
@riponbanik
Created June 23, 2023 01:09
{
"AWSTemplateFormatVersion" : "2010-09-09",
"Description" : "Permission Boundary for Developers",
"Resources" : {
"DeveloperBoundary" : {
"Type": "AWS::IAM::ManagedPolicy",
"Properties": {
"ManagedPolicyName": "cdk-boundary",
"Description": "CDK Permission Boundary",
"Path": "/",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Resource": "*",
"Effect": "Allow",
"NotAction": "iam:*",
"Sid": "DefaultAllowAllbutIAM"
},
{
"Action": [
"iam:AddRoleToInstanceProfile",
"iam:CreateAccessKey",
"iam:CreateInstanceProfile",
"iam:CreateOpenIDConnectProvider",
"iam:CreatePolicy",
"iam:CreatePolicyVersion",
"iam:CreateServiceLinkedRole",
"iam:DeleteAccessKey",
"iam:DeleteInstanceProfile",
"iam:DeleteOpenIDConnectProvider",
"iam:DeletePolicy",
"iam:DeletePolicyVersion",
"iam:DeleteRole",
"iam:DeleteServiceLinkedRole",
"iam:GenerateCredentialReport",
"iam:GenerateServiceLastAccessedDetails",
"iam:GetAccessKeyLastUsed",
"iam:GetInstanceProfile",
"iam:GetOpenIDConnectProvider",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:GetSAMLProvider",
"iam:GetServiceLastAccessedDetails",
"iam:GetServiceLastAccessedDetailsWithEntities",
"iam:GetServiceLinkedRoleDeletionStatus",
"iam:GetUser",
"iam:GetUserPolicy",
"iam:List*",
"iam:RemoveRoleFromInstanceProfile",
"iam:SetDefaultPolicyVersion",
"iam:SimulateCustomPolicy",
"iam:SimulatePrincipalPolicy",
"iam:TagOpenIDConnectProvider",
"iam:UpdateAccessKey",
"iam:UpdateOpenIDConnectProviderThumbprint"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "AllowPermittedIAM"
},
{
"Condition": {
"StringEquals": {
"iam:PermissionsBoundary": [
{ "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:policy/service-boundary" }
]
}
},
"Action": [
"iam:CreateRole",
"iam:DeleteRole",
"iam:AttachRolePolicy",
"iam:DetachRolePolicy",
"iam:DeleteRolePolicy",
"iam:PutRolePolicy",
"iam:TagRole",
"iam:UntagRole",
"iam:UpdateRoleDescription",
"iam:PutRolePermissionsBoundary"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "CreateOrChangeOnlyWithBoundary"
},
{
"Action": [
"iam:UpdateAssumeRolePolicy",
"iam:PassRole"
],
"Resource": [
{ "Fn::Sub": "arn:aws:iam::*:role/*" },
{ "Fn::Sub": "arn:aws:iam::*:role/*" }
],
"Effect": "Allow",
"Sid": "IAMPassRoleAccess"
},
{
"Action": [
"iam:CreatePolicyVersion",
"iam:DeletePolicy",
"iam:DeletePolicyVersion",
"iam:SetDefaultPolicyVersion"
],
"Resource": { "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:policy/*boundary" },
"Effect": "Deny",
"Sid": "DenyBoundaryEditing"
}
]
}
}
}
}
}