Examples

Attention

This is an early version of the package. The API might change as new features are implemented, so pin an exact version in your package.json/requirements.txt until the package reaches 1.0.0.

// Each statement is built with the fluent API and placed as-is in the
// Statement array. Note that '${aws:username}' is a single-quoted string: it
// is an IAM policy variable resolved by IAM at evaluation time, not a JS
// template literal (backticks would try to interpolate it).
const startOwnInstances = new statement.Ec2()
  .allow()
  .toStartInstances()
  .ifAwsRequestTag('Owner', '${aws:username}');

const stopOwnInstances = new statement.Ec2()
  .allow()
  .toStopInstances()
  .ifResourceTag('Owner', '${aws:username}');

// Read-only access to EC2: every List* and Read* action of the service.
const readOnlyEc2 = new statement.Ec2()
  .allow()
  .allListActions()
  .allReadActions();

const policy = {
  Version: '2012-10-17',
  Statement: [startOwnInstances, stopOwnInstances, readOnlyEc2],
};
# Each statement chain ends in to_json(); that result is what goes into the
# 'Statement' list. '${aws:username}' is a literal IAM policy variable that
# IAM resolves at evaluation time.
start_own_instances = (
    statement.Ec2()
    .allow()
    .to_start_instances()
    .if_aws_request_tag('Owner', '${aws:username}')
    .to_json()
)
stop_own_instances = (
    statement.Ec2()
    .allow()
    .to_stop_instances()
    .if_resource_tag('Owner', '${aws:username}')
    .to_json()
)
# Read-only access to EC2: every List* and Read* action of the service.
read_only_ec2 = (
    statement.Ec2()
    .allow()
    .all_list_actions()
    .all_read_actions()
    .to_json()
)
policy = {
    'Version': '2012-10-17',
    'Statement': [start_own_instances, stop_own_instances, read_only_ec2],
}
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Condition": {
                "StringLike": {
                    "aws:RequestTag/Owner": "${aws:username}"
                }
            },
            "Action": "ec2:StartInstances",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringLike": {
                    "ec2:ResourceTag/Owner": "${aws:username}"
                }
            },
            "Action": "ec2:StopInstances",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeAddresses",
                "ec2:DescribeAggregateIdFormat",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeBundleTasks",
                "ec2:DescribeByoipCidrs",
                "ec2:DescribeCapacityReservations",
                "ec2:DescribeCarrierGateways",
                "ec2:DescribeClassicLinkInstances",
                "ec2:DescribeClientVpnAuthorizationRules",
                "ec2:DescribeClientVpnConnections",
                "ec2:DescribeClientVpnEndpoints",
                "ec2:DescribeClientVpnRoutes",
                "ec2:DescribeClientVpnTargetNetworks",
                "ec2:DescribeCoipPools",
                "ec2:DescribeConversionTasks",
                "ec2:DescribeCustomerGateways",
                "ec2:DescribeDhcpOptions",
                "ec2:DescribeEgressOnlyInternetGateways",
                "ec2:DescribeElasticGpus",
                "ec2:DescribeExportImageTasks",
                "ec2:DescribeExportTasks",
                "ec2:DescribeFastSnapshotRestores",
                "ec2:DescribeFleetHistory",
                "ec2:DescribeFleetInstances",
                "ec2:DescribeFleets",
                "ec2:DescribeFlowLogs",
                "ec2:DescribeFpgaImageAttribute",
                "ec2:DescribeFpgaImages",
                "ec2:DescribeHostReservationOfferings",
                "ec2:DescribeHostReservations",
                "ec2:DescribeHosts",
                "ec2:DescribeIamInstanceProfileAssociations",
                "ec2:DescribeIdFormat",
                "ec2:DescribeIdentityIdFormat",
                "ec2:DescribeImageAttribute",
                "ec2:DescribeImages",
                "ec2:DescribeImportImageTasks",
                "ec2:DescribeImportSnapshotTasks",
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeInstanceCreditSpecifications",
                "ec2:DescribeInstanceEventNotificationAttributes",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeInstanceTypeOfferings",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeInstances",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeIpv6Pools",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeLaunchTemplateVersions",
                "ec2:DescribeLaunchTemplates",
                "ec2:DescribeLocalGatewayRouteTableVirtualInterfaceGroupAssociations",
                "ec2:DescribeLocalGatewayRouteTableVpcAssociations",
                "ec2:DescribeLocalGatewayRouteTables",
                "ec2:DescribeLocalGatewayVirtualInterfaceGroups",
                "ec2:DescribeLocalGatewayVirtualInterfaces",
                "ec2:DescribeLocalGateways",
                "ec2:DescribeManagedPrefixLists",
                "ec2:DescribeMovingAddresses",
                "ec2:DescribeNatGateways",
                "ec2:DescribeNetworkAcls",
                "ec2:DescribeNetworkInterfaceAttribute",
                "ec2:DescribeNetworkInterfacePermissions",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribePlacementGroups",
                "ec2:DescribePrefixLists",
                "ec2:DescribePrincipalIdFormat",
                "ec2:DescribePublicIpv4Pools",
                "ec2:DescribeRegions",
                "ec2:DescribeReservedInstances",
                "ec2:DescribeReservedInstancesListings",
                "ec2:DescribeReservedInstancesModifications",
                "ec2:DescribeReservedInstancesOfferings",
                "ec2:DescribeRouteTables",
                "ec2:DescribeScheduledInstanceAvailability",
                "ec2:DescribeScheduledInstances",
                "ec2:DescribeSecurityGroupReferences",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSnapshotAttribute",
                "ec2:DescribeSnapshots",
                "ec2:DescribeSpotDatafeedSubscription",
                "ec2:DescribeSpotFleetInstances",
                "ec2:DescribeSpotFleetRequestHistory",
                "ec2:DescribeSpotFleetRequests",
                "ec2:DescribeSpotInstanceRequests",
                "ec2:DescribeSpotPriceHistory",
                "ec2:DescribeStaleSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeTags",
                "ec2:DescribeTrafficMirrorFilters",
                "ec2:DescribeTrafficMirrorSessions",
                "ec2:DescribeTrafficMirrorTargets",
                "ec2:DescribeTransitGatewayAttachments",
                "ec2:DescribeTransitGatewayMulticastDomains",
                "ec2:DescribeTransitGatewayPeeringAttachments",
                "ec2:DescribeTransitGatewayRouteTables",
                "ec2:DescribeTransitGatewayVpcAttachments",
                "ec2:DescribeTransitGateways",
                "ec2:DescribeVolumeAttribute",
                "ec2:DescribeVolumeStatus",
                "ec2:DescribeVolumes",
                "ec2:DescribeVolumesModifications",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeVpcClassicLink",
                "ec2:DescribeVpcClassicLinkDnsSupport",
                "ec2:DescribeVpcEndpointConnectionNotifications",
                "ec2:DescribeVpcEndpointConnections",
                "ec2:DescribeVpcEndpointServiceConfigurations",
                "ec2:DescribeVpcEndpointServicePermissions",
                "ec2:DescribeVpcEndpointServices",
                "ec2:DescribeVpcEndpoints",
                "ec2:DescribeVpcPeeringConnections",
                "ec2:DescribeVpcs",
                "ec2:DescribeVpnConnections",
                "ec2:DescribeVpnGateways",
                "ec2:ExportClientVpnClientCertificateRevocationList",
                "ec2:ExportClientVpnClientConfiguration",
                "ec2:GetAssociatedEnclaveCertificateIamRoles",
                "ec2:GetAssociatedIpv6PoolCidrs",
                "ec2:GetCapacityReservationUsage",
                "ec2:GetCoipPoolUsage",
                "ec2:GetConsoleOutput",
                "ec2:GetConsoleScreenshot",
                "ec2:GetDefaultCreditSpecification",
                "ec2:GetEbsDefaultKmsKeyId",
                "ec2:GetEbsEncryptionByDefault",
                "ec2:GetGroupsForCapacityReservation",
                "ec2:GetHostReservationPurchasePreview",
                "ec2:GetLaunchTemplateData",
                "ec2:GetManagedPrefixListAssociations",
                "ec2:GetManagedPrefixListEntries",
                "ec2:GetPasswordData",
                "ec2:GetReservedInstancesExchangeQuote",
                "ec2:GetTransitGatewayAttachmentPropagations",
                "ec2:GetTransitGatewayMulticastDomainAssociations",
                "ec2:GetTransitGatewayPrefixListReferences",
                "ec2:GetTransitGatewayRouteTableAssociations",
                "ec2:GetTransitGatewayRouteTablePropagations",
                "ec2:SearchLocalGatewayRoutes",
                "ec2:SearchTransitGatewayMulticastGroups",
                "ec2:SearchTransitGatewayRoutes"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}
// Allow every CloudFormation API action.
const cloudformationAdmin = new statement.Cloudformation()
  .allow()
  .allActions();

// Allow any action of any service, but only when the request is made by
// CloudFormation on the caller's behalf (aws:CalledVia). This is still "*"
// on "*": the explicit Deny statements below are what keep CloudFormation
// from changing the account and organization, because in IAM an explicit
// Deny takes precedence over any Allow.
const anythingViaCloudformation = new statement.All()
  .allow()
  .allActions()
  .ifAwsCalledVia('cloudformation.amazonaws.com');

// Allow access to the CDK staging bucket.
const cdkStagingBucket = new statement.S3()
  .allow()
  .allActions()
  .on('arn:aws:s3:::cdktoolkit-stagingbucket-*');

// Even when triggered via CFN, do not allow modifications of the account.
const noAccountChanges = new statement.Account()
  .deny()
  .allPermissionManagementActions()
  .allWriteActions();

// Even when triggered via CFN, do not allow modifications of the organization.
const noOrganizationChanges = new statement.Organizations()
  .deny()
  .allPermissionManagementActions()
  .allWriteActions();

const policy = {
  Version: '2012-10-17',
  Statement: [
    cloudformationAdmin,
    anythingViaCloudformation,
    cdkStagingBucket,
    noAccountChanges,
    noOrganizationChanges,
  ],
};
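policy = {
    'Version': '2012-10-17',
    'Statement': [
        # allow all CFN actions
        (
            statement.Cloudformation()
            .allow()
            .all_actions()
            .to_json()
        ),
        # allow absolutely everything that is triggered via CFN
        # (aws:CalledVia). This is still "*" on "*"; the explicit Deny
        # statements below are what keep CloudFormation from changing the
        # account and organization, because an explicit Deny takes
        # precedence over any Allow in IAM.
        (
            statement.All()
            .allow()
            .all_actions()
            .if_aws_called_via('cloudformation.amazonaws.com')
            .to_json()
        ),
        # allow access to the CDK staging bucket
        (
            statement.S3()
            .allow()
            .all_actions()
            .on('arn:aws:s3:::cdktoolkit-stagingbucket-*')
            .to_json()
        ),
        # even when triggered via CFN, do not allow modifications of the
        # account
        (
            statement.Account()
            .deny()
            .all_permission_management_actions()
            .all_write_actions()
            .to_json()
        ),
        # even when triggered via CFN, do not allow modifications of the
        # organization
        (
            statement.Organizations()
            .deny()
            .all_permission_management_actions()
            .all_write_actions()
            .to_json()
        ),
    ],
}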

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "cloudformation:*",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "aws:CalledVia": "cloudformation.amazonaws.com"
                }
            },
            "Action": "*",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::cdktoolkit-stagingbucket-*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "account:DisableRegion",
                "account:EnableRegion"
            ],
            "Resource": "*",
            "Effect": "Deny"
        },
        {
            "Action": [
                "organizations:AcceptHandshake",
                "organizations:AttachPolicy",
                "organizations:CancelHandshake",
                "organizations:CreateAccount",
                "organizations:CreateGovCloudAccount",
                "organizations:CreateOrganization",
                "organizations:CreateOrganizationalUnit",
                "organizations:CreatePolicy",
                "organizations:DeclineHandshake",
                "organizations:DeleteOrganization",
                "organizations:DeleteOrganizationalUnit",
                "organizations:DeletePolicy",
                "organizations:DeregisterDelegatedAdministrator",
                "organizations:DetachPolicy",
                "organizations:DisableAWSServiceAccess",
                "organizations:DisablePolicyType",
                "organizations:EnableAWSServiceAccess",
                "organizations:EnableAllFeatures",
                "organizations:EnablePolicyType",
                "organizations:InviteAccountToOrganization",
                "organizations:LeaveOrganization",
                "organizations:MoveAccount",
                "organizations:RegisterDelegatedAdministrator",
                "organizations:RemoveAccountFromOrganization",
                "organizations:UpdateOrganizationalUnit",
                "organizations:UpdatePolicy"
            ],
            "Resource": "*",
            "Effect": "Deny"
        }
    ]
}