[AWS] Restricted Elastic Beanstalk deployment policy: Part 2

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EC2EnvironmentInstances",
      "Effect": "Allow",
      "Action": [ "ec2:*" ],
      "Resource": [ "arn:aws:ec2:AWS_REGION:AWS_ACCOUNT:instance/*" ],
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/elasticbeanstalk:environment-name": [ "ENVIRONMENT_NAME" ]
        }
      }
    }
  ]
}

[AWS] Restricted Elastic Beanstalk deployment policy: Part 1

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ElasticBeanstalkEnvironmentPermissions",
      "Effect": "Allow",
      "Action": [ "elasticbeanstalk:*" ],
      "Resource": [ "arn:aws:elasticbeanstalk:AWS_REGION:AWS_ACCOUNT:environment/APPLICATION_NAME/*" ]
    },
    {
      "Sid": "ElasticBeanstalkGlobalPermissions",
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:DescribeConfigurationOptions",
        "elasticbeanstalk:DescribeEnvironmentManagedActions",
        "elasticbeanstalk:DescribeEnvironmentHealth",
        "elasticbeanstalk:DescribeInstancesHealth",
        "elasticbeanstalk:DescribeConfigurationSettings",
        "elasticbeanstalk:ListAvailableSolutionStacks",
        "elasticbeanstalk:ValidateConfigurationSettings",
        "elasticbeanstalk:CheckDNSAvailability",
        "elasticbeanstalk:CreateStorageLocation"
      ],
      "Resource": [ "*" ]
    },
    {
      "Sid": "ElasticBeanstalkApplicationVersionPermissions",
      "Effect": "Allow",
      "Action": [ "elasticbeanstalk:*" ],
      "Resource": [ "arn:aws:elasticbeanstalk:AWS_REGION:AWS_ACCOUNT:applicationversion/APPLICATION_NAME/*" ]
    },
    […]

[AWS] IAM Policy to allow users change passwords and do user management of their own account

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:*LoginProfile",
        "iam:*AccessKey*",
        "iam:ListServiceSpecificCredentials",
        "iam:ListGroupsForUser",
        "iam:ListAttachedUserPolicies",
        "iam:ListUserPolicies",
        "iam:*SSHPublicKey*",
        "iam:ChangePassword"
      ],
      "Resource": "arn:aws:iam::AWS_ACCOUNT:user/${aws:username}"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListAccount*",
        "iam:GetAccountSummary",
        "iam:GetAccountPasswordPolicy",
        "iam:ListUsers"
      ],
      "Resource": "arn:aws:iam::AWS_ACCOUNT:user/*"
    }
  ]
}

[AWS] S3 bucket policy to allow ELB logs

S3 bucket policy to allow ELB access log delivery into the bucket's AWSLogs prefix:

{
  "Version": "2012-10-17",
  "Id": "S3Policy-ID",
  "Statement": [
    {
      "Sid": "Stmt1513164693849",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::BUCKET_ACCOUNT:root" },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::bucket_name/*/AWSLogs/IAM_ACCOUNT/*"
    }
  ]
}

[AWS] How to limit S3 bucket access by IP address

S3 bucket policy to limit access by a source IP address:

{
  "Version": "2012-10-17",
  "Id": "S3Policy-ID",
  "Statement": [
    {
      "Sid": "IPAllow",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::BUCKET_NAME/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [ "x.x.x.x", "y.y.y.y" ]
        }
      }
    }
  ]
}