
IAM Policy Examples


Trust - Organization accounts

Allow every account in my organization to assume a role. The principal is left open (`"AWS": "*"`) and the `Condition` block does the restricting: the caller must belong to the organization (`aws:PrincipalOrgID`) and pass the expected `sts:ExternalId`.

JSON

```json
{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {
            "AWS": "*"
        },
        "Action": "sts:AssumeRole",
        "Condition": {
            "StringEquals": {
                "sts:ExternalId": "ext-id",
                "aws:PrincipalOrgID": "organisation-id"
            }
        }
    }]
}
```
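The trust policy above is only safe because of its `Condition` block; drop it and the role is assumable from any AWS account. The following check is an added example, not code from the original page: it parses a trust policy and reports any `Allow` statement that grants `sts:AssumeRole` to `Principal "*"` without a principal-scoping condition key (`aws:PrincipalOrgID`, `aws:PrincipalOrgPaths`, `aws:PrincipalAccount` or `aws:PrincipalArn`). The two embedded policies are constructed inputs.

```python
import json

# Constructed input: the page's organization trust policy (with Version/braces completed).
ORG_TRUST_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "*"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {
      "sts:ExternalId": "ext-id",
      "aws:PrincipalOrgID": "organisation-id"}}
  }]
}"""

# Constructed input: the same policy with the Condition block removed.
OPEN_TRUST_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "*"},
    "Action": "sts:AssumeRole"
  }]
}"""

ASSUME_ACTIONS = {"sts:assumerole", "sts:*", "*"}
# Condition keys that actually bound *who* may call AssumeRole.
SCOPING_KEYS = {"aws:principalorgid", "aws:principalorgpaths",
                "aws:principalaccount", "aws:principalarn"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_keys(condition):
    """Flatten {"StringEquals": {"aws:PrincipalOrgID": ...}} into lowercase key names."""
    return {key.lower() for block in condition.values() for key in block}

def audit_trust_policy(policy_json):
    """Return findings for statements that let any principal assume the role
    without an organization/account/ARN scoping condition."""
    findings = []
    for idx, stmt in enumerate(_as_list(json.loads(policy_json)["Statement"])):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not actions & ASSUME_ACTIONS:
            continue
        principal = stmt.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if "*" not in aws_principals:
            continue
        if not _condition_keys(stmt.get("Condition", {})) & SCOPING_KEYS:
            findings.append(f"statement {idx}: Principal '*' may AssumeRole with no "
                            f"aws:PrincipalOrgID / PrincipalAccount / PrincipalArn condition")
    return findings
```

Note that `sts:ExternalId` alone is deliberately not treated as a scoping key: it is a shared secret for the confused-deputy case, not an identity constraint, so the check still wants `aws:PrincipalOrgID` (or an account/ARN key) alongside it.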

Allow access to an S3 bucket encrypted with a KMS key

JSON

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::BUCKET_ID",
                "arn:aws:s3:::BUCKET_ID/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:GenerateDataKey"
            ],
            "Resource": "arn:aws:kms:ca-central-1:123456789012:key/ddddddd-aaaa-bbbb-cccc-1234567890"
        }
    ]
}
```

Terraform

TBD