ExamplesΒΆ
Attention
This is an early version of the package. The API might change when new features are implemented. Therefore make sure you use an exact version in your package.json
/requirements.txt
before it reaches 1.0.0.
const policy = {
Version: '2012-10-17',
Statement: [
new statement.Ec2()
.allow()
.toStartInstances()
.ifAwsRequestTag('Owner', '${aws:username}'),
new statement.Ec2()
.allow()
.toStopInstances()
.ifResourceTag('Owner', '${aws:username}'),
new statement.Ec2() //
.allow()
.allListActions()
.allReadActions(),
],
};
const policy = {
Version: '2012-10-17',
Statement: [
new statement.Ec2()
.allow()
.toStartInstances()
.ifAwsRequestTag('Owner', '${aws:username}'),
new statement.Ec2()
.allow()
.toStopInstances()
.ifResourceTag('Owner', '${aws:username}'),
new statement.Ec2() //
.allow()
.allListActions()
.allReadActions(),
],
};
policy = {
'Version': '2012-10-17',
'Statement': [
statement.Ec2()
.allow()
.to_start_instances()
.if_aws_request_tag('Owner', '${aws:username}')
.to_json(),
statement.Ec2()
.allow()
.to_stop_instances()
.if_resource_tag('Owner', '${aws:username}')
.to_json(),
statement.Ec2()
.allow()
.all_list_actions()
.all_read_actions()
.to_json()
]
}
const policy = {
Version: '2012-10-17',
Statement: [
new statement.Cloudformation() // allow all CFN actions
.allow()
.allActions(),
new statement.All() // allow absolutely everything that is triggered via CFN
.allow()
.allActions()
.ifAwsCalledVia('cloudformation.amazonaws.com'),
new statement.S3() // allow access to the CDK staging bucket
.allow()
.allActions()
.on('arn:aws:s3:::cdktoolkit-stagingbucket-*'),
new statement.Account() // even when triggered via CFN, do not allow modifications of the account
.deny()
.allPermissionManagementActions()
.allWriteActions(),
new statement.Organizations() // even when triggered via CFN, do not allow modifications of the organization
.deny()
.allPermissionManagementActions()
.allWriteActions(),
],
};
const policy = {
Version: '2012-10-17',
Statement: [
new statement.Cloudformation() // allow all CFN actions
.allow()
.allActions(),
new statement.All() // allow absolutely everything that is triggered via CFN
.allow()
.allActions()
.ifAwsCalledVia('cloudformation.amazonaws.com'),
new statement.S3() // allow access to the CDK staging bucket
.allow()
.allActions()
.on('arn:aws:s3:::cdktoolkit-stagingbucket-*'),
new statement.Account() // even when triggered via CFN, do not allow modifications of the account
.deny()
.allPermissionManagementActions()
.allWriteActions(),
new statement.Organizations() // even when triggered via CFN, do not allow modifications of the organization
.deny()
.allPermissionManagementActions()
.allWriteActions(),
],
};
policy = {
'Version': '2012-10-17',
'Statement': [
# allow all CFN actions
statement.Cloudformation() \
.allow() \
.all_actions() \
.to_json(),
# allow access to the CDK staging bucket
statement.All() \
.allow() \
.all_actions() \
.if_aws_called_via('cloudformation.amazonaws.com') \
.to_json(),
# allow access to the CDK staging bucket
statement.S3() \
.allow() \
.all_actions() \
.on('arn:aws:s3:::cdktoolkit-stagingbucket-*') \
.to_json(),
# even when triggered via CFN, do not allow modifications of the
# account
statement.Account() \
.deny() \
.all_permission_management_actions() \
.all_write_actions() \
.to_json(),
# even when triggered via CFN, do not allow modifications of the
# organization
statement.Organizations() \
.deny() \
.all_permission_management_actions() \
.all_write_actions() \
.to_json()
]
}