Allow",  
"Action": [  
"lambda:CreateFunction",  
"lambda:DeleteFunction",  
"lambda:GetFunction",  
"lambda:AddPermission",  
"lambda:RemovePermission",  
"lambda:InvokeFunction"  
],  
"Resource": [  
"arn:aws:lambda:*:*:function:instance-scheduler-*"  
]  
},  
{  
"Sid": "BluFrugalStackParameters",  
"Effect": "Allow",  
"Action": [  
"ssm:GetParameters",  
"ssm:PutParameter",  
"ssm:DeleteParameter"  
],  
"Resource": [  
"arn:aws:ssm:*:*:parameter/bluage/resource/scheduler/*"  
]  
},  
{  
"Sid": "BluFrugalStackLogs",  
"Effect": "Allow",  
"Action": [  
"logs:CreateLogGroup",  
"logs:PutRetentionPolicy"  
],  
"Resource": [  
"arn:aws:logs:*:*:log-group:/aws/lambda/instance-scheduler-*"  
]  
},  
{  
"Sid": "BluFrugalStackTopic",  
"Effect": "Allow",  
"Action": [  
"sns:CreateTopic",  
"sns:DeleteTopic",  
"sns:GetTopicAttributes"  
],  
"Resource": [  
"arn:aws:sns:*:*:LandingZone-EC2-report-topic"  
]  
},  
{  
"Sid": "BluFrugalStackEvents",  
"Effect": "Allow",  
"Action": [  
"events:DescribeRule",  
"events:PutRule",  
"events:DeleteRule",  
"events:PutTargets",  
"events:RemoveTargets"  
],  
"Resource": [  
"arn:aws:events:*:*:rule/instance-scheduler-*"  
]  
}  
]  
}
  • cdkCFExecutionOtherStackPolicy
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Sid": "BluVpcEndpoints",  
"Effect": "Allow",  
"Action": [  
"ec2:CreateSecurityGroup",  
"ec2:DeleteSecurityGroup",  
"ec2:CreateVpcEndpoint",  
"ec2:DescribeVpcEndpoints",  
"ec2:DeleteVpcEndpoints",  
"ec2:RevokeSecurityGroupEgress",  
"ec2:AuthorizeSecurityGroupIngress",  
"ec2:AuthorizeSecurityGroupEgress"  
],  
"Resource": "*"  
},  
{  
"Sid": "BluIamAssets",  
"Effect": "Allow",  
"Action": [  
"iam:GetRole",  
"iam:DeleteRolePolicy",  
"iam:CreateRole",  
"iam:DeleteRole",  
"iam:PutRolePolicy",  
"iam:DeleteRolePolicy",  
"iam:AttachRolePolicy",  
"iam:DetachRolePolicy"  
],  
"Resource": [  
"arn:aws:iam::*:role/BluAge_Project_Manager_IAM_Role_*",  
"arn:aws:iam::*:role/BluAge_Developer_IAM_Role_*",  
"arn:aws:iam::*:role/BluModifyIMDSStack*",  
"arn:aws:iam::*:role/BluAutoupdateLT-BluAge*"  
]  
},  
{  
"Sid": "BluIamAssetsSSMDocument",  
"Effect": "Allow",  
"Action": [  
"ssm:CreateDocument",  
"ssm:GetDocument",  
"ssm:ListTagsForResource"  
],  
"Resource": [  
"arn:aws:ssm:*:*:document/AWSBluageEC2PortForwarding"  
]  
},  
{  
"Effect": "Allow",  
"Action": [  
"iam:PassRole"  
],  
"Resource": [  
"arn:aws:iam::*:role/BluModifyIMDSStack*",  
"arn:aws:iam::*:role/BluAutoupdateLT-BluAge*"  
]  
},  
{  
"Sid": "BluDevEC2Template",  
"Effect": "Allow",  
"Action": [  
"ec2:CreateLaunchTemplate",  
"ec2:DeleteLaunchTemplate"  
],  
"Resource": "*"  
},  
{  
"Sid": "BluDevEC2TemplateRole",  
"Effect": "Allow",  
"Action": [  
"iam:GetInstanceProfile",  
"iam:DeleteInstanceProfile",  
"iam:CreateInstanceProfile",  
"iam:AddRoleToInstanceProfile",  
"iam:RemoveRoleFromInstanceProfile"  
],  
"Resource": [  
"arn:aws:iam::*:role/BluDevEC2Template-devec2role*",  
"arn:aws:iam::*:instance-profile/dev-instance-profile-*"  
]  
},  
{  
"Sid": "BluModifyIMDSStack",  
"Effect": "Allow",  
"Action": [  
"lambda:CreateFunction",  
"lambda:DeleteFunction",  
"lambda:GetFunction",  
"lambda:AddPermission",  
"lambda:RemovePermission",  
"lambda:InvokeFunction",  
"events:DescribeRule",  
"events:PutRule",  
"events:DeleteRule",  
"events:PutTargets",  
"events:RemoveTargets"  
],  
"Resource": [  
"arn:aws:events:*:*:rule/BluModifyIMDSStack*",  
"arn:aws:lambda:*:*:function:BluModifyIMDSStack*"  
]  
},  
{  
"Sid": "BluAutoupdateLTBluAgeDeveloperInstance",  
"Effect": "Allow",  
"Action": [  
"lambda:CreateFunction",  
"lambda:DeleteFunction",  
"lambda:GetFunction",  
"lambda:AddPermission",  
"lambda:RemovePermission",  
"lambda:InvokeFunction",  
"events:DescribeRule",  
"events:PutRule",  
"events:DeleteRule",  
"events:PutTargets",  
"events:RemoveTargets",  
"ssm:GetParameters",  
"ssm:PutParameter",  
"ssm:DeleteParameter"  
],  
"Resource": [  
"arn:aws:events:*:*:rule/BluAutoUpdateLaunchTemplateDev*",  
"arn:aws:lambda:*:*:function:Blu_AutoupdateLT-BluAge-*",  
"arn:aws:lambda:*:*:function:blu_autoupdateAMI-BluAge-*",  
"arn:aws:lambda:*:*:function:BluAutoupdateLT-BluAge-*",  
"arn:aws:ssm:*:*:parameter/LT/BluAge_PLZ_Dev_Env_Recipe"  
]  
},  
{  
"Sid": "BluSsmPatchingStack",  
"Effect": "Allow",  
"Action": [  
"ssm:CreateAssociation",  
"ssm:DeleteAssociation"  
],  
"Resource": "*"  
}  
]  
}
  • cdkCFExecutionS3StackPolicy
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Sid": "BluS3StackLambda",  
"Effect": "Allow",  
"Action": [  
"lambda:CreateFunction",  
"lambda:DeleteFunction",  
"lambda:GetFunction",  
"lambda:InvokeFunction"  
],  
"Resource": [  
"arn:aws:lambda:*:*:function:BluS3Stack-*"  
]  
},  
{  
"Sid": "BluS3StackBucket",  
"Effect": "Allow",  
"Action": [  
"s3:CreateBucket",  
"s3:GetObject",  
"s3:GetBucketPolicy",  
"s3:PutBucketPolicy",  
"s3:DeleteBucketPolicy",  
"s3:PutBucketLogging",  
"s3:PutObjectRetention",  
"s3:PutBucketVersioning",  
"s3:PutEncryptionConfiguration",  
"s3:PutLifecycleConfiguration",  
"s3:PutBucketPublicAccessBlock"  
],  
"Resource": [  
"arn:aws:s3:::bluage-access-log-bucket-*",  
"arn:aws:s3:::bluage-customer-bucket-*",  
"arn:aws:s3:::ba-firewall-log-*",  
"arn:aws:s3:::bluage-testbucket-*"  
]  
}  
]  
}
  • cdkCFExecutionVPCStackPolicy
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Sid": "BluVpcStack",  
"Effect": "Allow",  
"Action": [  
"ec2:CreateVpc",  
"ec2:DeleteVpc",  
"ec2:DescribeVpcs",  
"ec2:AllocateAddress",  
"ec2:ReleaseAddress",  
"ec2:DescribeAddresses",  
"ec2:CreateInternetGateway",  
"ec2:DeleteInternetGateway",  
"ec2:DescribeInternetGateways",  
"ec2:AttachInternetGateway",  
"ec2:DetachInternetGateway",  
"ec2:CreateTags",  
"ec2:DeleteTags",  
"ec2:ModifyVpcAttribute",  
"ec2:DescribeVpcAttribute",  
"ec2:CreateSubnet",  
"ec2:DeleteSubnet",  
"ec2:DescribeSubnets",  
"ec2:ModifySubnetAttribute",  
"ec2:CreateRouteTable",  
"ec2:DeleteRouteTable",  
"ec2:DisassociateRouteTable",  
"ec2:AssociateRouteTable",  
"ec2:DescribeRouteTables",  
"ec2:DescribeSecurityGroups",  
"ec2:CreateNatGateway",  
"ec2:DeleteNatGateway",  
"ec2:DescribeNatGateways",  
"ec2:CreateRoute",  
"ec2:DeleteRoute",  
"ec2:CreateFlowLogs",  
"ec2:DeleteFlowLogs",  
"ec2:DescribeFlowLogs"  
],  
"Resource": "*"  
},  
{  
"Sid": "BluVpcStackBucket",  
"Effect": "Allow",  
"Action": [  
"s3:CreateBucket",  
"s3:DeleteBucket",  
"s3:GetObject",  
"s3:PutBucketPolicy",  
"s3:DeleteBucketPolicy",  
"s3:PutBucketLogging",  
"s3:PutObjectRetention",  
"s3:PutBucketVersioning",  
"s3:PutEncryptionConfiguration",  
"s3:PutLifecycleConfiguration",  
"s3:PutBucketPublicAccessBlock",  
"s3:PutBucketOwnershipControls"  
],  
"Resource":  
[  
"arn:aws:s3:::ba-poc-flowlogs*"  
]  
},  
{  
"Sid": "BluVpcStackLogs",  
"Effect": "Allow",  
"Action": [  
"logs:CreateLogDelivery",  
"logs:DeleteLogDelivery"  
],  
"Resource": "*"  
},  
{  
"Sid": "BluVpcStackLambda",  
"Effect": "Allow",  
"Action": [  
"lambda:CreateFunction",  
"lambda:DeleteFunction",  
"lambda:GetFunction",  
"lambda:AddPermission",  
"lambda:RemovePermission",  
"lambda:InvokeFunction"  
],  
"Resource": [  
"arn:aws:lambda:*:*:function:BluVpcStack-CustomVpc*"  
]  
}  
]  
}

AWS Blu Age Devops Pipeline (DOP) CDK Deployment policies

  • iam-policy-cdk-deployment-cloudformation
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Effect": "Allow",  
"Action": [  
"cloudformation:DescribeStacks",  
"cloudformation:DescribeChangeSet",  
"cloudformation:DescribeStackEvents",  
"cloudformation:CreateChangeSet",  
"cloudformation:DeleteChangeSet",  
"cloudformation:GetTemplate",  
"cloudformation:ExecuteChangeSet",  
"cloudformation:DeleteStack"  
],  
"Resource": [  
"*"  
]  
}  
]  
}
  • iam-policy-cdk-deployment-codepipeline
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Effect": "Allow",  
"Action": [  
"codepipeline:ListPipelineExecutions",  
"codepipeline:StartPipelineExecution"  
],  
"Resource": [  
"*"  
]  
}  
]  
}
  • iam-policy-cdk-deployment-ec2
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Effect": "Allow",  
"Action": [  
"ec2:DescribeVpcs",  
"ec2:DescribeSubnets",  
"ec2:DescribeVpcEndpoints",  
"ec2:ModifyVpcEndpoint",  
"ec2:DescribeManagedPrefixLists",  
"ec2:DescribeLaunchTemplateVersions",  
"ec2:DescribeInstances",  
"ec2:DescribeSecurityGroups",  
"ec2:DescribeRouteTables",  
"ec2:DescribeVpnGateways"  
],  
"Resource": [  
"*"  
]  
}  
]  
}
  • iam-policy-cdk-deployment-ecr
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Effect": "Allow",  
"Action": [  
"ecr:PutRegistryScanningConfiguration",  
"ecr:DescribeImages",  
"ecr:BatchDeleteImage"  
],  
"Resource": [  
"*"  
]  
}  
]  
}
  • iam-policy-cdk-deployment-ecs
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Effect": "Allow",  
"Action": [  
"ecs:DescribeTaskDefinition",  
"ecs:RegisterTaskDefinition",  
"elasticloadbalancing:DescribeLoadBalancers",  
"elasticloadbalancing:DescribeTargetGroups",  
"elasticloadbalancing:ModifyTargetGroup"  
],  
"Resource": [  
"*"  
]  
}  
]  
}
  • iam-policy-cdk-deployment-efs
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Effect": "Allow",  
"Action": [  
"elasticfilesystem:DescribeFileSystems"  
],  
"Resource": [  
"*"  
]  
}  
]  
}
  • iam-policy-cdk-deployment-firewalls
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Effect": "Allow",  
"Action": [  
"network-firewall:ListRuleGroups",  
"network-firewall:CreateRuleGroup",  
"network-firewall:DescribeFirewall",  
"network-firewall:DescribeRuleGroup",  
"network-firewall:UpdateRuleGroup",  
"network-firewall:DescribeFirewallPolicy",  
"network-firewall:UpdateFirewallPolicy",  
"network-firewall:UpdateFirewallPolicyChangeProtection"  
],  
"Resource": [  
"*"  
]  
}  
]  
}
  • iam-policy-cdk-deployment-iam
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Effect": "Allow",  
"Action": [  
"iam:PassRole"  
],  
"Resource": [  
"arn:aws:iam::*:role/iam-role-inner-cdk-deployment",  
"arn:aws:iam::*:role/iam-role-ecs-task-app",  
"arn:aws:iam::*:role/iam-role-ecs-task-execution"  
]  
}  
]  
}
  • iam-policy-cdk-deployment-kms
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Effect": "Allow",  
"Action": [  
"kms:ListAliases"  
],  
"Resource": [  
"*"  
]  
}  
]  
}
  • iam-policy-cdk-deployment-lambda — the bare `"*"` entry in Action, combined with Resource `"*"`, allows every action on every resource and so negates the scoped-down intent of this section; remove it and keep only lambda:InvokeFunction, scoped to the function ARNs the pipeline actually invokes where possible.
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Effect": "Allow",  
"Action": [  
"lambda:InvokeFunction",  
"*"  
],  
"Resource": [  
"*"  
]  
}  
]  
}
  • iam-policy-cdk-deployment-route53
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Effect": "Allow",  
"Action": [  
"route53:ListHostedZonesByName",  
"route53:ChangeResourceRecordSets",  
"route53:ListResourceRecordSets"  
],  
"Resource": [  
"*"  
]  
}  
]  
}
  • iam-policy-cdk-deployment-s3 — `s3:List*`, `s3:Put*`, `s3:Get*` and `s3:Delete*` on Resource `"*"` amount to near-full S3 access on every bucket in the account (and already subsume the explicit s3:GetObject and s3:PutObject entries); restrict Resource to the deployment buckets and list only the specific actions required.
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Effect": "Allow",  
"Action": [  
"s3:GetObject",  
"s3:PutObject",  
"s3:List*",  
"s3:Put*",  
"s3:Get*",  
"s3:Delete*"  
],  
"Resource": [  
"*"  
]  
}  
]  
}
  • iam-policy-cdk-deployment-secretsmanager
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Effect": "Allow",  
"Action": [  
"secretsmanager:GetSecretValue"  
],  
"Resource": [  
"*"  
]  
}  
]  
}
  • iam-policy-cdk-deployment-sns
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Effect": "Allow",  
"Action": [  
"sns:ListTopics",  
"sns:SetTopicAttributes"  
],  
"Resource": [  
"*"  
]  
}  
]  
}
  • iam-policy-cdk-deployment-ssm
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Effect": "Allow",  
"Action": [  
"ssm:GetParameter",  
"ssm:PutParameter",  
"ssm:DeleteParameter",  
"ssm:DeleteParameters"  
],  
"Resource": [  
"*"  
]  
}  
]  
}

iam-role-inner-cdk-deployment

  • iam-policy-inner-cdk-deployment-cloudwatch
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Effect": "Allow",  
"Action": [  
"logs:CreateLogGroup",  
"logs:DeleteLogGroup",  
"logs:DescribeLogGroups",  
"logs:PutRetentionPolicy"  
],  
"Resource": [  
"*"  
]  
}  
]  
}
  • iam-policy-inner-cdk-deployment-codeartifact
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Effect": "Allow",  
"Action": [  
"codeartifact:CreateDomain",  
"codeartifact:CreateRepository",  
"codeartifact:DeleteDomain",  
"codeartifact:DeleteRepository",  
"codeartifact:AssociateExternalConnection",  
"codeartifact:AssociateWithDownstreamRepository",  
"codeartifact:DisassociateExternalConnection",  
"codeartifact:DescribeDomain",  
"codeartifact:GetDomainPermissionsPolicy",  
"codeartifact:ListTagsForResource",  
"codeartifact:DescribeRepository",  
"codeartifact:GetRepositoryPermissionsPolicy"  
],  
"Resource": [  
"*"  
]  
}  
]  
}
  • iam-policy-inner-cdk-deployment-codebuild
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Effect": "Allow",  
"Action": [  
"codebuild:CreateProject",  
"codebuild:DeleteProject"  
],  
"Resource": [  
"*"  
]  
}  
]  
}
  • iam-policy-inner-cdk-deployment-codedeploy
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Effect": "Allow",  
"Action": [  
"codedeploy:CreateApplication",  
"codedeploy:CreateDeploymentGroup",  
"codedeploy:DeleteApplication",  
"codedeploy:DeleteDeploymentGroup",  
"codedeploy:GetDeploymentGroup"  
],  
"Resource": [  
"*"  
]  
}  
]  
}
  • iam-policy-inner-cdk-deployment-codepipeline
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Effect": "Allow",  
"Action": [  
"codepipeline:CreatePipeline",  
"codepipeline:DeletePipeline",  
"codepipeline:GetPipeline",  
"codepipeline:GetPipelineState"  
],  
"Resource": [  
"*"  
]  
}  
]  
}
  • iam-policy-inner-cdk-deployment-ec2
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Effect": "Allow",  
"Action": [  
"ec2:DescribeManagedPrefixLists",  
"ec2:DescribeLaunchTemplates",  
"ec2:DescribeInstances",  
"ec2:DescribeImages",  
"ec2:DescribeSecurityGroups",  
"ec2:DescribeLaunchTemplateVersions",  
"ec2:DescribeVpcs",  
"ec2:DescribeSubnets",  
"ec2:CreateLaunchTemplate",  
"ec2:CreateManagedPrefixList",  
"ec2:CreateSecurityGroup",  
"ec2:DeleteManagedPrefixList",  
"ec2:DeleteSecurityGroup",  
"ec2:RunInstances",  
"ec2:CreateTags",  
"ec2:RevokeSecurityGroupEgress",  
"ec2:RevokeSecurityGroupIngress",  
"ec2:AuthorizeSecurityGroupEgress",  
"ec2:TerminateInstances",  
"ec2:AuthorizeSecurityGroupIngress",  
"ec2:DeleteLaunchTemplate",  
"ec2:GetManagedPrefixListEntries",  
"dlm:TagResource",  
"dlm:CreateLifecyclePolicy"  
],  
"Resource": [  
"*"  
]  
}  
]  
}
  • iam-policy-inner-cdk-deployment-ecr
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Effect": "Allow",  
"Action": [  
"ecr:CreateRepository",  
"ecr:CreatePullThroughCacheRule",  
"ecr:DeleteRepository",  
"ecr:DeletePullThroughCacheRule"  
],  
"Resource": [  
"*"  
]  
}  
]  
}
  • iam-policy-inner-cdk-deployment-ecs
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Effect": "Allow",  
"Action": [  
"ecs:CreateCluster",  
"ecs:CreateService",  
"ecs:DeleteCluster",  
"ecs:DeleteService",  
"ecs:DeleteTaskDefinitions",  
"ecs:CreateTaskSet",  
"ecs:RunTask",  
"ecs:StartTask",  
"ecs:StopTask",  
"ecs:DescribeClusters",  
"ecs:RegisterTaskDefinition",  
"ecs:DeregisterTaskDefinition",  
"ecs:DescribeServices",  
"ecs:DescribeCapacityProviders",  
"ecs:CreateCapacityProvider",  
"ecs:DeleteCapacityProvider",  
"ecs:PutClusterCapacityProviders"  
],  
"Resource": [  
"*"  
]  
},  
{  
"Effect": "Allow",  
"Action": [  
"elasticloadbalancing:DescribeTargetGroups",  
"elasticloadbalancing:DescribeLoadBalancers",  
"elasticloadbalancing:DescribeListeners",  
"elasticloadbalancing:ModifyTargetGroupAttributes",  
"elasticloadbalancing:CreateTargetGroup",  
"elasticloadbalancing:CreateListener",  
"elasticloadbalancing:CreateLoadBalancer",  
"elasticloadbalancing:DeleteListener",  
"elasticloadbalancing:DeleteLoadBalancer",  
"elasticloadbalancing:DeleteTargetGroup",  
"elasticloadbalancing:ModifyLoadBalancerAttributes"  
],  
"Resource": [  
"*"  
]  
},  
{  
"Effect": "Allow",  
"Action": [  
"autoscaling:DescribeAutoScalingGroups",  
"autoscaling:DescribeScalingActivities",  
"autoscaling:CreateAutoScalingGroup",  
"autoscaling:DeleteAutoScalingGroup",  
"autoscaling:UpdateAutoScalingGroup",  
"autoscaling:DeleteLaunchConfiguration",  
"autoscaling:DeleteLifecycleHook",  
"autoscaling:CreateOrUpdateTags",  
"autoscaling:DescribeLifecycleHooks",  
"autoscaling:PutLifecycleHook"  
],  
"Resource": [  
"*"  
]  
}  
]  
}
  • iam-policy-inner-cdk-deployment-efs
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Effect": "Allow",  
"Action": [  
"elasticfilesystem:TagResource",  
"elasticfilesystem:CreateFileSystem",  
"elasticfilesystem:DeleteFileSystem",  
"elasticfilesystem:DescribeFileSystems",  
"elasticfilesystem:PutLifecycleConfiguration",  
"elasticfilesystem:CreateMountTarget",  
"elasticfilesystem:DescribeMountTargets",  
"elasticfilesystem:DeleteMountTarget"  
],  
"Resource": [  
"*"  
]  
}  
]  
}
  • iam-policy-inner-cdk-deployment-eventbridge
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Effect": "Allow",  
"Action": [  
"events:DescribeRule",  
"events:PutRule",  
"events:DeleteRule",  
"events:PutTargets",  
"events:RemoveTargets"  
],  
"Resource": [  
"*"  
]  
}  
]  
}
  • iam-policy-inner-cdk-deployment-iam — the first statement grants iam:CreateRole, iam:AttachRolePolicy and iam:PutRolePolicy on Resource `"*"`, which lets this role create any role and attach any policy to it; scope Resource to the role-name patterns listed in the PassRole statement below, or require a permissions boundary on created roles via the iam:PermissionsBoundary condition key.
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Effect": "Allow",  
"Action": [  
"iam:CreateRole",  
"iam:CreatePolicy",  
"iam:GetRole",  
"iam:GetPolicy",  
"iam:GetInstanceProfile",  
"iam:PutRolePolicy",  
"iam:DeleteRole",  
"iam:DeleteRolePolicy",  
"iam:DeletePolicy",  
"iam:AttachRolePolicy",  
"iam:DetachRolePolicy",  
"iam:ListPolicyVersions",  
"iam:CreateInstanceProfile",  
"iam:RemoveRoleFromInstanceProfile",  
"iam:AddRoleToInstanceProfile",  
"iam:DeleteInstanceProfile",  
"iam:TagRole"  
],  
"Resource": [  
"*"  
]  
},  
{  
"Effect": "Allow",  
"Action": [  
"iam:PassRole"  
],  
"Resource": [  
"arn:aws:iam::*:role/iam-role-*",  
"arn:aws:iam::*:role/BluDevEC2Template-*",  
"arn:aws:iam::*:role/GitlabECSStack-ECSCluster*",  
"arn:aws:iam::*:role/AccountInitializationCode-codepipelinedocker*",  
"arn:aws:iam::*:role/BuildingPipelineS3Stack-BucketNotifications*",  
"arn:aws:iam::*:role/BuildingPipelineECSStack-ECSCluster*",  
"arn:aws:iam::*:role/BuildingPipelineCodepipel-codepipeline*",  
"arn:aws:iam::*:role/TestingPipelineECSStack-ECSCluster*",  
"arn:aws:iam::*:role/TestingPipelineCodepipeli-codepipelinejenkins*"  
]  
}  
]  
}
  • iam-policy-inner-cdk-deployment-kms
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Effect": "Allow",  
"Action": [  
"kms:CreateKey",  
"kms:DeleteAlias",  
"kms:CreateAlias",  
"kms:ScheduleKeyDeletion",  
"kms:DescribeKey",  
"kms:PutKeyPolicy",  
"kms:EnableKeyRotation"  
],  
"Resource": [  
"*"  
]  
}  
]  
}
  • iam-policy-inner-cdk-deployment-lambda
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Effect": "Allow",  
"Action": [  
"lambda:CreateFunction",  
"lambda:DeleteFunction",  
"lambda:GetFunction",  
"lambda:AddPermission",  
"lambda:InvokeFunction",  
"lambda:RemovePermission",  
"lambda:TagResource",  
"lambda:PublishLayerVersion",  
"lambda:DeleteLayerVersion",  
"lambda:GetLayerVersion"  
],  
"Resource": [  
"*"  
]  
}  
]  
}
  • iam-policy-inner-cdk-deployment-s3
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Effect": "Allow",  
"Action": [  
"s3:CreateBucket",  
"s3:DeleteBucket",  
"s3:DeleteBucketPolicy",  
"s3:PutBucketPolicy",  
"s3:PutBucketLogging",  
"s3:PutBucketVersioning",  
"s3:PutBucketPublicAccessBlock",  
"s3:PutBucketNotification",  
"s3:GetObject",  
"s3:PutObject"  
],  
"Resource": [  
"*"  
]  
}  
]  
}
  • iam-policy-inner-cdk-deployment-secretsmanager
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Effect": "Allow",  
"Action": [  
"secretsmanager:GetSecretValue",  
"secretsmanager:GetRandomPassword",  
"secretsmanager:CreateSecret",  
"secretsmanager:DeleteSecret"  
],  
"Resource": [  
"*"  
]  
}  
]  
}
  • iam-policy-inner-cdk-deployment-sns
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Effect": "Allow",  
"Action": [  
"sns:GetTopicAttributes",  
"sns:CreateTopic",  
"sns:TagResource",  
"sns:DeleteTopic",  
"sns:Subscribe",  
"sns:Unsubscribe"  
],  
"Resource": [  
"*"  
]  
}  
]  
}
  • iam-policy-inner-cdk-deployment-ssm
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Effect": "Allow",  
"Action": [  
"ssm:GetParameters"  
],  
"Resource": [  
"*"  
]  
}  
]  
}

AWS Blu Age Regression Testing Snapshots (RTS) CDK Deployment policies

  • cdkCFExecutionRTSCognitoPolicy
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Sid": "cognitocreateuserpool",  
"Effect": "Allow",  
"Action": [  
"cognito-idp:CreateUserPool"  
],  
"Resource": [  
"*"  
]  
},  
{  
"Sid": "cognito",  
"Effect": "Allow",  
"Action": [  
"cognito-idp:CreateUserPoolClient",  
"cognito-idp:CreateUserPoolDomain",  
"cognito-idp:DeleteUserPoolDomain",  
"cognito-idp:DeleteUserPoolClient"  
],  
"Resource": [  
"arn:aws:cognito-idp:*:*:userpool/*"  
]  
},  
{  
"Sid": "cognitoPassRole",  
"Effect": "Allow",  
"Action": [  
"iam:PassRole"  
],  
"Resource": [  
"arn:aws:iam::*:role/cdk*"  
],  
"Condition": {  
"StringEquals": {  
"iam:PassedToService": "cognito-identity.amazonaws.com"  
}  
}  
}  
]  
}
  • cdkCFExecutionRTSIAMPolicy
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Sid": "RoleDeploymentAccess",  
"Effect": "Allow",  
"Action": [  
"iam:PassRole",  
"iam:CreateRole",  
"iam:DeleteRole",  
"iam:GetRole",  
"iam:GetPolicy",  
"iam:CreatePolicy",  
"iam:DeletePolicy",  
"iam:DetachRolePolicy",  
"iam:AttachRolePolicy",  
"iam:PutRolePolicy",  
"iam:DeleteRolePolicy",  
"iam:GetInstanceProfile",  
"iam:RemoveRoleFromInstanceProfile",  
"iam:CreateInstanceProfile",  
"iam:AddRoleToInstanceProfile",  
"iam:DeleteInstanceProfile",  
"iam:CreateServiceLinkedRole"  
],  
"Resource": [  
"arn:aws:iam::*:policy/cdkCFExecution*",  
"arn:aws:iam::*:role/rts-cdk-BaseResNestedStac-SshSecretsManager*",  
"arn:aws:iam::*:role/rts-cdk-BaseResNestedStack-DWSINSTANCESROLE*",  
"arn:aws:iam::*:role/rts-cdk-BaseResNestedStac-CustomS3AutoDeleteObjects*",  
"arn:aws:iam::*:role/rts-cdk-BaseResNestedStac-CustomCDKBucketDeployment*",  
"arn:aws:iam::*:role/rts-cdk-BaseResNestedStac-LogRetention*",  
"arn:aws:iam::*:role/rts-cdk-BaseResNestedStac-sshSmCustomResourceLambda*",  
"arn:aws:iam::*:instance-profile/rts-cdk-BaseResNestedStack*",  
"arn:aws:iam::*:role/rts-cdk-S3ResNestedStackS-RTSBucketCustomResource*",  
"arn:aws:iam::*:role/rts-cdk-S3ResNestedStackS-LogRetention*",  
"arn:aws:iam::*:role/rts-cdk-S3ResNestedStackS-BucketCustomResource*",  
"arn:aws:iam::*:role/rts-manager",  
"arn:aws:iam::*:role/rtscdkAppDwsManager*",  
"arn:aws:iam::*:role/ec2iamgeneratorrole",  
"arn:aws:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing",  
"arn:aws:iam::*:instance-profile/rtscdkAppDwsManager*"  
]  
},  
{  
"Sid": "ExecuteNestedStack",  
"Action": [  
"iam:PassRole"  
],  
"Effect": "Allow",  
"Resource": [  
"arn:aws:iam::*:role/cdk-hnb659fds-cfn-exec-role-*"  
]  
}  
]  
}
  • cdkCFExecutionRTSManagerPolicy
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Sid": "SSMDeploymentAccess",  
"Effect": "Allow",  
"Action": [  
"ssm:GetParameter",  
"ssm:GetParameters"  
],  
"Resource": [  
"arn:aws:ssm:*:*:parameter/cdk-bootstrap/*/version"  
]  
},  
{  
"Sid": "S3DeploymentAccess",  
"Effect": "Allow",  
"Action": [  
"s3:GetObject"  
],  
"Resource": [  
"arn:aws:s3:::cdk-*-assets-*/*"  
]  
},  
{  
"Sid": "ExecuteStack",  
"Effect": "Allow",  
"Action": [  
"cloudformation:CreateStack",  
"cloudformation:DeleteStack",  
"cloudformation:UpdateStack"  
],  
"Resource": [  
"arn:aws:cloudformation:*:*:stack/rts-cdk-BaseResNestedStack*/*",  
"arn:aws:cloudformation:*:*:stack/rts-cdk-S3ResNestedStack*/*",  
"arn:aws:cloudformation:*:*:stack/rtscdkAppDwsManagerRes2D7BB19B*/*",  
"arn:aws:cloudformation:*:*:stack/rts-cdk-cognito*/*"  
]  
},  
{  
"Sid": "Lambda",  
"Effect": "Allow",  
"Action": [  
"lambda:PublishLayerVersion",  
"lambda:DeleteLayerVersion",  
"lambda:CreateFunction",  
"lambda:DeleteFunction",  
"lambda:GetFunction",  
"lambda:InvokeFunction",  
"lambda:GetLayerVersion"  
],  
"Resource": [  
"arn:aws:lambda:*:*:layer:DeployAppBinaries*",  
"arn:aws:lambda:*:*:function:rts-cdk-BaseResNestedStac*",  
"arn:aws:lambda:*:*:layer:DeployDockerCompose*",  
"arn:aws:lambda:*:*:function:rts-cdk-S3ResNestedStackS-RTSBucketCustomResource*",  
"arn:aws:lambda:*:*:function:rts-cdk-S3ResNestedStackS-LogRetention*",  
"arn:aws:lambda:*:*:function:rts-cdk-S3ResNestedStackS-BucketCustomResource*",  
"arn:aws:lambda:*:*:function:rtscdkAppDwsManager*"  
]  
},  
{  
"Sid": "S3",  
"Effect": "Allow",  
"Action": [  
"s3:CreateBucket",  
"s3:DeleteBucket",  
"s3:PutBucketTagging",  
"s3:PutEncryptionConfiguration",  
"s3:PutBucketVersioning",  
"s3:PutBucketPublicAccessBlock",  
"s3:PutBucketPolicy",  
"s3:DeleteBucketPolicy"  
],  
"Resource": [  
"arn:aws:s3:::rts-cdk-baseresnestedstac*"  
]  
},  
{  
"Sid": "SSM",  
"Effect": "Allow",  
"Action": [  
"ssm:DeleteParameter",  
"ssm:PutParameter"  
],  
"Resource": [  
"arn:aws:ssm:*:*:parameter/EDR/DISK/DEFINITION/TYPE",  
"arn:aws:ssm:*:*:parameter/EDR/DB/INSTANCE/LAUNCHTEMPLATE",  
"arn:aws:ssm:*:*:parameter/EDR/CONFIG",  
"arn:aws:ssm:*:*:parameter/EDR/DISK/DEFINITION/IOPS",  
"arn:aws:ssm:*:*:parameter/EDR/DOCKER/COMPOSE/S3",  
"arn:aws:ssm:*:*:parameter/EDR/INSTANCE/TYPES",  
"arn:aws:ssm:*:*:parameter/EDR/RDS/INSTANCE/CLASSES",  
"arn:aws:ssm:*:*:parameter/EDR/DOCKER/COMPOSE/YAML",  
"arn:aws:ssm:*:*:parameter/EDR/DOCKER/COMPOSE/INSTANCES",  
"arn:aws:ssm:*:*:parameter/EDR/RDS/CONFIGURATION/POSTGRES",  
"arn:aws:ssm:*:*:parameter/EDR/DB/SECRETMANAGER/SSH/KEY",  
"arn:aws:ssm:*:*:parameter/EDR/DNS/KEY"  
]  
},  
{  
"Sid": "All",  
"Effect": "Allow",  
"Action": [  
"ec2:DescribeSecurityGroups",  
"ec2:DescribeVpcs",  
"ec2:DescribeSubnets",  
"route53:CreateHostedZone",  
"elasticloadbalancing:DescribeLoadBalancers",  
"ec2:DescribeAccountAttributes",  
"ec2:DescribeInternetGateways",  
"ec2:DescribeLaunchTemplates",  
"ec2:DescribeInstances"  
],  
"Resource": [  
"*"  
]  
},  
{  
"Sid": "SecurityGroup",  
"Effect": "Allow",  
"Action": [  
"ec2:CreateSecurityGroup",  
"ec2:DeleteSecurityGroup",  
"ec2:RevokeSecurityGroupEgress",  
"ec2:CreateTags",  
"ec2:AuthorizeSecurityGroupIngress",  
"ec2:AuthorizeSecurityGroupEgress",  
"ec2:CreateLaunchTemplate",  
"ec2:DeleteLaunchTemplate",  
"ec2:DescribeAccountAttributes"  
],  
"Resource": [  
"arn:aws:ec2:*:*:vpc/*",  
"arn:aws:ec2:*:*:security-group/*",  
"arn:aws:ec2:*:*:launch-template/*"  
]  
},  
{  
"Sid": "SecretManager",  
"Effect": "Allow",  
"Action": [  
"secretsmanager:CreateSecret",  
"secretsmanager:DeleteSecret"  
],  
"Resource": [  
"arn:aws:secretsmanager:*:*:secret:rts/sha-docker-compose*"  
]  
},  
{  
"Sid": "route53",  
"Effect": "Allow",  
"Action": [  
"route53:ListQueryLoggingConfigs",  
"route53:DeleteHostedZone",  
"route53:GetChange"  
],  
"Resource": [  
"arn:aws:route53:::hostedzone/*",  
"arn:aws:route53:::change/*"  
]  
},  
{  
"Sid": "ELB",  
"Effect": "Allow",  
"Action": [  
"elasticloadbalancing:CreateLoadBalancer",  
"elasticloadbalancing:AddTags",  
"elasticloadbalancing:DeleteLoadBalancer"  
],  
"Resource": [  
"arn:aws:elasticloadbalancing:*:*:loadbalancer/*"  
]  
},  
{  
"Sid": "EC2",  
"Effect": "Allow",  
"Action": [  
"ec2:RunInstances",  
"ec2:CreateTags"  
],  
"Resource": [  
"arn:aws:ec2:*:*:instance/*",  
"arn:aws:ec2:*:*:key-pair/DWS-MANAGER-KEY-PAIR",  
"arn:aws:ec2:*:*:network-interface/*",  
"arn:aws:ec2:*:*:security-group/*",  
"arn:aws:ec2:*:*:subnet/*",  
"arn:aws:ec2:*:*:volume/*",  
"arn:aws:ec2:*::image/*"  
]  
}  
]  
}

IAM roles deployed by the AWS Blu Age SDE CDK scripts

This document describes all IAM roles and associated policies that are created and used by the components deployed by the AWS Blu Age Standard Delivery Environment CDKs.

List of IAM Roles created by the AWS Blu Age DevOps Setup CDK scripts

Role used by instance-scheduler-on-landingzone-function Lambda Function (the policies below are shown as rendered for one deployment; the region and account ID in the ARNs are those of the deploying stack, as the CDK code further down shows)

  • IAM Policy for frugal-iam-${region}-${AccountID}-role IAM Role
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": "autoscaling:DescribeAutoScalingGroups",  
"Resource": "*",  
"Effect": "Allow"  
}  
]  
},  
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": [  
"autoscaling:SuspendProcesses",  
"autoscaling:resumeProcesses"  
],  
"Resource": "arn:aws:autoscaling:eu-west-3:381492295584:autoScalingGroup:*",  
"Effect": "Allow"  
}  
]  
},  
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": [  
"logs:CreateLogGroup",  
"logs:CreateLogStream",  
"logs:PutLogEvents"  
],  
"Resource": "arn:aws:logs:eu-west-3:381492295584:log-group:/aws/lambda/instance-scheduler-on-landingzone-function:*",  
"Effect": "Allow"  
}  
]  
},  
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Condition": {  
"StringEquals": {  
"ec2:Region": "eu-west-3"  
}  
},  
"Action": "ec2:DescribeInstances",  
"Resource": "*",  
"Effect": "Allow"  
}  
]  
},  
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": [  
"ec2:DescribeInstanceAttribute",  
"ec2:StartInstances",  
"ec2:StopInstances"  
],  
"Resource": "arn:aws:ec2:eu-west-3:381492295584:instance/*",  
"Effect": "Allow"  
}  
]  
},  
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": "sns:publish",  
"Resource": "arn:aws:sns:eu-west-3:381492295584:*",  
"Effect": "Allow"  
}  
]  
},  
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": [  
"ssm:GetParameter",  
"ssm:GetParameters"  
],  
"Resource": "arn:aws:ssm:eu-west-3:381492295584:parameter/bluage/resource/scheduler/*",  
"Effect": "Allow"  
}  
]  
}
  • IAM Role Trust relationships for frugal-iam-${region}-${AccountID}-role IAM Role
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Effect": "Allow",  
"Principal": {  
"Service": "lambda.amazonaws.com"  
},  
"Action": "sts:AssumeRole"  
}  
]  
}
  • CDK code for the role used for instance-scheduler-on-landingzone-function Lambda Function
// Execution role of the instance-scheduler Lambda. Every permission is an
// inline policy, so the role carries nothing beyond what the function needs,
// and every ARN is pinned to the region/account of the stack being deployed.
const stackRegion = Stack.of(scope).region;
const stackAccount = Stack.of(scope).account;

// Builds an inline PolicyDocument holding exactly one Allow statement.
// `conditions` is only attached when the caller supplies one.
const singleStatement = (
  actions: string[],
  resources: string[],
  conditions?: { [key: string]: any },
) =>
  new iam.PolicyDocument({
    statements: [
      new iam.PolicyStatement(
        conditions === undefined
          ? { actions, resources }
          : { actions, resources, conditions },
      ),
    ],
  });

this.lambdaRole = new iam.Role(scope, "frugal-lambda-role", {
  roleName: `${id}-${stackRegion}-${stackAccount}-role`,
  assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
  inlinePolicies: {
    // DescribeInstances is not resource-scoped; the ec2:Region condition is
    // what keeps the read confined to the deploying region.
    ec2DescPolicy: singleStatement(
      [
        "ec2:DescribeInstances",
      ],
      ["*"],
      {
        StringEquals: {
          "ec2:Region": `${stackRegion}`,
        },
      },
    ),
    // Start/stop is limited to instances of this account and region.
    ec2Policy: singleStatement(
      [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:DescribeInstanceAttribute",
      ],
      [`arn:aws:ec2:${stackRegion}:${stackAccount}:instance/*`],
    ),
    // Read-only listing of Auto Scaling groups (list action, "*" required).
    asgDescPolicy: singleStatement(
      [
        "autoscaling:DescribeAutoScalingGroups",
      ],
      ["*"],
    ),
    // Suspend/resume of scaling processes on any ASG of this account/region.
    // IAM matches action names case-insensitively, so the lower-case "resume"
    // is accepted as written.
    asgPolicy: singleStatement(
      [
        "autoscaling:resumeProcesses",
        "autoscaling:SuspendProcesses",
      ],
      [`arn:aws:autoscaling:${stackRegion}:${stackAccount}:autoScalingGroup:*`],
    ),
    // Log delivery restricted to this function's own log group.
    cloudWatchPolicy: singleStatement(
      [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
      ],
      [`arn:aws:logs:${stackRegion}:${stackAccount}:log-group:/aws/lambda/${lambdaName}:*`],
    ),
    // Schedule configuration is read from parameters under the frugal prefix only.
    ssmPolicy: singleStatement(
      [
        "ssm:GetParameters",
        "ssm:GetParameter",
      ],
      [`arn:aws:ssm:${stackRegion}:${stackAccount}:parameter${FRUGAL_SCHEDULE_SSM_PREFIX}/*`],
    ),
    // Publish to any SNS topic of this account/region; narrowing this to the
    // notification topic's ARN would tighten the role further.
    snsPolicy: singleStatement(
      [
        "sns:publish",
      ],
      [`arn:aws:sns:${stackRegion}:${stackAccount}:*`],
    ),
  },
});

Role used for Blu_autoupdateAMI Lambda Function

  • IAM Policy for BluAutoupdateLT-BluAge IAM Role
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": [  
"ec2:DescribeImages",  
"ec2:DescribeLaunchTemplateVersions",  
"ec2:DescribeLaunchTemplates"  
],  
"Resource": "*",  
"Effect": "Allow",  
"Condition": {  
"StringEquals": {  
"ec2:Region": "eu-west-3"  
}  
}  
},  
{  
"Action": [  
"ec2:CreateLaunchTemplateVersion",  
"ec2:DeleteLaunchTemplateVersions",  
"ec2:ModifyLaunchTemplate"  
],  
"Resource": "arn:aws:ec2:eu-west-3:381492295584:launch-template/*",  
"Effect": "Allow"  
},  
{  
"Action": [  
"logs:CreateLogGroup",  
"logs:CreateLogStream",  
"logs:PutLogEvents"  
],  
"Resource": "arn:aws:logs:eu-west-3:381492295584:log-group:/aws/lambda/*",  
"Effect": "Allow"  
},  
{  
"Action": [  
"ssm:DescribeParameters",  
"ssm:GetParameter",  
"ssm:PutParameter"  
],  
"Resource": "arn:aws:ssm:eu-west-3:381492295584:parameter/LT/BluAge_PLZ_Dev_Env_Recipe",  
"Effect": "Allow"  
}  
]  
}
  • IAM Role Trust relationships for BluAutoupdateLT-BluAge IAM Role
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Effect": "Allow",  
"Principal": {  
"Service": "lambda.amazonaws.com"  
},  
"Action": "sts:AssumeRole"  
}  
]  
}
  • IAM Role Blu_autoupdateAMI CDK Code
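// Execution role of the Blu_autoupdateAMI Lambda (rendered as the
// "BluAutoupdateLT-BluAge" policy above). `paramARN` is defined outside this
// excerpt; in the rendered policy it resolves to the
// /LT/BluAge_PLZ_Dev_Env_Recipe parameter.
const lambdaRole = new iam.Role(this, `lambdaRole-${LandingZoneInput.LAUNCH_TEMPLATE_NAME}`, {
  assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),

  inlinePolicies: {
    lambdaPolicy: new iam.PolicyDocument({
      statements: [
        // Describe* calls are not resource-scoped; the ec2:Region condition
        // confines them to the landing-zone region.
        new iam.PolicyStatement({
          actions: [
            'ec2:DescribeImages',
            'ec2:DescribeLaunchTemplates',
            'ec2:DescribeLaunchTemplateVersions'
          ],
          resources: ['*'],
          conditions: {
            StringEquals: {
              "ec2:Region": `${LandingZoneInput.region}`
            }
          }
        }),
        // Write access to every launch template of the account/region, not
        // only LAUNCH_TEMPLATE_NAME; pinning the resource to that template's
        // ARN would be the least-privilege form.
        new iam.PolicyStatement({
          actions: [
            'ec2:ModifyLaunchTemplate',
            'ec2:CreateLaunchTemplateVersion',
            'ec2:DeleteLaunchTemplateVersions'
          ],
          resources: [`arn:aws:ec2:${LandingZoneInput.region}:${cdk.Stack.of(this).account}:launch-template/*`]
        }),
        // Log delivery to any Lambda log group of the account; the scheduler
        // role above restricts this to the function's own group.
        new iam.PolicyStatement({
          actions: [
            'logs:CreateLogGroup',
            'logs:CreateLogStream',
            'logs:PutLogEvents'
          ],
          resources: [`arn:aws:logs:${LandingZoneInput.region}:${cdk.Stack.of(this).account}:log-group:/aws/lambda/*`]
        }),
        // Read/write of the recipe parameter only. The stray ':' that
        // followed the resources array in the original did not parse.
        // NOTE(review): ssm:DescribeParameters is a list-type action that,
        // to our knowledge, is not resource-scoped; if the function relies
        // on it, it would need its own statement with resources ['*'] —
        // confirm against the SSM service authorization reference.
        new iam.PolicyStatement({
          actions: [
            'ssm:PutParameter',
            'ssm:GetParameter',
            'ssm:DescribeParameters'],
          resources: [paramARN]
        }),
      ],
    }),
  },
});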

Role used for Blu_Check_and_Modify_IMDS Lambda Function

  • IAM Policy for BluLambda-ModifyIMDS-${region} IAM Role
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": "ec2:DescribeInstances",  
"Resource": "*",  
"Effect": "Allow",  
"Condition": {  
"StringEquals": {  
"ec2:Region": "eu-west-3"  
}  
}  
},  
{  
"Action": "ec2:ModifyInstanceMetadataOptions",  
"Resource": "arn:aws:ec2:eu-west-3:381492295584:instance/*",  
"Effect": "Allow"  
},  
{  
"Action": [  
"logs:CreateLogGroup",  
"logs:CreateLogStream",  
"logs:PutLogEvents"  
],  
"Resource": "arn:aws:logs:eu-west-3:381492295584:log-group:/aws/lambda/*",  
"Effect": "Allow"  
}  
]  
}
  • IAM Role Trust relationships for BluLambda-ModifyIMDS-${region} IAM Role
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Effect": "Allow",  
"Principal": {  
"Service": "lambda.amazonaws.com"  
},  
"Action": "sts:AssumeRole"  
}  
]  
}
  • IAM Role BluLambda-ModifyIMDS-${region} CDK Code
// Create Lambda Role to Check and modify EC2 Metadata

// Builds one explicit-Allow statement; `conditions` is attached only when given.
const allowStatement = (
  actions: string[],
  resources: string[],
  conditions?: { [key: string]: any },
) =>
  new iam.PolicyStatement({
    actions,
    effect: iam.Effect.ALLOW,
    resources,
    ...(conditions !== undefined ? { conditions } : {}),
  });

// Policy of the IMDS-hardening Lambda: find instances, change their metadata
// options, and write its own logs. Nothing else is granted.
// NOTE(review): the Describe condition uses LandingZoneInput.region while the
// other ARNs use this.region; if the two ever differ, the instances that can
// be listed and the instances that can be modified are in different regions —
// confirm they are meant to be the same value.
const IMDSPolicy = new iam.PolicyDocument({
  statements: [
    // DescribeInstances is not resource-scoped; the region condition bounds it.
    allowStatement(
      ['ec2:DescribeInstances'],
      ["*"],
      {
        StringEquals: {
          "ec2:Region": `${LandingZoneInput.region}`,
        },
      },
    ),
    // Metadata-option changes on any instance of this account/region.
    allowStatement(
      ['ec2:ModifyInstanceMetadataOptions'],
      [`arn:aws:ec2:${this.region}:${this.account}:instance/*`],
    ),
    // Log delivery to any Lambda log group of the account/region.
    allowStatement(
      ['logs:CreateLogGroup', 'logs:CreateLogStream', 'logs:PutLogEvents'],
      [`arn:aws:logs:${this.region}:${this.account}:log-group:/aws/lambda/*`],
    ),
  ],
});



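// Execution role of the Blu_Check_and_Modify_IMDS Lambda. Only the Lambda
// service can assume it, and its sole permissions are the inline IMDSPolicy
// defined above. The original excerpt was missing the closing `});`.
const lambda_exec_role_imds = new iam.Role(this, 'blu_lambda_imds', {
  assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),

  inlinePolicies: {
    blu_IMDSPolicy: IMDSPolicy,
  },
  // Explicit name so the role matches the "BluLambda-ModifyIMDS-<region>"
  // policy listing above.
  roleName: `BluLambda-ModifyIMDS-${this.region}`,
});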

List of IAM Roles created by the AWS Blu Age DevOps Pipeline CDK scripts

iam-role--codebuild-app

  • iam-policy1
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": [  
"ec2:CreateNetworkInterface",  
"ec2:DeleteNetworkInterface",  
"ec2:DescribeDhcpOptions",  
"ec2:DescribeNetworkInterfaces",  
"ec2:DescribeSecurityGroups",  
"ec2:DescribeSubnets",  
"ec2:DescribeVpcs"  
],  
"Resource": "*",  
"Effect": "Allow"  
}  
]  
}
  • iam-policy-codebuild-app-codeartifact
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": "codeartifact:GetAuthorizationToken",  
"Resource": "arn:aws:codeartifact:<AWS_REGION>:<AWS_ACCOUNT_ID>:domain/<PROJECT_NAME>",  
"Effect": "Allow"  
},  
{  
"Action": [  
"codeartifact:GetRepositoryEndpoint",  
"codeartifact:ListPackages",  
"codeartifact:ReadFromRepository"  
],  
"Resource": "arn:aws:codeartifact:<AWS_REGION>:<AWS_ACCOUNT_ID>:repository/<PROJECT_NAME>/codeartifact-app",  
"Effect": "Allow"  
},  
{  
"Action": [  
"codeartifact:DeletePackage",  
"codeartifact:ListPackageVersions",  
"codeartifact:PublishPackageVersion",  
"codeartifact:PutPackageMetadata"  
],  
"Resource": "arn:aws:codeartifact:<AWS_REGION>:<AWS_ACCOUNT_ID>:package/<PROJECT_NAME>/codeartifact-app/*",  
"Effect": "Allow"  
},  
{  
"Condition": {  
"StringEquals": {  
"sts:AWSServiceName": "codeartifact.amazonaws.com"  
}  
},  
"Action": "sts:GetServiceBearerToken",  
"Resource": "*",  
"Effect": "Allow"  
}  
]  
}
  • iam-policy-codebuild-app-ec2
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": "ec2:DescribeInstances",  
"Resource": "*",  
"Effect": "Allow"  
}  
]  
}
  • iam-policy-codebuild-app-ecr
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": "ecr:GetAuthorizationToken",  
"Resource": "*",  
"Effect": "Allow"  
},  
{  
"Action": [  
"ecr:BatchGetImage",  
"ecr:GetDownloadUrlForLayer"  
],  
"Resource": "arn:aws:ecr:<AWS_REGION>:<AWS_ACCOUNT_ID>:repository/ecr-tomcat",  
"Effect": "Allow"  
},  
{  
"Action": [  
"ecr:BatchCheckLayerAvailability",  
"ecr:BatchDeleteImage",  
"ecr:CompleteLayerUpload",  
"ecr:InitiateLayerUpload",  
"ecr:ListImages",  
"ecr:PutImage",  
"ecr:UploadLayerPart"  
],  
"Resource": "arn:aws:ecr:<AWS_REGION>:<AWS_ACCOUNT_ID>:repository/ecr-app-*",  
"Effect": "Allow"  
}  
]  
}
  • iam-policy-codebuild-app-s3
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": [  
"s3:GetObject",  
"s3:PutObject"  
],  
"Resource": [  
"arn:aws:s3:::s3-<AWS_REGION>-app-pipelines-artifacts-<AWS_ACCOUNT_ID>/*",  
"arn:aws:s3:::s3-<AWS_REGION>-pipeline-archives-<AWS_ACCOUNT_ID>/*",  
"arn:aws:s3:::s3-<AWS_REGION>-<PROJECT_NAME>-velocity-<AWS_ACCOUNT_ID>/*",  
"arn:aws:s3:::s3-<AWS_REGION>-tools-<AWS_ACCOUNT_ID>/*"  
],  
"Effect": "Allow"  
},  
{  
"Action": "s3:ListBucket",  
"Resource": [  
"arn:aws:s3:::s3-<AWS_REGION>-app-pipelines-artifacts-<AWS_ACCOUNT_ID>",  
"arn:aws:s3:::s3-<AWS_REGION>-pipeline-archives-<AWS_ACCOUNT_ID>",  
"arn:aws:s3:::s3-<AWS_REGION>-<PROJECT_NAME>-velocity-<AWS_ACCOUNT_ID>",  
"arn:aws:s3:::s3-<AWS_REGION>-tools-<AWS_ACCOUNT_ID>"  
],  
"Effect": "Allow"  
}  
]  
}
  • iam-policy-codebuild-app-ssm
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": "ssm:GetParameters",  
"Resource": [  
"arn:aws:ssm:<AWS_REGION>:<AWS_ACCOUNT_ID>:parameter/app/VARIABLES",  
"arn:aws:ssm:<AWS_REGION>:<AWS_ACCOUNT_ID>:parameter/jenkins/VARIABLES",  
"arn:aws:ssm:<AWS_REGION>:<AWS_ACCOUNT_ID>:parameter/rts-manager/VARIABLES",  
"arn:aws:ssm:<AWS_REGION>:<AWS_ACCOUNT_ID>:parameter/sonarqube/VARIABLES"  
],  
"Effect": "Allow"  
}  
]  
}
  • iam-policy-codebuild-app-policy2
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Condition": {  
"StringEquals": {  
"ec2:Subnet": [  
"arn:aws:ec2:<AWS_REGION>:<AWS_ACCOUNT_ID>:subnet/<AWS_SUBNET_ID>"  
],  
"ec2:AuthorizedService": "codebuild.amazonaws.com"  
}  
},  
"Action": "ec2:CreateNetworkInterfacePermission",  
"Resource": "arn:aws:ec2:<AWS_REGION>:<AWS_ACCOUNT_ID>:network-interface/*",  
"Effect": "Allow"  
},  
{  
"Action": [  
"logs:CreateLogGroup",  
"logs:CreateLogStream",  
"logs:PutLogEvents"  
],  
"Resource": [  
"arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:log-group:/aws/codebuild/codebuild-app:*",  
"arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:log-group:/aws/codebuild/codebuild-app"  
],  
"Effect": "Allow"  
},  
{  
"Action": [  
"codebuild:BatchPutCodeCoverages",  
"codebuild:BatchPutTestCases",  
"codebuild:CreateReport",  
"codebuild:CreateReportGroup",  
"codebuild:UpdateReport"  
],  
"Resource": "arn:aws:codebuild:<AWS_REGION>:<AWS_ACCOUNT_ID>:report-group/codebuild-app-*",  
"Effect": "Allow"  
}  
]  
}

iam-role--codebuild-app-check-deployment

  • iam-policy-codebuild-app-check-deployment-cloudwatch
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": [  
"logs:DescribeLogStreams",  
"logs:FilterLogEvents"  
],  
"Resource": "*",  
"Effect": "Allow"  
}  
]  
}
  • iam-policy-codebuild-app-check-deployment-ecs
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": [  
"ecs:DescribeServices",  
"ecs:DescribeTaskDefinition",  
"ecs:DescribeTasks",  
"ecs:ListTasks"  
],  
"Resource": "*",  
"Effect": "Allow"  
}  
]  
}
  • iam-policy-codebuild-app-check-deployment-s3
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": "ssm:GetParameters",  
"Resource": "arn:aws:ssm:<AWS_REGION>:<AWS_ACCOUNT_ID>:parameter/app/VARIABLES",  
"Effect": "Allow"  
}  
]  
}
  • iam-policy-codebuild-app-check-deployment-ssm
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": "ssm:GetParameters",  
"Resource": [  
"arn:aws:ssm:<AWS_REGION>:<AWS_ACCOUNT_ID>:parameter/app/VARIABLES",  
"arn:aws:ssm:<AWS_REGION>:<AWS_ACCOUNT_ID>:parameter/jenkins/VARIABLES",  
"arn:aws:ssm:<AWS_REGION>:<AWS_ACCOUNT_ID>:parameter/rts-manager/VARIABLES",  
"arn:aws:ssm:<AWS_REGION>:<AWS_ACCOUNT_ID>:parameter/sonarqube/VARIABLES"  
],  
"Effect": "Allow"  
}  
]  
}
  • iam-policy-codebuild-app-check-deployment-policy1
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": [  
"logs:CreateLogGroup",  
"logs:CreateLogStream",  
"logs:PutLogEvents"  
],  
"Resource": [  
"arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:log-group:/aws/codebuild/codebuild-app-check-deployment:*",  
"arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:log-group:/aws/codebuild/codebuild-app-check-deployment"  
],  
"Effect": "Allow"  
},  
{  
"Action": [  
"codebuild:BatchPutCodeCoverages",  
"codebuild:BatchPutTestCases",  
"codebuild:CreateReport",  
"codebuild:CreateReportGroup",  
"codebuild:UpdateReport"  
],  
"Resource": "arn:aws:codebuild:<AWS_REGION>:<AWS_ACCOUNT_ID>:report-group/codebuild-app-check-deployment-*",  
"Effect": "Allow"  
}  
]  
}

iam-role--codebuild-docker-image-builder

  • iam-policy-codebuild-docker-image-builder-ecr
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": "ecr:GetAuthorizationToken",  
"Resource": "*",  
"Effect": "Allow"  
},  
{  
"Action": [  
"ecr:BatchCheckLayerAvailability",  
"ecr:BatchDeleteImage",  
"ecr:CompleteLayerUpload",  
"ecr:InitiateLayerUpload",  
"ecr:ListImages",  
"ecr:PutImage",  
"ecr:UploadLayerPart"  
],  
"Resource": [  
"arn:aws:ecr:<AWS_REGION>:<AWS_ACCOUNT_ID>:repository/ecr-chrome-node",  
"arn:aws:ecr:<AWS_REGION>:<AWS_ACCOUNT_ID>:repository/ecr-postgres",  
"arn:aws:ecr:<AWS_REGION>:<AWS_ACCOUNT_ID>:repository/ecr-selenium-hub",  
"arn:aws:ecr:<AWS_REGION>:<AWS_ACCOUNT_ID>:repository/ecr-sonarqube",  
"arn:aws:ecr:<AWS_REGION>:<AWS_ACCOUNT_ID>:repository/ecr-tomcat"  
],  
"Effect": "Allow"  
}  
]  
}
  • iam-policy-codebuild-docker-image-builder-s3
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": [  
"s3:GetObject",  
"s3:PutObject"  
],  
"Resource": "arn:aws:s3:::s3-<AWS_REGION>-pipeline-archives-<AWS_ACCOUNT_ID>/*",  
"Effect": "Allow"  
}  
]  
}
  • iam-policy-codebuild-docker-image-builder-ssm
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": "ssm:GetParameters",  
"Resource": [  
"arn:aws:ssm:<AWS_REGION>:<AWS_ACCOUNT_ID>:parameter/app/VARIABLES",  
"arn:aws:ssm:<AWS_REGION>:<AWS_ACCOUNT_ID>:parameter/selenium/VARIABLES",  
"arn:aws:ssm:<AWS_REGION>:<AWS_ACCOUNT_ID>:parameter/sonarqube/VARIABLES"  
],  
"Effect": "Allow"  
}  
]  
}
  • iam-policy-codebuild-docker-image-builder-policy1
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": [  
"logs:CreateLogGroup",  
"logs:CreateLogStream",  
"logs:PutLogEvents"  
],  
"Resource": [  
"arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:log-group:/aws/codebuild/codebuild-docker-image-builder:*",  
"arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:log-group:/aws/codebuild/codebuild-docker-image-builder"  
],  
"Effect": "Allow"  
},  
{  
"Action": [  
"codebuild:BatchPutCodeCoverages",  
"codebuild:BatchPutTestCases",  
"codebuild:CreateReport",  
"codebuild:CreateReportGroup",  
"codebuild:UpdateReport"  
],  
"Resource": "arn:aws:codebuild:<AWS_REGION>:<AWS_ACCOUNT_ID>:report-group/codebuild-docker-image-builder-*",  
"Effect": "Allow"  
}  
]  
}

iam-role--codebuild-jenkins

  • iam-policy-codebuild-jenkins-policy1
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": [  
"ec2:CreateNetworkInterface",  
"ec2:DeleteNetworkInterface",  
"ec2:DescribeDhcpOptions",  
"ec2:DescribeNetworkInterfaces",  
"ec2:DescribeSecurityGroups",  
"ec2:DescribeSubnets",  
"ec2:DescribeVpcs"  
],  
"Resource": "*",  
"Effect": "Allow"  
}  
]  
}
  • iam-policy-codebuild-jenkins-codepipeline
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": [  
"codepipeline:GetPipelineState",  
"codepipeline:ListPipelineExecutions"  
],  
"Resource": "*",  
"Effect": "Allow"  
}  
]  
}
  • iam-policy-codebuild-jenkins-ecs
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": "ecs:ListContainerInstances",  
"Resource": "arn:aws:ecs:<AWS_REGION>:<AWS_ACCOUNT_ID>:cluster/ecs-cluster-app-test-cases",  
"Effect": "Allow"  
},  
{  
"Action": "autoscaling:DescribeAutoScalingGroups",  
"Resource": "*",  
"Effect": "Allow"  
},  
{  
"Action": "autoscaling:UpdateAutoScalingGroup",  
"Resource": "arn:aws:autoscaling:<AWS_REGION>:<AWS_ACCOUNT_ID>:autoScalingGroup:*:autoScalingGroupName/ec2-asg-app-test-cases",  
"Effect": "Allow"  
}  
]  
}
  • iam-policy-codebuild-jenkins-s3
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": [  
"s3:GetObject",  
"s3:PutObject"  
],  
"Resource": [  
"arn:aws:s3:::s3-<AWS_REGION>-pipeline-archives-<AWS_ACCOUNT_ID>/*",  
"arn:aws:s3:::s3-<AWS_REGION>-tools-<AWS_ACCOUNT_ID>/*"  
],  
"Effect": "Allow"  
}  
]  
}
  • iam-policy-codebuild-jenkins-ssm
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": [  
"ssm:GetParameter",  
"ssm:GetParameters",  
"ssm:PutParameter"  
],  
"Resource": [  
"arn:aws:ssm:<AWS_REGION>:<AWS_ACCOUNT_ID>:parameter/app/VARIABLES",  
"arn:aws:ssm:<AWS_REGION>:<AWS_ACCOUNT_ID>:parameter/jenkins/VARIABLES"  
],  
"Effect": "Allow"  
}  
]  
}
  • iam-policy-codebuild-jenkins-policy2
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Condition": {  
"StringEquals": {  
"ec2:Subnet": [  
"arn:aws:ec2:<AWS_REGION>:<AWS_ACCOUNT_ID>:subnet/<SUBNET_ID>"  
],  
"ec2:AuthorizedService": "codebuild.amazonaws.com"  
}  
},  
"Action": "ec2:CreateNetworkInterfacePermission",  
"Resource": "arn:aws:ec2:<AWS_REGION>:<AWS_ACCOUNT_ID>:network-interface/*",  
"Effect": "Allow"  
},  
{  
"Action": [  
"logs:CreateLogGroup",  
"logs:CreateLogStream",  
"logs:PutLogEvents"  
],  
"Resource": [  
"arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:log-group:/aws/codebuild/codebuild-jenkins:*",  
"arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:log-group:/aws/codebuild/codebuild-jenkins"  
],  
"Effect": "Allow"  
},  
{  
"Action": [  
"codebuild:BatchPutCodeCoverages",  
"codebuild:BatchPutTestCases",  
"codebuild:CreateReport",  
"codebuild:CreateReportGroup",  
"codebuild:UpdateReport"  
],  
"Resource": "arn:aws:codebuild:<AWS_REGION>:<AWS_ACCOUNT_ID>:report-group/codebuild-jenkins-*",  
"Effect": "Allow"  
}  
]  
}

iam-role--codebuild-jenkins-pre-build

  • iam-policy-codebuild-jenkins-pre-build-acm
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": "acm:ExportCertificate",  
"Resource": "arn:aws:acm:<AWS_REGION>:<AWS_ACCOUNT_ID>:certificate/*",  
"Effect": "Allow"  
}  
]  
}
  • iam-policy-codebuild-jenkins-pre-build-ecr
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": [  
"ecr:BatchCheckLayerAvailability",  
"ecr:BatchDeleteImage",  
"ecr:BatchGetImage",  
"ecr:CompleteLayerUpload",  
"ecr:GetAuthorizationToken",  
"ecr:GetDownloadUrlForLayer",  
"ecr:InitiateLayerUpload",  
"ecr:ListImages",  
"ecr:PutImage",  
"ecr:UploadLayerPart"  
],  
"Resource": "*",  
"Effect": "Allow"  
}  
]  
}
  • iam-policy-codebuild-jenkins-pre-build-ecs
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": [  
"ecs:DescribeTaskDefinition",  
"ecs:RegisterTaskDefinition"  
],  
"Resource": "*",  
"Effect": "Allow"  
},  
{  
"Action": "iam:PassRole",  
"Resource": [  
"arn:aws:iam::<AWS_ACCOUNT_ID>:role/iam-role-<AWS_REGION>-ecs-task-execution",  
"arn:aws:iam::<AWS_ACCOUNT_ID>:role/iam-role-<AWS_REGION>-ecs-task-jenkins-node"  
],  
"Effect": "Allow"  
}  
]  
}
  • iam-policy-codebuild-jenkins-pre-build-s3
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": [  
"s3:GetObject",  
"s3:PutObject"  
],  
"Resource": [  
"arn:aws:s3:::s3-<AWS_REGION>-pipeline-archives-<AWS_ACCOUNT_ID>/*",  
"arn:aws:s3:::s3-<AWS_REGION>-tools-<AWS_ACCOUNT_ID>/*"  
],  
"Effect": "Allow"  
}  
]  
}
  • iam-policy-codebuild-jenkins-pre-build-ssm
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": "ssm:GetParameters",  
"Resource": [  
"arn:aws:ssm:<AWS_REGION>:<AWS_ACCOUNT_ID>:parameter/app/VARIABLES",  
"arn:aws:ssm:<AWS_REGION>:<AWS_ACCOUNT_ID>:parameter/jenkins/VARIABLES"  
],  
"Effect": "Allow"  
},  
{  
"Action": "ssm:GetParameter",  
"Resource": "arn:aws:ssm:<AWS_REGION>:<AWS_ACCOUNT_ID>:parameter/bluage/resource/certificate/arn",  
"Effect": "Allow"  
}  
]  
}
  • iam-policy-codebuild-jenkins-pre-build-policy1
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": [  
"logs:CreateLogGroup",  
"logs:CreateLogStream",  
"logs:PutLogEvents"  
],  
"Resource": [  
"arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:log-group:/aws/codebuild/codebuild-jenkins-pre-build:*",  
"arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:log-group:/aws/codebuild/codebuild-jenkins-pre-build"  
],  
"Effect": "Allow"  
},  
{  
"Action": [  
"codebuild:BatchPutCodeCoverages",  
"codebuild:BatchPutTestCases",  
"codebuild:CreateReport",  
"codebuild:CreateReportGroup",  
"codebuild:UpdateReport"  
],  
"Resource": "arn:aws:codebuild:<AWS_REGION>:<AWS_ACCOUNT_ID>:report-group/codebuild-jenkins-pre-build-*",  
"Effect": "Allow"  
}  
]  
}

iam-role--codedeploy-dg-jenkins

  • AWSCodeDeployRole
  • iam-policy-codedeploy-dg-jenkins-ec2
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": [  
"ec2:DescribeInstanceStatus",  
"ec2:DescribeInstances",  
"sts:AssumeRole"  
],  
"Resource": "*",  
"Effect": "Allow"  
}  
]  
}

iam-role--codepipeline-app

  • iam-policy-codepipeline-app-policy1
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": [  
"s3:Abort*",  
"s3:DeleteObject*",  
"s3:GetBucket*",  
"s3:GetObject*",  
"s3:List*",  
"s3:PutObject",  
"s3:PutObjectLegalHold",  
"s3:PutObjectRetention",  
"s3:PutObjectTagging",  
"s3:PutObjectVersionTagging"  
],  
"Resource": [  
"arn:aws:s3:::s3-<AWS_REGION>-pipeline-archives-<AWS_ACCOUNT_ID>",  
"arn:aws:s3:::s3-<AWS_REGION>-pipeline-archives-<AWS_ACCOUNT_ID>/*"  
],  
"Effect": "Allow"  
},  
{  
"Action": "sts:AssumeRole",  
"Resource": [  
"arn:aws:iam::<AWS_ACCOUNT_ID>:role/BuildingPipelineCodepipel-codepipelineappintAppDepl-<ID>",  
"arn:aws:iam::<AWS_ACCOUNT_ID>:role/BuildingPipelineCodepipel-codepipelineappintAppDepl-<ID>",  
"arn:aws:iam::<AWS_ACCOUNT_ID>:role/BuildingPipelineCodepipel-codepipelineappintBuildco-<ID>",  
"arn:aws:iam::<AWS_ACCOUNT_ID>:role/BuildingPipelineCodepipel-codepipelineappintSourceg-<ID>",  
"arn:aws:iam::<AWS_ACCOUNT_ID>:role/BuildingPipelineCodepipel-codepipelineappintSourceg-<ID>",  
"arn:aws:iam::<AWS_ACCOUNT_ID>:role/BuildingPipelineCodepipel-codepipelineappintSourceg-<ID>",  
"arn:aws:iam::<AWS_ACCOUNT_ID>:role/BuildingPipelineCodepipel-codepipelineappuatAppDepl-<ID>",  
"arn:aws:iam::<AWS_ACCOUNT_ID>:role/BuildingPipelineCodepipel-codepipelineappuatAppDepl-<ID>",  
"arn:aws:iam::<AWS_ACCOUNT_ID>:role/BuildingPipelineCodepipel-codepipelineappuatBuildco-<ID>",  
"arn:aws:iam::<AWS_ACCOUNT_ID>:role/BuildingPipelineCodepipel-codepipelineappuatSourceg-<ID>",  
"arn:aws:iam::<AWS_ACCOUNT_ID>:role/BuildingPipelineCodepipel-codepipelineappuatSourceg-<ID>",  
"arn:aws:iam::<AWS_ACCOUNT_ID>:role/BuildingPipelineCodepipel-codepipelineappuatSourceg-<ID>"  
],  
"Effect": "Allow"  
}  
]  
}

iam-role--codepipeline-docker-image-builder

  • iam-policy-codepipeline-docker-image-builder-policy1
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": [  
"s3:Abort*",  
"s3:DeleteObject*",  
"s3:GetBucket*",  
"s3:GetObject*",  
"s3:List*",  
"s3:PutObject",  
"s3:PutObjectLegalHold",  
"s3:PutObjectRetention",  
"s3:PutObjectTagging",  
"s3:PutObjectVersionTagging"  
],  
"Resource": [  
"arn:aws:s3:::s3-<AWS_REGION>-pipeline-archives-<AWS_ACCOUNT_ID>",  
"arn:aws:s3:::s3-<AWS_REGION>-pipeline-archives-<AWS_ACCOUNT_ID>/*"  
],  
"Effect": "Allow"  
},  
{  
"Action": "sts:AssumeRole",  
"Resource": [  
"arn:aws:iam::<AWS_ACCOUNT_ID>:role/AccountInitializationCode-codepipelinedockerimagebu-<ID>",  
"arn:aws:iam::<AWS_ACCOUNT_ID>:role/AccountInitializationCode-codepipelinedockerimagebu-<ID>"  
],  
"Effect": "Allow"  
}  
]  
}

iam-role--codepipeline-jenkins

  • iam-policy-codepipeline-jenkins-policy1
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": [  
"s3:Abort*",  
"s3:DeleteObject*",  
"s3:GetBucket*",  
"s3:GetObject*",  
"s3:List*",  
"s3:PutObject",  
"s3:PutObjectLegalHold",  
"s3:PutObjectRetention",  
"s3:PutObjectTagging",  
"s3:PutObjectVersionTagging"  
],  
"Resource": [  
"arn:aws:s3:::s3-<AWS_REGION>-pipeline-archives-<AWS_ACCOUNT_ID>",  
"arn:aws:s3:::s3-<AWS_REGION>-pipeline-archives-<AWS_ACCOUNT_ID>/*"  
],  
"Effect": "Allow"  
},  
{  
"Action": "sts:AssumeRole",  
"Resource": [  
"arn:aws:iam::<AWS_ACCOUNT_ID>:role/TestingPipelineCodepipeli-codepipelinejenkinsBuildc-<ID>",  
"arn:aws:iam::<AWS_ACCOUNT_ID>:role/TestingPipelineCodepipeli-codepipelinejenkinsDeploy-<ID>",  
"arn:aws:iam::<AWS_ACCOUNT_ID>:role/TestingPipelineCodepipeli-codepipelinejenkinsPreBui-<ID>",  
"arn:aws:iam::<AWS_ACCOUNT_ID>:role/TestingPipelineCodepipeli-codepipelinejenkinsSource-<ID>",  
"arn:aws:iam::<AWS_ACCOUNT_ID>:role/TestingPipelineCodepipeli-codepipelinejenkinsSource-<ID>"  
],  
"Effect": "Allow"  
}  
]  
}

iam-role--dlm-gitlab

  • AWSDataLifecycleManagerServiceRole

iam-role--ec2-app

  • AmazonSSMManagedInstanceCore
  • iam-policy-ec2-app-policy1
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": [  
"ecs:DeregisterContainerInstance",  
"ecs:RegisterContainerInstance",  
"ecs:Submit*"  
],  
"Resource": [  
"arn:aws:ecs:<AWS_REGION>:<AWS_ACCOUNT_ID>:cluster/ecs-cluster-app-int",  
"arn:aws:ecs:<AWS_REGION>:<AWS_ACCOUNT_ID>:cluster/ecs-cluster-app-uat"  
],  
"Effect": "Allow"  
},  
{  
"Condition": {  
"ArnEquals": {  
"ecs:cluster": "arn:aws:ecs:<AWS_REGION>:<AWS_ACCOUNT_ID>:cluster/ecs-cluster-app-int"  
}  
},  
"Action": [  
"ecs:Poll",  
"ecs:StartTelemetrySession"  
],  
"Resource": "*",  
"Effect": "Allow"  
},  
{  
"Action": [  
"ecr:GetAuthorizationToken",  
"ecs:DiscoverPollEndpoint",  
"logs:CreateLogStream",  
"logs:PutLogEvents"  
],  
"Resource": "*",  
"Effect": "Allow"  
},  
{  
"Condition": {  
"ArnEquals": {  
"ecs:cluster": "arn:aws:ecs:<AWS_REGION>:<AWS_ACCOUNT_ID>:cluster/ecs-cluster-app-uat"  
}  
},  
"Action": [  
"ecs:Poll",  
"ecs:StartTelemetrySession"  
],  
"Resource": "*",  
"Effect": "Allow"  
}  
]  
}

iam-role--ec2-chrome-node

  • AmazonSSMManagedInstanceCore
  • iam-policy-ec2-chrome-node-policy1
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": [  
"ecs:DeregisterContainerInstance",  
"ecs:RegisterContainerInstance",  
"ecs:Submit*"  
],  
"Resource": "arn:aws:ecs:<AWS_REGION>:<AWS_ACCOUNT_ID>:cluster/ecs-cluster-chrome-nodes",  
"Effect": "Allow"  
},  
{  
"Condition": {  
"ArnEquals": {  
"ecs:cluster": "arn:aws:ecs:<AWS_REGION>:<AWS_ACCOUNT_ID>:cluster/ecs-cluster-chrome-nodes"  
}  
},  
"Action": [  
"ecs:Poll",  
"ecs:StartTelemetrySession"  
],  
"Resource": "*",  
"Effect": "Allow"  
},  
{  
"Action": [  
"ecr:GetAuthorizationToken",  
"ecs:DiscoverPollEndpoint",  
"logs:CreateLogStream",  
"logs:PutLogEvents"  
],  
"Resource": "*",  
"Effect": "Allow"  
}  
]  
}

iam-role--ec2-devops-linux

  • AmazonSSMManagedInstanceCore

iam-role--ec2-efs-test-cases

  • AmazonSSMManagedInstanceCore

iam-role--ec2-gitlab

  • AmazonSSMManagedInstanceCore
  • iam-policy-ec2-gitlab-policy1
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": [  
"ecs:DeregisterContainerInstance",  
"ecs:RegisterContainerInstance",  
"ecs:Submit*"  
],  
"Resource": "arn:aws:ecs:<AWS_REGION>:<AWS_ACCOUNT_ID>:cluster/ecs-cluster-gitlab",  
"Effect": "Allow"  
},  
{  
"Condition": {  
"ArnEquals": {  
"ecs:cluster": "arn:aws:ecs:<AWS_REGION>:<AWS_ACCOUNT_ID>:cluster/ecs-cluster-gitlab"  
}  
},  
"Action": [  
"ecs:Poll",  
"ecs:StartTelemetrySession"  
],  
"Resource": "*",  
"Effect": "Allow"  
},  
{  
"Action": [  
"ecr:GetAuthorizationToken",  
"ecs:DiscoverPollEndpoint",  
"logs:CreateLogStream",  
"logs:PutLogEvents"  
],  
"Resource": "*",  
"Effect": "Allow"  
}  
]  
}

iam-role--ec2-jenkins

  • AmazonSSMManagedInstanceCore
  • iam-policy-ec2-jenkins-codedeploy
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": [  
"codedeploy-commands-secure:GetDeploymentSpecification",  
"codedeploy-commands-secure:PollHostCommand",  
"codedeploy-commands-secure:PutHostCommandAcknowledgement",  
"codedeploy-commands-secure:PutHostCommandComplete"  
],  
"Resource": "*",  
"Effect": "Allow"  
}  
]  
}
  • iam-policy-ec2-jenkins-ecr
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": [  
"ecr:BatchGetImage",  
"ecr:GetAuthorizationToken",  
"ecr:GetDownloadUrlForLayer"  
],  
"Resource": "*",  
"Effect": "Allow"  
}  
]  
}
  • iam-policy-ec2-jenkins-ecs
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": [  
"ecs:DeregisterTaskDefinition",  
"ecs:DescribeContainerInstances",  
"ecs:DescribeTaskDefinition",  
"ecs:ListClusters",  
"ecs:ListTagsForResource",  
"ecs:ListTaskDefinitions",  
"ecs:RegisterTaskDefinition",  
"ecs:TagResource"  
],  
"Resource": "*",  
"Effect": "Allow"  
},  
{  
"Action": "ecs:RunTask",  
"Resource": "arn:aws:ecs:<AWS_REGION>:<AWS_ACCOUNT_ID>:task-definition/ecs-task-jenkins-node:*",  
"Effect": "Allow"  
},  
{  
"Action": [  
"ecs:DescribeTasks",  
"ecs:stopTask"  
],  
"Resource": "arn:aws:ecs:<AWS_REGION>:<AWS_ACCOUNT_ID>:task/ecs-cluster-jenkins-nodes/*",  
"Effect": "Allow"  
},  
{  
"Action": [  
"ecs:DescribeClusters",  
"ecs:ListContainerInstances"  
],  
"Resource": "arn:aws:ecs:<AWS_REGION>:<AWS_ACCOUNT_ID>:cluster/ecs-cluster-jenkins-nodes",  
"Effect": "Allow"  
},  
{  
"Action": [  
"elasticfilesystem:DescribeAccessPoints",  
"elasticfilesystem:DescribeFileSystems"  
],  
"Resource": "arn:aws:elasticfilesystem:<AWS_REGION>:<AWS_ACCOUNT_ID>:file-system/*",  
"Effect": "Allow"  
},  
{  
"Action": "iam:PassRole",  
"Resource": "arn:aws:iam::<AWS_ACCOUNT_ID>:role/iam-role-<AWS_REGION>-ecs-task-execution",  
"Effect": "Allow"  
}  
]  
}

  • iam-policy-ec2-jenkins-s3


{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": [  
"s3:GetObject",  
"s3:GetObjectVersion"  
],  
"Resource": [  
"arn:aws:s3:::s3-<AWS_REGION>-pipeline-archives-<AWS_ACCOUNT_ID>",  
"arn:aws:s3:::s3-<AWS_REGION>-pipeline-archives-<AWS_ACCOUNT_ID>/*"  
],  
"Effect": "Allow"  
},  
{  
"Action": "s3:GetObject",  
"Resource": "arn:aws:s3:::aws-codedeploy-<AWS_REGION>/*",  
"Effect": "Allow"  
}  
]  
}
  • iam-policy-ec2-jenkins-ssm
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": "ssm:GetParameter",  
"Resource": [  
"arn:aws:ssm:<AWS_REGION>:<AWS_ACCOUNT_ID>:parameter/app/VARIABLES",  
"arn:aws:ssm:<AWS_REGION>:<AWS_ACCOUNT_ID>:parameter/jenkins/VARIABLES"  
],  
"Effect": "Allow"  
}  
]  
}

iam-role--ec2-jenkins-node

  • AmazonSSMManagedInstanceCore
  • iam-policy-ec2-jenkins-node-policy1
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": [  
"ecs:DeregisterContainerInstance",  
"ecs:RegisterContainerInstance",  
"ecs:Submit*"  
],  
"Resource": "arn:aws:ecs:<AWS_REGION>:<AWS_ACCOUNT_ID>:cluster/ecs-cluster-jenkins-nodes",  
"Effect": "Allow"  
},  
{  
"Condition": {  
"ArnEquals": {  
"ecs:cluster": "arn:aws:ecs:<AWS_REGION>:<AWS_ACCOUNT_ID>:cluster/ecs-cluster-jenkins-nodes"  
}  
},  
"Action": [  
"ecs:Poll",  
"ecs:StartTelemetrySession"  
],  
"Resource": "*",  
"Effect": "Allow"  
},  
{  
"Action": [  
"ecr:GetAuthorizationToken",  
"ecs:DiscoverPollEndpoint",  
"logs:CreateLogStream",  
"logs:PutLogEvents"  
],  
"Resource": "*",  
"Effect": "Allow"  
}  
]  
}
  • iam-policy-ec2-jenkins-node-acm — review note: acm:ExportCertificate returns the certificate's private key, and certificate/* lets this instance role export every exportable certificate in the region. Scope the Resource to the ARN of the one certificate the Jenkins node actually needs (the SDE already stores a certificate ARN in the SSM parameter /bluage/resource/certificate/arn read by lambda-gitlab-setup; if that is the same certificate, use it here too).
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": "acm:ExportCertificate",  
"Resource": "arn:aws:acm:<AWS_REGION>:<AWS_ACCOUNT_ID>:certificate/*",  
"Effect": "Allow"  
}  
]  
}

iam-role--ec2-selenium

  • AmazonSSMManagedInstanceCore
  • iam-policy-ec2-selenium-policy1
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": [  
"ecs:DeregisterContainerInstance",  
"ecs:RegisterContainerInstance",  
"ecs:Submit*"  
],  
"Resource": "arn:aws:ecs:<AWS_REGION>:<AWS_ACCOUNT_ID>:cluster/ecs-cluster-selenium",  
"Effect": "Allow"  
},  
{  
"Condition": {  
"ArnEquals": {  
"ecs:cluster": "arn:aws:ecs:<AWS_REGION>:<AWS_ACCOUNT_ID>:cluster/ecs-cluster-selenium"  
}  
},  
"Action": [  
"ecs:Poll",  
"ecs:StartTelemetrySession"  
],  
"Resource": "*",  
"Effect": "Allow"  
},  
{  
"Action": [  
"ecr:GetAuthorizationToken",  
"ecs:DiscoverPollEndpoint",  
"logs:CreateLogStream",  
"logs:PutLogEvents"  
],  
"Resource": "*",  
"Effect": "Allow"  
}  
]  
}

iam-role--ec2-sonarqube

  • AmazonSSMManagedInstanceCore
  • iam-policy-ec2-sonarqube-policy1
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": [  
"ecs:DeregisterContainerInstance",  
"ecs:RegisterContainerInstance",  
"ecs:Submit*"  
],  
"Resource": "arn:aws:ecs:<AWS_REGION>:<AWS_ACCOUNT_ID>:cluster/ecs-cluster-sonarqube",  
"Effect": "Allow"  
},  
{  
"Condition": {  
"ArnEquals": {  
"ecs:cluster": "arn:aws:ecs:<AWS_REGION>:<AWS_ACCOUNT_ID>:cluster/ecs-cluster-sonarqube"  
}  
},  
"Action": [  
"ecs:Poll",  
"ecs:StartTelemetrySession"  
],  
"Resource": "*",  
"Effect": "Allow"  
},  
{  
"Action": [  
"ecr:GetAuthorizationToken",  
"ecs:DiscoverPollEndpoint",  
"logs:CreateLogStream",  
"logs:PutLogEvents"  
],  
"Resource": "*",  
"Effect": "Allow"  
}  
]  
}

iam-role--ec2-test-cases

  • AmazonSSMManagedInstanceCore
  • iam-policy-ec2-test-cases-policy1
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": [  
"ecs:DeregisterContainerInstance",  
"ecs:RegisterContainerInstance",  
"ecs:Submit*"  
],  
"Resource": "arn:aws:ecs:<AWS_REGION>:<AWS_ACCOUNT_ID>:cluster/ecs-cluster-app-test-cases",  
"Effect": "Allow"  
},  
{  
"Condition": {  
"ArnEquals": {  
"ecs:cluster": "arn:aws:ecs:<AWS_REGION>:<AWS_ACCOUNT_ID>:cluster/ecs-cluster-app-test-cases"  
}  
},  
"Action": [  
"ecs:Poll",  
"ecs:StartTelemetrySession"  
],  
"Resource": "*",  
"Effect": "Allow"  
},  
{  
"Action": [  
"ecr:GetAuthorizationToken",  
"ecs:DiscoverPollEndpoint",  
"logs:CreateLogStream",  
"logs:PutLogEvents"  
],  
"Resource": "*",  
"Effect": "Allow"  
}  
]  
}
  • iam-policy-ec2-test-cases-s3
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": [  
"s3:GetObject",  
"s3:PutObject"  
],  
"Resource": [  
"arn:aws:s3:::s3-<AWS_REGION>-app-test-cases-<AWS_ACCOUNT_ID>",  
"arn:aws:s3:::s3-<AWS_REGION>-app-test-cases-<AWS_ACCOUNT_ID>/*"  
],  
"Effect": "Allow"  
}  
]  
}
  • iam-policy-ec2-test-cases-ssm — review note: ssm:GetParameter on parameter/* exposes every parameter in the region to the test-case instances (iam-policy-ec2-jenkins-ssm, by contrast, names the two parameters it needs). List the parameter paths the test-case instances actually read.
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": "ssm:GetParameter",  
"Resource": "arn:aws:ssm:<AWS_REGION>:<AWS_ACCOUNT_ID>:parameter/*",  
"Effect": "Allow"  
}  
]  
}

iam-role--ecs-task-app

  • iam-policy-ecs-task-app-sqs — review note: Resource "*" lets the application task send to and receive from every SQS queue in the account. List the ARNs of the queues the application uses, as the other task policies on this page do for their resources.
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": [  
"sqs:GetQueueUrl",  
"sqs:ReceiveMessage",  
"sqs:SendMessage"  
],  
"Resource": "*",  
"Effect": "Allow"  
}  
]  
}

iam-role--ecs-task-chrome-node

  • AWSOpsWorksCloudWatchLogs

    iam-role--ecs-task-execution

  • AWSOpsWorksCloudWatchLogs
  • iam-policy-ecs-task-execution-policy1
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": [  
"logs:CreateLogStream",  
"logs:PutLogEvents"  
],  
"Resource": "arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:log-group:/ecs/gitlab:*",  
"Effect": "Allow"  
},  
{  
"Action": [  
"secretsmanager:DescribeSecret",  
"secretsmanager:GetSecretValue"  
],  
"Resource": "arn:aws:secretsmanager:<AWS_REGION>:<AWS_ACCOUNT_ID>:secret:/gitlab/root-<ID>",  
"Effect": "Allow"  
}  
]  
}
  • iam-policy-ecs-task-execution-ecr — review note: ecr:CreateRepository and ecr:BatchImportUpstreamImage are write permissions that are unusual on a task execution role; they look like pull-through-cache support, in which case they should be limited to the cache prefix (Resource arn:aws:ecr:<AWS_REGION>:<AWS_ACCOUNT_ID>:repository/<cache-prefix>/*) rather than "*". If pull-through cache is not used, drop both actions. Of the actions listed, only ecr:GetAuthorizationToken requires Resource "*".
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": [  
"ecr:BatchCheckLayerAvailability",  
"ecr:BatchGetImage",  
"ecr:BatchImportUpstreamImage",  
"ecr:CreateRepository",  
"ecr:GetAuthorizationToken",  
"ecr:GetDownloadUrlForLayer"  
],  
"Resource": "*",  
"Effect": "Allow"  
}  
]  
}
  • iam-policy-ecs-task-execution-policy2
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": [  
"logs:CreateLogStream",  
"logs:PutLogEvents"  
],  
"Resource": [  
"arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:log-group:/ecs/app-int:*",  
"arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:log-group:/ecs/app-uat:*",  
"arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:log-group:/ecs/sonarqube:*",  
"arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:log-group:/ecs/sonarqube-postgres:*"  
],  
"Effect": "Allow"  
}  
]  
}
  • iam-policy-ecs-task-execution-policy3
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": [  
"logs:CreateLogStream",  
"logs:PutLogEvents"  
],  
"Resource": [  
"arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:log-group:/ecs/chrome-node:*",  
"arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:log-group:/ecs/jenkins-node:*",  
"arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:log-group:/ecs/selenium-hub:*"  
],  
"Effect": "Allow"  
}  
]  
}

iam-role--ecs-task-gitlab

iam-role--ecs-task-jenkins-node

  • AWSOpsWorksCloudWatchLogs
  • iam-policy-ecs-task-jenkins-node-cognito
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": "cognito-idp:ListUserPools",  
"Resource": "*",  
"Effect": "Allow"  
},  
{  
"Action": "cognito-idp:ListUserPoolClients",  
"Resource": "arn:aws:cognito-idp:<AWS_REGION>:<AWS_ACCOUNT_ID>:userpool/*",  
"Effect": "Allow"  
}  
]  
}
  • iam-policy-ecs-task-jenkins-node-ecr
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": "ecr:DescribeImages",  
"Resource": "arn:aws:ecr:<AWS_REGION>:<AWS_ACCOUNT_ID>:repository/ecr-app-*",  
"Effect": "Allow"  
}  
]  
}
  • iam-policy-ecs-task-jenkins-node-ecs
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": [  
"ec2:DescribeNetworkInterfaces",  
"ecs:ListTasks"  
],  
"Resource": "*",  
"Effect": "Allow"  
},  
{  
"Action": "ecs:RunTask",  
"Resource": "arn:aws:ecs:<AWS_REGION>:<AWS_ACCOUNT_ID>:task-definition/ecs-task-app-*",  
"Effect": "Allow"  
},  
{  
"Action": [  
"ecs:DescribeTasks",  
"ecs:StopTask"  
],  
"Resource": [  
"arn:aws:ecs:<AWS_REGION>:<AWS_ACCOUNT_ID>:task/ecs-cluster-app-*/*",  
"arn:aws:ecs:<AWS_REGION>:<AWS_ACCOUNT_ID>:task/ecs-cluster-app-test-cases/*"  
],  
"Effect": "Allow"  
},  
{  
"Action": "iam:PassRole",  
"Resource": "arn:aws:iam::<AWS_ACCOUNT_ID>:role/iam-role-<AWS_REGION>-ecs-task-execution",  
"Effect": "Allow"  
}  
]  
}
  • iam-policy-ecs-task-jenkins-node-lambda
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": "lambda:InvokeFunction",  
"Resource": "arn:aws:lambda:<AWS_REGION>:<AWS_ACCOUNT_ID>:function:lambda-jenkins-job-finalizer",  
"Effect": "Allow"  
}  
]  
}
  • iam-policy-ecs-task-jenkins-node-s3
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": [  
"s3:DeleteObject",  
"s3:GetObject",  
"s3:ListBucket",  
"s3:PutObject"  
],  
"Resource": [  
"arn:aws:s3:::s3-<AWS_REGION>-app-pipelines-artifacts-<AWS_ACCOUNT_ID>",  
"arn:aws:s3:::s3-<AWS_REGION>-app-pipelines-artifacts-<AWS_ACCOUNT_ID>/*",  
"arn:aws:s3:::s3-<AWS_REGION>-app-test-cases-<AWS_ACCOUNT_ID>",  
"arn:aws:s3:::s3-<AWS_REGION>-app-test-cases-<AWS_ACCOUNT_ID>/*",  
"arn:aws:s3:::s3-<AWS_REGION>-tools-<AWS_ACCOUNT_ID>",  
"arn:aws:s3:::s3-<AWS_REGION>-tools-<AWS_ACCOUNT_ID>/*"  
],  
"Effect": "Allow"  
}  
]  
}
  • iam-policy-ecs-task-jenkins-node-secretsmanager
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": "secretsmanager:GetSecretValue",  
"Resource": [  
"arn:aws:secretsmanager:<AWS_REGION>:<AWS_ACCOUNT_ID>:secret:/gitlab/gitlabAgent*",  
"arn:aws:secretsmanager:<AWS_REGION>:<AWS_ACCOUNT_ID>:secret:rts/user/devops-*"  
],  
"Effect": "Allow"  
}  
]  
}
  • iam-policy-ecs-task-jenkins-node-ssm — review note: the second statement allows ssm:SendCommand with the AWS-RunShellScript document against instance/*, i.e. arbitrary shell execution (by default as root, through the SSM agent) on every SSM-managed instance in the account — including the Jenkins, GitLab and SonarQube hosts whose own roles this page scopes tightly. Constrain the instance resource with a condition such as "ssm:resourceTag/<Tag>" to the instances the pipeline must manage. ssm:GetCommandInvocation is also granted twice (first and third statements); check its resource support in the Service Authorization Reference — the parameter/*-scoped copy is unlikely to be effective.
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": [  
"ssm:GetCommandInvocation",  
"ssm:GetParameter"  
],  
"Resource": "arn:aws:ssm:<AWS_REGION>:<AWS_ACCOUNT_ID>:parameter/*",  
"Effect": "Allow"  
},  
{  
"Action": "ssm:SendCommand",  
"Resource": [  
"arn:aws:ec2:<AWS_REGION>:<AWS_ACCOUNT_ID>:instance/*",  
"arn:aws:ssm:<AWS_REGION>::document/AWS-RunShellScript"  
],  
"Effect": "Allow"  
},  
{  
"Action": "ssm:GetCommandInvocation",  
"Resource": "arn:aws:ssm:<AWS_REGION>:<AWS_ACCOUNT_ID>:*",  
"Effect": "Allow"  
}  
]  
}

iam-role--ecs-task-selenium

  • AWSOpsWorksCloudWatchLogs

    iam-role--ecs-task-sonarqube

    iam-role--events-schedule-codepipeline-jenkins

  • iam-policy-events-schedule-codepipeline-jenkins-policy1
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": "codepipeline:StartPipelineExecution",  
"Resource": "arn:aws:codepipeline:<AWS_REGION>:<AWS_ACCOUNT_ID>:codepipeline-jenkins",  
"Effect": "Allow"  
}  
]  
}

iam-role--lambda-gitlab-setup

  • iam-policy-lambda-gitlab-setup-acm — review note: acm:ExportCertificate returns the private key, and certificate/* allows exporting every exportable certificate in the region. This Lambda reads the exact certificate ARN from the SSM parameter /bluage/resource/certificate/arn (see iam-policy-lambda-gitlab-setup-ssm), so the Resource can be set to that single certificate at deploy time.
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": "acm:ExportCertificate",  
"Resource": "arn:aws:acm:<AWS_REGION>:<AWS_ACCOUNT_ID>:certificate/*",  
"Effect": "Allow"  
}  
]  
}
  • iam-policy-lambda-gitlab-setup-cloudwatch
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": [  
"logs:CreateLogGroup",  
"logs:CreateLogStream",  
"logs:PutLogEvents"  
],  
"Resource": "*",  
"Effect": "Allow"  
}  
]  
}
  • iam-policy-lambda-gitlab-setup-ec2
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": "ec2:DescribeNetworkInterfaces",  
"Resource": "*",  
"Effect": "Allow"  
},  
{  
"Action": [  
"ec2:CreateNetworkInterface",  
"ec2:DeleteNetworkInterface"  
],  
"Resource": "arn:aws:ec2:<AWS_REGION>:<AWS_ACCOUNT_ID>:*",  
"Effect": "Allow"  
}  
]  
}
  • iam-policy-lambda-gitlab-setup-s3
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": "s3:GetObject",  
"Resource": "arn:aws:s3:::s3-<AWS_REGION>-tools-<AWS_ACCOUNT_ID>/*",  
"Effect": "Allow"  
}  
]  
}
  • iam-policy-lambda-gitlab-setup-secretsmanager
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": "secretsmanager:GetSecretValue",  
"Resource": [  
"arn:aws:secretsmanager:<AWS_REGION>:<AWS_ACCOUNT_ID>:secret:/gitlab/gitlabAgent*",  
"arn:aws:secretsmanager:<AWS_REGION>:<AWS_ACCOUNT_ID>:secret:/gitlab/root*"  
],  
"Effect": "Allow"  
}  
]  
}
  • iam-policy-lambda-gitlab-setup-ssm
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": [  
"ssm:DescribeParameters",  
"ssm:GetParameter"  
],  
"Resource": "arn:aws:ssm:<AWS_REGION>:<AWS_ACCOUNT_ID>:parameter/bluage/resource/certificate/arn",  
"Effect": "Allow"  
}  
]  
}

iam-role--lambda-jenkins-job-finalizer

  • AWSOpsWorksCloudWatchLogs
  • iam-policy-lambda-jenkins-job-finalizer-cognito
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": "cognito-idp:ListUserPools",  
"Resource": "*",  
"Effect": "Allow"  
},  
{  
"Action": "cognito-idp:ListUserPoolClients",  
"Resource": "arn:aws:cognito-idp:<AWS_REGION>:<AWS_ACCOUNT_ID>:userpool/*",  
"Effect": "Allow"  
}  
]  
}
  • iam-policy-lambda-jenkins-job-finalizer-ec2
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": [  
"ec2:CreateNetworkInterface",  
"ec2:DeleteNetworkInterface",  
"ec2:DescribeNetworkInterfaces"  
],  
"Resource": "*",  
"Effect": "Allow"  
}  
]  
}
  • iam-policy-lambda-jenkins-job-finalizer-ecs
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": [  
"ecs:DescribeTasks",  
"ecs:StopTask"  
],  
"Resource": "arn:aws:ecs:<AWS_REGION>:<AWS_ACCOUNT_ID>:task/ecs-cluster-app-test-cases/*",  
"Effect": "Allow"  
}  
]  
}
  • iam-policy-lambda-jenkins-job-finalizer-secretsmanager
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": "secretsmanager:GetSecretValue",  
"Resource": "arn:aws:secretsmanager:<AWS_REGION>:<AWS_ACCOUNT_ID>:secret:rts/user/devops-*",  
"Effect": "Allow"  
}  
]  
}

iam-role--lambda-launch-template-updater

  • AWSOpsWorksCloudWatchLogs
  • iam-policy-lambda-launch-template-updater-ec2
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": [  
"ec2:DescribeImages",  
"ec2:DescribeLaunchTemplateVersions",  
"ec2:DescribeLaunchTemplates"  
],  
"Resource": "*",  
"Effect": "Allow"  
},  
{  
"Action": [  
"ec2:CreateLaunchTemplateVersion",  
"ec2:ModifyLaunchTemplate"  
],  
"Resource": "arn:aws:ec2:<AWS_REGION>:<AWS_ACCOUNT_ID>:launch-template/*",  
"Effect": "Allow"  
}  
]  
}

iam-role--lambda-slack-notifications

  • AWSOpsWorksCloudWatchLogs
  • iam-policy-lambda-slack-notifications-codepipeline
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": [  
"codepipeline:GetPipelineExecution",  
"codepipeline:GetPipelineState"  
],  
"Resource": "arn:aws:codepipeline:<AWS_REGION>:<AWS_ACCOUNT_ID>:codepipeline-app-*",  
"Effect": "Allow"  
}  
]  
}
  • iam-policy-lambda-slack-notifications-ssm
{  
"Version": "2012-10-17",  
"Statement": [  
{  
"Action": "ssm:GetParameter",  
"Resource": [  
"arn:aws:ssm:<AWS_REGION>:<AWS_ACCOUNT_ID>:parameter/gitlab/VARIABLES",  
"arn:aws:ssm:<AWS_REGION>:<AWS_ACCOUNT_ID>:parameter/lambda/slack-notifications/VARIABLES"  
],  
"Effect": "Allow"  
}  
]  
}

AWS Blu Age SDE proposed Project Manager and Developer Roles

BluAge_Developer_IAM_Role

This section lists the behaviors that the BluAge_Developer_IAM_Role is expected to allow or reject. The list is not exhaustive — it does not name every action a developer can perform; the attached policies below are authoritative.

Expected behaviors

  • S3
    • Can read, write and delete objects in the test bucket and in the customer bucket (review note: this was described as "upload folder of customer bucket", but developer_iam_policy_s3 grants s3:DeleteObject/GetObject/PutObject on the whole bluage-customer-bucket; add a prefix such as /upload/* to the object ARN if the restriction is intended)
    • Cannot download objects from buckets outside the customer account, other than the AWS Blu Age runtime and toolbox buckets listed in developer_iam_policy_s3
    • Can download gapwalk snapshot, dev and special runtime versions
  • CodeCommit
    • No access to outside of customer account
    • Can create pull request, merge code
  • CodePipeline / CodeBuild / CodeDeploy
    • Can start, stop pipelines
    • Can start, stop, retry build
  • RDS
    • Can list DB instance / cluster
    • Can create DB instance / cluster
    • Can modify instance / cluster
    • Can restore DB from snapshot / S3 / point in time
    • Can delete instance
  • EC2
    • Can create instances from launch template and instance creation wizard
    • Can create snapshot, volume
    • Can start, stop and reboot instances
    • Can modify launch template, volume
  • Logs
    • Can get log
  • SSM
    • Developers can only open Session Manager sessions through a dedicated SSM document (AWSBluageEC2PortForwarding, see developer_iam_policy_ssm), which is described as permitting only port-forwarding to RDP (TCP 3389), and only to EC2 instances carrying the tag Role=bluage (the policy condition is ssm:resourceTag/Role = "bluage"). Two points to verify when deploying: the document ARN in the policy is hard-coded to eu-west-3 and must be changed for other regions; and the StartSession statement identifies instances with an arn:aws:ssm:…:instance/ ARN, whereas EC2 instances are identified in IAM as arn:aws:ec2:{REGION}:{Account-ID}:instance/* (the form used by iam-policy-ecs-task-jenkins-node-ssm above) — confirm the statement actually matches the target instances.
  
Policy Name / Managed Policy / Description (policy document)
Review note: before copying any policy from this table, check every Action and Resource value. Some entries were rendered with their "*" wildcards stripped (for example "Resource": "" or "Action": "ec2:Describe", neither of which is valid IAM); where that is the case, restore the wildcard and fill in the {REGION}, {Account-ID} and VPC-ID placeholders.
developer_iam_policy_cloudwatch / no{
"Version": "2012-10-17",
"Statement": [
{
"Condition": {
"StringEquals": {
"aws:PrincipalAccount": "{Account-ID}"
}
},
"Action": [
"CloudWatch:DescribeAlarms",
"cloudwatch:GetMetricData",
"cloudwatch:GetMetricStatistics",
"cloudwatch:GetMetricStream",
"cloudwatch:GetMetricWidgetImage"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
developer_iam_policy_codeartifact / no{
"Version": "2012-10-17",
"Statement": [
{
"Condition": {
"StringEquals": {
"aws:SourceVpc": "{VPC-ID}"
}
},
"Action": [
"codeartifact:AssociateExternalConnection",
"codeartifact:AssociateWithDownstreamRepository",
"codeartifact:DescribeDomain",
"codeartifact:DescribePackage",
"codeartifact:DescribePackageVersion",
"codeartifact:DescribeRepository",
"codeartifact:GetAuthorizationToken",
"codeartifact:GetDomainPermissionsPolicy",
"codeartifact:GetPackageVersionReadme",
"codeartifact:GetRepositoryEndpoint",
"codeartifact:GetRepositoryPermissionsPolicy",
"codeartifact:ListDomains",
"codeartifact:ListPackageVersionAssets",
"codeartifact:ListPackageVersionDependencies",
"codeartifact:ListPackageVersions",
"codeartifact:ListPackages",
"codeartifact:ListRepositories",
"codeartifact:ReadFromRepository",
"codeartifact:UpdatePackageVersionsStatus",
"codeartifact:UpdateRepository"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Condition": {
"StringEquals": {
"sts:AWSServiceName": "codeartifact.amazonaws.com"
}
},
"Action": "sts:GetServiceBearerToken",
"Resource": "*",
"Effect": "Allow"
}
]
}
developer_iam_policy_codebuild / no{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"codebuild:BatchDeleteBuilds",
"codebuild:BatchGet*",
"codebuild:Describe*",
"codebuild:Get*",
"codebuild:List*",
"codebuild:RetryBuild",
"codebuild:StartBuild",
"codebuild:StopBuild"
],
"Resource": "arn:aws:codebuild:{REGION}:{Account-ID}:*",
"Effect": "Allow"
}
]
}
developer_iam_policy_codecommit / no{
"Version": "2012-10-17",
"Statement": [
{
"Condition": {
"StringEquals": {
"aws:SourceVpc": "{VPC-ID}"
}
},
"Action": [
"codecommit:BatchDescribeMergeConflicts",
"codecommit:BatchGetCommits",
"codecommit:BatchGetRepositories",
"codecommit:CancelUploadArchive",
"codecommit:CreateBranch",
"codecommit:CreateCommit",
"codecommit:CreatePullRequestApprovalRule",
"codecommit:CreateRepository",
"codecommit:DeleteFile",
"codecommit:Git*",
"codecommit:PutFile",
"codecommit:PutRepositoryTriggers",
"codecommit:TagResource",
"codecommit:TestRepositoryTriggers",
"codecommit:UntagResource",
"codecommit:UpdatePullRequestStatus",
"codecommit:UpdateRepositoryDescription",
"codecommit:UploadArchive"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"codecommit:BatchDescribeMergeConflicts",
"codecommit:BatchGetPullRequests",
"codecommit:CreatePullRequest",
"codecommit:DeleteCommentContent",
"codecommit:Describe*",
"codecommit:EvaluatePullRequestApprovalRules",
"codecommit:Get*",
"codecommit:List*",
"codecommit:Merge*",
"codecommit:PostComment",
"codecommit:PutCommentReaction",
"codecommit:UpdateComment",
"codecommit:UpdatePullRequestApprovalState",
"codecommit:UpdatePullRequestDescription",
"codecommit:UpdatePullRequestTitle"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
developer_iam_policy_codedeploy / no{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"codedeploy:BatchGet*",
"codedeploy:ContinueDeployment",
"codedeploy:Get*",
"codedeploy:List*",
"codedeploy:StopDeployment",
"codedeploy:TagResource",
"codedeploy:UntagResource"
],
"Resource": "arn:aws:codedeploy:{REGION}:{Account-ID}:*",
"Effect": "Allow"
}
]
}
developer_iam_policy_codepipeline / no{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"codepipeline:AcknowledgeJob",
"codepipeline:DisableStageTransition",
"codepipeline:EnableStageTransition",
"codepipeline:GetPipeline",
"codepipeline:GetPipelineExecution",
"codepipeline:GetPipelineState",
"codepipeline:ListActionExecutions",
"codepipeline:ListPipelineExecutions",
"codepipeline:ListPipelines",
"codepipeline:RetryStageExecution",
"codepipeline:StartPipelineExecution",
"codepipeline:StopPipelineExecution",
"codepipeline:TagResource"
],
"Resource": "arn:aws:codepipeline:{REGION}:{Account-ID}:*",
"Effect": "Allow"
}
]
}
developer_iam_policy_ec2 / no{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:CreateSnapshots",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:Describe*",
"ec2:Get*",
"ec2:List*",
"ec2:ModifyLaunchTemplate",
"ec2:ModifyVolume",
"ec2:ModifyVolumeAttribute",
"ec2:MonitorInstances",
"ec2:RebootInstances",
"ec2:StartInstances",
"ec2:StopInstances"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Condition": {
"ArnEquals": {
"ec2:Vpc": "arn:aws:ec2:{REGION}:{Account-ID}:vpc/{VPC-ID}"
}
},
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:{REGION}:{Account-ID}:subnet/{private_0_subnet_id}",
"arn:aws:ec2:{REGION}:{Account-ID}:subnet/{private_1_subnet_id}"
],
"Effect": "Allow"
}
]
}
developer_iam_policy_iam / no — review note: the second statement below grants iam:PassRole on arn:aws:iam::{Account-ID}:role/iam-role*, a prefix that matches every SDE role documented on this page (for example iam-role-<AWS_REGION>-ecs-task-execution, which can read the GitLab root secret). Combined with ec2:RunInstances from developer_iam_policy_ec2, a developer can launch an instance carrying any of those roles. Enumerate the exact role ARNs developers may pass instead of using the prefix wildcard.
{
"Version": "2012-10-17",
"Statement": [
{
"Condition": {
"StringEquals": {
"aws:PrincipalAccount": "{Account-ID}"
}
},
"Action": [
"iam:ListInstanceProfiles",
"iam:ListRoles",
"sts:DecodeAuthorizationMessage"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Condition": {
"StringEquals": {
"aws:PrincipalAccount": "{Account-ID}"
}
},
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::{Account-ID}:role/BluDevEC2Template-devec2role",
"arn:aws:iam::{Account-ID}:role/iam-role*"
],
"Effect": "Allow"
}
]
}
developer_iam_policy_kms / no — review note: kms:Decrypt on key/* allows decryption with every customer managed key in the account (subject to each key policy). Restrict it to the keys that protect the SDE buckets, parameters and secrets, or add a kms:ViaService condition for the services developers use.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"kms:Decrypt",
"kms:ListAliases"
],
"Resource": "arn:aws:kms:{REGION}:{Account-ID}:key/*",
"Effect": "Allow"
}
]
}
developer_iam_policy_log / no{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:GetLogEvents"
],
"Resource": "arn:aws:logs:{REGION}:{Account-ID}:log-group:*",
"Effect": "Allow"
}
]
}
developer_iam_policy_m2 / no{
"Version": "2012-10-17",
"Statement": [
{
"Action": "m2:Get*",
"Resource": "arn:aws:m2:{REGION}:{Account-ID}:*",
"Effect": "Allow"
}
]
}
developer_iam_policy_rds / no{
"Version": "2012-10-17",
"Statement": [
{
"Condition": {
"StringEquals": {
"aws:PrincipalAccount": "{Account-ID}"
}
},
"Action": [
"rds:CreateDBCluster",
"rds:CreateDBInstance",
"rds:CreateDBParameterGroup",
"rds:CreateDBSnapshot",
"rds:DeleteDBInstance",
"rds:Describe*",
"rds:List*",
"rds:ModifyDBCluster",
"rds:ModifyDBClusterEndpoint",
"rds:ModifyDBClusterParameterGroup",
"rds:ModifyDBClusterSnapshotAttribute",
"rds:ModifyDBInstance",
"rds:RestoreDBClusterFromS3",
"rds:RestoreDBClusterFromSnapshot",
"rds:RestoreDBClusterToPointInTime",
"rds:RestoreDBInstanceFromDBSnapshot",
"rds:RestoreDBInstanceFromS3",
"rds:RestoreDBInstanceToPointInTime",
"rds:StartDB*",
"rds:StopDB*"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "iam:PassRole",
"Resource": "arn:aws:iam::{Account-ID}:role/rds-monitoring-role",
"Effect": "Allow"
}
]
}
developer_iam_policy_s3 / no{
"Version": "2012-10-17",
"Statement": [
{
"Condition": {
"StringEquals": {
"aws:SourceVpc": "{VPC-ID}"
}
},
"Action": [
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetObject",
"s3:GetObjectVersion",
"s3:ListAllMyBuckets",
"s3:ListBucket",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::s3-eu-west-3-*-pipelines-artifacts-{Account-ID}",
"arn:aws:s3:::s3-eu-west-3-*-pipelines-artifacts-{Account-ID}/*",
"arn:aws:s3:::s3-eu-west-3-*-test-cases-{Account-ID}",
"arn:aws:s3:::s3-eu-west-3-*-test-cases-{Account-ID}/*",
"arn:aws:s3:::s3-eu-west-3-*-velocity-{Account-ID}",
"arn:aws:s3:::s3-eu-west-3-*-velocity-{Account-ID}/*",
"arn:aws:s3:::s3-eu-west-3-pipeline-archives-{Account-ID}",
"arn:aws:s3:::s3-eu-west-3-pipeline-archives-{Account-ID}/*",
"arn:aws:s3:::bluage-customer-bucket-{Account-ID}-eu-west-3/*",
"arn:aws:s3:::bluage-customer-bucket-{Account-ID}-eu-west-3",
"arn:aws:s3:::bluage-testbucket-{Account-ID}-eu-west-3/*",
"arn:aws:s3:::bluage-testbucket-{Account-ID}-eu-west-3"
],
"Effect": "Allow"
},
{
"Action": [
"s3:GetBucket*",
"s3:GetObject",
"s3:List*"
],
"Resource": [
"arn:aws:s3:::aws-bluage-runtime-artifacts-*",
"arn:aws:s3:::aws-bluage-runtime-artifacts-*/*",
"arn:aws:s3:::aws-bluage-runtime-artifacts-dev-*",
"arn:aws:s3:::aws-bluage-runtime-artifacts-dev-*/*",
"arn:aws:s3:::aws-bluage-runtime-fargate",
"arn:aws:s3:::aws-bluage-runtime-fargate/*",
"arn:aws:s3:::toolbox-compare-tool",
"arn:aws:s3:::toolbox-compare-tool/*",
"arn:aws:s3:::toolbox-data-migrator",
"arn:aws:s3:::toolbox-data-migrator/*",
"arn:aws:s3:::toolbox-dev-runtime",
"arn:aws:s3:::toolbox-dev-runtime/*",
"arn:aws:s3:::toolbox-refactoring-tool",
"arn:aws:s3:::toolbox-refactoring-tool/*",
"arn:aws:s3:::toolbox-snapshot-runtime",
"arn:aws:s3:::toolbox-snapshot-runtime/*",
"arn:aws:s3:::toolbox-special-runtime",
"arn:aws:s3:::toolbox-special-runtime/*"
],
"Effect": "Allow"
},
{
"Action": "s3:List*",
"Resource": "*",
"Effect": "Allow"
}
]
}
developer_iam_policy_ssm / no{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:DescribeInstances",
"ssm:DescribeInstanceInformation",
"ssm:DescribeInstanceProperties",
"ssm:DescribeParameters",
"ssm:DescribeSessions",
"ssm:GetConnectionStatus"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ssm:GetConnectionStatus",
"ssm:StartSession"
],
"Resource": "arn:aws:ssm:{REGION}:{Account-ID}:instance/*",
"Effect": "Allow",
"Condition": {
"StringLike": {
"ssm:resourceTag/Role": [
"bluage"
]
}
}
},
{
"Action": [
"ssm:ResumeSession",
"ssm:TerminateSession"
],
"Resource": [
"arn:aws:ssm:{REGION}:{Account-ID}:session/${aws:userid}-*",
"arn:aws:ssm:{REGION}:{Account-ID}:session/${aws:username}-*"
],
"Effect": "Allow"
},
{
"Action": [
"ssm:GetDocument",
"ssm:StartSession"
],
"Resource": "arn:aws:ssm:eu-west-3::document/AWSBluageEC2PortForwarding",
"Effect": "Allow"
}
]
}

BluAge_Project_Manager_IAM_Role

This section lists the behaviors that the BluAge_Project_Manager_IAM_Role is expected to allow or reject. The list is not exhaustive — it does not name every action a Project Manager can perform; the attached policy below is authoritative.

Expected behaviors:

  • CloudFormation
    • No access
  • Organizations
    • No access
  • Network firewall
    • Can list and describe the BluVpcFirewall resources. Review note: pm_policy_base also grants network-firewall:CreateRuleGroup, UpdateRuleGroup, UpdateFirewallPolicy and UpdateFirewallPolicyChangeProtection on the named rule groups and firewall policy, so a Project Manager can in fact change the VPC's egress filtering. If "cannot update" is the intended behavior, remove those four actions.
  • S3
    • No access to the cf-templates, cdk-*-assets*, ba-firewall-log, bluage-access-log-bucket, ba-poc-flowlogs-* and do-not-delete-gatedgarden-audit buckets. Review note: pm_policy_base implements this with an Allow on s3:* plus NotResource listing only the bucket ARNs; without the matching arn:aws:s3:::<bucket>/* object ARNs, object-level actions (s3:GetObject, s3:PutObject, s3:DeleteObject, …) on those buckets remain allowed, and an Allow-with-NotResource never blocks access granted by another policy. Use an explicit Deny statement covering both ARN forms for these log and deployment buckets.
    • Cannot download objects outside of customer Account
    • Can download gapwalk snapshot, dev and special versions
  • CodeCommit
    • No access to outside of Customer Account
  • IAM, to prevent privilege escalation
    • Cannot update or delete a user, group, role or policy
    • Cannot attach policies to users, groups or roles — with one exception in pm_policy_base: iam:AttachRolePolicy is allowed on BluDevEC2Template-devec2role, BuildingPipelineCodepipel-codepipeline, rds-monitoring-role and service-role/cwe-role-*. Because the same statement grants iam:PassRole on those roles and the role also has ec2:*, this is a privilege-escalation path (attach AdministratorAccess to devec2role, then launch an EC2 instance with it). Remove iam:AttachRolePolicy, or restrict it with an iam:PolicyARN condition to an approved list of policies.
Policy Name / Managed Policy / Description (policy document)
Review note: before copying this policy, check every Action and Resource value. Some entries were rendered with their "*" wildcards and <…> placeholders stripped (for example "Resource": "", "Action": "rds:" or "aws:PrincipalAccount": ""), none of which is valid IAM; where that is the case, restore the wildcards and fill in the {REGION}, {Account-ID} and VPC-ID placeholders. Also note that the policy grants kms:* on every key in the account (including PutKeyPolicy and ScheduleKeyDeletion) and acm-pca:IssueCertificate/RevokeCertificate on "*", which go beyond the behaviors listed above.
pm_policy_base / no{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"organizations:*",
"cloudformation:*"
],
"Resource": "*",
"Effect": "Deny"
},
{
"Condition": {
"StringEquals": {
"aws:SourceVpc": "{VPC-ID}"
}
},
"Action": "s3:*",
"Effect": "Allow",
"NotResource": [
"arn:aws:s3:::do-not-delete-gatedgarden-audit",
"arn:aws:s3:::cf-templates",
"arn:aws:s3:::cdk-*-assets*",
"arn:aws:s3:::ba-firewall-log",
"arn:aws:s3:::bluage-access-log-bucket",
"arn:aws:s3:::ba-poc-flowlogs-*"
]
},
{
"Condition": {
"StringEquals": {
"aws:SourceVpc": "{VPC-ID}"
}
},
"Action": [
"codeartifact:*",
"codebuild:*",
"codecommit:*",
"codedeploy:*",
"codepipeline:*"
],
"Resource": [
"arn:aws:codeartifact:{REGION}:{Account-ID}:*/*",
"arn:aws:codebuild:{REGION}:{Account-ID}:*/*",
"arn:aws:codecommit:{REGION}:{Account-ID}:*/*",
"arn:aws:codedeploy:{REGION}:{Account-ID}:*/*",
"arn:aws:codepipeline:{REGION}:{Account-ID}:*/*"
],
"Effect": "Allow"
},
{
"Condition": {
"StringEquals": {
"aws:PrincipalAccount": "{Account-ID}"
}
},
"Action": "Lambda:*",
"Resource": "arn:aws:lambda:{REGION}:{Account-ID}:*:*",
"Effect": "Allow"
},
{
"Condition": {
"StringEquals": {
"aws:PrincipalAccount": "{Account-ID}",
"aws:RequestedRegion": "{REGION}"
}
},
"Action": [
"rds:*",
"ssm:*",
"ec2:*",
"ecr:*",
"ecs:*",
"elasticloadbalancing:*",
"route53:*",
"sns:*",
"events:*",
"autoscaling:*"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Condition": {
"StringEquals": {
"aws:PrincipalAccount": "{Account-ID}"
}
},
"Action": [
"iam:ListInstanceProfiles",
"iam:ListRoles",
"sts:DecodeAuthorizationMessage"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Condition": {
"StringEquals": {
"aws:PrincipalAccount": "{Account-ID}"
}
},
"Action": [
"CloudWatch:DescribeAlarms",
"cloudwatch:GetMetricData",
"cloudwatch:GetMetricStatistics",
"cloudwatch:GetMetricStream",
"cloudwatch:GetMetricWidgetImage"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:GetLogEvents"
],
"Resource": "arn:aws:logs:{REGION}:{Account-ID}:log-group:*",
"Effect": "Allow"
},
{
"Action": "kms:*",
"Resource": "arn:aws:kms:{REGION}:{Account-ID}:key/*",
"Effect": "Allow"
},
{
"Action": "m2:Get*",
"Resource": "arn:aws:m2:{REGION}:{Account-ID}:*",
"Effect": "Allow"
},
{
"Action": [
"iam:AttachRolePolicy",
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::{Account-ID}:role/BluDevEC2Template-devec2role",
"arn:aws:iam::{Account-ID}:role/BuildingPipelineCodepipel-codepipeline",
"arn:aws:iam::{Account-ID}:role/rds-monitoring-role",
"arn:aws:iam::{Account-ID}:role/service-role/cwe-role-*"
],
"Effect": "Allow"
},
{
"Condition": {
"StringEquals": {
"aws:PrincipalAccount": "{Account-ID}",
"aws:RequestedRegion": "{REGION}"
}
},
"Action": [
"acm-pca:ListCertificateAuthorities",
"acm-pca:DescribeCertificateAuthority",
"acm-pca:GetCertificateAuthorityCertificate",
"acm-pca:GetCertificate",
"acm-pca:GetCertificateAuthorityCsr",
"acm-pca:IssueCertificate",
"acm-pca:RevokeCertificate",
"acm-pca:UpdateCertificateAuthority",
"acm-pca:PutPolicy",
"acm-pca:DeletePolicy",
"acm:ListCertificates",
"acm:DescribeCertificate",
"acm:ExportCertificate",
"acm:GetCertificate",
"acm:RenewCertificate",
"acm:RequestCertificate"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Effect": "Allow",
"Action": [
"network-firewall:ListRuleGroups",
"network-firewall:CreateRuleGroup",
"network-firewall:DescribeFirewall",
"network-firewall:DescribeRuleGroup",
"network-firewall:UpdateRuleGroup",
"network-firewall:DescribeFirewallPolicy",
"network-firewall:UpdateFirewallPolicy",
"network-firewall:UpdateFirewallPolicyChangeProtection"
],
"Resource": [
"arn:aws:network-firewall:{REGION}:{Account-ID}:firewall-policy/BluVpcFirewallPolicy",
"arn:aws:network-firewall:{REGION}:{Account-ID}:stateful-rulegroup/BluSupportServicesRuleGroup",
"arn:aws:network-firewall:{REGION}:{Account-ID}:stateful-rulegroup/BluWindowsUpdateRuleGroup",
"arn:aws:network-firewall:{REGION}:{Account-ID}:stateful-rulegroup/AWSDNS",
"arn:aws:network-firewall:{REGION}:{Account-ID}:stateful-rulegroup/VSCode",
"arn:aws:network-firewall:{REGION}:{Account-ID}:firewall/BluVpcFirewall"
]
},
{
"Effect": "Allow",
"Action": [
"cognito-idp:AdminCreateUser",
"cognito-idp:AdminSetUserPassword",
"cognito-idp:AdminConfirmSignUp",
"cognito-idp:DescribeUserPool",
"cognito-idp:DescribeUserPoolClient"
],
"Resource": [
"arn:aws:cognito-idp:{REGION}:{Account-ID}:userpool/rts-user-pool"
]
}

]
}