AWS Default IAM Groups using Cloud Formation


I’ve created a default set of IAM groups and roles built on the AWS managed policies for Full Access and Read Only Access (covering EC2, IAM, CloudTrail, Direct Connect, S3 and RDS), plus two groups with inline policies for policy administration and billing.

Using CloudFormation you can quickly stand up a baseline set of groups and roles. Treat it as a starting point rather than least privilege: every group grants the whole of a service-level managed policy, and a few of them are effectively administrative – a member of the IAMFullAccess group can grant themselves anything, and CloudTrail full access allows stopping or deleting trails – so membership in those groups should be tightly controlled and reviewed.

This does not include a “modify” set of groups (write access without delete); that is still in progress.

Be mindful that when CloudFormation creates an IAM group or role without an explicit GroupName / RoleName, it generates the physical name as the stack name, then the logical resource ID, then a random suffix. So the resulting group names are effectively “random” and untidy. (You can set GroupName / RoleName explicitly, but the stack must then be deployed with CAPABILITY_NAMED_IAM instead of CAPABILITY_IAM.)

When scripting you can match on the logical ID embedded in the generated name (for example “EC2FullAccessGroup”) to isolate a group, so it shouldn’t prove too hard.

When using a CloudFormation Stack Name of “IAM” the resulting groups look like this:

IAM_Stack_DefaultGroups

And the Roles like this:

IAM_Stack_DefaultRoles

 

Note that the roles here are service roles: each trust policy allows only the service principal (ec2, cloudtrail, s3 or rds .amazonaws.com) to call sts:AssumeRole, so they are for the service to use on your behalf, not for people to assume, and not every service assumes roles – hence the shorter list (there are no IAM or Direct Connect roles). Before deploying these, consider adding aws:SourceAccount / aws:SourceArn conditions to the service trust policies to guard against confused-deputy use, and scope the attached policy to what the service actually needs rather than FullAccess.

 

The CloudFormation template is as follows (it still contains the Designer metadata, which is cosmetic and can be stripped). Deploying it requires acknowledging CAPABILITY_IAM because it creates IAM resources. Two things a reviewer will want to know first: the PolicyAdministrator group’s iam:CreatePolicyVersion / iam:SetDefaultPolicyVersion on Resource "*" lets a member rewrite any customer-managed policy in the account, including policies attached to more privileged principals, so it is a privilege-escalation path and should be treated as admin-equivalent; and the BillingAdministrator group’s aws-portal permissions only take effect once IAM access to billing information has been activated in the account settings by the root user.

{
"AWSTemplateFormatVersion": "2010-09-09",
"Metadata": {
"AWS::CloudFormation::Designer": {
"bd66ae66-c199-4f4e-9222-d4c26f93cff3": {
"size": {
"width": 60,
"height": 60
},
"position": {
"x": 300,
"y": 120
},
"z": 1,
"embeds": []
},
"760347fd-69d3-40af-be21-5919c5980546": {
"size": {
"width": 60,
"height": 60
},
"position": {
"x": 480,
"y": 120
},
"z": 1,
"embeds": []
},
"ba9f003e-c9a0-4063-b5a3-f86d7f7dc523": {
"size": {
"width": 60,
"height": 60
},
"position": {
"x": 390,
"y": 120
},
"z": 1,
"embeds": []
},
"5bc0fb61-d841-4c4a-94c9-8fa5aff3ef15": {
"size": {
"width": 60,
"height": 60
},
"position": {
"x": 570,
"y": 120
},
"z": 1,
"embeds": []
},
"d1a8c985-a934-4e45-b36e-3993803528b4": {
"size": {
"width": 60,
"height": 60
},
"position": {
"x": 300,
"y": 210
},
"z": 1,
"embeds": []
},
"a9bda8f6-2d83-476e-ab40-f70e0b0e9883": {
"size": {
"width": 60,
"height": 60
},
"position": {
"x": 480,
"y": 210
},
"z": 1,
"embeds": []
},
"1cdd12dc-9061-4b20-9866-ed0396302a4a": {
"size": {
"width": 60,
"height": 60
},
"position": {
"x": 300,
"y": 300
},
"z": 1,
"embeds": []
},
"03f89af3-a081-47cf-a7f4-949056024a70": {
"size": {
"width": 60,
"height": 60
},
"position": {
"x": 480,
"y": 300
},
"z": 1,
"embeds": []
},
"19e206e6-f27b-4bc8-90f7-1d4ff6372a31": {
"size": {
"width": 60,
"height": 60
},
"position": {
"x": 390,
"y": 300
},
"z": 1,
"embeds": []
},
"68cb6c4d-7666-4c53-bd18-2c0983fb4eda": {
"size": {
"width": 60,
"height": 60
},
"position": {
"x": 570,
"y": 300
},
"z": 1,
"embeds": []
},
"21134562-3bcc-4d68-90c8-8fb148e60408": {
"size": {
"width": 60,
"height": 60
},
"position": {
"x": 570,
"y": 570
},
"z": 1,
"embeds": []
},
"84807e2e-c16a-4073-aaf4-4f9e493ee27a": {
"size": {
"width": 60,
"height": 60
},
"position": {
"x": 390,
"y": 570
},
"z": 1,
"embeds": []
},
"9681b972-8278-4f63-ab52-7a829e2f4514": {
"size": {
"width": 60,
"height": 60
},
"position": {
"x": 480,
"y": 570
},
"z": 1,
"embeds": []
},
"9970a6b5-50a1-43a9-9d56-133b1d45501f": {
"size": {
"width": 60,
"height": 60
},
"position": {
"x": 300,
"y": 570
},
"z": 1,
"embeds": []
},
"b2cebb43-733e-424c-98d6-543f80b715b7": {
"size": {
"width": 60,
"height": 60
},
"position": {
"x": 570,
"y": 480
},
"z": 1,
"embeds": []
},
"98e23bf6-bc0f-4816-84b4-08f399694276": {
"size": {
"width": 60,
"height": 60
},
"position": {
"x": 390,
"y": 480
},
"z": 1,
"embeds": []
},
"fb473763-6a82-44b3-b865-cfbec49f1395": {
"size": {
"width": 60,
"height": 60
},
"position": {
"x": 480,
"y": 480
},
"z": 1,
"embeds": []
},
"5f79ff11-747b-4c9c-a4ba-800bab94f4b5": {
"size": {
"width": 60,
"height": 60
},
"position": {
"x": 300,
"y": 480
},
"z": 1,
"embeds": []
},
"740c7167-eed5-4946-a505-12b1f9080b5b": {
"size": {
"width": 60,
"height": 60
},
"position": {
"x": 570,
"y": 390
},
"z": 1,
"embeds": []
},
"17bb67d7-afb9-4f28-8ac1-21470764af99": {
"size": {
"width": 60,
"height": 60
},
"position": {
"x": 390,
"y": 390
},
"z": 1,
"embeds": []
},
"c812b0c9-d222-483c-af4f-28030a68d54c": {
"size": {
"width": 60,
"height": 60
},
"position": {
"x": 480,
"y": 390
},
"z": 1,
"embeds": []
},
"60930cc9-a1d1-4b87-b5b1-56ebbc944014": {
"size": {
"width": 60,
"height": 60
},
"position": {
"x": 300,
"y": 390
},
"z": 1,
"embeds": []
},
"594711c7-ed51-4d2a-ac33-88ff02aec6d0": {
"size": {
"width": 60,
"height": 60
},
"position": {
"x": 300,
"y": 30
},
"z": 1,
"embeds": []
},
"a67e5c9e-f217-462d-b8ae-b289b7ef2547": {
"size": {
"width": 60,
"height": 60
},
"position": {
"x": 390,
"y": 30
},
"z": 1,
"embeds": []
}
}
},
"Resources": {
"EC2FullAccessRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/AmazonEC2FullAccess"
],
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"ec2.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
}
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "ba9f003e-c9a0-4063-b5a3-f86d7f7dc523"
}
}
},
"EC2FullAccessGroup": {
"Type": "AWS::IAM::Group",
"Properties": {
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/AmazonEC2FullAccess"
]
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "bd66ae66-c199-4f4e-9222-d4c26f93cff3"
}
}
},
"EC2ReadOnlyAccessGroup": {
"Type": "AWS::IAM::Group",
"Properties": {
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess"
]
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "760347fd-69d3-40af-be21-5919c5980546"
}
}
},
"EC2ReadOnlyAccessRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess"
],
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"ec2.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
}
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "5bc0fb61-d841-4c4a-94c9-8fa5aff3ef15"
}
}
},
"IAMFullAccessGroup": {
"Type": "AWS::IAM::Group",
"Properties": {
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/IAMFullAccess"
]
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "d1a8c985-a934-4e45-b36e-3993803528b4"
}
}
},
"IAMReadOnlyAccessGroup": {
"Type": "AWS::IAM::Group",
"Properties": {
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/IAMReadOnlyAccess"
]
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "a9bda8f6-2d83-476e-ab40-f70e0b0e9883"
}
}
},
"CloudTrailFullAccessGroup": {
"Type": "AWS::IAM::Group",
"Properties": {
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/AWSCloudTrailFullAccess"
]
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "1cdd12dc-9061-4b20-9866-ed0396302a4a"
}
}
},
"CloudTrailReadOnlyAccessGroup": {
"Type": "AWS::IAM::Group",
"Properties": {
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/AWSCloudTrailReadOnlyAccess"
]
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "03f89af3-a081-47cf-a7f4-949056024a70"
}
}
},
"CloudTrailFullAccessRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/AWSCloudTrailFullAccess"
],
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"cloudtrail.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
}
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "19e206e6-f27b-4bc8-90f7-1d4ff6372a31"
}
}
},
"CloudTrailReadOnlyRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/AWSCloudTrailReadOnlyAccess"
],
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"cloudtrail.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
}
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "68cb6c4d-7666-4c53-bd18-2c0983fb4eda"
}
}
},
"DirectConnectFullAccessGroup": {
"Type": "AWS::IAM::Group",
"Properties": {
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/AWSDirectConnectFullAccess"
]
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "60930cc9-a1d1-4b87-b5b1-56ebbc944014"
}
}
},
"DirectConnectReadOnlyAccessGroup": {
"Type": "AWS::IAM::Group",
"Properties": {
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/AWSDirectConnectReadOnlyAccess"
]
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "c812b0c9-d222-483c-af4f-28030a68d54c"
}
}
},
"S3FullAccessGroup": {
"Type": "AWS::IAM::Group",
"Properties": {
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/AmazonS3FullAccess"
]
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "5f79ff11-747b-4c9c-a4ba-800bab94f4b5"
}
}
},
"S3ReadOnlyAccessGroup": {
"Type": "AWS::IAM::Group",
"Properties": {
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
]
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "fb473763-6a82-44b3-b865-cfbec49f1395"
}
}
},
"S3FullAccessRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/AmazonS3FullAccess"
],
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"s3.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
}
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "98e23bf6-bc0f-4816-84b4-08f399694276"
}
}
},
"S3ReadOnlyRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
],
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"s3.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
}
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "b2cebb43-733e-424c-98d6-543f80b715b7"
}
}
},
"RDSFullAccessGroup": {
"Type": "AWS::IAM::Group",
"Properties": {
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/AmazonRDSFullAccess"
]
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "9970a6b5-50a1-43a9-9d56-133b1d45501f"
}
}
},
"RDSReadOnlyAccessGroup": {
"Type": "AWS::IAM::Group",
"Properties": {
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/AmazonRDSReadOnlyAccess"
]
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "9681b972-8278-4f63-ab52-7a829e2f4514"
}
}
},
"RDSFullAccessRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/AmazonRDSFullAccess"
],
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"rds.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
}
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "84807e2e-c16a-4073-aaf4-4f9e493ee27a"
}
}
},
"RDSReadOnlyRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/AmazonRDSReadOnlyAccess"
],
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"rds.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
}
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "21134562-3bcc-4d68-90c8-8fb148e60408"
}
}
},
"PolicyAdministratorGroup": {
"Type": "AWS::IAM::Group",
"Properties": {
"Policies": [
{
"PolicyName":"PolicyAdministrator",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"iam:CreatePolicy",
"iam:CreatePolicyVersion",
"iam:DeletePolicy",
"iam:DeletePolicyVersion",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:ListPolicies",
"iam:ListPolicyVersions",
"iam:SetDefaultPolicyVersion"
],
"Resource": "*"
}]
}
}
]
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "594711c7-ed51-4d2a-ac33-88ff02aec6d0"
}
}
},
"BillingAdministratorGroup": {
"Type": "AWS::IAM::Group",
"Properties": {
"Policies": [
{
"PolicyName": "BillingAdministrator",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "aws-portal:*Billing",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "ec2-reports:*",
"Resource": "*"
}
]
}
}
]
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "a67e5c9e-f217-462d-b8ae-b289b7ef2547"
}
}
}
}
}

Paste it into CloudFormation Designer – it will fix the indentation for you 😉 Also check that every managed-policy ARN still exists before deploying; AWS deprecates and renames managed policies over time (the CloudTrail ones in particular), and a missing ARN will fail the stack.