AWS Resource-based policies example
{ | |
"Version": "2012-10-17", | |
"Statement": [ | |
{ | |
"Effect": "Deny", | |
"NotPrincipal": { | |
"AWS": [ | |
"arn:aws:iam::123456789012:user/my-user1", | |
"arn:aws:iam::123456789012:user/my-user2" | |
] | |
}, | |
"Action": "execute-api:Invoke", | |
"Resource": "arn:aws:execute-api:ap-southeast-1:123456789012:xxxxxxxxxx/*/*/*", | |
"Condition": { | |
"NotIpAddress": { | |
"aws:SourceIp": "123.123.123.123/32" | |
} | |
} | |
}, | |
{ | |
"Effect": "Allow", | |
"Principal": "*", | |
"Action": "execute-api:Invoke", | |
"Resource": "arn:aws:execute-api:ap-southeast-1:123456789012:xxxxxxxxxx/*/*/*" | |
} | |
] | |
} |
// Reference: https://aws.amazon.com/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/ | |
// aws iam get-role --role-name MyRoleName --query "Role.RoleId" | |
// aws iam get-user --user-name MyUser --query "User.UserId" | |
{ | |
"Version": "2012-10-17", | |
"Statement": [ | |
{ | |
"Sid": "Deny non-whitelisted users by userId", | |
"Effect": "Deny", | |
"Principal": "*", | |
"Action": "s3:*", | |
"Resource": [ | |
"arn:aws:s3:::mybucket", | |
"arn:aws:s3:::mybucket/*" | |
], | |
"Condition": { | |
"StringNotLike": { | |
"aws:userId": [ | |
"AROAxxxxxxxxxxxxxxxxx:*", | |
"AIDAxxxxxxxxxxxxxxxxx" | |
] | |
} | |
} | |
} | |
] | |
} |
{ | |
"Version": "2012-10-17", | |
"Statement": [ | |
{ | |
"Sid": "Allow bucket admins", | |
"Effect": "Allow", | |
"Principal": { | |
"AWS": [ | |
"arn:aws:iam::123456789012:user/bucket-admin1", | |
"arn:aws:iam::123456789012:user/bucket-admin2" | |
] | |
}, | |
"Action": "s3:*", | |
"Resource": [ | |
"arn:aws:s3:::mybucket", | |
"arn:aws:s3:::mybucket/*" | |
] | |
}, | |
{ | |
"Sid": "Allow readonly user from IP address", | |
"Effect": "Allow", | |
"Principal": { | |
"AWS": "arn:aws:iam::123456789012:user/myreadonlyuser" | |
}, | |
"Action": [ | |
"s3:Get*", | |
"s3:ListBucket" | |
], | |
"Resource": [ | |
"arn:aws:s3:::mybucket/*" | |
], | |
"Condition": { | |
"IpAddress": { | |
"aws:SourceIp": "0.0.0.0/0" | |
} | |
} | |
}, | |
{ | |
"Sid": "Allow users to upload", | |
"Effect": "Allow", | |
"Principal": { | |
"AWS": "arn:aws:iam::123456789012:user/myuploader" | |
}, | |
"Action": "s3:PutObject", | |
"Resource": [ | |
"arn:aws:s3:::mybucket", | |
"arn:aws:s3:::mybucket/*" | |
] | |
}, | |
{ | |
"Sid": "Deny non-whitelisted users", | |
"Effect": "Deny", | |
"NotPrincipal": { | |
"AWS": [ | |
"arn:aws:iam::123456789012:user/bucket-admin1", | |
"arn:aws:iam::123456789012:user/bucket-admin2", | |
"arn:aws:iam::123456789012:user/myreadonlyuser" | |
] | |
}, | |
"Action": "s3:*", | |
"Resource": [ | |
"arn:aws:s3:::mybucket", | |
"arn:aws:s3:::mybucket/*" | |
] | |
} | |
] | |
} |
{ | |
"Version": "2012-10-17", | |
"Statement": [ | |
{ | |
"Sid": "Allow whitelisted users", | |
"Effect": "Allow", | |
"Principal": { | |
"AWS": "arn:aws:iam::123456789012:user/bucket-admin" | |
}, | |
"Action": "s3:*", | |
"Resource": [ | |
"arn:aws:s3:::mybucket", | |
"arn:aws:s3:::mybucket/*" | |
] | |
}, | |
{ | |
"Sid": "Allow user from IP address", | |
"Effect": "Allow", | |
"Principal": { | |
"AWS": "arn:aws:iam::123456789012:user/myuser" | |
}, | |
"Action": "s3:*", | |
"Resource": [ | |
"arn:aws:s3:::mybucket", | |
"arn:aws:s3:::mybucket/*" | |
], | |
"Condition": { | |
"IpAddress": { | |
"aws:SourceIp": [ | |
"111.111.111.111/32", | |
"222.222.222.222/32" | |
] | |
} | |
} | |
} | |
] | |
} |
{ | |
"Version": "2012-10-17", | |
"Statement": [ | |
{ | |
"Sid": "Deny user from non whitelisted IPs", | |
"Effect": "Deny", | |
"Principal": { | |
"AWS": "arn:aws:iam::123456789012:user/myuser" | |
}, | |
"Action": "s3:*", | |
"Resource": [ | |
"arn:aws:s3:::mybucket", | |
"arn:aws:s3:::mybucket/*" | |
], | |
"Condition": { | |
"NotIpAddress": { | |
"aws:SourceIp": "123.123.123.123" | |
} | |
} | |
}, | |
{ | |
"Sid": "Deny non-whitelisted users", | |
"Effect": "Deny", | |
"NotPrincipal": { | |
"AWS": [ | |
"arn:aws:iam::123456789012:user/bucket-admin", | |
"arn:aws:iam::123456789012:user/myuser" | |
] | |
}, | |
"Action": "s3:*", | |
"Resource": [ | |
"arn:aws:s3:::mybucket", | |
"arn:aws:s3:::mybucket/*" | |
] | |
} | |
] | |
} |
{ | |
"Version": "2012-10-17", | |
"Id": "arn:aws:sqs:ap-southeast-1:123456789012:myqueue.fifo/SQSDefaultPolicy", | |
"Statement": [ | |
{ | |
"Sid": "Allow write-only roles", | |
"Effect": "Allow", | |
"Principal": { | |
"AWS": "arn:aws:iam::123456789012:role/service-role/my-role" | |
}, | |
"Action": [ | |
"SQS:SendMessage", | |
"SQS:DeleteMessage", | |
"SQS:ReceiveMessage" | |
], | |
"Resource": "arn:aws:sqs:ap-southeast-1:123456789012:myqueue.fifo", | |
"Condition": { | |
"StringLike": { | |
"aws:userId": "AROA00000000000000000:*" | |
} | |
} | |
}, | |
{ | |
"Sid": "Allow admins", | |
"Effect": "Allow", | |
"Principal": { | |
"AWS": "arn:aws:iam::123456789012:user/my-user" | |
}, | |
"Action": "SQS:*", | |
"Resource": "arn:aws:sqs:ap-southeast-1:123456789012:myqueue.fifo" | |
}, | |
{ | |
"Sid": "Deny non-whitelisted roles and users", | |
"Effect": "Deny", | |
"Principal": "*", | |
"Action": "SQS:*", | |
"Resource": "arn:aws:sqs:ap-southeast-1:123456789012:myqueue.fifo", | |
"Condition": { | |
"StringNotLike": { | |
"aws:userId": [ | |
"AROA00000000000000000:*", | |
"AIDA00000000000000000" | |
] | |
} | |
} | |
} | |
] | |
} |