Update detected
MAMIP Bot committed Nov 18, 2024
1 parent 46c3909 commit 2631cef
Showing 12 changed files with 1,436 additions and 5 deletions.
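--- /dev/null
+++ b/policies/AWS-SSM-Automation-DiagnosisBucketPolicy
@@ -0,0 +1,100 @@
+{
+"PolicyVersion": {
+"CreateDate": "2024-11-15T23:31:17Z",
+"VersionId": "v1",
+"Document": {
+"Version": "2012-10-17",
+"Statement": [
+{
+"Action": [
+"s3:PutObject",
+"s3:GetObject",
+"s3:DeleteObject"
+],
+"Resource": "arn:aws:s3:::do-not-delete-ssm-diagnosis-*/actions/*/${aws:PrincipalAccount}/*",
+"Effect": "Allow",
+"Condition": {
+"StringEquals": {
+"aws:ResourceAccount": "${aws:PrincipalAccount}"
+}
+},
+"Sid": "AllowReadWriteToSsmDiagnosisBucketInSameAccount"
+},
+{
+"Action": [
+"s3:PutObject",
+"s3:GetObject",
+"s3:DeleteObject"
+],
+"Resource": "arn:aws:s3:::do-not-delete-ssm-diagnosis-*/actions/*/${aws:PrincipalAccount}/*",
+"Effect": "Allow",
+"Condition": {
+"StringEquals": {
+"aws:ResourceOrgId": "${aws:PrincipalOrgId}"
+}
+},
+"Sid": "AllowReadWriteToSsmDiagnosisBucketWithinOrg"
+},
+{
+"Action": [
+"s3:ListBucket"
+],
+"Resource": "arn:aws:s3:::do-not-delete-ssm-diagnosis-*",
+"Effect": "Allow",
+"Condition": {
+"StringLike": {
+"s3:prefix": "*/${aws:PrincipalAccount}/*"
+},
+"StringEquals": {
+"aws:ResourceAccount": "${aws:PrincipalAccount}"
+}
+},
+"Sid": "AllowReadOnlyAccessListBucketOnSsmDiagnosisBucketInSameAccount"
+},
+{
+"Action": [
+"s3:ListBucket"
+],
+"Resource": "arn:aws:s3:::do-not-delete-ssm-diagnosis-*",
+"Effect": "Allow",
+"Condition": {
+"StringLike": {
+"s3:prefix": "*/${aws:PrincipalAccount}/*"
+},
+"StringEquals": {
+"aws:ResourceOrgId": "${aws:PrincipalOrgId}"
+}
+},
+"Sid": "AllowReadOnlyAccessListBucketOnSsmDiagnosisBucketWithinOrg"
+},
+{
+"Action": [
+"s3:GetEncryptionConfiguration"
+],
+"Resource": "arn:aws:s3:::do-not-delete-ssm-diagnosis-*",
+"Effect": "Allow",
+"Condition": {
+"StringEquals": {
+"aws:ResourceAccount": "${aws:PrincipalAccount}"
+}
+},
+"Sid": "AllowGetEncryptionConfigurationOnSsmDiagnosisBucketInSameAccount"
+},
+{
+"Action": [
+"s3:GetEncryptionConfiguration"
+],
+"Resource": "arn:aws:s3:::do-not-delete-ssm-diagnosis-*",
+"Effect": "Allow",
+"Condition": {
+"StringEquals": {
+"aws:ResourceOrgId": "${aws:PrincipalOrgId}"
+}
+},
+"Sid": "AllowGetEncryptionConfigurationOnSsmDiagnosisBucketWithinOrg"
+}
+]
+},
+"IsDefaultVersion": true
+}
+}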
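Review bot: The two ListBucket statements (`AllowReadOnlyAccessListBucketOnSsmDiagnosisBucket...`) gate listing on an `s3:prefix` of `*/${aws:PrincipalAccount}/*`, whose leading wildcard is not anchored to the `actions/` path that the object-level statements are confined to, so a caller may list any key space in the bucket where its account ID appears after a slash. If every object is laid out as `actions/<x>/<account>/...` the two scopes coincide, but the listing grant will not shrink if other top-level prefixes are added to the bucket later. Separately, the `...WithinOrg` variants match any bucket in any same-organization account whose name begins with `do-not-delete-ssm-diagnosis-`, so the name prefix plus `aws:ResourceOrgId` is the whole scope; a consumer tracking this policy should confirm which accounts host such buckets, since any account in the org can create one with that prefix. Worth noting for readers is that an unresolvable `${aws:PrincipalOrgId}` (principal not in an organization) makes the `StringEquals` fail closed rather than open.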
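--- /dev/null
+++ b/policies/AWS-SSM-DiagnosisAutomation-AdministrationRolePolicy
@@ -0,0 +1,105 @@
+{
+"PolicyVersion": {
+"CreateDate": "2024-11-16T00:01:45Z",
+"VersionId": "v1",
+"Document": {
+"Version": "2012-10-17",
+"Statement": [
+{
+"Action": [
+"ssm:DescribeAutomationExecutions",
+"ssm:DescribeAutomationStepExecutions",
+"ssm:GetAutomationExecution"
+],
+"Resource": "*",
+"Effect": "Allow",
+"Sid": "AllowReadOnlyAccessSSMResource"
+},
+{
+"Action": [
+"ssm:StartAutomationExecution"
+],
+"Resource": [
+"arn:aws:ssm:*:*:automation-definition/AWS-*UnmanagedEC2*:*"
+],
+"Effect": "Allow",
+"Sid": "AllowExecuteSSMAutomation"
+},
+{
+"Action": [
+"kms:Decrypt",
+"kms:GenerateDataKey"
+],
+"Resource": "arn:aws:kms:*:*:key/*",
+"Effect": "Allow",
+"Condition": {
+"StringLike": {
+"kms:ViaService": "s3.*.amazonaws.com"
+},
+"ArnLike": {
+"kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::do-not-delete-ssm-diagnosis-*"
+},
+"StringEquals": {
+"aws:ResourceTag/SystemsManagerManaged": "true"
+},
+"Bool": {
+"aws:ViaAWSService": "true"
+}
+},
+"Sid": "AllowKMSOperations"
+},
+{
+"Action": "sts:AssumeRole",
+"Resource": "arn:aws:iam::*:role/AWS-SSM-DiagnosisExecutionRole*",
+"Effect": "Allow",
+"Condition": {
+"StringEquals": {
+"aws:ResourceAccount": "${aws:PrincipalAccount}"
+}
+},
+"Sid": "AllowAssumeDiagnosisExecutionRoleWithinAccount"
+},
+{
+"Action": "iam:PassRole",
+"Resource": "arn:aws:iam::*:role/AWS-SSM-DiagnosisAdminRole*",
+"Effect": "Allow",
+"Condition": {
+"StringEquals": {
+"iam:PassedToService": "ssm.amazonaws.com"
+}
+},
+"Sid": "AllowPassRoleOnSelfToSsm"
+},
+{
+"Action": [
+"s3:PutObject",
+"s3:GetObject",
+"s3:DeleteObject"
+],
+"Resource": "arn:aws:s3:::do-not-delete-ssm-diagnosis-*/actions/*",
+"Effect": "Allow",
+"Condition": {
+"StringEquals": {
+"aws:ResourceAccount": "${aws:PrincipalAccount}"
+}
+},
+"Sid": "AllowReadWriteToSsmDiagnosisBucketInSameAccount"
+},
+{
+"Action": [
+"s3:ListBucket"
+],
+"Resource": "arn:aws:s3:::do-not-delete-ssm-diagnosis-*",
+"Effect": "Allow",
+"Condition": {
+"StringEquals": {
+"aws:ResourceAccount": "${aws:PrincipalAccount}"
+}
+},
+"Sid": "AllowListBucketOnSsmDiagnosisBucketInSameAccount"
+}
+]
+},
+"IsDefaultVersion": true
+}
+}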
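Review bot: The `AllowPassRoleOnSelfToSsm` statement passes any role matching `arn:aws:iam::*:role/AWS-SSM-DiagnosisAdminRole*`, a name-prefix glob rather than the role itself, so the Sid's "OnSelf" overstates the restriction: every role in the account whose name starts with `AWS-SSM-DiagnosisAdminRole` can be handed to `ssm.amazonaws.com`. The same pattern appears in the ExecutionRolePolicy file in this commit, with `AWS-SSM-DiagnosisExecutionRole*`. The practical boundary is therefore the naming convention plus the `iam:PassedToService` condition; since PassRole cannot hand over a role from a different account, the `*` in the account field is presumably harmless but is worth a comment in any consumer's own documentation. Also note that the `AllowReadWriteToSsmDiagnosisBucketInSameAccount` statement here covers all of `actions/*`, whereas the statement with the same Sid in the DiagnosisBucketPolicy file is narrowed to `actions/*/${aws:PrincipalAccount}/*`; the shared Sid with different scope is easy to misread when diffing the two policies.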
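--- /dev/null
+++ b/policies/AWS-SSM-DiagnosisAutomation-ExecutionRolePolicy
@@ -0,0 +1,81 @@
+{
+"PolicyVersion": {
+"CreateDate": "2024-11-16T00:08:07Z",
+"VersionId": "v1",
+"Document": {
+"Version": "2012-10-17",
+"Statement": [
+{
+"Action": [
+"ec2:DescribeVpcs",
+"ec2:DescribeVpcAttribute",
+"ec2:DescribeVpcEndpoints",
+"ec2:DescribeSubnets",
+"ec2:DescribeSecurityGroups",
+"ec2:DescribeInstances",
+"ec2:DescribeInternetGateways"
+],
+"Resource": "*",
+"Effect": "Allow",
+"Sid": "AllowReadOnlyAccessEC2Resource"
+},
+{
+"Action": [
+"ssm:DescribeAutomationStepExecutions",
+"ssm:DescribeInstanceInformation",
+"ssm:DescribeAutomationExecutions",
+"ssm:GetAutomationExecution"
+],
+"Resource": "*",
+"Effect": "Allow",
+"Sid": "AllowReadOnlyAccessSSMResource"
+},
+{
+"Action": [
+"ssm:StartAutomationExecution"
+],
+"Resource": [
+"arn:aws:ssm:*:*:automation-definition/AWS-*UnmanagedEC2*:*"
+],
+"Effect": "Allow",
+"Sid": "AllowExecuteSSMAutomation"
+},
+{
+"Action": [
+"kms:Decrypt",
+"kms:GenerateDataKey"
+],
+"Resource": "arn:aws:kms:*:*:key/*",
+"Effect": "Allow",
+"Condition": {
+"StringLike": {
+"kms:ViaService": "s3.*.amazonaws.com"
+},
+"ArnLike": {
+"kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::do-not-delete-ssm-diagnosis-*"
+},
+"StringEquals": {
+"aws:ResourceTag/SystemsManagerManaged": "true"
+},
+"Bool": {
+"aws:ViaAWSService": "true"
+}
+},
+"Sid": "AllowKMSOperations"
+},
+{
+"Action": "iam:PassRole",
+"Resource": "arn:aws:iam::*:role/AWS-SSM-DiagnosisExecutionRole*",
+"Effect": "Allow",
+"Condition": {
+"StringEquals": {
+"iam:PassedToService": "ssm.amazonaws.com"
+}
+},
+"Sid": "AllowPassRoleOnSelfToSsm"
+}
+]
+},
+"IsDefaultVersion": true
+}
+}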
@@ -0,0 +1,32 @@
{
"PolicyVersion": {
"CreateDate": "2024-11-16T00:11:14Z",
"VersionId": "v1",
"Document": {
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"organizations:ListRoots",
"organizations:ListChildren"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "AllowReadOnlyAccessOrganization"
},
{
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::*:role/AWS-SSM-DiagnosisExecutionRole*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"aws:ResourceOrgId": "${aws:PrincipalOrgId}"
}
},
"Sid": "AllowAssumeDiagnosisExecutionRoleWithinOrg"
}
]
},
"IsDefaultVersion": true
}
}
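Review bot: The `AllowAssumeDiagnosisExecutionRoleWithinOrg` statement grants `sts:AssumeRole` on `arn:aws:iam::*:role/AWS-SSM-DiagnosisExecutionRole*` in every account of the caller's organization, so the effective boundary is the trust policy of each target role, not this statement; anyone reviewing the deployment should verify those trust policies name the intended administration principal rather than a broad org-wide condition. To my understanding `aws:ResourceOrgId` is only populated when the target account belongs to an organization, so the `StringEquals` fails closed for roles outside one. The file header for this section is not in view, so the policy name this document belongs to cannot be confirmed from the page.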