def ecs_agent_policy():
    """Build the IAM policy for the ECS container agent (instance role).

    Grants the agent the calls it makes to join a cluster, poll for work and
    report container/task state changes.  Every action is granted on
    ``Resource: "*"``: this is an agent policy, so it should only ever be
    attached to the container-instance role, never to a user or CI principal.
    NOTE(review): whether these agent actions can be narrowed to specific
    cluster ARNs is not established here -- confirm against the current ECS
    IAM reference before tightening the wildcard.

    Returns:
        An ``awacs`` ``Policy`` with a single Allow statement.
    """
    # Order is preserved from the original listing so the serialized JSON
    # (and therefore any policy-document diffing) stays identical.
    agent_actions = [
        ecs.CreateCluster,
        ecs.RegisterContainerInstance,
        ecs.DeregisterContainerInstance,
        ecs.DiscoverPollEndpoint,
        ecs.ECSAction("Submit*"),
        ecs.Poll,
        ecs.ECSAction("StartTelemetrySession"),
    ]
    agent_statement = Statement(Effect=Allow, Resource=["*"], Action=agent_actions)
    return Policy(Statement=[agent_statement])
def empire_policy():
    """Build the IAM policy for the Empire control plane.

    Six Allow statements, all on ``Resource: "*"``: ECS service/task
    lifecycle, classic ELB create/delete/configure, EC2 describes, IAM
    server-certificate management plus ``iam:PassRole``, Route53 record
    changes, and Kinesis read/list.

    Security review notes (no behaviour change here, but these are the
    statements to tighten before this policy goes near production):

    * ``iam:PassRole`` on ``*`` lets whoever holds this policy hand *any*
      role in the account to an ECS task it launches (``ecs.RunTask`` /
      ``ecs.RegisterTaskDefinition`` are granted in the same policy).  That
      is a direct privilege-escalation path to any role that ECS tasks can
      assume.  Scope ``Resource`` to the specific task/service role ARNs and,
      where the awacs version in use supports it, add an
      ``iam:PassedToService`` condition restricting it to ``ecs``.
    * ``iam:UploadServerCertificate`` / ``iam:DeleteServerCertificate`` on
      ``*`` can replace or remove every server certificate in the account,
      not just the ones Empire manages.
    * ``route53:ChangeResourceRecordSets`` on ``*`` can rewrite DNS in every
      hosted zone in the account (the inline TODO already asks for zone
      scoping).
    * ``elasticloadbalancing:DeleteLoadBalancer`` on ``*`` can remove load
      balancers that Empire did not create.
    * ``kinesis:Get*`` on ``*`` is read access to every stream's data, not
      only Empire's log stream.

    Returns:
        An ``awacs`` ``Policy`` with the six statements in the order above.
    """
    # ECS service / task-definition / task lifecycle for the scheduler.
    ecs_statement = Statement(
        Effect=Allow,
        Resource=["*"],
        Action=[
            ecs.CreateService,
            ecs.DeleteService,
            ecs.DeregisterTaskDefinition,
            ecs.ECSAction("Describe*"),
            ecs.ECSAction("List*"),
            ecs.RegisterTaskDefinition,
            ecs.RunTask,
            ecs.StartTask,
            ecs.StopTask,
            ecs.SubmitTaskStateChange,
            ecs.UpdateService,
        ],
    )

    # Classic ELB management for service endpoints.
    # TODO: Limit to specific ELB?  (Delete on "*" reaches every ELB.)
    elb_statement = Statement(
        Effect=Allow,
        Resource=["*"],
        Action=[
            elb.DeleteLoadBalancer,
            elb.CreateLoadBalancer,
            elb.DescribeLoadBalancers,
            elb.DescribeTags,
            elb.ConfigureHealthCheck,
            elb.ModifyLoadBalancerAttributes,
        ],
    )

    # Read-only network discovery needed when placing load balancers.
    ec2_statement = Statement(
        Effect=Allow,
        Resource=["*"],
        Action=[ec2.DescribeSubnets, ec2.DescribeSecurityGroups],
    )

    # Server certificates for HTTPS listeners, plus PassRole for task roles.
    # SECURITY: PassRole on "*" is the most sensitive grant in this policy --
    # see the docstring.  Scope it to the task/service role ARNs.
    iam_statement = Statement(
        Effect=Allow,
        Action=[
            iam.GetServerCertificate,
            iam.UploadServerCertificate,
            iam.DeleteServerCertificate,
            iam.PassRole,
        ],
        Resource=["*"],
    )

    # DNS records for services.  ListHostedZonesByName is spelled out with the
    # generic Action() because awacs' route53 module did not expose it.
    # TODO: Limit to specific zones
    route53_statement = Statement(
        Effect=Allow,
        Action=[
            Action("route53", "ListHostedZonesByName"),
            route53.ChangeResourceRecordSets,
            route53.ListHostedZones,
            route53.GetHostedZone,
        ],
        Resource=["*"],
    )

    # Kinesis read/list (log stream consumption).  Get* on "*" reads any
    # stream in the account; scope to the stream ARN if possible.
    kinesis_statement = Statement(
        Effect=Allow,
        Action=[
            kinesis.DescribeStream,
            Action(kinesis.prefix, "Get*"),
            Action(kinesis.prefix, "List*"),
        ],
        Resource=["*"],
    )

    return Policy(
        Statement=[
            ecs_statement,
            elb_statement,
            ec2_statement,
            iam_statement,
            route53_statement,
            kinesis_statement,
        ]
    )
def create_ecs_service_role(region, namespace, mappings, parameters, **kwargs):
    """Attach an inline policy to the pre-existing ``ecsServiceRole``.

    The role must be named exactly ``ecsServiceRole``, which is why it is
    handled out-of-band here instead of through CloudFormation.  See:

    http://docs.aws.amazon.com/AmazonECS/latest/developerguide/IAM_policies.html#service_IAM_role

    Only ``region`` is used; ``namespace``, ``mappings``, ``parameters`` and
    ``**kwargs`` are accepted to match the hook signature the caller expects.

    NOTE(review): the inline policy written here (CreateCluster, Poll,
    Submit*, ...) is the container-*agent* action set, not the ELB/EC2
    permissions the linked service-role documentation describes.  Confirm
    this is intentional before relying on it.  The policy is also granted on
    ``Resource: "*"``.

    Args:
        region: AWS region to connect to.
        namespace: unused (hook signature).
        mappings: unused (hook signature).
        parameters: unused (hook signature).
        **kwargs: unused (hook signature).

    Returns:
        ``True`` once ``put_role_policy`` has been issued.  Failures are not
        caught here and propagate from the boto call.
    """
    role_name = "ecsServiceRole"
    inline_policy_name = "AmazonEC2ContainerServiceRole"

    service_statement = Statement(
        Effect=Allow,
        Resource=["*"],
        Action=[
            ecs.CreateCluster,
            ecs.DeregisterContainerInstance,
            ecs.DiscoverPollEndpoint,
            ecs.Poll,
            ecs.ECSAction("Submit*"),
        ],
    )
    document = Policy(Statement=[service_statement]).to_json()

    iam_conn = connect_to_region(region)
    iam_conn.put_role_policy(role_name, inline_policy_name, document)
    return True
# Example taken from AWS docs:
# http://docs.aws.amazon.com/AmazonECS/latest/developerguide/IAM_policies.html#instance_IAM_role

from awacs.aws import Allow
from awacs.aws import Policy, Statement
import awacs.ecs as ecs

# Instance-role policy for the ECS container agent: register with a cluster,
# poll for work and submit state changes.  Granted on Resource "*", as in the
# AWS example this is taken from; attach it only to the container-instance
# role.
agent_actions = [
    ecs.CreateCluster,
    ecs.RegisterContainerInstance,
    ecs.DeregisterContainerInstance,
    ecs.DiscoverPollEndpoint,
    ecs.ECSAction("Submit*"),
    ecs.Poll,
]
pd = Policy(
    Statement=[
        Statement(Effect=Allow, Action=agent_actions, Resource=["*"]),
    ]
)
# Emit the rendered policy document so it can be pasted into IAM / compared.
print(pd.to_json())