
Commit 1df672a

committed
cleanup IAM permissions
1 parent a2158cc commit 1df672a

2 files changed

+129
-46
lines changed


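--- a/cloudformation/iam.yml
+++ b/cloudformation/iam.yml
@@ -15,7 +15,7 @@ Parameters:
 SqsQueueArn:
 Type: String
 Resources:
-ApiLambdaIAMRole:
+SqsLambdaIAMRole:
 Type: AWS::IAM::Role
 Properties:
 ManagedPolicyArns:
@@ -30,28 +30,89 @@ Resources:
 Service:
 - lambda.amazonaws.com
 Policies:
+- PolicyDocument:
+Version: "2012-10-17"
+Statement:
+- Action:
+- ses:SendEmail
+- ses:SendRawEmail
+Effect: Allow
+Resource: "*"
+Condition:
+StringEquals:
+ses:FromAddress:
+Fn::Sub: "membership@${SesEmailDomain}"
+ForAllValues:StringLike:
+ses:Recipients:
+- "*@illinois.edu"
+PolicyName: ses-membership
 - PolicyDocument:
 Version: "2012-10-17"
 Statement:
 - Action:
-- ses:SendEmail
-- ses:SendRawEmail
+- logs:CreateLogGroup
+- logs:CreateLogStream
+- logs:PutLogEvents
+Effect: Allow
+Resource:
+- Fn::Sub: arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${LambdaFunctionName}:*
+- PolicyDocument:
+Version: 2012-10-17
+Statement:
+- Action:
+- secretsmanager:GetSecretValue
 Effect: Allow
+Resource:
+- Fn::Sub: arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:infra-core-api-config*
+PolicyName: lambda-db-secrets
+
+- PolicyDocument:
+Version: 2012-10-17
+Statement:
+- Sid: DynamoDBTableAccess
+Effect: Allow
+Action:
+- dynamodb:BatchGetItem
+- dynamodb:BatchWriteItem
+- dynamodb:ConditionCheckItem
+- dynamodb:PutItem
+- dynamodb:DescribeTable
+- dynamodb:DeleteItem
+- dynamodb:GetItem
+- dynamodb:Scan
+- dynamodb:Query
+- dynamodb:UpdateItem
+Resource:
+- Fn::Sub: arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-core-api-cache
+
+- Sid: DynamoDBDescribeLimitsAccess
+Effect: Allow
+Action:
+- dynamodb:DescribeLimits
 Resource: "*"
-Condition:
-StringEquals:
-ses:FromAddress: !Sub "membership@${SesEmailDomain}"
-ForAllValues:StringLike:
-ses:Recipients:
-- "*@illinois.edu"
-PolicyName: ses-membership
+PolicyName: lambda-dynamo
+
+ApiLambdaIAMRole:
+Type: AWS::IAM::Role
+Properties:
+AssumeRolePolicyDocument:
+Version: "2012-10-17"
+Statement:
+- Action:
+- sts:AssumeRole
+Effect: Allow
+Principal:
+Service:
+- lambda.amazonaws.com
+Policies:
 - PolicyDocument:
 Version: "2012-10-17"
 Statement:
 - Action:
 - sqs:SendMessage
 Effect: Allow
-Resource: !Ref SqsQueueArn
+Resource:
+Fn::Ref: SqsQueueArn
 PolicyName: lambda-sqs
 - PolicyDocument:
 Version: "2012-10-17"
@@ -63,16 +124,6 @@ Resources:
 Effect: Allow
 Resource:
 - Fn::Sub: arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${LambdaFunctionName}:*
-- Effect: Allow
-Action:
-- ec2:CreateNetworkInterface
-- ec2:DescribeNetworkInterfaces
-- ec2:DeleteNetworkInterface
-- ec2:DescribeSubnets
-- ec2:DeleteNetworkInterface
-- ec2:AssignPrivateIpAddresses
-- ec2:UnassignPrivateIpAddresses
-Resource: "*"
 PolicyName: lambda
 - PolicyDocument:
 Version: 2012-10-17
@@ -81,36 +132,60 @@ Resources:
 - secretsmanager:GetSecretValue
 Effect: Allow
 Resource:
-- !Sub arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:infra-core-api-config*
+- Fn::Sub: arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:infra-core-api-config*
 PolicyName: lambda-db-secrets
 - PolicyDocument:
 Version: 2012-10-17
 Statement:
-- Action:
-- dynamodb:*
+- Sid: DynamoDBIndexAccess
 Effect: Allow
+Action:
+- dynamodb:Query
+Resource:
+- Fn::Sub: arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-core-api-stripe-links/index/*
+- Fn::Sub: arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-core-api-events/index/*
+
+- Sid: DynamoDBStreamAccess
+Effect: Allow
+Action:
+- dynamodb:GetShardIterator
+- dynamodb:DescribeStream
+- dynamodb:GetRecords
+- dynamodb:ListStreams
 Resource:
-- !Sub arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-core-api-events/*
-- !Sub arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-core-api-events
-- !Sub arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-core-api-cache
-- !Sub arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-core-api-cache/*
-- !Sub arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-merchstore-purchase-history/*
-- !Sub arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-merchstore-purchase-history
-- !Sub arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-events-tickets
-- !Sub arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-events-tickets/*
-- !Sub arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-events-ticketing-metadata/*
-- !Sub arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-events-ticketing-metadata
-- !Sub arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-merchstore-metadata/*
-- !Sub arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-merchstore-metadata
-- !Sub arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-core-api-iam-userroles
-- !Sub arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-core-api-iam-userroles/*
-- !Sub arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-core-api-iam-grouproles
-- !Sub arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-core-api-iam-grouproles/*
-- !Sub arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-core-api-stripe-links
-- !Sub arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-core-api-stripe-links/*
-- !Sub arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-core-api-membership-provisioning
-- !Sub arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-core-api-membership-provisioning/*
+- Fn::Sub: arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-core-api-stripe-links/stream/*
+- Fn::Sub: arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-core-api-events/stream/*
 
+- Sid: DynamoDBTableAccess
+Effect: Allow
+Action:
+- dynamodb:BatchGetItem
+- dynamodb:BatchWriteItem
+- dynamodb:ConditionCheckItem
+- dynamodb:PutItem
+- dynamodb:DescribeTable
+- dynamodb:DeleteItem
+- dynamodb:GetItem
+- dynamodb:Scan
+- dynamodb:Query
+- dynamodb:UpdateItem
+Resource:
+- Fn::Sub: arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-core-api-events
+- Fn::Sub: arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-core-api-cache
+- Fn::Sub: arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-merchstore-purchase-history
+- Fn::Sub: arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-events-tickets
+- Fn::Sub: arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-events-ticketing-metadata
+- Fn::Sub: arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-merchstore-metadata
+- Fn::Sub: arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-core-api-iam-userroles
+- Fn::Sub: arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-core-api-iam-grouproles
+- Fn::Sub: arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-core-api-stripe-links
+- Fn::Sub: arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-core-api-membership-provisioning
+
+- Sid: DynamoDBDescribeLimitsAccess
+Effect: Allow
+Action:
+- dynamodb:DescribeLimits
+Resource: "*"
 PolicyName: lambda-dynamo
 Outputs:
 MainFunctionRoleArn:
@@ -119,3 +194,9 @@ Outputs:
 Fn::GetAtt:
 - ApiLambdaIAMRole
 - Arn
+SqsFunctionRoleArn:
+Description: Sqs IAM role ARN
+Value:
+Fn::GetAtt:
+- SqsLambdaIAMRole
+- Arn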
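Review bot: `Fn::Ref` is not a CloudFormation intrinsic function — the long form of `!Ref` is plain `Ref` — so the lambda-sqs statement's `Resource:` at new line 115 should read `Ref: SqsQueueArn`; the same `Fn::Ref: SqsLambdaTimeout` appears in cloudformation/main.yml at new line 222. As written the Resource value is an unknown function map, which should be rejected at template validation rather than silently grant anything, but it blocks the rollout of the tightened policies. Separately, the two new policy documents at new lines 60 and 70 carry an unquoted `Version: 2012-10-17` while the neighbouring documents at new lines 34 and 50 quote it; some YAML 1.1 parsers read the bare value as a timestamp, so quoting it consistently avoids tool-dependent failures. If the function behind ApiLambdaIAMRole is still attached to a VPC, the `ec2:*NetworkInterface` statement removed from the `lambda` policy at old lines 66-75 is what allowed it to create its ENIs — worth confirming no `VpcConfig` remains before deploying.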

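--- a/cloudformation/main.yml
+++ b/cloudformation/main.yml
@@ -216,8 +216,10 @@ Resources:
 FunctionName: !Sub ${ApplicationPrefix}-sqs-lambda
 Handler: index.handler
 MemorySize: 512
-Role: !GetAtt AppSecurityRoles.Outputs.MainFunctionRoleArn
-Timeout: !Ref SqsLambdaTimeout
+Role:
+Fn::GetAtt: AppSecurityRoles.Outputs.SqsFunctionRoleArn
+Timeout:
+Fn::Ref: SqsLambdaTimeout
 LoggingConfig:
 LogGroup: !Sub /aws/lambda/${ApplicationPrefix}-lambda
 Environment: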
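Review bot: The `Fn::GetAtt: AppSecurityRoles.Outputs.SqsFunctionRoleArn` at new line 220 uses the dotted-string form inside the long-form function, whereas the documented long-form syntax is a two-element list — the shape this commit's own cloudformation/iam.yml Outputs already use (`Fn::GetAtt:` / `- ApiLambdaIAMRole` / `- Arn`). If the linter or CloudFormation rejects the string form here, write it as `Fn::GetAtt: [AppSecurityRoles, Outputs.SqsFunctionRoleArn]`. The function's other properties continue outside the hunk.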
