A few years ago I wanted to build a sandbox environment for developers (non-admins) in AWS, and a policy like this would have come in handy. We have been using it for several months now, and it is very useful for keeping the environment stable.
{
“Version”: “2012-10-17",
“Statement”: [
{
“Sid”: “GaveFullAccessToEverythingExceptIAM”,
“Effect”: “Allow”,
“NotAction”: “iam:*“,
“Resource”: “*”
},
{
“Sid”: “AllowedSomeIamAccessToBuildRDSClusters”,
“Effect”: “Allow”,
“Action”: [
“iam:Generate*“,
“iam:Get*“,
“iam:List*“,
“iam:Simulate*“,
“iam:AddRoleToInstanceProfile”,
“iam:AttachRolePolicy”,
“iam:CreateInstanceProfile”,
“iam:CreateRole”,
“iam:PassRole”,
“iam:DeleteRole”,
“iam:DetachRolePolicy”
],
“Resource”: “*”
},
{
“Sid”: “AllowedIAMAccessToTheirOwnProfile”,
“Effect”: “Allow”,
“Action”: [
“iam:*LoginProfile”,
“iam:*AccessKey*“,
“iam:*SSHPublicKey*”
],
“Resource”: “arn:aws:iam::111122223333:user/${aws:username}”
},
{
“Sid”: “DeniedAccessToS3PermissionsExceptForApprovedBucketsInNotResource”,
“Effect”: “Deny”,
“Action”: [
“s3:DeleteBucketPolicy”,
“s3:PutBucketPolicy”,
“s3:PutBucketAcl”,
“s3:PutObjectAcl”
],
“NotResource”: [
“arn:aws:s3:::vsbucket”,
“arn:aws:s3:::data_sandbox”,
“arn:aws:s3:::mm46-sandbox”,
“arn:aws:s3:::detail-sandbox”,
“arn:aws:s3:::temp”
]
},
{
“Sid”: “DeniedAnyEc2vpcNetworkrelatedAddModify”,
“Effect”: “Deny”,
“Action”: [
“ec2:CreateCustomerGateway”,
“ec2:CreateDhcpOptions”,
“ec2:CreateFlowLogs”,
“ec2:CreateInternetGateway”,
“ec2:CreateNatGateway”,
“ec2:CreateNetworkAcl”,
“ec2:CreateRoute”,
“ec2:CreateRouteTable”,
“ec2:CreateSubnet”,
“ec2:CreateVpc”,
“ec2:CreateVpcEndpoint”,
“ec2:CreateVpcPeeringConnection”,
“ec2:CreateVpnConnection”,
“ec2:CreateVpnConnectionRoute”,
“ec2:CreateVpnGateway”,
“ec2:DeleteCustomerGateway”,
“ec2:DeleteDhcpOptions”,
“ec2:DeleteFlowLogs”,
“ec2:DeleteInternetGateway”,
“ec2:DeleteNatGateway”,
“ec2:DeleteNetworkAcl”,
“ec2:DeleteRoute”,
“ec2:DeleteRouteTable”,
“ec2:DeleteSubnet”,
“ec2:DeleteVpc”,
“ec2:DeleteVpcEndpoints”,
“ec2:DeleteVpcPeeringConnection”,
“ec2:DeleteVpnConnection”,
“ec2:DeleteVpnConnectionRoute”,
“ec2:DeleteVpnGateway”,
“ec2:ModifyVpcAttribute”,
“ec2:ModifyVpcEndpoint”,
“ec2:ModifyVpcPeeringConnectionOptions”,
“ec2:ReplaceRoute”,
“ec2:ReplaceRouteTableAssociation”
],
“Resource”: [
“*”
]
},
{
“Sid”: “DeniedAccessToPublicfacingSubnetsForEC2",
“Effect”: “Deny”,
“Action”: [
“ec2:RunInstances”
],
“Resource”: [
“arn:aws:ec2:us-east-1:111122223333:subnet/subnet-d4567881", “arn:aws:ec2:us-east-1:111122223333:subnet/subnet-6f445619”, “arn:aws:ec2:us-east-1:111122223333:subnet/subnet-a794568d” ] }, { “Sid”: “DeniedAccessToEC2InstanceTypesOutsideOfT2family”, “Effect”: “Deny”, “Action”: “ec2:RunInstances”, “Resource”: [ “arn:aws:ec2:us-east-1:111122223333:instance/*” ], “Condition”: { “StringNotEquals”: { “ec2:InstanceType”: [ “t2.micro”, “t2.small”, “t2.nano”, “t2.large” ] } } }, { “Sid”: “DeniedAccessToEC2AMIsOutsideOfApprovedAMIs”, “Effect”: “Deny”, “Action”: “ec2:RunInstances”, “NotResource”: [ “arn:aws:ec2:us-east-1::image/ami-af3e4565”, “arn:aws:ec2:us-east-1::image/ami-b2be4568",
“arn:aws:ec2:us-east-1::image/ami-5456789f”,
“arn:aws:ec2:us-east-1:111122223333:subnet/*“,
“arn:aws:ec2:us-east-1:111122223333:instance/*“,
“arn:aws:ec2:us-east-1:111122223333:key-pair/*“,
“arn:aws:ec2:us-east-1:111122223333:network-interface/*“,
“arn:aws:ec2:us-east-1:111122223333:volume/*“,
“arn:aws:ec2:us-east-1:111122223333:security-group/*”
]
},
{
“Sid”: “DeniedAccessOfMajorServicesToRegionsOtherThanUseast1”,
“Effect”: “Deny”,
“Action”: [
“dynamodb:Create*“,
“ecs:Create*“,
“elasticbeanstalk:Create*“,
“kinesis:Create*“,
“rds:Create*“,
“redshift:Create*”
],
“NotResource”: [
“arn:aws:dynamodb:us-east-1:*:*“,
“arn:aws:ecs:us-east-1:*:*“,
“arn:aws:elasticbeanstalk:us-east-1:*:*“,
“arn:aws:kinesis:us-east-1:*:*“,
“arn:aws:rds:us-east-1:*:*“,
“arn:aws:redshift:us-east-1:*:*”
]
},
{
“Sid”: “DeniedAccessToPublicfacingSubnetsForRDS”,
“Effect”: “Deny”,
“Action”: [
“rds:Create*”
],
“Resource”: [
“arn:aws:rds:us-east-1:111122223333:subnet/subnet-d4567881”,
“arn:aws:rds:us-east-1:111122223333:subnet/subnet-64567819",
“arn:aws:rds:us-east-1:111122223333:subnet/subnet-a456788d”
]
}
]
}