Help:Mapping values are not allowed in this context
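AWSTemplateFormatVersion: '2010-09-09'
Description: 'MALZ template for deploying AMP custom roles to the application accounts.'
Parameters:
  # Primary SAML identity provider. Its ARN is built with Fn::Sub inside every
  # federated trust policy below; the pattern matches the characters IAM accepts
  # in a provider name and also admits the empty string.
  SAMLIdentityProviderName:
    Description: Name of the SAML identity provider.
    Type: String
    AllowedPattern: "^[a-zA-Z0-9._-]*$"
    MaxLength: 128
  # Optional second identity provider. The IsSecondarySAMLIdpProvided condition
  # treats both '' and the '-' sentinel as "not provided", so an empty default
  # lets deployers omit the parameter instead of having to type '-'.
  # (The original copied the primary's description verbatim.)
  SecondarySAMLIdentityProviderName:
    Description: Name of the secondary SAML identity provider; leave empty (or '-') when there is none.
    Type: String
    Default: ''
    AllowedPattern: "^[a-zA-Z0-9._-]*$"
    MaxLength: 128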
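Conditions:
  # True only when a secondary IdP name was really supplied: both the empty
  # string and the '-' sentinel mean "none". Fn::Equals needs two operands;
  # the original flow list "[!Ref ..., ]" carried a trailing comma and so had
  # only one, which CloudFormation rejects. The empty-string operand is now
  # written out explicitly.
  IsSecondarySAMLIdpProvided: !And
    - !Not [!Equals [!Ref SecondarySAMLIdentityProviderName, '']]
    - !Not [!Equals [!Ref SecondarySAMLIdentityProviderName, '-']]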
Resources:
  # Federated trust shared by every SAML role in this template: the principal is
  # this account's own SAML provider (or the pair of providers when
  # IsSecondarySAMLIdpProvided), the only permitted action is
  # sts:AssumeRoleWithSAML, and SAML:aud is pinned to the AWS sign-in endpoint so
  # an assertion minted for another audience cannot be used here.
  # Every role uses a fixed RoleName; the ECS policies below refer to some of
  # these names as literal ARNs, so the names are part of the contract.
  #
  # Change-management role: ReadOnlyAccess + support, plus the custom policies
  # that add amscm/amsskms, RI purchasing, shared-namespace secrets and
  # object writes to non-AMS S3 buckets.
  AMPManagedServicesChangeManagementRole:
    Type: "AWS::IAM::Role"
    Properties:
      RoleName: AMPManagedServicesChangeManagementRole
      AssumeRolePolicyDocument: {
        "Version": "2012-10-17",
        "Statement": [ {
          "Effect": "Allow",
          "Principal": { "Federated": { "Fn::If": [ IsSecondarySAMLIdpProvided,
            [ "Fn::Sub" : "arn:${AWS::Partition}:iam::${AWS::AccountId}:saml-provider/${SAMLIdentityProviderName}",
              "Fn::Sub" : "arn:${AWS::Partition}:iam::${AWS::AccountId}:saml-provider/${SecondarySAMLIdentityProviderName}" ],
            "Fn::Sub" : "arn:${AWS::Partition}:iam::${AWS::AccountId}:saml-provider/${SAMLIdentityProviderName}" ] } },
          "Action": "sts:AssumeRoleWithSAML",
          "Condition": { "StringEquals": { "SAML:aud": "https://signin.aws.amazon.com/saml" } }
        } ]
      }
      ManagedPolicyArns:
        - Fn::Sub: "arn:${AWS::Partition}:iam::aws:policy/AWSSupportAccess"
        - Fn::Sub: "arn:${AWS::Partition}:iam::aws:policy/ReadOnlyAccess"
        - !Ref AMPDuplicateChangeManagementPolicy
        - !Ref AMPDuplicateReservedInstancesPolicy
        - !Ref AMPDuplicateSecretsManagerSharedPolicy
        - !Ref AMPDuplicateS3Policy
  # Pure read-only SAML role: same federated trust, ReadOnlyAccess only.
  AMPManagedServicesReadOnlyRole:
    Type: "AWS::IAM::Role"
    Properties:
      RoleName: AMPManagedServicesReadOnlyRole
      AssumeRolePolicyDocument: {
        "Version": "2012-10-17",
        "Statement": [ {
          "Effect": "Allow",
          "Principal": { "Federated": { "Fn::If": [ IsSecondarySAMLIdpProvided,
            [ "Fn::Sub" : "arn:${AWS::Partition}:iam::${AWS::AccountId}:saml-provider/${SAMLIdentityProviderName}",
              "Fn::Sub" : "arn:${AWS::Partition}:iam::${AWS::AccountId}:saml-provider/${SecondarySAMLIdentityProviderName}" ],
            "Fn::Sub" : "arn:${AWS::Partition}:iam::${AWS::AccountId}:saml-provider/${SAMLIdentityProviderName}" ] } },
          "Action": "sts:AssumeRoleWithSAML",
          "Condition": { "StringEquals": { "SAML:aud": "https://signin.aws.amazon.com/saml" } }
        } ]
      }
      ManagedPolicyArns:
        - Fn::Sub: "arn:${AWS::Partition}:iam::aws:policy/ReadOnlyAccess"
  # Read-only SAML role that can additionally read (Get*/List*) amscm and
  # amsskms change-management data.
  AMPChangeReadOnlyRole:
    Type: "AWS::IAM::Role"
    Properties:
      RoleName: AMPChangeReadOnlyRole
      AssumeRolePolicyDocument: {
        "Version": "2012-10-17",
        "Statement": [ {
          "Effect": "Allow",
          "Principal": { "Federated": { "Fn::If": [ IsSecondarySAMLIdpProvided,
            [ "Fn::Sub" : "arn:${AWS::Partition}:iam::${AWS::AccountId}:saml-provider/${SAMLIdentityProviderName}",
              "Fn::Sub" : "arn:${AWS::Partition}:iam::${AWS::AccountId}:saml-provider/${SecondarySAMLIdentityProviderName}" ],
            "Fn::Sub" : "arn:${AWS::Partition}:iam::${AWS::AccountId}:saml-provider/${SAMLIdentityProviderName}" ] } },
          "Action": "sts:AssumeRoleWithSAML",
          "Condition": { "StringEquals": { "SAML:aud": "https://signin.aws.amazon.com/saml" } }
        } ]
      }
      ManagedPolicyArns:
        - Fn::Sub: "arn:${AWS::Partition}:iam::aws:policy/ReadOnlyAccess"
        - !Ref AMPDuplicateChangeManagementReadOnlyPolicy
# --- AAMPSSPSAdminRole -------------------------------------------------------
  # SAML role for self-service operations. Despite the "Admin" in its name it
  # carries ReadOnlyAccess + support plus the scoped customer policies for FSx,
  # ACM, WAF, Secrets Manager and the ECS/Fargate console.
  # NOTE(review): the last !Ref points at a logical ID containing underscores
  # (customer_amp_ecs_fargate_console_policy). CloudFormation logical IDs must be
  # alphanumeric, so this reference and the policy's definition need to be
  # renamed together; it is left unchanged here so the pair stays consistent.
  AAMPSSPSAdminRole:
    Type: "AWS::IAM::Role"
    Properties:
      RoleName: AAMPSSPSAdminRole
      AssumeRolePolicyDocument: {
        "Version": "2012-10-17",
        "Statement": [ {
          "Effect": "Allow",
          "Principal": { "Federated": { "Fn::If": [ IsSecondarySAMLIdpProvided,
            [ "Fn::Sub" : "arn:${AWS::Partition}:iam::${AWS::AccountId}:saml-provider/${SAMLIdentityProviderName}",
              "Fn::Sub" : "arn:${AWS::Partition}:iam::${AWS::AccountId}:saml-provider/${SecondarySAMLIdentityProviderName}" ],
            "Fn::Sub" : "arn:${AWS::Partition}:iam::${AWS::AccountId}:saml-provider/${SAMLIdentityProviderName}" ] } },
          "Action": "sts:AssumeRoleWithSAML",
          "Condition": { "StringEquals": { "SAML:aud": "https://signin.aws.amazon.com/saml" } }
        } ]
      }
      ManagedPolicyArns:
        - Fn::Sub: "arn:${AWS::Partition}:iam::aws:policy/AWSSupportAccess"
        - Fn::Sub: "arn:${AWS::Partition}:iam::aws:policy/ReadOnlyAccess"
        - !Ref AMPCustomerFSXPolicy
        - !Ref AMPCustomerACMPolicy
        - !Ref AMPCustomerWAFPolicy
        - !Ref AMPCustomerSecretsManagerPolicy
        - !Ref customer_amp_ecs_fargate_console_policy
# --- customer_amp_ecs_fargate_events_service_role ------------------------------
  # Service role assumed by EventBridge (events.amazonaws.com) to run Fargate
  # tasks on a schedule. The fixed RoleName is referenced by ARN from the
  # ECS console policy's iam:PassRole statement.
  # NOTE(review): the trust has no aws:SourceAccount / aws:SourceArn condition;
  # AWS recommends one on service-principal trusts (confused-deputy guard) where
  # the service supports it — confirm before adding.
  # NOTE(review): the logical ID contains underscores; CloudFormation logical
  # IDs must be alphanumeric. Rename it together with its !Ref users.
  customer_amp_ecs_fargate_events_service_role:
    Type: "AWS::IAM::Role"
    Properties:
      RoleName: customer_amp_ecs_fargate_events_service_role
      AssumeRolePolicyDocument: {
        "Version": "2012-10-17",
        "Statement": [ {
          "Effect": "Allow",
          "Principal": { "Service": "events.amazonaws.com" },
          "Action": "sts:AssumeRole"
        } ]
      }
      ManagedPolicyArns:
        - !Ref customer_amp_ecs_fargate_events_service_policy
# --- customer_amp_ecs_task_execution_service_role ------------------------------
  # ECS task execution role (ecs-tasks.amazonaws.com): pulls images from ECR and
  # writes container logs. Passed by both the events role and the CodeDeploy
  # role, which name it by its fixed RoleName.
  # NOTE(review): no aws:SourceAccount / aws:SourceArn condition on the trust —
  # see the note on the events role; same logical-ID (underscore) caveat.
  customer_amp_ecs_task_execution_service_role:
    Type: "AWS::IAM::Role"
    Properties:
      RoleName: customer_amp_ecs_task_execution_service_role
      AssumeRolePolicyDocument: {
        "Version": "2012-10-17",
        "Statement": [ {
          "Effect": "Allow",
          "Principal": { "Service": "ecs-tasks.amazonaws.com" },
          "Action": "sts:AssumeRole"
        } ]
      }
      ManagedPolicyArns:
        - !Ref customer_amp_ecs_task_execution_service_policy
# --- customer_amp_ecs_codedeploy_service_role ----------------------------------
  # Service role assumed by CodeDeploy (codedeploy.amazonaws.com) for ECS
  # blue/green deployments; its permissions live in the matching policy.
  # NOTE(review): no aws:SourceAccount / aws:SourceArn condition on the trust —
  # see the note on the events role; same logical-ID (underscore) caveat.
  customer_amp_ecs_codedeploy_service_role:
    Type: "AWS::IAM::Role"
    Properties:
      RoleName: customer_amp_ecs_codedeploy_service_role
      AssumeRolePolicyDocument: {
        "Version": "2012-10-17",
        "Statement": [ {
          "Effect": "Allow",
          "Principal": { "Service": "codedeploy.amazonaws.com" },
          "Action": "sts:AssumeRole"
        } ]
      }
      ManagedPolicyArns:
        - !Ref customer_amp_ecs_codedeploy_service_policy
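# --- AMPAppOperationsRole ------------------------------------------------------
  # SAML role for application operators: ReadOnlyAccess plus CloudWatch
  # dashboard management (AMPAppOperationsPolicy). The trust policy is the same
  # federated SAML trust used by the other roles; it is written in the same
  # JSON shape as theirs (the original carried trailing commas after the last
  # element of every list and map, which YAML tolerates but JSON does not).
  AMPAppOperationsRole:
    Type: "AWS::IAM::Role"
    Properties:
      RoleName: AMPAppOperationsRole
      AssumeRolePolicyDocument: {
        "Version": "2012-10-17",
        "Statement": [ {
          "Effect": "Allow",
          "Principal": { "Federated": { "Fn::If": [ IsSecondarySAMLIdpProvided,
            [ "Fn::Sub" : "arn:${AWS::Partition}:iam::${AWS::AccountId}:saml-provider/${SAMLIdentityProviderName}",
              "Fn::Sub" : "arn:${AWS::Partition}:iam::${AWS::AccountId}:saml-provider/${SecondarySAMLIdentityProviderName}" ],
            "Fn::Sub" : "arn:${AWS::Partition}:iam::${AWS::AccountId}:saml-provider/${SAMLIdentityProviderName}" ] } },
          "Action": "sts:AssumeRoleWithSAML",
          "Condition": { "StringEquals": { "SAML:aud": "https://signin.aws.amazon.com/saml" } }
        } ]
      }
      ManagedPolicyArns:
        - Fn::Sub: "arn:${AWS::Partition}:iam::aws:policy/ReadOnlyAccess"
        - !Ref AMPAppOperationsPolicy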
# --- NetworkTeamReadOnlyRole ---------------------------------------------------
  # Cross-account role: assumable by role/admin-cli in account 821146817103.
  # It gets ReadOnlyAccess plus amscm/amsskms read, minus an explicit Deny on
  # iam:*, config:* and ssmmessages:* (AMPNetworkTeamDenyPolicy).
  # NOTE(review): the foreign account id and the "aws" partition are hard-coded
  # in the trust, and the statement has no condition (no sts:ExternalId or
  # aws:PrincipalArn narrowing) — whoever can assume admin-cli in that account
  # gets read access to this one. Consider a template parameter for the account
  # id, ${AWS::Partition} for the ARN, and a condition key, as the SAML roles
  # already pin SAML:aud.
  NetworkTeamReadOnlyRole:
    Type: "AWS::IAM::Role"
    Properties:
      RoleName: NetworkTeamReadOnlyRole
      AssumeRolePolicyDocument: {
        "Version": "2012-10-17",
        "Statement": [ {
          "Effect": "Allow",
          "Principal": { "AWS": [ "arn:aws:iam::821146817103:role/admin-cli" ] },
          "Action": [ "sts:AssumeRole" ]
        } ]
      }
      ManagedPolicyArns:
        - Fn::Sub: "arn:${AWS::Partition}:iam::aws:policy/ReadOnlyAccess"
        - !Ref AMPDuplicateChangeManagementReadOnlyPolicy
        - !Ref AMPNetworkTeamDenyPolicy
  # Full access to the AMS change-management (amscm) and SKMS (amsskms) APIs.
  AMPDuplicateChangeManagementPolicy:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      ManagedPolicyName: AMPDuplicateChangeManagementPolicy
      PolicyDocument: {
        "Version": "2012-10-17",
        "Statement": [ {
          "Sid": "AWSManagedServicesFullAccess",
          "Effect": "Allow",
          "Action": [ "amscm:*", "amsskms:*" ],
          "Resource": [ "*" ]
        } ]
      }
# --- AMPDuplicateReservedInstancesPolicy ---------------------------------------
  # Lets the change-management role buy and modify EC2 Reserved Instances;
  # these are account-level purchases, hence Resource "*".
  AMPDuplicateReservedInstancesPolicy:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      ManagedPolicyName: AMPDuplicateReservedInstancesPolicy
      PolicyDocument: {
        "Version": "2012-10-17",
        "Statement": [ {
          "Sid": "AllowReservedInstancesManagement",
          "Effect": "Allow",
          "Action": [ "ec2:ModifyReservedInstances", "ec2:PurchaseReservedInstancesOffering" ],
          "Resource": [ "*" ]
        } ]
      }
# --- AMPDuplicateSecretsManagerSharedPolicy ------------------------------------
  # Access to the two shared Secrets Manager namespaces. Net effect:
  #   customer-shared/* -> full control except GetSecretValue (explicit Deny)
  #   ams-shared/*      -> read-only; everything but Describe*/Get*/List* is
  #                        explicitly denied via Deny + NotAction
  # NOTE(review): the third Sid reads "AllowReadAccessToAMSNameSpace" but the
  # statement is a Deny; the effect is the intended read-only, the Sid is just
  # misleading. Explicit denies win over the ReadOnlyAccess attached alongside.
  AMPDuplicateSecretsManagerSharedPolicy:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      ManagedPolicyName: AMPDuplicateSecretsManagerSharedPolicy
      PolicyDocument: {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "AllowAccessToSharedNameSpaces",
            "Effect": "Allow",
            "Action": "secretsmanager:*",
            "Resource": [ "arn:aws:secretsmanager:*:*:secret:ams-shared/*",
                          "arn:aws:secretsmanager:*:*:secret:customer-shared/*" ]
          },
          {
            "Sid": "DenyGetSecretOnCustomerNamespace",
            "Effect": "Deny",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "arn:aws:secretsmanager:*:*:secret:customer-shared/*"
          },
          {
            "Sid": "AllowReadAccessToAMSNameSpace",
            "Effect": "Deny",
            "NotAction": [ "secretsmanager:Describe*", "secretsmanager:Get*", "secretsmanager:List*" ],
            "Resource": "arn:aws:secretsmanager:*:*:secret:ams-shared/*"
          }
        ]
      }
# --- AMPDuplicateS3Policy ------------------------------------------------------
  # Object-level writes and deletes on every bucket except those whose name
  # starts with ams, awsms or mc (NotResource). The trailing "*" on a bucket
  # ARN also covers the object ARNs beneath it. No bucket-level actions here.
  AMPDuplicateS3Policy:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      ManagedPolicyName: AMPDuplicateS3Policy
      PolicyDocument: {
        "Version": "2012-10-17",
        "Statement": [ {
          "Effect": "Allow",
          "Action": [ "s3:AbortMultipartUpload", "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:PutObject" ],
          "NotResource": [ "arn:aws:s3:::ams*", "arn:aws:s3:::awsms*", "arn:aws:s3:::mc*" ]
        } ]
      }
# --- AMPDuplicateChangeManagementReadOnlyPolicy --------------------------------
  # Read-only (Get*/List*) counterpart of AMPDuplicateChangeManagementPolicy.
  AMPDuplicateChangeManagementReadOnlyPolicy:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      ManagedPolicyName: AMPDuplicateChangeManagementReadOnlyPolicy
      PolicyDocument: {
        "Version": "2012-10-17",
        "Statement": [ {
          "Sid": "AMSCoreAccountsCMAndSKMSReadOnlyAccess",
          "Effect": "Allow",
          "Action": [ "amscm:Get*", "amscm:List*", "amsskms:Get*", "amsskms:List*" ],
          "Resource": "*"
        } ]
      }
# --- AMPCustomerFSXPolicy ------------------------------------------------------
  # Customer-facing FSx permissions. fsx:* is limited to FSx resource ARNs; the
  # EC2/KMS/IAM statements give the console and FSx for ONTAP the supporting
  # rights they need (routes, secondary IPs, ENIs, service-linked roles), and
  # two explicit Denies keep AMS-named EC2 resources out of reach — by Name tag
  # on existing resources and by Name tag on tag requests — regardless of the
  # Allows (including "ec2:*" style ones elsewhere).
  # NOTE(review): several values look broken in this copy and would match
  # nothing as written: the empty list in
  #   "ec2:ResourceTag/AmazonFSx.FileSystemId": []
  # (a StringEquals with no values never matches), and the two tag-target ARNs
  #   "arn:aws:ec2:::network-interface/", "arn:aws:ec2:::route-table/"
  # that end without an id or wildcard. The EC2 and KMS ARNs also leave the
  # region and account segments empty instead of "*"; real EC2/KMS ARNs carry
  # both, so these most likely match no resource. Verify against the source.
  AMPCustomerFSXPolicy:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      ManagedPolicyName: AMPCustomerFSXPolicy
      PolicyDocument: {
        "Version": "2012-10-17",
        "Statement": [
          # Read-only lookups the FSx console performs.
          {
            "Action": [ "cloudwatch:DescribeAlarms", "cloudwatch:GetMetricData", "cloudwatch:ListMetrics",
                        "ds:DescribeDirectories", "ec2:DescribeNetworkInterfaceAttribute",
                        "ec2:DescribeNetworkInterfaces", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets",
                        "ec2:DescribeVpcs", "iam:ListRoles", "kms:ListAliases", "s3:ListBucket" ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "AllowAPIActionsForFSXConsole"
          },
          # Explicit Deny on any EC2 action against resources carrying an AMS-style Name tag.
          {
            "Sid": "DenyAmsEc2ByName",
            "Action": "ec2:*",
            "Effect": "Deny",
            "Resource": "*",
            "Condition": { "ForAnyValue:StringLike": { "ec2:ResourceTag/Name": [
              "ams*", "Ams*", "AMS*", "AWSManagedServices*", "customer-mc-*",
              "Managed_Services*", "mc*", "Mc*", "MC*", "sentinel*" ] } }
          },
          # Route / secondary-IP management needed for FSx for ONTAP.
          {
            "Sid": "AllowCustomizedOnTapConfiguration",
            "Effect": "Allow",
            "Action": [ "ec2:AssignPrivateIpAddresses", "ec2:CreateRoute", "ec2:CreateTags", "ec2:DeleteRoute",
                        "ec2:DescribeNetworkInterfaces", "ec2:DescribeRouteTables", "ec2:DescribeVpcs",
                        "ec2:ReplaceRoute", "ec2:UnassignPrivateIpAddresses", "kms:DescribeKey" ],
            "Resource": "*"
          },
          # Explicit Deny on tagging anything with an AMS-style Name.
          {
            "Sid": "DenyCreatingResourcesWithFollowingTags",
            "Effect": "Deny",
            "Action": [ "ec2:CreateTags" ],
            "Resource": "*",
            "Condition": { "ForAnyValue:StringLike": { "aws:RequestTag/Name": [
              "ams*", "Ams*", "AMS*", "AWSManagedServices*", "customer-mc-*",
              "Managed_Services*", "mc*", "Mc*", "MC*", "sentinel*" ] } }
          },
          {
            "Sid": "AllowDeletionOfFSxOnTapRoutes",
            "Effect": "Allow",
            "Action": [ "ec2:DeleteRoute", "ec2:ReplaceRoute" ],
            "Resource": "arn:aws:ec2:::route-table/*",
            "Condition": { "StringEquals": { "aws:ResourceTag/AmazonFSx": "ManagedByAmazonFSx" } }
          },
          {
            "Sid": "AllowFsxOnTapRouteCreation",
            "Effect": "Allow",
            "Action": [ "ec2:CreateRoute" ],
            "Resource": "arn:aws:ec2:::route-table/*",
            "Condition": { "StringEquals": { "aws:ResourceTag/AmazonFSx": "ManagedByAmazonFSx" } }
          },
          # See NOTE above: the empty condition value list matches nothing.
          {
            "Sid": "AllowFsxOnTapIpAddressAdministration",
            "Effect": "Allow",
            "Action": [ "ec2:UnassignPrivateIpAddresses", "ec2:AssignPrivateIpAddresses" ],
            "Resource": "arn:aws:ec2:::network-interface/*",
            "Condition": { "StringEquals": { "ec2:ResourceTag/AmazonFSx.FileSystemId": [] } }
          },
          {
            "Sid": "AllowFsxOnTapWithKms",
            "Effect": "Allow",
            "Action": [ "kms:DescribeKey" ],
            "Resource": [ "arn:aws:kms:::key/*" ]
          },
          # See NOTE above: these ARNs end without an id or wildcard.
          {
            "Sid": "AllowFsxOnTapEc2Tags",
            "Effect": "Allow",
            "Action": [ "ec2:CreateTags" ],
            "Resource": [ "arn:aws:ec2:::network-interface/", "arn:aws:ec2:::route-table/" ]
          },
          # All FSx actions, restricted to FSx's own resource types.
          {
            "Action": "fsx:*",
            "Resource": [ "arn:aws:fsx:*:*:backup/*", "arn:aws:fsx:*:*:file-system/*", "arn:aws:fsx:*:*:task/*",
                          "arn:aws:fsx:*:*:storage-virtual-machine/*", "arn:aws:fsx:*:*:volume/*" ],
            "Effect": "Allow",
            "Sid": "AllowFSXFileSystemBackupsAndTasks"
          },
          # Service-linked role creation, pinned to the FSx service names via iam:AWSServiceName.
          {
            "Condition": { "StringLike": { "iam:AWSServiceName": [ "fsx.amazonaws.com" ] } },
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/fsx.amazonaws.com/AWSServiceRoleForAmazonFSx",
            "Effect": "Allow",
            "Sid": "AllowFSXForWindowsServiceLinkedRole"
          },
          {
            "Condition": { "StringLike": { "iam:AWSServiceName": [ "s3.data-source.lustre.fsx.amazonaws.com" ] } },
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:*:iam::*:role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/AWSServiceRoleForFSxS3Access_*",
            "Effect": "Allow",
            "Sid": "AllowFSXForLustreServiceLinkedRole"
          },
          {
            "Action": [ "iam:AttachRolePolicy", "iam:PutRolePolicy" ],
            "Resource": "arn:aws:iam::*:role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/*",
            "Effect": "Allow",
            "Sid": "RequiredForFSXLustreServiceLinkedRoleS3Integration"
          },
          {
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/fsx.amazonaws.com/AWSServiceRoleForAmazonFSx",
            "Effect": "Allow",
            "Sid": "AllowPassRoleForSLR"
          },
          {
            "Action": "ec2:CreateNetworkInterface",
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "AllowEC2ActionsForCreateBackups"
          },
          {
            "Action": [ "elasticfilesystem:CreateMountTarget" ],
            "Resource": "arn:aws:elasticfilesystem:*:*:file-system/*",
            "Effect": "Allow",
            "Sid": "AllowEFSActionsForCreateBackups"
          }
        ]
      }
# --- AMPCustomerACMPolicy ------------------------------------------------------
  # Import and inspect ACM certificates (no request/delete/renew actions).
  AMPCustomerACMPolicy:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      ManagedPolicyName: AMPCustomerACMPolicy
      PolicyDocument: {
        "Version": "2012-10-17",
        "Statement": [ {
          "Action": [ "acm:DescribeCertificate", "acm:GetCertificate", "acm:ImportCertificate", "acm:ListCertificates",
                      "acm:ListTagsForCertificate", "acm:AddTagsToCertificate" ],
          "Resource": "*",
          "Effect": "Allow",
          "Sid": "AllowImportandListACMCertificates"
        } ]
      }
# --- AMPCustomerWAFPolicy ------------------------------------------------------
  # Full WAF / WAF Classic / WAFv2 plus the actions needed to attach web ACLs to
  # API Gateway, CloudFront, ALB and AppSync and to wire up Firehose logging.
  # NOTE(review): iam:CreateServiceLinkedRole is granted on "*" with no
  # iam:AWSServiceName condition, unlike the FSx and ECS policies in this
  # template which pin the service; as written it allows creating any service's
  # linked role. cloudfront:UpdateDistribution on "*" is likewise a full write
  # on every distribution, not limited to the web-ACL field.
  AMPCustomerWAFPolicy:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      ManagedPolicyName: AMPCustomerWAFPolicy
      PolicyDocument: {
        "Version": "2012-10-17",
        "Statement": [ {
          "Action": [ "apigateway:GET", "apigateway:SetWebACL", "cloudfront:ListDistributions",
                      "cloudfront:ListDistributionsByWebACLId", "cloudfront:UpdateDistribution",
                      "cloudwatch:GetMetricData", "cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics",
                      "ec2:DescribeRegions", "elasticloadbalancing:DescribeLoadBalancers",
                      "elasticloadbalancing:SetWebACL", "appsync:ListGraphqlApis", "appsync:SetWebACL",
                      "waf-regional:*", "waf:*", "iam:CreateServiceLinkedRole", "firehose:ListDeliveryStreams",
                      "firehose:PutLoggingConfiguration", "wafv2:*" ],
          "Effect": "Allow",
          "Resource": "*"
        } ]
      }
  # Explicit Deny attached to NetworkTeamReadOnlyRole: removes IAM, Config and
  # Session Manager messaging from the ReadOnlyAccess it otherwise carries.
  AMPNetworkTeamDenyPolicy:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      ManagedPolicyName: AMPNetworkTeamDenyPolicy
      PolicyDocument: {
        "Version": "2012-10-17",
        "Statement": [ {
          "Sid": "AMPNetworkTeamDenyPolicy",
          "Effect": "Deny",
          "Action": [ "iam:*", "config:*", "ssmmessages:*" ],
          "Resource": "*"
        } ]
      }
# --- AMPCustomerSecretsManagerPolicy -------------------------------------------
  # Full Secrets Manager control on every secret outside the ams-shared/,
  # customer-shared/ and ams/ namespaces, plus the RDS/Redshift/KMS lookups the
  # Secrets Manager console uses when creating database secrets.
  AMPCustomerSecretsManagerPolicy:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      ManagedPolicyName: AMPCustomerSecretsManagerPolicy
      PolicyDocument: {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "AllowDescribeRDSPermission",
            "Effect": "Allow",
            "Action": [ "rds:DescribeDBInstances", "rds:DescribeDBClusters" ],
            "Resource": "*"
          },
          {
            "Sid": "AllowDescribeRedshiftPermission",
            "Effect": "Allow",
            "Action": "redshift:DescribeClusters",
            "Resource": "*"
          },
          {
            "Sid": "AllowListKMSKey",
            "Effect": "Allow",
            "Action": [ "kms:ListKeys", "kms:ListAliases" ],
            "Resource": "*"
          },
          # The shared/AMS namespaces are governed by AMPDuplicateSecretsManagerSharedPolicy instead.
          {
            "Effect": "Allow",
            "Action": "secretsmanager:*",
            "NotResource": [ "arn:aws:secretsmanager:*:*:secret:ams-shared/*",
                             "arn:aws:secretsmanager:*:*:secret:customer-shared/*",
                             "arn:aws:secretsmanager:*:*:secret:ams/*" ]
          }
        ]
      }
# --- AMPAppOperationsPolicy ----------------------------------------------------
  # CloudWatch dashboard management for application operators: list every
  # dashboard, create/read/delete only those not named with an AMS/AWS prefix
  # (NotResource), and never tag or untag with an AMS-style Name value. The
  # empty region segment in "arn:aws:cloudwatch::*:dashboard/..." reflects that
  # dashboard ARNs carry no region — confirm against the CloudWatch ARN format.
  AMPAppOperationsPolicy:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      ManagedPolicyName: AMPAppOperationsPolicy
      PolicyDocument: {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Action": [ "cloudwatch:ListDashboards" ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "CloudWatchDashboardAcess"
          },
          {
            "Action": [ "cloudwatch:DeleteDashboards", "cloudwatch:GetDashboard", "cloudwatch:PutDashboard" ],
            "Effect": "Allow",
            "NotResource": [ "arn:aws:cloudwatch::*:dashboard/AMS*", "arn:aws:cloudwatch::*:dashboard/AWS*",
                             "arn:aws:cloudwatch::*:dashboard/Ams*", "arn:aws:cloudwatch::*:dashboard/ams*",
                             "arn:aws:cloudwatch::*:dashboard/mc*", "arn:aws:cloudwatch::*:dashboard/MC*" ]
          },
          {
            "Condition": { "ForAnyValue:StringLike": { "aws:RequestTag/Name": [
              "ams*", "Ams*", "AMS*", "AWSManagedServices*", "customer-mc-*",
              "Managed_Services*", "mc*", "Mc*", "MC*", "sentinel*" ] } },
            "Action": [ "cloudwatch:TagResource", "cloudwatch:UntagResource" ],
            "Resource": "*",
            "Effect": "Deny",
            "Sid": "DenyCreatingResourcesWithFollowingTags"
          }
        ]
      }
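# --- customer_amp_ecs_fargate_console_policy -----------------------------------
  # ECS/Fargate console policy attached to AAMPSSPSAdminRole. Read access is
  # broad; every mutating statement either excludes AMS-owned resources by name
  # (NotResource / ArnNotEquals on ecs:cluster) or, for actions with no
  # resource-level support (the "...NoRLP" Sids), is left on "*".
  # Fixes in this revision: the stray '"' after the logical ID (a YAML syntax
  # error) is removed, and the two statements that excluded only lowercase
  # "ams*" resources now also exclude "AMS*" and "AWSManagedServices*", the set
  # the cluster/service statements of this policy already use (ARN matching is
  # case-sensitive, so the lowercase-only lists left AMS-named task definitions
  # and ExecuteCommand targets reachable).
  # NOTE(review): the logical ID contains underscores; CloudFormation logical
  # IDs must be alphanumeric. Rename it together with the !Ref in AAMPSSPSAdminRole.
  customer_amp_ecs_fargate_console_policy:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      ManagedPolicyName: customer_amp_ecs_fargate_console_policy
      PolicyDocument: {
        "Version": "2012-10-17",
        "Statement": [
          # Read-only console lookups, plus logs:CreateLogGroup.
          {
            "Sid": "ReadandCreateLogGroupPermissions",
            "Effect": "Allow",
            "Action": [ "application-autoscaling:DescribeScalableTargets",
                        "application-autoscaling:DescribeScalingActivities",
                        "application-autoscaling:DescribeScalingPolicies", "appmesh:Describe*", "appmesh:List*",
                        "autoscaling:Describe*", "cloudformation:DescribeStacks", "cloudwatch:DescribeAlarms",
                        "cloudwatch:GetMetricStatistics", "codedeploy:BatchGet*", "codedeploy:Get*",
                        "codedeploy:List*", "ec2:Describe*", "ecs:Describe*", "ecs:List*",
                        "elasticloadbalancing:Describe*", "events:DescribeRule", "events:ListRuleNamesByTarget",
                        "events:ListTargetsByRule", "health:DescribeEventAggregates",
                        "iam:ListAttachedRolePolicies", "iam:ListInstanceProfiles", "iam:ListRoles",
                        "lambda:ListFunctions", "logs:CreateLogGroup", "logs:Describe*", "logs:FilterLogEvents",
                        "logs:GetLogEvents", "route53:GetHealthCheck", "route53:GetHostedZone",
                        "route53:ListHostedZonesByName", "servicediscovery:GetNamespace",
                        "servicediscovery:GetOperation", "servicediscovery:GetService",
                        "servicediscovery:ListNamespaces", "servicediscovery:ListServices", "sns:ListTopics" ],
            "Resource": [ "*" ]
          },
          {
            "Effect": "Allow",
            "Action": [ "events:PutRule", "events:PutTargets" ],
            "NotResource": [ "arn:aws:events:*:*:rule/AMS*", "arn:aws:events:*:*:rule/ams*",
                             "arn:aws:events:*:*:rule/mc*" ]
          },
          {
            "Effect": "Allow",
            "Action": [ "codedeploy:CreateApplication", "codedeploy:RegisterApplicationRevision" ],
            "NotResource": [ "arn:aws:codedeploy:*:*:application:ams*", "arn:aws:codedeploy:*:*:application:AMS*",
                             "arn:aws:codedeploy:*:*:application:AWSManagedServices*" ]
          },
          {
            "Effect": "Allow",
            "Action": [ "codedeploy:CreateDeployment", "codedeploy:CreateDeploymentGroup" ],
            "NotResource": [ "arn:aws:codedeploy:*:*:deploymentgroup:*/ams*",
                             "arn:aws:codedeploy:*:*:deploymentgroup:*/AMS*",
                             "arn:aws:codedeploy:*:*:deploymentgroup:*/AWSManagedServices*" ]
          },
          {
            "Sid": "ApplicationAutoScalingModify",
            "Effect": "Allow",
            "Action": [ "application-autoscaling:DeleteScalingPolicy", "application-autoscaling:DeregisterScalableTarget",
                        "application-autoscaling:PutScalingPolicy", "application-autoscaling:RegisterScalableTarget" ],
            "Resource": "*"
          },
          {
            "Sid": "CloudWatchAlarmPermissionsForAutoScaling",
            "Effect": "Allow",
            "Action": [ "cloudwatch:DeleteAlarms", "cloudwatch:PutMetricAlarm" ],
            "NotResource": [ "arn:aws:cloudwatch:*:*:alarm:AMS*", "arn:aws:cloudwatch:*:*:alarm:ams*",
                             "arn:aws:cloudwatch:*:*:alarm:aws*", "arn:aws:cloudwatch:*:*:alarm:i-*",
                             "arn:aws:cloudwatch:*:*:alarm:mc*" ]
          },
          {
            "Sid": "FargateModifyPermissionsNoRLP",
            "Effect": "Allow",
            "Action": [ "ecs:CreateCluster", "ecs:DeregisterTaskDefinition", "ecs:RegisterTaskDefinition" ],
            "Resource": "*"
          },
          {
            "Sid": "FargateModifyClusterPermissions",
            "Effect": "Allow",
            "Action": [ "ecs:DeleteCluster", "ecs:SubmitAttachmentStateChanges", "ecs:SubmitContainerStateChange",
                        "ecs:SubmitTaskStateChange" ],
            "NotResource": [ "arn:aws:ecs:*:*:cluster/ams*", "arn:aws:ecs:*:*:cluster/AMS*",
                             "arn:aws:ecs:*:*:cluster/AWSManagedServices*" ]
          },
          {
            "Sid": "FargateModifyServicePermissions",
            "Effect": "Allow",
            "Action": [ "ecs:CreateService", "ecs:DeleteService", "ecs:UpdateService", "ecs:UpdateServicePrimaryTaskSet" ],
            "NotResource": [ "arn:aws:ecs:*:*:service/ams*/*", "arn:aws:ecs:*:*:service/AMS*/*",
                             "arn:aws:ecs:*:*:service/AWSManagedServices*/*" ]
          },
          # ecs:CreateTaskSet has no resource-level support; the cluster is restricted through the request's ecs:cluster key.
          {
            "Sid": "FargateTaskSetPermissionsNoRLP",
            "Effect": "Allow",
            "Action": [ "ecs:CreateTaskSet" ],
            "Resource": "*",
            "Condition": { "ArnNotEquals": { "ecs:cluster": [ "arn:aws:ecs:*:*:cluster/ams*",
                                                             "arn:aws:ecs:*:*:cluster/AMS*",
                                                             "arn:aws:ecs:*:*:cluster/AWSManagedServices*" ] } }
          },
          # Task-definition exclusion now case-aligned with the cluster list (was lowercase "ams*" only).
          {
            "Sid": "FargateTaskSetPermissions",
            "Effect": "Allow",
            "Action": [ "ecs:RunTask", "ecs:StartTask", "ecs:StopTask", "ecs:UpdateTaskSet" ],
            "NotResource": [ "arn:aws:ecs:*:*:task-definition/ams*:*", "arn:aws:ecs:*:*:task-definition/AMS*:*",
                             "arn:aws:ecs:*:*:task-definition/AWSManagedServices*:*" ],
            "Condition": { "ArnNotEquals": { "ecs:cluster": [ "arn:aws:ecs:*:*:cluster/ams*",
                                                             "arn:aws:ecs:*:*:cluster/AMS*",
                                                             "arn:aws:ecs:*:*:cluster/AWSManagedServices*" ] } }
          },
          # ecs:ExecuteCommand opens a shell into a container; AMS-owned resources are excluded in all three spellings.
          {
            "Sid": "EcsTagAndExecuteCommandRestrictAmsResources",
            "Effect": "Allow",
            "Action": [ "ecs:ExecuteCommand", "ecs:TagResource", "ecs:UntagResource" ],
            "NotResource": [ "arn:aws:ecs:*:*:cluster/ams*", "arn:aws:ecs:*:*:cluster/AMS*",
                             "arn:aws:ecs:*:*:cluster/AWSManagedServices*",
                             "arn:aws:ecs:*:*:container-instance/ams*/*", "arn:aws:ecs:*:*:container-instance/AMS*/*",
                             "arn:aws:ecs:*:*:container-instance/AWSManagedServices*/*",
                             "arn:aws:ecs:*:*:service/ams*/*", "arn:aws:ecs:*:*:service/AMS*/*",
                             "arn:aws:ecs:*:*:service/AWSManagedServices*/*",
                             "arn:aws:ecs:*:*:task-definition/ams*:*", "arn:aws:ecs:*:*:task-definition/AMS*:*",
                             "arn:aws:ecs:*:*:task-definition/AWSManagedServices*:*",
                             "arn:aws:ecs:*:*:task/ams*/*", "arn:aws:ecs:*:*:task/AMS*/*",
                             "arn:aws:ecs:*:*:task/AWSManagedServices*/*" ]
          },
          {
            "Sid": "SSMParametersForPrivateRepo",
            "Effect": "Allow",
            "Action": [ "ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath" ],
            "Resource": "arn:aws:ssm:*:*:parameter/aws/service/ecs/customer*"
          },
          # PassRole limited to the ECS service-linked roles and the three customer_amp_* roles of this
          # template, and only when handed to the listed services (iam:PassedToService).
          {
            "Sid": "PassRoleForSLRAndServiceRoles",
            "Action": "iam:PassRole",
            "Effect": "Allow",
            "Resource": [ "arn:aws:iam::*:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS",
                          "arn:aws:iam::*:role/aws-service-role/ecs.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_ECSService",
                          "arn:aws:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing",
                          "arn:aws:iam::*:role/customer_amp_ecs_codedeploy_service_role",
                          "arn:aws:iam::*:role/customer_amp_ecs_fargate_events_service_role",
                          "arn:aws:iam::*:role/customer_amp_ecs_task_execution_service_role" ],
            "Condition": { "StringLike": { "iam:PassedToService": [ "application-autoscaling.amazonaws.com",
                                                                    "codedeploy.amazonaws.com",
                                                                    "ecs-tasks.amazonaws.com",
                                                                    "events.amazonaws.com" ] } }
          },
          # Service-linked role creation pinned to the named services via iam:AWSServiceName.
          {
            "Sid": "CreateSLRPermissions",
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": [ "arn:aws:iam::*:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS",
                          "arn:aws:iam::*:role/aws-service-role/ecs.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_ECSService",
                          "arn:aws:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing" ],
            "Condition": { "StringLike": { "iam:AWSServiceName": [ "autoscaling.amazonaws.com", "ecs.amazonaws.com",
                                                                   "ecs.application-autoscaling.amazonaws.com",
                                                                   "spot.amazonaws.com", "spotfleet.amazonaws.com" ] } }
          }
        ]
      }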
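# --- customer_amp_ecs_fargate_events_service_policy ----------------------------
  # Permissions for the EventBridge service role: run tasks from non-AMS task
  # definitions on non-AMS clusters, and pass only the task execution role, and
  # only to ecs-tasks.amazonaws.com. Fix: the stray '"' after the logical ID
  # (a YAML syntax error) is removed.
  # NOTE(review): the logical ID contains underscores; CloudFormation logical
  # IDs must be alphanumeric. Rename it together with the !Ref in its role.
  customer_amp_ecs_fargate_events_service_policy:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      ManagedPolicyName: customer_amp_ecs_fargate_events_service_policy
      PolicyDocument: {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [ "ecs:RunTask" ],
            "NotResource": [ "arn:aws:ecs:*:*:task-definition/ams*:*", "arn:aws:ecs:*:*:task-definition/AMS*:*",
                             "arn:aws:ecs:*:*:task-definition/AWSManagedServices*:*",
                             "arn:aws:ecs:*:*:task-set/ams*/*/*", "arn:aws:ecs:*:*:task-set/AMS*/*/*",
                             "arn:aws:ecs:*:*:task-set/AWSManagedServices*/*/*",
                             "arn:aws:ecs:*:*:task/ams*/*", "arn:aws:ecs:*:*:task/AMS*/*",
                             "arn:aws:ecs:*:*:task/AWSManagedServices*/*" ],
            "Condition": { "ArnNotEquals": { "ecs:cluster": [ "arn:aws:ecs:*:*:cluster/ams*",
                                                             "arn:aws:ecs:*:*:cluster/AMS*",
                                                             "arn:aws:ecs:*:*:cluster/AWSManagedServices*" ] } }
          },
          {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": [ "arn:aws:iam::*:role/customer_amp_ecs_task_execution_service_role" ],
            "Condition": { "StringLike": { "iam:PassedToService": "ecs-tasks.amazonaws.com" } }
          }
        ]
      }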
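# --- customer_amp_ecs_task_execution_service_policy ----------------------------
  # Permissions for the ECS task execution role: ECR login and layer checks
  # (account-wide, no resource-level support), image pulls from every
  # repository except the AMS/mc-prefixed ones, and log streams / events only
  # into log groups outside the /ams, /aws, /i-, /infra, /mc and /AMS trees.
  # Fix: the stray '"' after the logical ID (a YAML syntax error) is removed.
  # NOTE(review): the logical ID contains underscores; CloudFormation logical
  # IDs must be alphanumeric. Rename it together with the !Ref in its role.
  customer_amp_ecs_task_execution_service_policy:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      ManagedPolicyName: customer_amp_ecs_task_execution_service_policy
      PolicyDocument: {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [ "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability" ],
            "Resource": "*"
          },
          {
            "Effect": "Allow",
            "Action": [ "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage" ],
            "NotResource": [ "arn:aws:ecr:*:*:repository/ams*", "arn:aws:ecr:*:*:repository/Ams*",
                             "arn:aws:ecr:*:*:repository/AMS*", "arn:aws:ecr:*:*:repository/mc*",
                             "arn:aws:ecr:*:*:repository/Mc*", "arn:aws:ecr:*:*:repository/MC*" ]
          },
          {
            "Effect": "Allow",
            "Action": [ "logs:CreateLogStream" ],
            "NotResource": [ "arn:aws:logs:*:*:log-group:/ams/*", "arn:aws:logs:*:*:log-group:/aws/*",
                             "arn:aws:logs:*:*:log-group:/i-*", "arn:aws:logs:*:*:log-group:/infra/*",
                             "arn:aws:logs:*:*:log-group:/mc/*", "arn:aws:logs:*:*:log-group:/AMS/*" ]
          },
          {
            "Effect": "Allow",
            "Action": [ "logs:PutLogEvents" ],
            "NotResource": [ "arn:aws:logs:*:*:log-group:/ams/*:log-stream:*",
                             "arn:aws:logs:*:*:log-group:/aws/*:log-stream:*",
                             "arn:aws:logs:*:*:log-group:/i-*:log-stream:*",
                             "arn:aws:logs:*:*:log-group:/infra/*:log-stream:*",
                             "arn:aws:logs:*:*:log-group:/mc/*:log-stream:*",
                             "arn:aws:logs:*:*:log-group:/AMS/*:log-stream:*" ]
          }
        ]
      }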
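# --- customer_amp_ecs_codedeploy_service_policy --------------------------------
  # Permissions for the CodeDeploy service role used in ECS blue/green
  # deployments. Fixes in this revision:
  #   - the stray '"' after the logical ID (a YAML syntax error) is removed;
  #   - the iam:PassRole resource named "customer_ams_ecs_task_execution_service_role",
  #     which no resource in this template creates; the role defined here (and
  #     passed by the events policy) is customer_amp_ecs_task_execution_service_role;
  #   - the task-set NotResource list repeated "task-set/ams*/*/*"; the duplicate is
  #     replaced by the "mc-*" variant that the task-definition and task lists in
  #     the same statement already carry.
  # NOTE(review): the logical ID contains underscores; CloudFormation logical
  # IDs must be alphanumeric. Rename it together with the !Ref in its role.
  # NOTE(review): "s3:GetObjectMetadata" is not an S3 action I can find documented;
  # harmless if unknown, but worth confirming.
  customer_amp_ecs_codedeploy_service_policy:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      ManagedPolicyName: customer_amp_ecs_codedeploy_service_policy
      PolicyDocument: {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "ReadPermissions",
            "Effect": "Allow",
            "Action": [ "cloudwatch:DescribeAlarms", "ecs:DescribeServices", "elasticloadbalancing:DescribeTargetGroups",
                        "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeRules" ],
            "Resource": "*"
          },
          {
            "Effect": "Allow",
            "Action": [ "ecs:CreateTaskSet", "ecs:DeleteTaskSet" ],
            "NotResource": [ "arn:aws:ecs:*:*:task-definition/ams*:*", "arn:aws:ecs:*:*:task-definition/AMS*:*",
                             "arn:aws:ecs:*:*:task-definition/AWSManagedServices*:*",
                             "arn:aws:ecs:*:*:task-definition/mc-*:*",
                             "arn:aws:ecs:*:*:task-set/ams*/*/*", "arn:aws:ecs:*:*:task-set/AMS*/*/*",
                             "arn:aws:ecs:*:*:task-set/AWSManagedServices*/*/*",
                             "arn:aws:ecs:*:*:task-set/mc-*/*/*",
                             "arn:aws:ecs:*:*:task/ams*/*", "arn:aws:ecs:*:*:task/AMS*/*",
                             "arn:aws:ecs:*:*:task/AWSManagedServices*/*", "arn:aws:ecs:*:*:task/mc-*/*" ],
            "Condition": { "ArnNotEquals": { "ecs:cluster": [ "arn:aws:ecs:*:*:cluster/ams*",
                                                             "arn:aws:ecs:*:*:cluster/AMS*",
                                                             "arn:aws:ecs:*:*:cluster/AWSManagedServices*" ] } }
          },
          {
            "Effect": "Allow",
            "Action": [ "ecs:UpdateServicePrimaryTaskSet" ],
            "NotResource": [ "arn:aws:ecs:*:*:service/ams*/*", "arn:aws:ecs:*:*:service/AMS*/*",
                             "arn:aws:ecs:*:*:service/AWSManagedServices*/*" ]
          },
          # NOTE(review): ModifyRule / ModifyListener act on listener and listener-rule ARNs, so a
          # NotResource written against ".../loadbalancer/mc*" most likely excludes nothing and this
          # statement is effectively unrestricted — verify and scope the exclusion to the listener
          # and listener-rule ARNs of the mc* load balancers.
          {
            "Effect": "Allow",
            "Action": [ "elasticloadbalancing:ModifyRule", "elasticloadbalancing:ModifyListener" ],
            "NotResource": "arn:aws:elasticloadbalancing:*:*:loadbalancer/mc*"
          },
          {
            "Effect": "Allow",
            "Action": [ "lambda:InvokeFunction" ],
            "NotResource": "arn:aws:lambda:*:*:function:AMS*"
          },
          {
            "Effect": "Allow",
            "Action": [ "sns:Publish" ],
            "NotResource": [ "arn:aws:sns:*:*:AMS*", "arn:aws:sns:*:*:Ams*", "arn:aws:sns:*:*:ams*",
                             "arn:aws:sns:*:*:MMS*", "arn:aws:sns:*:*:Energon*" ]
          },
          # Only the task execution role may be passed, and only to ECS tasks.
          {
            "Effect": "Allow",
            "Action": [ "iam:PassRole" ],
            "Resource": "arn:aws:iam::*:role/customer_amp_ecs_task_execution_service_role",
            "Condition": { "StringLike": { "iam:PassedToService": [ "ecs-tasks.amazonaws.com" ] } }
          },
          # Revision bundles: readable only when the object is tagged UseWithCodeDeploy=true.
          {
            "Action": [ "s3:GetObject", "s3:GetObjectMetadata", "s3:GetObjectVersion" ],
            "Resource": "*",
            "Condition": { "StringEquals": { "s3:ExistingObjectTag/UseWithCodeDeploy": "true" } },
            "Effect": "Allow"
          }
        ]
      }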
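# --- AMPCCOEAdminRole ----------------------------------------------------------
  # Cloud-CoE admin role. It is the only role here with inline Policies, and
  # they are wide ("iam:*", "s3:*", "kms:*", "ec2:*", ...), so the security
  # contract rests on the attached PermissionsBoundary: the effective permission
  # is the intersection of these policies and AMPCCOEAdminRolePermissionsBoundary,
  # which must exist before the role (DependsOn). The trust is the same
  # federated SAML trust as the other roles, written in block YAML.
  # Changes in this revision (consistency only): the boundary ARN uses
  # ${AWS::Partition} like every other ARN in the template instead of a
  # hard-coded "aws", and the policy Version strings are quoted as they are in
  # the JSON policies, so no YAML parser can read them as a date.
  AMPCCOEAdminRole:
    Type: 'AWS::IAM::Role'
    DependsOn:
      - AMPCCOEAdminRolePermissionsBoundary
    Properties:
      RoleName: AMPCCOEAdminRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Federated: !If
                - IsSecondarySAMLIdpProvided
                - - !Sub >-
                      arn:${AWS::Partition}:iam::${AWS::AccountId}:saml-provider/${SAMLIdentityProviderName}
                  - !Sub >-
                      arn:${AWS::Partition}:iam::${AWS::AccountId}:saml-provider/${SecondarySAMLIdentityProviderName}
                - !Sub >-
                    arn:${AWS::Partition}:iam::${AWS::AccountId}:saml-provider/${SAMLIdentityProviderName}
            Action: 'sts:AssumeRoleWithSAML'
            Condition:
              StringEquals:
                'SAML:aud': 'https://signin.aws.amazon.com/saml'
      # The boundary's ManagedPolicyName is AMPCCOEAdminRolePermissionsBoundary, so this
      # ARN resolves to the policy created below.
      PermissionsBoundary: !Sub >-
        arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/AMPCCOEAdminRolePermissionsBoundary
      Policies:
        # Services managed by AMS: broad allow, bounded by the permissions boundary.
        - PolicyName: AllowAMSManagedServices
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: AllowAMSManagedServices
                Effect: Allow
                Action:
                  - 'amscm:*'
                  - 'amsskms:*'
                  - 'autoscaling:*'
                  - 'aws-marketplace:*'
                  - 'backup:*'
                  - 'cloudformation:*'
                  - 'cloudfront:*'
                  - 'cloudtrail:*'
                  - 'cloudwatch:*'
                  - 'config:*'
                  - 'directconnect:*'
                  - 'dms:*'
                  - 'ec2-reports:View*'
                  - 'ec2:*'
                  - 'ecr:*'
                  - 'elasticache:*'
                  - 'elasticfilesystem:*'
                  - 'elasticloadbalancing:*'
                  - 'elasticloadbalancingv2:*'
                  - 'elasticmapreduce:*'
                  - 'es:*'
                  - 'glacier:*'
                  - 'iam:*'
                  - 'inspector:*'
                  - 'kms:*'
                  - 'logs:*'
                  - 'macie:*'
                  - 'rds-data:*'
                  - 'rds:*'
                  - 'redshift:*'
                  - 'resource-groups:*'
                  - 'route53:*'
                  - 's3:*'
                  - 'servicecatalog:*'
                  - 'sns:*'
                  - 'sqs:*'
                  - 'storagegateway:*'
                  - 'sts:DecodeAuthorizationMessage'
                  - 'support:*'
                  - 'tag:*'
                Resource: '*'
        # Self-service ("AMS enabled") services: full or partial access per service.
        - PolicyName: AllowAMSEnabledServices
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: AllowAMSEnabledServices
                Effect: Allow
                Action:
                  - 'acm-pca:*'
                  - 'acm:*'
                  - 'apigateway:*'
                  - 'application-autoscaling:DeleteScalingPolicy'
                  - 'application-autoscaling:DeregisterScalableTarget'
                  - 'application-autoscaling:DescribeScalableTargets'
                  - 'application-autoscaling:DescribeScalingActivities'
                  - 'application-autoscaling:DescribeScalingPolicies'
                  - 'application-autoscaling:PutScalingPolicy'
                  - 'application-autoscaling:RegisterScalableTarget'
                  - 'applicationinsights:*'
                  - 'appmesh:*'
                  - 'appstream:*'
                  - 'appsync:*'
                  - 'athena:*'
                  - 'batch:DescribeJobDefinitions'
                  - 'batch:DescribeJobQueues'
                  - 'batch:ListJobs'
                  - 'cloud9:*'
                  - 'cloudhsm:*'
                  - 'cloudsearch:*'
                  - 'codebuild:*'
                  - 'codecommit:*'
                  - 'codedeploy:*'
                  - 'codepipeline:*'
                  - 'cognito-idp:*'
                  - 'comprehend:*'
                  - 'comprehendmedical:*'
                  - 'compute-optimizer:*'
                  - 'connect:*'
                  - 'datasync:*'
                  - 'ds:AuthorizeApplication'
                  - 'ds:CreateAlias'
                  - 'ds:CreateIdentityPoolDirectory'
                  - 'ds:DeleteDirectory'
                  - 'ds:DescribeDirectories'
                  - 'ds:GetAuthorizedApplicationDetails'
                  - 'ds:ListAuthorizedApplications'
                  - 'ds:UnauthorizeApplication'
                  - 'dynamodb:*'
                  - 'ecs:*'
                  - 'eks:*'
                  - 'elastic-inference:Connect'
                  - 'events:*'
                  - 'execute-api:*'
                  - 'firehose:*'
                  - 'forecast:*'
                  - 'fsx:*'
                  - 'glue:*'
                  - 'groundtruthlabeling:*'
                  - 'health:DescribeEventAggregates'
                  - 'importexport:*'
                  - 'kinesis:*'
                  - 'kinesisanalytics:*'
                  - 'kinesisvideo:*'
                  - 'lakeformation:BatchGrantPermissions'
                  - 'lakeformation:BatchRevokePermissions'
                  - 'lakeformation:GetDataAccess'
                  - 'lakeformation:GetEffectivePermissionsForPath'
                  - 'lakeformation:GrantPermissions'
                  - 'lakeformation:ListPermissions'
                  - 'lakeformation:ListResources'
                  - 'lakeformation:RevokePermissions'
                  - 'lambda:*'
                  - 'lex:*'
                  - 'license-manager:*'
                  - 'mediaconvert:*'
                  - 'medialive:*'
                  - 'mediapackage-vod:*'
                  - 'mediastore:*'
                  - 'mediatailor:*'
                  - 'mobiletargeting:GetApps'
                  - 'mq:*'
                  - 'personalize:*'
                  - 'polly:DescribeVoices'
                  - 'polly:SynthesizeSpeech'
                  - 'quicksight:*'
                  - 'ram:Get*'
                  - 'ram:List*'
                  - 'sagemaker:*'
                  - 'schemas:*'
                  - 'sdb:*'
                  - 'secretsmanager:*'
                  - 'securityhub:*'
                  - 'servicediscovery:GetNamespace'
                  - 'servicediscovery:GetOperation'
                  - 'servicediscovery:GetService'
                  - 'servicediscovery:ListNamespaces'
                  - 'servicediscovery:ListServices'
                  - 'ses:*'
                  - 'shield:*'
                  - 'snowball:*'
                  - 'ssm:*'
                  - 'states:*'
                  - 'swf:*'
                  - 'transfer:*'
                  - 'waf-regional:*'
                  - 'waf:*'
                  - 'wafv2:*'
                  - 'wellarchitected:*'
                  - 'workdocs:*'
                  - 'workspaces:*'
                  - 'xray:*'
                Resource: '*'
      ManagedPolicyArns:
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AWSSupportAccess'
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/ReadOnlyAccess'
        - !Ref AMPCustomerFSXPolicy
        - !Ref AMPCustomerACMPolicy
        - !Ref AMPCustomerWAFPolicy
        - !Ref AMPCustomerSecretsManagerPolicy
  # Permissions boundary for AMPCCOEAdminRole. The first statement allows
  # everything except Config, Directory Service, VPC-level networking, Lambda
  # and Outposts deletes; the following statements re-add the read-only /
  # self-service subsets of those services, and a series of explicit Denies
  # fence off security services, IAM principal creation and AMS-owned
  # infrastructure. The definition continues beyond this excerpt.
  # NOTE(review): several action names are written as compressed wildcards
  # ('iam:*te*Ac*Pa*cy', 'ssm:Res*Ser*Set*', ...). Each such pattern deserves a
  # comment naming the action(s) it is meant to match, since a wildcard can
  # also cover actions introduced later.
  AMPCCOEAdminRolePermissionsBoundary:
    Type: 'AWS::IAM::ManagedPolicy'
    Properties:
      Description: Permissions boundary for AMPCCOEAdmin role
      ManagedPolicyName: AMPCCOEAdminRolePermissionsBoundary
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AllowMostAnythingWithinTheBoundary
            Effect: Allow
            NotAction:
              - 'config:*'
              - 'ds:*'
              - 'ec2:*DhcpOptions*'
              - 'ec2:*Gateway*'
              - 'ec2:*Subnet*'
              - 'ec2:*Vpc*'
              - 'ec2:*Vpn*'
              - 'lambda:*'
              - 'outposts:Delete*'
            Resource: '*'
          - Sid: AllowedActions
            Effect: Allow
            Action:
              - 'config:Describe*'
              - 'config:Get*'
              - 'config:List*'
              - 'config:SelectResourceConfig'
              - 'ds:AuthorizeApplication'
              - 'ds:CreateAlias'
              - 'ds:CreateIdentityPoolDirectory'
              - 'ds:DeleteDirectory'
              - 'ds:DescribeDirectories'
              - 'ds:GetAuthorizedApplicationDetails'
              - 'ds:ListAuthorizedApplications'
              - 'ds:UnauthorizeApplication'
              - 'ec2:Describe*'
            Resource: '*'
          - Sid: AllNonAmsFunctions
            Effect: Allow
            Action: 'lambda:*'
            NotResource:
              - 'arn:aws:lambda:*:*:function:AMS*'
              - 'arn:aws:lambda:*:*:function:AWSManagedServices*'
              - 'arn:aws:lambda:*:*:function:LandingZone*'
              - 'arn:aws:lambda:*:*:function:StackSet-AWS-Landing-Zone*'
              - 'arn:aws:lambda:*:*:function:TransitGatewayAttachmentLambda'
          - Sid: AllowInvokingAlarmRegistration
            Effect: Allow
            Action: 'lambda:InvokeF*n'
            Resource: 'arn:aws:lambda:*:*:function:AMSNewEc2InstanceEventSender'
          - Sid: DenySecurityServices
            Effect: Deny
            Action:
              - 'cognito-idp:A*ken'
              - 'cognito-idp:Cr*er'
              - 'cognito-idp:Cr*G*p'
              - 'cognito-idp:Cr*Im*Job'
              - 'guardduty:*'
              - 'iam:*te*Ac*Pa*cy'
              - 'iam:Del*ry'
              - 'organizations:*'
              - 'securityhub:Dis*Hub'
              - 'securityhub:Disas*'
              - 'ssm:Res*Ser*Set*'
              -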
'ssm:Upd*Ser*Set*' - 'sso:*' Resource: '*' - Sid: DenyCreationOfIAMRoles Effect: Deny Action: - 'iam:At*e*' - 'iam:C*teR*' - 'iam:C*teU*' - 'iam:De*Rol*cy' - 'iam:De*Us*cy' - 'iam:Pu*e*y' Resource: '*' - Sid: DenyWriteAdminInfraCfnIamSsm Effect: Deny NotAction: - 'cloudformation:Describe*' - 'cloudformation:Detect*' - 'cloudformation:EstimateTemplateCost' - 'cloudformation:Get*' - 'cloudformation:List*' - 'cloudformation:ValidateTemplate' - 'iam:Get*' - 'iam:List*' - 'ssm:Describe*' - 'ssm:Get*' - 'ssm:List*' Resource: - 'arn:aws:cloudformation:*:*:stack/StackSet-ams*' - 'arn:aws:cloudformation:*:*:stack/ams-*' - 'arn:aws:cloudformation:*:*:stack/iam-*' - 'arn:aws:cloudformation:*:*:stack/mc-*' - 'arn:aws:iam::*:group/ams*' - 'arn:aws:iam::*:group/AWSManagedServices*' - 'arn:aws:iam::*:group/mc*' - 'arn:aws:iam::*:policy/ams*' - 'arn:aws:iam::*:policy/AWSManagedServices*' - 'arn:aws:iam::*:policy/Managed_Services*' - 'arn:aws:iam::*:policy/mc*' - 'arn:aws:iam::*:policy/Sentinel*' - 'arn:aws:iam::*:role/AMPCCOEAdminRole*' - 'arn:aws:iam::*:role/AmazonSSMRole*' - 'arn:aws:iam::*:role/ams*' - 'arn:aws:iam::*:role/Ams*' - 'arn:aws:iam::*:role/AWSManagedServices*' - 'arn:aws:iam::*:role/mc*' - 'arn:aws:iam::*:role/Sentinel*' - 'arn:aws:iam::*:role/StackSet-ams*' - 'arn:aws:iam::*:role/StackSet-AWS*' - 'arn:aws:iam::*:user/ams*' - 'arn:aws:iam::*:user/mc*' - 'arn:aws:ssm:*:*:parameter/ams*' - 'arn:aws:ssm:*:*:parameter/mc*' - 'arn:aws:ssm:*:*:parameter/org*' - 'arn:aws:ssm:*:*:parameter/svc*' - Effect: Deny Action: - 's3:*' - 'sns:*' Resource: - 'arn:aws:s3:::mc-a*-internal-encrypted-*' - 'arn:aws:sns:*:*:AMS-*' - 'arn:aws:sns:*:*:Energon-Topic' - 'arn:aws:sns:*:*:MMS-Topic' - Effect: Deny Action: - 'cloudtrail:A*Tags' - 'cloudtrail:Cre*il' - 'cloudtrail:Del*il' - 'cloudtrail:PutEv*s' - 'cloudtrail:R*Tags' - 'cloudtrail:St*ing' - 'cloudtrail:Up*il' - 'logs:Des*LogSt*s' - 'logs:GetLogEv*s' - 's3:Cre*' - 's3:Del*' - 's3:Put*' Resource: - 
'arn:aws:cloudtrail:*:*:trail/AWS-Landing-Zone-BaselineCloudTrail' - 'arn:aws:logs:*:*:log-group:/aws/lambda/AMS*' - 'arn:aws:logs:*:*:log-group:/mc /*' - 'arn:aws:s3:::ams-a*-elb-access-logs' - 'arn:aws:s3:::ams-a*-elb-access-logs/*' - 'arn:aws:s3:::ams-a*-log-management-*' - 'arn:aws:s3:::ams-a*-patch-data-*' - 'arn:aws:s3:::awsms-a*-patch-data-*' - 'arn:aws:s3:::mc-a*-logs-*-audit/*' - 'arn:aws:s3:::mc-a*-logs-*/mc/*' - Effect: Deny Action: - 'logs:Del*LogGro*' - 'logs:Del*LogStr*' Resource: '*' Condition: StringNotEquals: 'aws:CalledViaFirst': cloudformation.amazonaws.com - Effect: Deny Action: - 'iam:Up*As*Ro*cy' Resource: '*' Condition: StringLike: 'aws:ResourceTag/TemplateId': '*' - Sid: DenyCreatingResourcesWithFollowingTagKeys Effect: Deny Action: - 'acm-pca:*' - 'acm:*' - 'ec2:Cre*Tags' - 'ec2:Del*Tags' - 'ec2:RunIns*' - 'iam:Tag*' - 'iam:Untag*' Resource: '*' Condition: 'ForAnyValue:StringEqualsIgnoreCase': 'aws:TagKeys': - AMSResource - TemplateId - Sid: DenyCreatingResourcesWithFollowingTags Effect: Deny Action: - 'acm-pca:*' - 'acm:*' - 'ec2:Cre*Tags' - 'ec2:Del*Tags' - 'ec2:RunIns*' Resource: '*' Condition: 'ForAnyValue:StringLike': 'aws:RequestTag/Name': - ams* - Ams* - AMS* - AWSManagedServices* - customer-mc-* - Managed_Services* - mc* - Mc* - MC* - sentinel* - Sentinel* - Effect: Deny Action: - 'ec2:Cre*Tags' - 'ec2:Del*Tags' - 'ec2:RunIns*' Resource: '*' Condition: 'ForAnyValue:StringLike': 'ec2:ResourceTag/aws:cloudformation:logical-id': - SharedServices* - ManagementHostASG - Effect: Deny Action: - 'ec2:Att*Vol*' - 'ec2:Det*Vol*' - 'ec2:Reb*Ins*' - 'ec2:RunIns*' - 'ec2:St*Ins*' - 'ec2:Term*Ins*' Resource: '*' Condition: 'ForAnyValue:StringLike': 'ec2:ResourceTag/aws:cloudformation:stack-name': - mc-active-directory* - mc-bastion-customer* - mc-bastion-dmz* - mc-controller-node* - mc-eps* - mc-management* - Effect: Deny Action: 'elasticloadbalancing:*' Resource: '*' Condition: StringLike: 
'elasticloadbalancing:ResourceTag/aws:cloudformation:stack-name': mc-* - Effect: Deny Action: - 'autoscaling:Cre*Tags' - 'autoscaling:Del*Tags' Resource: '*' Condition: StringEquals: 'autoscaling:ResourceTag/aws:cloudformation:logical-id': ManagementHostASG - Effect: Deny Action: - 'iam:Ad*G*p' - 'iam:At*' - 'iam:C*G*p' - 'iam:C*teR*' - 'iam:C*teU*' - 'iam:D*G*p' - 'iam:De*r*cy' - 'iam:Put*' - 'iam:R*G*p' - 'iam:U*G*p' Resource: '*' Condition: StringNotLikeIfExists: 'iam:PermissionsBoundary': 'arn:aws:iam::*:policy/AMPCCOEAdminRolePermissionsBoundary' - Effect: Deny Action: 'rds:*' Resource: - 'arn:aws:rds:*:*:db:*' Condition: StringLike: 'rds:db-tag/aws:cloudformation:stack-name': mc-* - Effect: Deny Action: 'secretsmanager:*' Resource: - 'arn:aws:secretsmanager:*:*:secret:ams/*' - Sid: ProtectAMSDynamoDBResource Action: 'dynamodb:*' Effect: Deny Resource: - 'arn:aws:dynamodb:*:*:table/ams*' - 'arn:aws:dynamodb:*:*:table/AMS*' - 'arn:aws:dynamodb:*:*:table/Ams*' - 'arn:aws:dynamodb:*:*:table/AWS*' - 'arn:aws:dynamodb:*:*:table/aws*' - 'arn:aws:dynamodb:*:*:table/Aws*' - 'arn:aws:dynamodb:*:*:table/mc*' - 'arn:aws:dynamodb:*:*:table/MC*' - 'arn:aws:dynamodb:*:*:table/Mc*'