In this article, I have given a code which can be used as reference while writing a program for IAM Policy to allow and deny AWS services for Devops use.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "s3FullAccess",
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
},
{
"Sid": "s3DeleteBucket",
"Effect": "Deny",
"Action": "s3:DeleteBucket",
"Resource": "*"
},
{
"Sid": "efsfullaccess",
"Effect": "Allow",
"Action": "elasticfilesystem:*",
"Resource": "*"
},
{
"Sid": "StorageGatewayFullAccess",
"Effect": "Allow",
"Action": "storagegateway:*",
"Resource": "*"
},
{
"Sid": "BackupFullAccess",
"Effect": "Allow",
"Action": "backup:*",
"Resource": "*"
},
{
"Sid": "RDSFullAccess",
"Effect": "Allow",
"Action": "rds:*",
"Resource": "*"
},
{
"Sid": "RDSDeny",
"Effect": "Deny",
"Action": [
"rds:DeleteGlobalCluster",
"rds:DeleteDBSnapshot",
"rds:DeleteDBInstanceAutomatedBackup",
"rds:DeleteDBSubnetGroup",
"rds:DeleteOptionGroup",
"rds:DeleteDBClusterSnapshot",
"rds:DeleteEventSubscription",
"rds:DeleteDBSecurityGroup",
"rds:DeleteDBClusterEndpoint",
"rds:DeleteDBParameterGroup",
"rds:DeleteDBClusterParameterGroup",
"rds:DeleteDBCluster",
"rds:DeleteDBInstance"
],
"Resource": "*"
},
{
"Sid": "ServerMigrationFullAccess",
"Effect": "Allow",
"Action": "sms:*",
"Resource": "*"
},
{
"Sid": "Route53FullAccess",
"Effect": "Allow",
"Action": "route53:*",
"Resource": "*"
},
{
"Sid": "DirectConnectFullAccess",
"Effect": "Allow",
"Action": "directconnect:*",
"Resource": "*"
},
{
"Sid": "CloudWatchFullAccess",
"Effect": "Allow",
"Action": "cloudwatch:*",
"Resource": "*"
},
{
"Sid": "CloudTrainFullAccess",
"Effect": "Allow",
"Action": "cloudtrail:*",
"Resource": "*"
},
{
"Sid": "SystemManagerFullAccess",
"Effect": "Allow",
"Action": "ssm:*",
"Resource": "*"
},
{
"Sid": "SNSFullAccess",
"Effect": "Allow",
"Action": "sns:*",
"Resource": "*"
},
{
"Sid": "SQSFullAccess",
"Effect": "Allow",
"Action": "sqs:*",
"Resource": "*"
},
{
"Sid": "SWSFullAccess",
"Effect": "Allow",
"Action": "swf:*",
"Resource": "*"
},
{
"Sid": "IAMLimitedAccess",
"Effect": "Allow",
"Action": [
"iam:*"
],
"Resource": "*"
},
{
"Sid": "IAMDeny",
"Effect": "Deny",
"Action": [
"iam:DeleteInstanceProfile",
"iam:DeleteAccessKey",
"iam:DeleteGroup",
"iam:DeleteRole",
"iam:DeleteSSHPublicKey",
"iam:DeleteUser",
"iam:DeleteAccountAlias",
"iam:DeleteOpenIDConnectProvider",
"iam:DeleteLoginProfile"
],
"Resource": "*"
},
{
"Sid": "ec2FullAccess",
"Effect": "Allow",
"Action": "ec2:*",
"Resource": "*"
},
{
"Sid": "Ec2VPCDeny",
"Effect": "Deny",
"Action": [
"ec2:TerminateInstances",
"ec2:CreateInternetGateway",
"ec2:DeleteVpc"
],
"Resource": "*"
},
{
"Sid": "SAPStopInstanceDeny",
"Effect": "Deny",
"Action": "ec2:StopInstances",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:TagKeys": "SAP"
}
}
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "s3FullAccess",
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
},
{
"Sid": "s3DeleteBucket",
"Effect": "Deny",
"Action": "s3:DeleteBucket",
"Resource": "*"
},
{
"Sid": "efsfullaccess",
"Effect": "Allow",
"Action": "elasticfilesystem:*",
"Resource": "*"
},
{
"Sid": "StorageGatewayFullAccess",
"Effect": "Allow",
"Action": "storagegateway:*",
"Resource": "*"
},
{
"Sid": "BackupFullAccess",
"Effect": "Allow",
"Action": "backup:*",
"Resource": "*"
},
{
"Sid": "RDSFullAccess",
"Effect": "Allow",
"Action": "rds:*",
"Resource": "*"
},
{
"Sid": "RDSDeny",
"Effect": "Deny",
"Action": [
"rds:DeleteGlobalCluster",
"rds:DeleteDBSnapshot",
"rds:DeleteDBInstanceAutomatedBackup",
"rds:DeleteDBSubnetGroup",
"rds:DeleteOptionGroup",
"rds:DeleteDBClusterSnapshot",
"rds:DeleteEventSubscription",
"rds:DeleteDBSecurityGroup",
"rds:DeleteDBClusterEndpoint",
"rds:DeleteDBParameterGroup",
"rds:DeleteDBClusterParameterGroup",
"rds:DeleteDBCluster",
"rds:DeleteDBInstance"
],
"Resource": "*"
},
{
"Sid": "ServerMigrationFullAccess",
"Effect": "Allow",
"Action": "sms:*",
"Resource": "*"
},
{
"Sid": "Route53FullAccess",
"Effect": "Allow",
"Action": "route53:*",
"Resource": "*"
},
{
"Sid": "DirectConnectFullAccess",
"Effect": "Allow",
"Action": "directconnect:*",
"Resource": "*"
},
{
"Sid": "CloudWatchFullAccess",
"Effect": "Allow",
"Action": "cloudwatch:*",
"Resource": "*"
},
{
"Sid": "CloudTrainFullAccess",
"Effect": "Allow",
"Action": "cloudtrail:*",
"Resource": "*"
},
{
"Sid": "SystemManagerFullAccess",
"Effect": "Allow",
"Action": "ssm:*",
"Resource": "*"
},
{
"Sid": "SNSFullAccess",
"Effect": "Allow",
"Action": "sns:*",
"Resource": "*"
},
{
"Sid": "SQSFullAccess",
"Effect": "Allow",
"Action": "sqs:*",
"Resource": "*"
},
{
"Sid": "SWSFullAccess",
"Effect": "Allow",
"Action": "swf:*",
"Resource": "*"
},
{
"Sid": "IAMLimitedAccess",
"Effect": "Allow",
"Action": [
"iam:*"
],
"Resource": "*"
},
{
"Sid": "IAMDeny",
"Effect": "Deny",
"Action": [
"iam:DeleteInstanceProfile",
"iam:DeleteAccessKey",
"iam:DeleteGroup",
"iam:DeleteRole",
"iam:DeleteSSHPublicKey",
"iam:DeleteUser",
"iam:DeleteAccountAlias",
"iam:DeleteOpenIDConnectProvider",
"iam:DeleteLoginProfile"
],
"Resource": "*"
},
{
"Sid": "ec2FullAccess",
"Effect": "Allow",
"Action": "ec2:*",
"Resource": "*"
},
{
"Sid": "Ec2VPCDeny",
"Effect": "Deny",
"Action": [
"ec2:TerminateInstances",
"ec2:CreateInternetGateway",
"ec2:DeleteVpc"
],
"Resource": "*"
},
{
"Sid": "SAPStopInstanceDeny",
"Effect": "Deny",
"Action": "ec2:StopInstances",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:TagKeys": "SAP"
}
}
}
]
}“If you are passionate about technology and like to share your knowledge or the latest on technology, mail us on info@saniconservices.com and get featured on our blog page”
I hope you find this program useful to create IAM Policy to allow and deny AWS services for devops use. Feel free to ask your valuable questions in the comments section below.
About SANICON IT SERVICES PVT. LTD.: Over the years SANICON – A One-Stop Cloud Solution Company have provided the most credible cutting-edge IT technology & services across various domains which helped customers around the world to start and grow their businesses and their digital transformation to cloud.
Reach out to us today at sales@saniconservices.com to get a reliable and affordable cloud managed service and IT technology partner
Visit website www.saniconservices.com to learn more about all great products and services offered.
Leave a Reply