{"id":68,"date":"2017-05-05T04:20:28","date_gmt":"2017-05-05T04:20:28","guid":{"rendered":"http:\/\/cloudygeek.com\/?p=68"},"modified":"2018-03-10T03:51:51","modified_gmt":"2018-03-10T03:51:51","slug":"awsiamforsandbox","status":"publish","type":"post","link":"https:\/\/cloudygeek.com\/?p=68","title":{"rendered":"AWS IAM Policy for a Sandbox Environment"},"content":{"rendered":"<p>A few years ago, I wanted to build a sandbox environment for Devs (non-admins) in AWS and this would have come in handy. We&#8217;ve been using this for several months now and it is very useful in keeping the environment stable.<\/p>\n<blockquote>\n<pre spellcheck=\"false\">{\n    \"Version\": \"2012-10-17\",\n    \"Statement\": [\n        {\n            \"Sid\": \"GaveFullAccessToEverythingExceptIAM\",\n            \"Effect\": \"Allow\",\n            \"NotAction\": \"iam:*\",\n            \"Resource\": \"*\"\n        },\n        {\n            \"Sid\": \"AllowedSomeIamAccessToBuildRDSClusters\",\n            \"Effect\": \"Allow\",\n            \"Action\": [\n                \"iam:Generate*\",\n                \"iam:Get*\",\n                \"iam:List*\",\n                \"iam:Simulate*\",\n                \"iam:AddRoleToInstanceProfile\",\n                \"iam:AttachRolePolicy\",\n                \"iam:CreateInstanceProfile\",\n                \"iam:CreateRole\",\n                \"iam:PassRole\",\n                \"iam:DeleteRole\",\n                \"iam:DetachRolePolicy\"\n            ],\n            \"Resource\": \"*\"\n        },\n        {\n            \"Sid\": \"AllowedIAMAccessToTheirOwnProfile\",\n            \"Effect\": \"Allow\",\n            \"Action\": [\n                \"iam:*LoginProfile\",\n                \"iam:*AccessKey*\",\n                \"iam:*SSHPublicKey*\"\n            ],\n            \"Resource\": \"arn:aws:iam::111122223333:user\/${aws:username}\"\n        },\n        {\n            \"Sid\": \"DeniedAccessToS3PermissionsExceptForApprovedBucketsInNotResource\",\n            \"Effect\": \"Deny\",\n            \"Action\": [\n                \"s3:DeleteBucketPolicy\",\n                \"s3:PutBucketPolicy\",\n                \"s3:PutBucketAcl\",\n                \"s3:PutObjectAcl\"\n            ],\n            \"NotResource\": [\n                \"arn:aws:s3:::vsbucket\",\n                \"arn:aws:s3:::data_sandbox\",\n                \"arn:aws:s3:::mm46-sandbox\",\n                \"arn:aws:s3:::detail-sandbox\",\n                \"arn:aws:s3:::temp\"\n            ]\n        },\n        {\n            \"Sid\": \"DeniedAnyEc2vpcNetworkrelatedAddModify\",\n            \"Effect\": \"Deny\",\n            \"Action\": [\n                \"ec2:CreateCustomerGateway\",\n                \"ec2:CreateDhcpOptions\",\n                \"ec2:CreateFlowLogs\",\n                \"ec2:CreateInternetGateway\",\n                \"ec2:CreateNatGateway\",\n                \"ec2:CreateNetworkAcl\",\n                \"ec2:CreateRoute\",\n                \"ec2:CreateRouteTable\",\n                \"ec2:CreateSubnet\",\n                \"ec2:CreateVpc\",\n                \"ec2:CreateVpcEndpoint\",\n                \"ec2:CreateVpcPeeringConnection\",\n                \"ec2:CreateVpnConnection\",\n                \"ec2:CreateVpnConnectionRoute\",\n                \"ec2:CreateVpnGateway\",\n                \"ec2:DeleteCustomerGateway\",\n                \"ec2:DeleteDhcpOptions\",\n                \"ec2:DeleteFlowLogs\",\n                \"ec2:DeleteInternetGateway\",\n                \"ec2:DeleteNatGateway\",\n                \"ec2:DeleteNetworkAcl\",\n                \"ec2:DeleteRoute\",\n                \"ec2:DeleteRouteTable\",\n                \"ec2:DeleteSubnet\",\n                \"ec2:DeleteVpc\",\n                \"ec2:DeleteVpcEndpoints\",\n                \"ec2:DeleteVpcPeeringConnection\",\n                \"ec2:DeleteVpnConnection\",\n                \"ec2:DeleteVpnConnectionRoute\",\n                \"ec2:DeleteVpnGateway\",\n                \"ec2:ModifyVpcAttribute\",\n                \"ec2:ModifyVpcEndpoint\",\n                \"ec2:ModifyVpcPeeringConnectionOptions\",\n                \"ec2:ReplaceRoute\",\n                \"ec2:ReplaceRouteTableAssociation\"\n            ],\n            \"Resource\": [\n                \"*\"\n            ]\n        },\n        {\n            \"Sid\": \"DeniedAccessToPublicfacingSubnetsForEC2\",\n            \"Effect\": \"Deny\",\n            \"Action\": [\n                \"ec2:RunInstances\"\n            ],\n            \"Resource\": [\n                \"arn:aws:ec2:us-east-1:111122223333:subnet\/subnet-d4567881\",\n                \"arn:aws:ec2:us-east-1:111122223333:subnet\/subnet-6f445619\",\n                \"arn:aws:ec2:us-east-1:111122223333:subnet\/subnet-a794568d\"\n            ]\n        },\n        {\n            \"Sid\": \"DeniedAccessToEC2InstanceTypesOutsideOfT2family\",\n            \"Effect\": \"Deny\",\n            \"Action\": \"ec2:RunInstances\",\n            \"Resource\": [\n                \"arn:aws:ec2:us-east-1:111122223333:instance\/*\"\n            ],\n            \"Condition\": {\n                \"StringNotEquals\": {\n                    \"ec2:InstanceType\": [\n                        \"t2.micro\",\n                        \"t2.small\",\n                        \"t2.nano\",\n                        \"t2.large\"\n                    ]\n                }\n            }\n        },\n        {\n            \"Sid\": \"DeniedAccessToEC2AMIsOutsideOfApprovedAMIs\",\n            \"Effect\": \"Deny\",\n            \"Action\": \"ec2:RunInstances\",\n            \"NotResource\": [\n                \"arn:aws:ec2:us-east-1::image\/ami-af3e4565\",\n                \"arn:aws:ec2:us-east-1::image\/ami-b2be4568\",\n                \"arn:aws:ec2:us-east-1::image\/ami-5456789f\",\n                \"arn:aws:ec2:us-east-1:111122223333:subnet\/*\",\n                \"arn:aws:ec2:us-east-1:111122223333:instance\/*\",\n                \"arn:aws:ec2:us-east-1:111122223333:key-pair\/*\",\n                \"arn:aws:ec2:us-east-1:111122223333:network-interface\/*\",\n                \"arn:aws:ec2:us-east-1:111122223333:volume\/*\",\n                \"arn:aws:ec2:us-east-1:111122223333:security-group\/*\"\n            ]\n        },\n        {\n            \"Sid\": \"DeniedAccessOfMajorServicesToRegionsOtherThanUseast1\",\n            \"Effect\": \"Deny\",\n            \"Action\": [\n                \"dynamodb:Create*\",\n                \"ecs:Create*\",\n                \"elasticbeanstalk:Create*\",\n                \"kinesis:Create*\",\n                \"rds:Create*\",\n                \"redshift:Create*\"\n            ],\n            \"NotResource\": [\n                \"arn:aws:dynamodb:us-east-1:*:*\",\n                \"arn:aws:ecs:us-east-1:*:*\",\n                \"arn:aws:elasticbeanstalk:us-east-1:*:*\",\n                \"arn:aws:kinesis:us-east-1:*:*\",\n                \"arn:aws:rds:us-east-1:*:*\",\n                \"arn:aws:redshift:us-east-1:*:*\"\n            ]\n        },\n        {\n            \"Sid\": \"DeniedAccessToPublicfacingSubnetsForRDS\",\n            \"Effect\": \"Deny\",\n            \"Action\": [\n                \"rds:Create*\"\n            ],\n            \"Resource\": [\n                \"arn:aws:rds:us-east-1:111122223333:subnet\/subnet-d4567881\",\n                \"arn:aws:rds:us-east-1:111122223333:subnet\/subnet-64567819\",\n                \"arn:aws:rds:us-east-1:111122223333:subnet\/subnet-a456788d\"\n            ]\n        }\n    ]\n}<\/pre>\n<\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>A few years ago, I wanted to build a sandbox environment for Devs (non-admins) in AWS and this would have come in handy. We&#8217;ve been using this for several months now and it is very useful in keeping the environment stable.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"_links":{"self":[{"href":"https:\/\/cloudygeek.com\/index.php?rest_route=\/wp\/v2\/posts\/68"}],"collection":[{"href":"https:\/\/cloudygeek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cloudygeek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cloudygeek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cloudygeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=68"}],"version-history":[{"count":2,"href":"https:\/\/cloudygeek.com\/index.php?rest_route=\/wp\/v2\/posts\/68\/revisions"}],"predecessor-version":[{"id":84,"href":"https:\/\/cloudygeek.com\/index.php?rest_route=\/wp\/v2\/posts\/68\/revisions\/84"}],"wp:attachment":[{"href":"https:\/\/cloudygeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=68"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cloudygeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=68"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cloudygeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=68"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}