Forked from deskoh/_AWS Resource-Based Policy Examples.md
Created
April 18, 2024 22:38
AWS Resource-based policies example
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "NotPrincipal": {
        "AWS": [
          "arn:aws:iam::123456789012:user/my-user1",
          "arn:aws:iam::123456789012:user/my-user2"
        ]
      },
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:ap-southeast-1:123456789012:xxxxxxxxxx/*/*/*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": "123.123.123.123/32"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:ap-southeast-1:123456789012:xxxxxxxxxx/*/*/*"
    }
  ]
}
// Reference: https://aws.amazon.com/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/
// aws iam get-role --role-name MyRoleName --query "Role.RoleId"
// aws iam get-user --user-name MyUser --query "User.UserId"
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Deny non-whitelisted users by userId",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::mybucket",
        "arn:aws:s3:::mybucket/*"
      ],
      "Condition": {
        "StringNotLike": {
          "aws:userId": [
            "AROAxxxxxxxxxxxxxxxxx:*",
            "AIDAxxxxxxxxxxxxxxxxx"
          ]
        }
      }
    }
  ]
}
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow bucket admins",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::123456789012:user/bucket-admin1",
          "arn:aws:iam::123456789012:user/bucket-admin2"
        ]
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::mybucket",
        "arn:aws:s3:::mybucket/*"
      ]
    },
    {
      "Sid": "Allow readonly user from IP address",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/myreadonlyuser"
      },
      "Action": [
        "s3:Get*",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::mybucket/*"
      ],
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "0.0.0.0/0"
        }
      }
    },
    {
      "Sid": "Allow users to upload",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/myuploader"
      },
      "Action": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::mybucket",
        "arn:aws:s3:::mybucket/*"
      ]
    },
    {
      "Sid": "Deny non-whitelisted users",
      "Effect": "Deny",
      "NotPrincipal": {
        "AWS": [
          "arn:aws:iam::123456789012:user/bucket-admin1",
          "arn:aws:iam::123456789012:user/bucket-admin2",
          "arn:aws:iam::123456789012:user/myreadonlyuser"
        ]
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::mybucket",
        "arn:aws:s3:::mybucket/*"
      ]
    }
  ]
}
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow whitelisted users",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/bucket-admin"
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::mybucket",
        "arn:aws:s3:::mybucket/*"
      ]
    },
    {
      "Sid": "Allow user from IP address",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/myuser"
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::mybucket",
        "arn:aws:s3:::mybucket/*"
      ],
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "111.111.111.111/32",
            "222.222.222.222/32"
          ]
        }
      }
    }
  ]
}
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Deny user from non whitelisted IPs",
      "Effect": "Deny",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/myuser"
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::mybucket",
        "arn:aws:s3:::mybucket/*"
      ],
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": "123.123.123.123"
        }
      }
    },
    {
      "Sid": "Deny non-whitelisted users",
      "Effect": "Deny",
      "NotPrincipal": {
        "AWS": [
          "arn:aws:iam::123456789012:user/bucket-admin",
          "arn:aws:iam::123456789012:user/myuser"
        ]
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::mybucket",
        "arn:aws:s3:::mybucket/*"
      ]
    }
  ]
}
{
  "Version": "2012-10-17",
  "Id": "arn:aws:sqs:ap-southeast-1:123456789012:myqueue.fifo/SQSDefaultPolicy",
  "Statement": [
    {
      "Sid": "Allow write-only roles",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/service-role/my-role"
      },
      "Action": [
        "SQS:SendMessage",
        "SQS:DeleteMessage",
        "SQS:ReceiveMessage"
      ],
      "Resource": "arn:aws:sqs:ap-southeast-1:123456789012:myqueue.fifo",
      "Condition": {
        "StringLike": {
          "aws:userId": "AROA00000000000000000:*"
        }
      }
    },
    {
      "Sid": "Allow admins",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/my-user"
      },
      "Action": "SQS:*",
      "Resource": "arn:aws:sqs:ap-southeast-1:123456789012:myqueue.fifo"
    },
    {
      "Sid": "Deny non-whitelisted roles and users",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "SQS:*",
      "Resource": "arn:aws:sqs:ap-southeast-1:123456789012:myqueue.fifo",
      "Condition": {
        "StringNotLike": {
          "aws:userId": [
            "ARO000000000000000000:*",
            "AIDA00000000000000000"
          ]
        }
      }
    }
  ]
}