
Add secops role in devstg
lgallard committed Nov 3, 2021
1 parent 746a8ef commit eafcd9b
Showing 2 changed files with 124 additions and 2 deletions.
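--- a/apps-devstg/global/base-identities/policies.tf
+++ b/apps-devstg/global/base-identities/policies.tf
@@ -481,3 +481,122 @@ resource "aws_iam_policy" "velero_backups" {
 }
 EOF
 }
+
+#
+# User Managed Policy: SecOps Access
+#
+resource "aws_iam_policy" "secops_access" {
+name = "secops_access"
+description = "Services enabled for SecOps role"
+
+#
+# IMPORTANT: Multiple condition keys in the same statement are not supported for some ec2 and rds actions.
+#
+policy = <<EOF
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Sid": "MultiServiceFullAccessCustom",
+"Effect": "Allow",
+"Action": [
+"access-analyzer:*",
+"acm:*",
+"apigateway:*",
+"appsync:*",
+"aws-portal:*",
+"backup:*",
+"backup-storage:*",
+"ce:*",
+"cloudformation:*",
+"cloudtrail:*",
+"cloudwatch:*",
+"config:*",
+"dlm:*",
+"dynamodb:*",
+"ec2:*",
+"elasticloadbalancing:*",
+"events:*",
+"fms:*",
+"guardduty:*",
+"health:*",
+"iam:*",
+"kms:*",
+"lambda:*",
+"logs:*",
+"network-firewall:*",
+"networkmanager:*",
+"organizations:Describe*",
+"organizations:List*",
+"route53:*",
+"route53domains:*",
+"route53resolver:*",
+"s3:*",
+"sns:*",
+"ssm:*",
+"support:*",
+"tag:*",
+"trustedadvisor:*",
+"vpc:*",
+"waf:*",
+"waf-regional:*",
+"wafv2:*"
+],
+"Resource": [
+"*"
+],
+"Condition": {
+"StringEquals": {
+"aws:RequestedRegion": [
+"us-east-1",
+"us-east-2",
+"us-west-2"
+]
+}
+}
+},
+{
+"Sid": "Ec2RunInstanceCustomSize",
+"Effect": "Deny",
+"Action": "ec2:RunInstances",
+"Resource": [
+"arn:aws:ec2:*:*:instance/*"
+],
+"Condition": {
+"ForAnyValue:StringNotLike": {
+"ec2:InstanceType": [
+"*.nano",
+"*.micro",
+"*.small",
+"*.medium",
+"*.large"
+]
+}
+}
+},
+{
+"Sid": "RdsFullAccessCustomSize",
+"Effect": "Deny",
+"Action": [
+"rds:CreateDBInstance",
+"rds:CreateDBCluster"
+],
+"Resource": [
+"arn:aws:rds:*:*:db:*"
+],
+"Condition": {
+"ForAnyValue:StringNotLike": {
+"rds:DatabaseClass": [
+"*.micro",
+"*.small",
+"*.medium",
+"*.large"
+]
+}
+}
+}
+]
+}
+EOF
+}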
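Review bot: `"iam:*"` on `"Resource": ["*"]` in the `MultiServiceFullAccessCustom` statement makes this SecOps policy equivalent to administrator access: a holder can create a user or access key, attach `AdministratorAccess`, rewrite a role's trust policy or delete its own permissions boundary, and the `aws:RequestedRegion` condition does not stop any of this because IAM is a global service whose calls evaluate against us-east-1, which is in the allowed list. The same statement's `cloudtrail:*`, `config:*` and `guardduty:*` let the role stop or delete the very trail, recorder and detector the organisation's audit alarms depend on, so it can erase its own tracks. The `RdsFullAccessCustomSize` deny looks inert as written: the allow statement grants no `rds:` action at all, and `rds:CreateDBCluster` acts on a `cluster:*` resource rather than the `db:*` ARN listed, so only the `rds:CreateDBInstance` size guard would ever bite if `rds:*` is added later. I would narrow `iam:*` to `iam:Get*`/`iam:List*` plus the specific write actions SecOps actually needs, or at minimum add an explicit Deny statement along the lines below (trim it to what the role must keep) and put a permissions boundary on the role this policy is attached to — that role is outside this diff.
```hcl
# … unchanged: MultiServiceFullAccessCustom, Ec2RunInstanceCustomSize and RdsFullAccessCustomSize statements …
{
  "Sid": "DenyPrivilegeEscalationAndAuditTampering",
  "Effect": "Deny",
  "Action": [
    "iam:CreateUser",
    "iam:CreateLoginProfile",
    "iam:CreateAccessKey",
    "iam:AttachUserPolicy",
    "iam:AttachRolePolicy",
    "iam:AttachGroupPolicy",
    "iam:PutUserPolicy",
    "iam:PutRolePolicy",
    "iam:PutGroupPolicy",
    "iam:CreatePolicyVersion",
    "iam:SetDefaultPolicyVersion",
    "iam:UpdateAssumeRolePolicy",
    "iam:DeleteRolePermissionsBoundary",
    "iam:DeleteUserPermissionsBoundary",
    "cloudtrail:StopLogging",
    "cloudtrail:DeleteTrail",
    "cloudtrail:UpdateTrail",
    "config:StopConfigurationRecorder",
    "config:DeleteConfigurationRecorder",
    "guardduty:DeleteDetector",
    "guardduty:UpdateDetector"
  ],
  "Resource": "*"
}
```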
7 changes: 5 additions & 2 deletions apps-prd/us-east-1/security-audit/awscloudtrail.tf
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
module "cloudtrail" {
source = "github.com/binbashar/terraform-aws-cloudtrail.git?ref=0.20.0"
source = "github.com/binbashar/terraform-aws-cloudtrail.git?ref=0.20.1"
namespace = var.project
stage = var.environment
name = "cloudtrail-org"
Expand All @@ -14,7 +14,7 @@ module "cloudtrail" {
}

module "cloudtrail_api_alarms" {
source = "github.com/binbashar/terraform-aws-cloudtrail-cloudwatch-alarms.git?ref=0.13.0"
source = "github.com/binbashar/terraform-aws-cloudtrail-cloudwatch-alarms.git?ref=0.14.3"
log_group_region = var.region
log_group_name = aws_cloudwatch_log_group.cloudtrail.name
metric_namespace = var.metric_namespace
Expand All @@ -23,6 +23,9 @@ module "cloudtrail_api_alarms" {
# Uncomment if /notifications SNS is configured and you want to send notifications via slack
sns_topic_arn = data.terraform_remote_state.notifications.outputs.sns_topic_arn_monitoring_sec
metrics = local.metrics

# KMS key use for encrypting the Amazon SNS topic.
kms_master_key_id = data.terraform_remote_state.keys.outputs.aws_kms_key_id
}

#==================================================================#
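Review bot: Setting `kms_master_key_id` on the alarm topic only works if that key's policy lets CloudWatch use it — an SNS topic encrypted with a customer managed key silently drops alarm publishes when the key policy does not grant `kms:Decrypt` and `kms:GenerateDataKey*` to `cloudwatch.amazonaws.com`, so the CloudTrail alarms this module creates would stop notifying with no Terraform error. The key comes from `data.terraform_remote_state.keys.outputs.aws_kms_key_id`, whose policy is outside this diff, so I cannot confirm that grant from here; please verify it, and likewise for any other publisher of `sns_topic_arn_monitoring_sec`. I would also make the added comment say why, e.g. `# KMS key used to encrypt the Amazon SNS topic; its key policy must allow cloudwatch.amazonaws.com to Decrypt/GenerateDataKey or alarm notifications fail silently.`. Separately, both module sources are pinned to mutable git tags (`ref=0.20.1`, `ref=0.14.3`) on a fork; pinning `ref=` to the tag's commit SHA would make the audit stack's supply chain reproducible.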
