-
Notifications
You must be signed in to change notification settings - Fork 3
/
Copy pathec2emr-iam-resources.yaml
220 lines (217 loc) · 7.6 KB
/
ec2emr-iam-resources.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
AWSTemplateFormatVersion: '2010-09-09'
Description: >
Creates a role for reseachers to use EC2 (full access) and EMR. Also derived from arn:aws:iam::aws:policy/job-function/DataScientist. Also creates an IAM group with similar privileges.
Parameters:
BucketPrefixParameter:
Type: String
Default: cu-ec2emr
Description: Bucket name prefix to scope S3 operations. E.g. "xyz" will restrict bucket access/operations to any buckets beginning with "zyx".
Resources:
EC2EMRRole:
Type: "AWS::IAM::Role"
Properties:
RoleName: shib-ec2emr
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Principal:
Federated: !Sub "arn:aws:iam::${AWS::AccountId}:saml-provider/cornell_idp"
Action: "sts:AssumeRoleWithSAML"
Condition:
StringEquals:
SAML:aud: "https://signin.aws.amazon.com/saml"
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AmazonEC2FullAccess
- !Ref ScopeRegionsUSEastPolicy
- !Ref LimitedEMRPolicy
EC2EMRGroup:
Type: AWS::IAM::Group
Properties:
GroupName: ec2emr-users
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AmazonEC2FullAccess
- !Ref ScopeRegionsUSEastPolicy
- !Ref LimitedEMRPolicy
- !Ref ForceMFAPolicy
# Path: String
# Policies:
# - Policies
ScopeRegionsUSEastPolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
ManagedPolicyName: scope-regions-us-east
Description: Deny operations except in us-east-1, us-east-2
PolicyDocument:
Version: "2012-10-17"
Statement:
-
Condition:
StringNotEquals:
aws:RequestedRegion:
- us-east-1
- us-east-2
Action:
- elasticmapreduce:*
- ec2:*
- elasticloadbalancing:*
- cloudwatch:*
- autoscaling:*
- sns:*
- logs:*
- cloudformation:*
- kms:*
- s3:*
Resource: "*"
Effect: Deny
LimitedEMRPolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
ManagedPolicyName: limited-emr-access
Description: A subset of EMR permissions based on AmazonElasticMapReduceFullAccess
PolicyDocument:
Version: "2012-10-17"
Statement:
-
Action:
- cloudformation:CreateStack
- cloudformation:DescribeStackEvents
- elasticmapreduce:*
- iam:GetInstanceProfile
- iam:GetRole
- iam:GetPolicy
- iam:GetPolicyVersion
- iam:ListUsers
- iam:ListPolicies
- iam:ListRoles
- iam:ListInstanceProfiles
- kms:List*
- s3:ListAllMyBuckets
- sns:CreateTopic
- sns:Get*
- sns:List*
- logs:DescribeLogStreams
- logs:GetLogEvents
Effect: Allow
Resource: "*"
-
Effect: Allow
Action:
- s3:CreateBucket
- s3:Abort*
- s3:DeleteObject
- s3:Get*
- s3:List*
- s3:PutAccelerateConfiguration
- s3:PutBucketLogging
- s3:PutBucketNotification
- s3:PutBucketTagging
- s3:PutObject
- s3:Replicate*
- s3:RestoreObject
Resource:
- !Sub "arn:aws:s3:::${BucketPrefixParameter}*"
-
Effect: Allow
Action:
- iam:GetRole
- iam:PassRole
Resource:
- arn:aws:iam::*:role/DataPipelineDefaultRole
- arn:aws:iam::*:role/DataPipelineDefaultResourceRole
- arn:aws:iam::*:role/EMR_EC2_DefaultRole
- arn:aws:iam::*:role/EMR_DefaultRole
- arn:aws:iam::*:role/kinesis-*
- arn:aws:iam::*:role/aws-ec2-spot-fleet-role
- arn:aws:iam::*:role/aws-ec2-spot-fleet-tagging-role
-
Effect: Allow
Action: iam:CreateServiceLinkedRole
Resource: "*"
Condition:
StringLike:
iam:AWSServiceName:
- elasticmapreduce.amazonaws.com
ForceMFAPolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
ManagedPolicyName: self-manage-iam-force-mfa
Description: Allow IAM users to manage their own credentials; require MFA; based on https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_users-self-manage-mfa-and-creds.html
PolicyDocument:
Version: '2012-10-17'
Statement:
- Sid: AllowAllUsersToListAccounts
Effect: Allow
Action:
- iam:ListAccountAliases
- iam:ListUsers
- iam:ListVirtualMFADevices
- iam:GetAccountPasswordPolicy
- iam:GetAccountSummary
Resource: "*"
- Sid: AllowIndividualUserToSeeAndManageOnlyTheirOwnAccountInformation
Effect: Allow
Action:
- iam:ChangePassword
- iam:CreateAccessKey
- iam:CreateLoginProfile
- iam:DeleteAccessKey
- iam:DeleteLoginProfile
- iam:GetLoginProfile
- iam:ListAccessKeys
- iam:UpdateAccessKey
- iam:UpdateLoginProfile
- iam:ListSigningCertificates
- iam:DeleteSigningCertificate
- iam:UpdateSigningCertificate
- iam:UploadSigningCertificate
- iam:ListSSHPublicKeys
- iam:GetSSHPublicKey
- iam:DeleteSSHPublicKey
- iam:UpdateSSHPublicKey
- iam:UploadSSHPublicKey
Resource: arn:aws:iam::*:user/${aws:username}
- Sid: AllowIndividualUserToViewAndManageTheirOwnMFA
Effect: Allow
Action:
- iam:CreateVirtualMFADevice
- iam:DeleteVirtualMFADevice
- iam:EnableMFADevice
- iam:ListMFADevices
- iam:ResyncMFADevice
Resource:
- arn:aws:iam::*:mfa/${aws:username}
- arn:aws:iam::*:user/${aws:username}
- Sid: AllowIndividualUserToDeactivateOnlyTheirOwnMFAOnlyWhenUsingMFA
Effect: Allow
Action:
- iam:DeactivateMFADevice
Resource:
- arn:aws:iam::*:mfa/${aws:username}
- arn:aws:iam::*:user/${aws:username}
Condition:
Bool:
aws:MultiFactorAuthPresent: 'true'
- Sid: BlockMostAccessUnlessSignedInWithMFA
Effect: Deny
NotAction:
- iam:CreateVirtualMFADevice
- iam:DeleteVirtualMFADevice
- iam:ListVirtualMFADevices
- iam:EnableMFADevice
- iam:ResyncMFADevice
- iam:ListAccountAliases
- iam:ListUsers
- iam:ListSSHPublicKeys
- iam:ListAccessKeys
- iam:ListServiceSpecificCredentials
- iam:ListMFADevices
- iam:GetAccountSummary
- sts:GetSessionToken
- iam:ChangePassword
- iam:CreateLoginProfile
Resource: "*"
Condition:
BoolIfExists:
aws:MultiFactorAuthPresent: 'false'