Collections

Attention

This is an early version of the package. The API might change when new features are implemented. Therefore pin an exact version in your package.json/requirements.txt until the package reaches 1.0.0.

IAM Floyd provides commonly used statement collections. These can be called via:

TypeScript:

new statement.Collection().allowEc2InstanceDeleteByOwner();

Python:

statements = statement.Collection().allow_ec2_instance_delete_by_owner()

Both return the same two statements (shown here as JSON):

{
    "Action": [
        "ec2:StartInstances"
    ],
    "Condition": {
        "StringLike": {
            "aws:RequestTag/Owner": "${aws:username}"
        }
    },
    "Effect": "Allow",
    "Resource": [
        "*"
    ]
}
{
    "Action": [
        "ec2:StopInstances"
    ],
    "Condition": {
        "StringLike": {
            "ec2:ResourceTag/Owner": "${aws:username}"
        }
    },
    "Effect": "Allow",
    "Resource": [
        "*"
    ]
}

Collections return a list of statement objects, not a complete policy document. To use them, wrap the list in a policy document with a Version element, serializing each statement to JSON where the language does not do it for you:

TypeScript:

const policy = {
  Version: '2012-10-17',
  Statement: [...new statement.Collection().allowEc2InstanceDeleteByOwner()],
};

Python:

statements = statement.Collection().allow_ec2_instance_delete_by_owner()
policy = {
    'Version': '2012-10-17',
    'Statement': list(map(lambda x: x.to_json(), statements)),
}

Resulting policy document:

{
    "Statement": [
        {
            "Action": [
                "ec2:StartInstances"
            ],
            "Condition": {
                "StringLike": {
                    "aws:RequestTag/Owner": "${aws:username}"
                }
            },
            "Effect": "Allow",
            "Resource": [
                "*"
            ]
        },
        {
            "Action": [
                "ec2:StopInstances"
            ],
            "Condition": {
                "StringLike": {
                    "ec2:ResourceTag/Owner": "${aws:username}"
                }
            },
            "Effect": "Allow",
            "Resource": [
                "*"
            ]
        }
    ],
    "Version": "2012-10-17"
}

Available collections

allowEc2InstanceDeleteByOwner

Allows starting EC2 instances only when the request tags them with Owner set to the caller's IAM username, and stopping instances only when they already carry an Owner tag equal to the caller's IAM username. Both conditions compare against the policy variable ${aws:username}, which IAM populates only for IAM user principals; for a role session (including federated and SSO access) the key is absent, the StringLike condition does not match, and the statements grant nothing. Any other EC2 action, including terminating instances, is not covered by this collection.
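To see who this policy document actually lets start or stop what, the following added example (not iam-floyd's own code) evaluates the two statements above against a few request contexts. It models only what the page's policy needs: StringLike with * and ? wildcards, ${aws:username} substitution, the aws:RequestTag/ and ec2:ResourceTag/ keys, and IAM's rule that a condition key missing from the request context makes the condition false. The evaluate and lookupKey functions, the RequestContext type and the embedded policy constant are assumptions for this example.

```typescript
// Minimal IAM evaluator for the Owner-tag statements above (added example).
type ConditionBlock = Record<string, Record<string, string | string[]>>;

export interface Statement {
  Effect: 'Allow' | 'Deny';
  Action: string[];
  Resource: string[];
  Condition?: ConditionBlock;
}

export interface Policy {
  Version: string;
  Statement: Statement[];
}

// Request context as IAM sees it. `username` is aws:username, which IAM sets
// only for IAM user principals; a role session leaves it undefined.
export interface RequestContext {
  action: string;
  username?: string;
  resourceArn?: string;
  requestTags?: Record<string, string>;
  resourceTags?: Record<string, string>;
}

// Constructed input: the two statements the page shows for allowEc2InstanceDeleteByOwner.
export const ownerPolicy: Policy = {
  Version: '2012-10-17',
  Statement: [
    {
      Effect: 'Allow',
      Action: ['ec2:StartInstances'],
      Resource: ['*'],
      Condition: { StringLike: { 'aws:RequestTag/Owner': '${aws:username}' } },
    },
    {
      Effect: 'Allow',
      Action: ['ec2:StopInstances'],
      Resource: ['*'],
      Condition: { StringLike: { 'ec2:ResourceTag/Owner': '${aws:username}' } },
    },
  ],
};

// Resolve a condition key or policy variable from the request context.
// undefined means "not present in the request", which must fail the condition.
export function lookupKey(key: string, ctx: RequestContext): string | undefined {
  if (key === 'aws:username') return ctx.username;
  const reqTag = key.match(/^aws:RequestTag\/(.+)$/);
  if (reqTag) return ctx.requestTags?.[reqTag[1]];
  const resTag = key.match(/^ec2:ResourceTag\/(.+)$/);
  if (resTag) return ctx.resourceTags?.[resTag[1]];
  return undefined;
}

// Substitute ${var} policy variables; an unresolvable variable fails the whole value.
function substitute(value: string, ctx: RequestContext): string | undefined {
  let failed = false;
  const out = value.replace(/\$\{([^}]+)\}/g, (_m, name: string) => {
    const v = lookupKey(name, ctx);
    if (v === undefined) failed = true;
    return v ?? '';
  });
  return failed ? undefined : out;
}

// StringLike: case-sensitive match where * and ? are wildcards.
function stringLike(pattern: string, actual: string): boolean {
  const re = pattern
    .replace(/[.+^$()|[\]\\{}]/g, '\\$&')
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.');
  return new RegExp(`^${re}$`).test(actual);
}

// Operators and keys are ANDed; several values under one key are ORed.
function conditionMatches(cond: ConditionBlock | undefined, ctx: RequestContext): boolean {
  if (!cond) return true;
  for (const [operator, keys] of Object.entries(cond)) {
    if (operator !== 'StringLike') throw new Error(`operator ${operator} not modelled here`);
    for (const [key, raw] of Object.entries(keys)) {
      const actual = lookupKey(key, ctx);
      if (actual === undefined) return false; // missing context key: condition is false
      const patterns = (Array.isArray(raw) ? raw : [raw]).map((p) => substitute(p, ctx));
      if (!patterns.some((p) => p !== undefined && stringLike(p, actual))) return false;
    }
  }
  return true;
}

// Explicit Deny beats Allow; no matching statement is an implicit deny.
export function evaluate(policy: Policy, ctx: RequestContext): 'Allow' | 'Deny' | 'ImplicitDeny' {
  let allowed = false;
  for (const s of policy.Statement) {
    const actionHit = s.Action.some((a) => stringLike(a.toLowerCase(), ctx.action.toLowerCase()));
    const resourceHit = s.Resource.some((r) => stringLike(r, ctx.resourceArn ?? ''));
    if (!actionHit || !resourceHit || !conditionMatches(s.Condition, ctx)) continue;
    if (s.Effect === 'Deny') return 'Deny';
    allowed = true;
  }
  return allowed ? 'Allow' : 'ImplicitDeny';
}

// Usage: alice stopping her own instance versus a role session trying the same.
console.log(evaluate(ownerPolicy, { action: 'ec2:StopInstances', username: 'alice', resourceTags: { Owner: 'alice' } }));
console.log(evaluate(ownerPolicy, { action: 'ec2:StopInstances', resourceTags: { Owner: 'alice' } }));
```

The second call returns ImplicitDeny even though the instance is tagged Owner=alice, because without aws:username the ${aws:username} variable cannot be resolved and the condition fails closed; that is the behaviour to expect when this collection is attached to a role rather than an IAM user.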