Examples
Attention
This is an early version of the package. The API might change when new features are implemented. Therefore pin an exact version in your package.json / requirements.txt (and commit the lockfile) until the package reaches 1.0.0, so that an upgrade cannot silently change the policies your code generates.
// Example 1: let a principal start/stop only the EC2 instances it owns and
// read anything in EC2. Each statement is built with the fluent API and placed
// as-is into a plain policy document object.

// Allow ec2:StartInstances when the request carries the tag Owner=<caller's
// IAM user name>; rendered as StringLike on aws:RequestTag/Owner (see the JSON
// below).
// NOTE(review): aws:RequestTag is only present on requests that pass tags, and
// StartInstances does not take tags, so this condition presumably never
// matches and the statement grants nothing. The resource-tag form used for
// StopInstances below is likely what was intended — confirm against the EC2
// actions/condition-keys reference before relying on this statement.
const startOwnInstances = new statement.Ec2()
  .allow()
  .toStartInstances()
  .ifAwsRequestTag('Owner', '${aws:username}');

// Allow ec2:StopInstances only on instances tagged Owner=<caller's IAM user
// name> (ec2:ResourceTag/Owner). Whoever can edit that tag can grant
// themselves stop rights, so tagging permissions must be restricted alongside
// this policy.
// Both statements use ${aws:username}, which is populated for IAM-user
// principals; for assumed-role or federated sessions the variable does not
// resolve and the condition fails closed — verify for your principals.
const stopOwnInstances = new statement.Ec2()
  .allow()
  .toStopInstances()
  .ifResourceTag('Owner', '${aws:username}');

// Allow every EC2 action in the List and Read access levels, on Resource "*".
// The rendered JSON below shows the full expansion (all Describe*/Get*/Search*
// actions), which includes ec2:GetPasswordData, ec2:GetConsoleOutput and
// ec2:GetConsoleScreenshot — check that this scope is intended.
const readOnlyEc2 = new statement.Ec2()
  .allow()
  .allListActions()
  .allReadActions();

const policy = {
  Version: '2012-10-17',
  Statement: [startOwnInstances, stopOwnInstances, readOnlyEc2],
};
# Example 1: start/stop only the EC2 instances the caller owns, read anything.
# Each statement is built with the fluent API and finished with to_json(), so
# every entry of 'Statement' is whatever to_json() returns for that statement.

# Allow ec2:StartInstances when the request carries Owner=<caller's IAM user
# name> (StringLike on aws:RequestTag/Owner, see the rendered JSON below).
# NOTE(review): aws:RequestTag is only present on requests that pass tags, and
# StartInstances does not take tags, so this condition presumably never
# matches and the statement grants nothing. The resource-tag form used for
# StopInstances below is probably what was intended — confirm against the EC2
# condition-key reference before relying on it.
start_own_instances = (
    statement.Ec2()
    .allow()
    .to_start_instances()
    .if_aws_request_tag('Owner', '${aws:username}')
    .to_json()
)

# Allow ec2:StopInstances only on instances tagged Owner=<caller's IAM user
# name> (ec2:ResourceTag/Owner). Whoever can edit that tag can grant
# themselves stop rights, so tagging permissions must be restricted as well.
# ${aws:username} is populated for IAM-user principals only; for assumed-role
# or federated sessions the variable does not resolve and the condition fails
# closed — verify for your principals.
stop_own_instances = (
    statement.Ec2()
    .allow()
    .to_stop_instances()
    .if_resource_tag('Owner', '${aws:username}')
    .to_json()
)

# Allow every EC2 List and Read action on Resource "*". The rendered JSON
# below shows the expansion, which includes ec2:GetPasswordData,
# ec2:GetConsoleOutput and ec2:GetConsoleScreenshot — check that this scope
# is intended.
read_only_ec2 = (
    statement.Ec2()
    .allow()
    .all_list_actions()
    .all_read_actions()
    .to_json()
)

policy = {
    'Version': '2012-10-17',
    'Statement': [start_own_instances, stop_own_instances, read_only_ec2],
}
{
"Version": "2012-10-17",
"Statement": [
{
"Condition": {
"StringLike": {
"aws:RequestTag/Owner": "${aws:username}"
}
},
"Action": "ec2:StartInstances",
"Resource": "*",
"Effect": "Allow"
},
{
"Condition": {
"StringLike": {
"ec2:ResourceTag/Owner": "${aws:username}"
}
},
"Action": "ec2:StopInstances",
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ec2:DescribeAccountAttributes",
"ec2:DescribeAddresses",
"ec2:DescribeAddressesAttribute",
"ec2:DescribeAggregateIdFormat",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeBundleTasks",
"ec2:DescribeByoipCidrs",
"ec2:DescribeCapacityReservations",
"ec2:DescribeCarrierGateways",
"ec2:DescribeClassicLinkInstances",
"ec2:DescribeClientVpnAuthorizationRules",
"ec2:DescribeClientVpnConnections",
"ec2:DescribeClientVpnEndpoints",
"ec2:DescribeClientVpnRoutes",
"ec2:DescribeClientVpnTargetNetworks",
"ec2:DescribeCoipPools",
"ec2:DescribeConversionTasks",
"ec2:DescribeCustomerGateways",
"ec2:DescribeDhcpOptions",
"ec2:DescribeEgressOnlyInternetGateways",
"ec2:DescribeElasticGpus",
"ec2:DescribeExportImageTasks",
"ec2:DescribeExportTasks",
"ec2:DescribeFastSnapshotRestores",
"ec2:DescribeFleetHistory",
"ec2:DescribeFleetInstances",
"ec2:DescribeFleets",
"ec2:DescribeFlowLogs",
"ec2:DescribeFpgaImageAttribute",
"ec2:DescribeFpgaImages",
"ec2:DescribeHostReservationOfferings",
"ec2:DescribeHostReservations",
"ec2:DescribeHosts",
"ec2:DescribeIamInstanceProfileAssociations",
"ec2:DescribeIdFormat",
"ec2:DescribeIdentityIdFormat",
"ec2:DescribeImageAttribute",
"ec2:DescribeImages",
"ec2:DescribeImportImageTasks",
"ec2:DescribeImportSnapshotTasks",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeInstanceCreditSpecifications",
"ec2:DescribeInstanceEventNotificationAttributes",
"ec2:DescribeInstanceEventWindows",
"ec2:DescribeInstanceStatus",
"ec2:DescribeInstanceTypeOfferings",
"ec2:DescribeInstanceTypes",
"ec2:DescribeInstances",
"ec2:DescribeInternetGateways",
"ec2:DescribeIpv6Pools",
"ec2:DescribeKeyPairs",
"ec2:DescribeLaunchTemplateVersions",
"ec2:DescribeLaunchTemplates",
"ec2:DescribeLocalGatewayRouteTableVirtualInterfaceGroupAssociations",
"ec2:DescribeLocalGatewayRouteTableVpcAssociations",
"ec2:DescribeLocalGatewayRouteTables",
"ec2:DescribeLocalGatewayVirtualInterfaceGroups",
"ec2:DescribeLocalGatewayVirtualInterfaces",
"ec2:DescribeLocalGateways",
"ec2:DescribeManagedPrefixLists",
"ec2:DescribeMovingAddresses",
"ec2:DescribeNatGateways",
"ec2:DescribeNetworkAcls",
"ec2:DescribeNetworkInsightsAnalyses",
"ec2:DescribeNetworkInsightsPaths",
"ec2:DescribeNetworkInterfaceAttribute",
"ec2:DescribeNetworkInterfacePermissions",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribePlacementGroups",
"ec2:DescribePrefixLists",
"ec2:DescribePrincipalIdFormat",
"ec2:DescribePublicIpv4Pools",
"ec2:DescribeRegions",
"ec2:DescribeReplaceRootVolumeTasks",
"ec2:DescribeReservedInstances",
"ec2:DescribeReservedInstancesListings",
"ec2:DescribeReservedInstancesModifications",
"ec2:DescribeReservedInstancesOfferings",
"ec2:DescribeRouteTables",
"ec2:DescribeScheduledInstanceAvailability",
"ec2:DescribeScheduledInstances",
"ec2:DescribeSecurityGroupReferences",
"ec2:DescribeSecurityGroupRules",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSnapshotAttribute",
"ec2:DescribeSnapshots",
"ec2:DescribeSpotDatafeedSubscription",
"ec2:DescribeSpotFleetInstances",
"ec2:DescribeSpotFleetRequestHistory",
"ec2:DescribeSpotFleetRequests",
"ec2:DescribeSpotInstanceRequests",
"ec2:DescribeSpotPriceHistory",
"ec2:DescribeStaleSecurityGroups",
"ec2:DescribeStoreImageTasks",
"ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:DescribeTrafficMirrorFilters",
"ec2:DescribeTrafficMirrorSessions",
"ec2:DescribeTrafficMirrorTargets",
"ec2:DescribeTransitGatewayAttachments",
"ec2:DescribeTransitGatewayConnectPeers",
"ec2:DescribeTransitGatewayConnects",
"ec2:DescribeTransitGatewayMulticastDomains",
"ec2:DescribeTransitGatewayPeeringAttachments",
"ec2:DescribeTransitGatewayRouteTables",
"ec2:DescribeTransitGatewayVpcAttachments",
"ec2:DescribeTransitGateways",
"ec2:DescribeTrunkInterfaceAssociations",
"ec2:DescribeVolumeAttribute",
"ec2:DescribeVolumeStatus",
"ec2:DescribeVolumes",
"ec2:DescribeVolumesModifications",
"ec2:DescribeVpcAttribute",
"ec2:DescribeVpcClassicLink",
"ec2:DescribeVpcClassicLinkDnsSupport",
"ec2:DescribeVpcEndpointConnectionNotifications",
"ec2:DescribeVpcEndpointConnections",
"ec2:DescribeVpcEndpointServiceConfigurations",
"ec2:DescribeVpcEndpointServicePermissions",
"ec2:DescribeVpcEndpointServices",
"ec2:DescribeVpcEndpoints",
"ec2:DescribeVpcPeeringConnections",
"ec2:DescribeVpcs",
"ec2:DescribeVpnConnections",
"ec2:DescribeVpnGateways",
"ec2:ExportClientVpnClientCertificateRevocationList",
"ec2:ExportClientVpnClientConfiguration",
"ec2:GetAssociatedEnclaveCertificateIamRoles",
"ec2:GetAssociatedIpv6PoolCidrs",
"ec2:GetCapacityReservationUsage",
"ec2:GetCoipPoolUsage",
"ec2:GetConsoleOutput",
"ec2:GetConsoleScreenshot",
"ec2:GetDefaultCreditSpecification",
"ec2:GetEbsDefaultKmsKeyId",
"ec2:GetEbsEncryptionByDefault",
"ec2:GetFlowLogsIntegrationTemplate",
"ec2:GetGroupsForCapacityReservation",
"ec2:GetHostReservationPurchasePreview",
"ec2:GetLaunchTemplateData",
"ec2:GetManagedPrefixListAssociations",
"ec2:GetManagedPrefixListEntries",
"ec2:GetPasswordData",
"ec2:GetReservedInstancesExchangeQuote",
"ec2:GetSerialConsoleAccessStatus",
"ec2:GetSubnetCidrReservations",
"ec2:GetTransitGatewayAttachmentPropagations",
"ec2:GetTransitGatewayMulticastDomainAssociations",
"ec2:GetTransitGatewayPrefixListReferences",
"ec2:GetTransitGatewayRouteTableAssociations",
"ec2:GetTransitGatewayRouteTablePropagations",
"ec2:GetVpnConnectionDeviceSampleConfiguration",
"ec2:GetVpnConnectionDeviceTypes",
"ec2:SearchLocalGatewayRoutes",
"ec2:SearchTransitGatewayMulticastGroups",
"ec2:SearchTransitGatewayRoutes"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
// Example 2: a CDK/CloudFormation deployment principal that may do anything
// through CloudFormation, but may not alter the AWS account or its
// Organization.

// Allow cloudformation:* on Resource "*".
const cloudFormationAdmin = new statement.Cloudformation()
  .allow()
  .allActions();

// Allow every action of every service (Action "*", Resource "*"), but only when
// CloudFormation is in the call chain; rendered as ForAnyValue:StringEquals on
// aws:CalledVia (see the JSON below).
// NOTE(review): together with the statement above this is effectively
// administrator access — the principal can author a stack that performs any
// API call, and only the two Deny statements below carve anything out. In
// particular nothing here denies iam:* via CloudFormation, so the principal can
// create roles and policies with more rights than it holds itself, unless an
// SCP, a permissions boundary or another attached policy restricts that.
const anythingViaCloudFormation = new statement.All()
  .allow()
  .allActions()
  .ifAwsCalledVia('cloudformation.amazonaws.com');

// Allow s3:* on the CDK toolkit staging bucket(s): the ARN wildcard matches
// every bucket whose name starts with cdktoolkit-stagingbucket-.
const stagingBucketAccess = new statement.S3()
  .allow()
  .allActions()
  .on('arn:aws:s3:::cdktoolkit-stagingbucket-*');

// An explicit Deny overrides the Allows above even when the call arrives via
// CloudFormation. First: no account-level changes (the rendered JSON lists the
// concrete account:* actions this expands to).
const noAccountChanges = new statement.Account()
  .deny()
  .allPermissionManagementActions()
  .allWriteActions();

// Second: no changes to the Organization (again, see the rendered JSON for the
// organizations:* actions this expands to).
const noOrganizationChanges = new statement.Organizations()
  .deny()
  .allPermissionManagementActions()
  .allWriteActions();

const policy = {
  Version: '2012-10-17',
  Statement: [
    cloudFormationAdmin,
    anythingViaCloudFormation,
    stagingBucketAccess,
    noAccountChanges,
    noOrganizationChanges,
  ],
};
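# Example 2: a CDK/CloudFormation deployment principal that may do anything
# through CloudFormation, but may not alter the AWS account or its
# Organization. Each statement is finished with to_json(), so every entry of
# 'Statement' is whatever to_json() returns for that statement.
policy = {
    'Version': '2012-10-17',
    'Statement': [
        # Allow cloudformation:* on Resource "*".
        statement.Cloudformation()
        .allow()
        .all_actions()
        .to_json(),

        # Allow absolutely everything that is triggered via CFN: Action "*",
        # Resource "*", conditioned on aws:CalledVia containing
        # cloudformation.amazonaws.com (rendered as ForAnyValue:StringEquals).
        # (The original comment here was a copy of the S3 one below.)
        # NOTE(review): together with the statement above this is effectively
        # administrator access — the principal can author a stack that performs
        # any API call, and only the two Deny statements below carve anything
        # out. Nothing here denies iam:* via CloudFormation, so the principal can
        # create roles and policies with more rights than it holds itself,
        # unless an SCP, a permissions boundary or another policy restricts it.
        statement.All()
        .allow()
        .all_actions()
        .if_aws_called_via('cloudformation.amazonaws.com')
        .to_json(),

        # Allow s3:* on the CDK toolkit staging bucket(s); the ARN wildcard
        # matches every bucket whose name starts with cdktoolkit-stagingbucket-.
        statement.S3()
        .allow()
        .all_actions()
        .on('arn:aws:s3:::cdktoolkit-stagingbucket-*')
        .to_json(),

        # An explicit Deny overrides the Allows above even when the call arrives
        # via CFN: no account-level changes (see the rendered JSON for the
        # concrete account:* actions this expands to).
        statement.Account()
        .deny()
        .all_permission_management_actions()
        .all_write_actions()
        .to_json(),

        # Likewise no changes to the Organization (see the rendered JSON for
        # the organizations:* actions this expands to).
        statement.Organizations()
        .deny()
        .all_permission_management_actions()
        .all_write_actions()
        .to_json(),
    ],
}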
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "cloudformation:*",
"Resource": "*",
"Effect": "Allow"
},
{
"Condition": {
"ForAnyValue:StringEquals": {
"aws:CalledVia": "cloudformation.amazonaws.com"
}
},
"Action": "*",
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "s3:*",
"Resource": "arn:aws:s3:::cdktoolkit-stagingbucket-*",
"Effect": "Allow"
},
{
"Action": [
"account:DeleteAlternateContact",
"account:DisableRegion",
"account:EnableRegion",
"account:PutAlternateContact"
],
"Resource": "*",
"Effect": "Deny"
},
{
"Action": [
"organizations:AcceptHandshake",
"organizations:AttachPolicy",
"organizations:CancelHandshake",
"organizations:CreateAccount",
"organizations:CreateGovCloudAccount",
"organizations:CreateOrganization",
"organizations:CreateOrganizationalUnit",
"organizations:CreatePolicy",
"organizations:DeclineHandshake",
"organizations:DeleteOrganization",
"organizations:DeleteOrganizationalUnit",
"organizations:DeletePolicy",
"organizations:DeregisterDelegatedAdministrator",
"organizations:DetachPolicy",
"organizations:DisableAWSServiceAccess",
"organizations:DisablePolicyType",
"organizations:EnableAWSServiceAccess",
"organizations:EnableAllFeatures",
"organizations:EnablePolicyType",
"organizations:InviteAccountToOrganization",
"organizations:LeaveOrganization",
"organizations:MoveAccount",
"organizations:RegisterDelegatedAdministrator",
"organizations:RemoveAccountFromOrganization",
"organizations:UpdateOrganizationalUnit",
"organizations:UpdatePolicy"
],
"Resource": "*",
"Effect": "Deny"
}
]
}