
Commit 1a919d1

authored
Merge pull request #1764 from redis/embed-external
RC: Replace BYOC policy files with external references
2 parents 93b882d + 3109ec1 commit 1a919d1


1 file changed

+2
-327
lines changed


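--- a/content/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/aws-console.md
+++ b/content/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/aws-console.md
@@ -29,82 +29,7 @@ Follow the steps to [create an IAM policy using the JSON editor](https://docs.aw
 - In **Specify permissions**, select **JSON**, and then enter the contents of the RedisLabsInstanceRolePolicy.json policy file:
 
 {{< scrollable-code >}}
-```js
-{
-"Version": "2012-10-17",
-"Statement": [
-{
-"Sid": "DescribeReadOnlyEc2Resources",
-"Effect": "Allow",
-"Action": [
-"ec2:DescribeAvailabilityZones",
-"ec2:DescribeRegions",
-"ec2:DescribeSecurityGroups",
-"ec2:DescribeTags",
-"ec2:DescribeVolumes"
-],
-"Resource": [
-"*"
-]
-},
-{
-"Sid": "EC2EBSActions",
-"Effect": "Allow",
-"Action": [
-"ec2:AttachVolume",
-"ec2:CreateVolume"
-],
-"Resource": [
-"*"
-],
-"Condition": {
-"StringEquals": {
-"ec2:ResourceTag/RedisLabsIdentifier": "Redislabs-VPC"
-}
-}
-},
-{
-"Sid": "SecurityGroupAccessActions",
-"Effect": "Allow",
-"Action": [
-"ec2:AuthorizeSecurityGroupIngress",
-"ec2:DeleteSecurityGroup"
-],
-"Resource": "*",
-"Condition": {
-"StringEquals": {
-"ec2:ResourceTag/RedisLabsIdentifier": "Redislabs-VPC"
-}
-}
-},
-{
-"Sid": "TagResourcesCreation",
-"Effect": "Allow",
-"Action": [
-"ec2:CreateTags"
-],
-"Resource": [
-"*"
-]
-},
-{
-"Sid": "TagResourcesDelete",
-"Effect": "Allow",
-"Action": [
-"ec2:DeleteTags"
-],
-"Resource": [
-"*"
-],
-"Condition": {
-"StringEquals": {
-"ec2:ResourceTag/RedisLabsIdentifier": "Redislabs-VPC"
-}
-}
-}
-]
-}
-```
+{{< external-json "https://raw.githubusercontent.com/Redislabs-Solution-Architects/cloudformation-aws-Redislabs-Cloud-Account-IAM-Resources/refs/heads/master/RedisLabsInstanceRolePolicy.json" >}}
 {{< /scrollable-code >}}
 
 - In **Review and Create**, enter `RedisLabsInstanceRolePolicy` in the **Policy name** field.
@@ -135,257 +60,7 @@ Follow the steps to [create an IAM policy using the JSON editor](https://docs.aw
 - In **Specify permissions**, select **JSON**, and then enter the contents of the RedisLabsIAMUserRestrictedPolicy.json policy file:
 
 {{< scrollable-code >}}
-```json
-{
-"Version": "2012-10-17",
-"Statement": [
-{
-"Sid": "DescribeReadOnlyEc2Resources",
-"Effect": "Allow",
-"Action": [
-"ec2:DescribeAvailabilityZones",
-"ec2:DescribeInstanceTypeOfferings",
-"ec2:DescribeRegions",
-"ec2:DescribeInstances",
-"ec2:DescribeVolumes",
-"ec2:DescribeSnapshots",
-"ec2:DescribeVpcs",
-"ec2:DescribeSubnets",
-"ec2:DescribeSecurityGroups",
-"ec2:DescribeRouteTables",
-"ec2:DescribeInternetGateways",
-"ec2:DescribeImages",
-"ec2:DescribeTransitGatewayVpcAttachments",
-"ec2:DescribeVpcPeeringConnections",
-"ec2:DescribeKeyPairs",
-"ec2:DescribeTransitGateways",
-"ec2:DescribeInstanceStatus",
-"ec2:DescribeNetworkAcls"
-],
-"Resource": "*"
-},
-{
-"Sid": "CloudWatchReadOnly",
-"Effect": "Allow",
-"Action": [
-"cloudwatch:Describe*",
-"cloudwatch:Get*",
-"cloudwatch:List*"
-],
-"Resource": "*"
-},
-{
-"Sid": "IamUserOperations",
-"Effect": "Allow",
-"Action": [
-"iam:GetUser",
-"iam:GetUserPolicy",
-"iam:ChangePassword"
-],
-"Resource": "arn:aws:iam::*:user/${aws:username}"
-},
-{
-"Sid": "RolePolicyUserReadActions",
-"Action": [
-"iam:GetRole",
-"iam:GetPolicy",
-"iam:ListUsers",
-"iam:ListPolicies",
-"iam:ListRolePolicies",
-"iam:ListAttachedRolePolicies",
-"iam:ListInstanceProfiles",
-"iam:ListInstanceProfilesForRole",
-"iam:SimulatePrincipalPolicy"
-],
-"Effect": "Allow",
-"Resource": "*"
-},
-{
-"Sid": "PassRlClusterNodeRole",
-"Effect": "Allow",
-"Action": "iam:PassRole",
-"Resource": "arn:aws:iam::*:role/redislabs-cluster-node-role"
-},
-{
-"Sid": "CreateEc2ResourcesWithoutTag",
-"Effect": "Allow",
-"Action": [
-"ec2:CreateTags",
-"ec2:RunInstances",
-"ec2:ImportKeyPair",
-"ec2:CreateKeyPair",
-"ec2:CreateVpc",
-"ec2:CreateSecurityGroup",
-"ec2:CreateInternetGateway",
-"ec2:CreateRouteTable",
-"ec2:CreateSubnet",
-"ec2:CreateSnapshot",
-"ec2:CreateTransitGateway",
-"ec2:AssociateVpcCidrBlock",
-"ec2:CreateTransitGatewayVpcAttachment",
-"ec2:AttachInternetGateway",
-"ec2:ReplaceRoute"
-],
-"Resource": "*"
-},
-{
-"Sid": "ForceUnderlyingResourcesToHaveIdentifierTags",
-"Effect": "Deny",
-"Action": [
-"ec2:RunInstances",
-"ec2:CreateKeyPair"
-],
-"Resource": [
-"arn:aws:ec2:*:*:instance/*",
-"arn:aws:ec2:*:*:volume/*",
-"arn:aws:ec2:*:*:keypair/*"
-],
-"Condition": {
-"Null": {
-"aws:RequestTag/RedisLabsIdentifier": "true"
-}
-}
-},
-{
-"Sid": "AllowVpcPeeringManagement",
-"Effect": "Allow",
-"Action": [
-"ec2:CreateVpcPeeringConnection",
-"ec2:AcceptVpcPeeringConnection"
-],
-"Resource": "*"
-},
-{
-"Sid": "AllowVpcPeeringDeletion",
-"Effect": "Allow",
-"Action": [
-"ec2:DeleteVpcPeeringConnection"
-],
-"Resource": "*",
-"Condition": {
-"StringEquals": {
-"ec2:ResourceTag/RedisLabsIdentifier": "Redislabs-VPC"
-}
-}
-},
-{
-"Sid": "CreateEc2Resources",
-"Effect": "Allow",
-"Action": [
-"ec2:CreateVolume",
-"ec2:CreateRoute",
-"ec2:AuthorizeSecurityGroupIngress",
-"ec2:AuthorizeSecurityGroupEgress"
-],
-"Resource": "*",
-"Condition": {
-"StringEquals": {
-"ec2:ResourceTag/RedisLabsIdentifier": "Redislabs-VPC"
-}
-}
-},
-{
-"Sid": "ModifyEc2Resources",
-"Effect": "Allow",
-"Action": [
-"ec2:AttachVolume",
-"ec2:ModifyInstanceAttribute",
-"ec2:ModifySubnetAttribute",
-"ec2:AssociateRouteTable",
-"ec2:StartInstances",
-"ec2:StopInstances",
-"ec2:RebootInstances"
-],
-"Resource": "*",
-"Condition": {
-"StringEquals": {
-"ec2:ResourceTag/RedisLabsIdentifier": "Redislabs-VPC"
-}
-}
-},
-{
-"Sid": "DeleteEc2Resources",
-"Effect": "Allow",
-"Action": [
-"ec2:TerminateInstances",
-"ec2:DeleteVolume",
-"ec2:DeleteSnapshot",
-"ec2:DetachVolume",
-"ec2:DeleteKeyPair",
-"ec2:DeleteTags",
-"ec2:DeleteSubnet",
-"ec2:DeleteSecurityGroup",
-"ec2:DeleteRouteTable",
-"ec2:DeleteRoute",
-"ec2:DeleteInternetGateway",
-"ec2:DeleteVpc"
-],
-"Resource": "*",
-"Condition": {
-"StringEquals": {
-"ec2:ResourceTag/RedisLabsIdentifier": "Redislabs-VPC"
-}
-}
-},
-{
-"Sid": "DeleteEc2ResourcesWithoutTag",
-"Effect": "Allow",
-"Action": [
-"ec2:RevokeSecurityGroupIngress",
-"ec2:RejectVpcPeeringConnection",
-"ec2:DeleteTransitGatewayVpcAttachment",
-"ec2:DeleteTransitGateway",
-"ec2:DetachInternetGateway"
-],
-"Resource": "*"
-},
-{
-"Sid": "CreateAndChangeServiceLinkedRoleForTransitGateway",
-"Effect": "Allow",
-"Action": "iam:CreateServiceLinkedRole",
-"Resource": "arn:aws:iam::*:role/aws-service-role/transitgateway.amazonaws.com/AWSServiceRoleForVPCTransitGateway*",
-"Condition": {
-"StringLike": {
-"iam:AWSServiceName": "transitgateway.amazonaws.com"
-}
-}
-},
-{
-"Sid": "RolePolicyForTransitGateway",
-"Effect": "Allow",
-"Action": [
-"iam:AttachRolePolicy",
-"iam:PutRolePolicy"
-],
-"Resource": "arn:aws:iam::*:role/aws-service-role/transitgateway.amazonaws.com/AWSServiceRoleForVPCTransitGateway*"
-},
-{
-"Sid": "AllowEncryptedVolumeCreation",
-"Effect": "Allow",
-"Action": [
-"kms:GenerateDataKeyWithoutPlaintext",
-"kms:DescribeKey"
-],
-"Resource": "*"
-},
-{
-"Sid": "AllowAttachDetachOfEncryptedVolumes",
-"Effect": "Allow",
-"Action": [
-"kms:CreateGrant",
-"kms:ListGrants",
-"kms:RevokeGrant"
-],
-"Resource": "*",
-"Condition": {
-"Bool": {
-"kms:GrantIsForAWSResource": "true"
-}
-}
-}
-]
-}
-```
+{{< external-json "https://raw.githubusercontent.com/Redislabs-Solution-Architects/cloudformation-aws-Redislabs-Cloud-Account-IAM-Resources/refs/heads/master/RedislabsIAMUserRestrictedPolicy.json" >}}
 {{< /scrollable-code >}}
 
 - In **Review and Create**, enter `RedislabsIAMUserRestrictedPolicy` in the **Policy name** field.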
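Review bot: Both added `external-json` shortcodes (new lines 32 and 63) fetch the IAM policy text from a mutable `refs/heads/master` URL in a different GitHub organisation, so the JSON that readers are instructed to paste into their AWS account is no longer reviewed in this repository and can change — or be replaced by anyone with push access to that branch — without a docs PR. Pin each reference to an immutable tag or commit, e.g. `{{< external-json "https://raw.githubusercontent.com/Redislabs-Solution-Architects/cloudformation-aws-Redislabs-Cloud-Account-IAM-Resources/<PINNED_COMMIT_SHA>/RedisLabsInstanceRolePolicy.json" >}}`, and bump the pin deliberately when the upstream policy changes. Whether the shortcode resolves the URL at build time or in the reader's browser is not visible here; if it is the latter, a fetch failure or an outage of raw.githubusercontent.com leaves the step with an empty policy block, so a short fallback sentence naming the policy file and its canonical repository would keep the instructions usable.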
