Add SecOps role in the network account
lgallard committed Sep 16, 2021
1 parent a76a2ef commit 6acfe8d
Showing 2 changed files with 144 additions and 0 deletions.
117 changes: 117 additions & 0 deletions network/base-identities/policies.tf
Expand Up @@ -136,6 +136,123 @@ resource "aws_iam_policy" "devops_access" {
EOF
}

#
# User Managed Policy: SecOps Access
#
resource "aws_iam_policy" "secops_access" {
name = "secops_access"
description = "Services enabled for SecOps role"

#
# IMPORTANT: Multiple condition keys in the same statement are not supported for some ec2 and rds actions.
#
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "MultiServiceFullAccessCustom",
"Effect": "Allow",
"Action": [
"access-analyzer:*",
"acm:*",
"apigateway:*",
"appsync:*",
"aws-portal:*",
"backup:*",
"backup-storage:*",
"ce:*",
"cloudformation:*",
"cloudtrail:*",
"cloudwatch:*",
"config:*",
"dlm:*",
"dynamodb:*",
"ec2:*",
"elasticloadbalancing:*",
"events:*",
"fms:*",
"guardduty:*",
"health:*",
"iam:*",
"kms:*",
"lambda:*",
"logs:*",
"organizations:Describe*",
"organizations:List*",
"route53:*",
"route53domains:*",
"route53resolver:*",
"s3:*",
"sns:*",
"ssm:*",
"support:*",
"tag:*",
"trustedadvisor:*",
"vpc:*",
"waf:*",
"waf-regional:*",
"wafv2:*"
],
"Resource": [
"*"
],
"Condition": {
"StringEquals": {
"aws:RequestedRegion": [
"us-east-1",
"us-east-2",
"us-west-2"
]
}
}
},
{
"Sid": "Ec2RunInstanceCustomSize",
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:*:*:instance/*"
],
"Condition": {
"ForAnyValue:StringNotLike": {
"ec2:InstanceType": [
"*.nano",
"*.micro",
"*.small",
"*.medium",
"*.large"
]
}
}
},
{
"Sid": "RdsFullAccessCustomSize",
"Effect": "Deny",
"Action": [
"rds:CreateDBInstance",
"rds:CreateDBCluster"
],
"Resource": [
"arn:aws:rds:*:*:db:*"
],
"Condition": {
"ForAnyValue:StringNotLike": {
"rds:DatabaseClass": [
"*.micro",
"*.small",
"*.medium",
"*.large"
]
}
}
}
]
}
EOF
}

#
# Customer Managed Policy: DeployMaster
#
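Review bot: The `MultiServiceFullAccessCustom` statement grants `iam:*` and `kms:*` on `"Resource": "*"`, which lets any principal that assumes the SecOps role edit or detach this very policy (`aws_iam_policy.secops_access`) and thereby drop the two `Deny` statements below, so the instance-size caps are only advisory; the `aws:RequestedRegion` condition does not narrow this either, since IAM is a global service evaluated as us-east-1. Consider limiting IAM to `"iam:Get*"`, `"iam:List*"` and `"iam:Generate*"` (adding specific write actions only as needed) so the policy stays closer to the audit footprint the role name suggests. The `RdsFullAccessCustomSize` deny lists `rds:CreateDBCluster` but its `Resource` is only `arn:aws:rds:*:*:db:*`; cluster ARNs use the `cluster:` resource type, so that action appears not to be covered by the cap — verify the intent and add `"arn:aws:rds:*:*:cluster:*"` if clusters should be constrained as well. `"vpc:*"` does not look like a valid IAM service prefix (VPC actions live under `ec2:`), so it can probably be dropped from the action list.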
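--- a/network/base-identities/roles.tf
+++ b/network/base-identities/roles.tf
@@ -29,6 +29,33 @@ module "iam_assumable_role_devops" {
 tags = local.tags
 }
 
+#
+# Assumable Role Cross-Account: SecOps
+#
+module "iam_assumable_role_secops" {
+source = "github.com/binbashar/terraform-aws-iam.git//modules/iam-assumable-role?ref=v4.1.0"
+
+trusted_role_arns = [
+"arn:aws:iam::${var.security_account_id}:root"
+]
+
+create_role = true
+role_name = "SecOps"
+role_path = "/"
+
+#
+# MFA setup
+#
+role_requires_mfa = true
+mfa_age = 43200 # Maximum CLI/API session duration in seconds between 3600 and 43200
+max_session_duration = 3600 # Max age of valid MFA (in seconds) for roles which require MFA
+custom_role_policy_arns = [
+aws_iam_policy.secops_access.arn
+]
+
+tags = local.tags
+}
+
 #
 # Assumable Role Cross-Account: Admin
 #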
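Review bot: The trailing comments on `mfa_age` and `max_session_duration` in `iam_assumable_role_secops` are swapped: `mfa_age` bounds how old the MFA authentication may be and `max_session_duration` bounds the role session, but each line carries the other's description, which will mislead whoever tunes these values next. Swap them to `mfa_age = 43200 # Max age of valid MFA (in seconds) for roles which require MFA` and `max_session_duration = 3600 # Maximum CLI/API session duration in seconds between 3600 and 43200`. Once the comments read correctly it is worth confirming that a 12-hour MFA age is really intended for a role whose attached policy (`aws_iam_policy.secops_access`) reaches `iam:*`; the `iam_assumable_role_devops` block above is outside this hunk, so check whether it carries the same swapped comments.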
