@k9securityio/k9-cdk
Version:
Provision strong AWS security policies easily using the AWS CDK.
273 lines • 7.18 kB
JSON
{
"Statement": [
{
"Action": [
"s3:DeleteBucket",
"s3:DeleteBucketPolicy",
"s3:DeleteBucketWebsite",
"s3:ObjectOwnerOverrideToBucketOwner",
"s3:PutAccelerateConfiguration",
"s3:PutAnalyticsConfiguration",
"s3:PutBucketAcl",
"s3:PutBucketCORS",
"s3:PutBucketLogging",
"s3:PutBucketNotification",
"s3:PutBucketObjectLockConfiguration",
"s3:PutBucketOwnershipControls",
"s3:PutBucketPolicy",
"s3:PutBucketPublicAccessBlock",
"s3:PutBucketRequestPayment",
"s3:PutBucketTagging",
"s3:PutBucketVersioning",
"s3:PutBucketWebsite",
"s3:PutEncryptionConfiguration",
"s3:PutIntelligentTieringConfiguration",
"s3:PutInventoryConfiguration",
"s3:PutLifecycleConfiguration",
"s3:PutMetricsConfiguration",
"s3:PutObjectAcl",
"s3:PutObjectLegalHold",
"s3:PutObjectRetention",
"s3:PutObjectVersionAcl",
"s3:PutReplicationConfiguration"
],
"Condition": {
"ArnEquals": {
"aws:PrincipalArn": [
"arn:aws:iam::123456789012:user/ci",
"arn:aws:iam::123456789012:user/person1"
]
}
},
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Resource": [
"${Token[TOKEN.22]}",
"${Token[TOKEN.22]}/*"
],
"Sid": "Allow Restricted administer-resource"
},
{
"Action": [
"s3:GetAccelerateConfiguration",
"s3:GetAnalyticsConfiguration",
"s3:GetBucketAcl",
"s3:GetBucketCORS",
"s3:GetBucketLocation",
"s3:GetBucketLogging",
"s3:GetBucketNotification",
"s3:GetBucketObjectLockConfiguration",
"s3:GetBucketOwnershipControls",
"s3:GetBucketPolicy",
"s3:GetBucketPolicyStatus",
"s3:GetBucketPublicAccessBlock",
"s3:GetBucketRequestPayment",
"s3:GetBucketTagging",
"s3:GetBucketVersioning",
"s3:GetBucketWebsite",
"s3:GetEncryptionConfiguration",
"s3:GetIntelligentTieringConfiguration",
"s3:GetInventoryConfiguration",
"s3:GetLifecycleConfiguration",
"s3:GetMetricsConfiguration",
"s3:GetObjectAcl",
"s3:GetObjectAttributes",
"s3:GetObjectLegalHold",
"s3:GetObjectRetention",
"s3:GetObjectTagging",
"s3:GetObjectVersionAcl",
"s3:GetObjectVersionAttributes",
"s3:GetObjectVersionTagging",
"s3:GetReplicationConfiguration",
"s3:ListBucketMultipartUploads",
"s3:ListBucketVersions",
"s3:ListMultipartUploadParts"
],
"Condition": {
"ArnEquals": {
"aws:PrincipalArn": [
"arn:aws:iam::123456789012:user/ci",
"arn:aws:iam::123456789012:user/person1",
"arn:aws:iam::123456789012:role/k9-auditor",
"arn:aws:iam::123456789012:role/aws-service-role/access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer"
]
}
},
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Resource": [
"${Token[TOKEN.22]}",
"${Token[TOKEN.22]}/*"
],
"Sid": "Allow Restricted read-config"
},
{
"Action": [
"s3:GetObject",
"s3:GetObjectTorrent",
"s3:GetObjectVersion",
"s3:GetObjectVersionForReplication",
"s3:GetObjectVersionTorrent",
"s3:ListBucket"
],
"Condition": {
"ArnEquals": {
"aws:PrincipalArn": [
"arn:aws:iam::123456789012:role/app-backend",
"arn:aws:iam::123456789012:role/customer-service"
]
}
},
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Resource": [
"${Token[TOKEN.22]}",
"${Token[TOKEN.22]}/*"
],
"Sid": "Allow Restricted read-data"
},
{
"Action": [
"s3:AbortMultipartUpload",
"s3:InitiateReplication",
"s3:PutBucketTagging",
"s3:PutObject",
"s3:PutObjectTagging",
"s3:PutObjectVersionTagging",
"s3:ReplicateDelete",
"s3:ReplicateObject",
"s3:ReplicateTags",
"s3:RestoreObject"
],
"Condition": {
"ArnEquals": {
"aws:PrincipalArn": [
"arn:aws:iam::123456789012:role/app-backend"
]
}
},
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Resource": [
"${Token[TOKEN.22]}",
"${Token[TOKEN.22]}/*"
],
"Sid": "Allow Restricted write-data"
},
{
"Action": [
"s3:DeleteObject",
"s3:DeleteObjectTagging",
"s3:DeleteObjectVersion",
"s3:DeleteObjectVersionTagging"
],
"Condition": {
"ArnEquals": {
"aws:PrincipalArn": []
}
},
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Resource": [
"${Token[TOKEN.22]}",
"${Token[TOKEN.22]}/*"
],
"Sid": "Allow Restricted delete-data"
},
{
"Action": "s3:*",
"Condition": {
"Bool": {
"aws:SecureTransport": false
}
},
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Resource": [
"${Token[TOKEN.22]}",
"${Token[TOKEN.22]}/*"
],
"Sid": "DenyInsecureCommunications"
},
{
"Action": [
"s3:PutObject",
"s3:ReplicateObject"
],
"Condition": {
"Null": {
"s3:x-amz-server-side-encryption": true
}
},
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Resource": [
"${Token[TOKEN.22]}",
"${Token[TOKEN.22]}/*"
],
"Sid": "DenyUnencryptedStorage"
},
{
"Action": [
"s3:PutObject",
"s3:ReplicateObject"
],
"Condition": {
"StringNotEquals": {
"s3:x-amz-server-side-encryption": "aws:kms"
}
},
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Resource": [
"${Token[TOKEN.22]}",
"${Token[TOKEN.22]}/*"
],
"Sid": "DenyUnexpectedEncryptionMethod"
},
{
"Action": "s3:*",
"Condition": {
"ArnNotEquals": {
"aws:PrincipalArn": [
"arn:aws:iam::123456789012:user/ci",
"arn:aws:iam::123456789012:user/person1",
"arn:aws:iam::123456789012:role/k9-auditor",
"arn:aws:iam::123456789012:role/aws-service-role/access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer",
"arn:aws:iam::123456789012:role/app-backend",
"arn:aws:iam::123456789012:role/customer-service"
]
}
},
"Effect": "Deny",
"Principal": {
"AWS": [
"*",
"*"
]
},
"Resource": [
"${Token[TOKEN.22]}",
"${Token[TOKEN.22]}/*"
],
"Sid": "DenyEveryoneElse"
}
],
"Version": "2012-10-17"
}