def _get_instance_profile(self, chain_context): s3readPolicy = iam.Policy( PolicyName='S3ReadArtifactBucket', PolicyDocument=Policy(Statement=[ Statement(Effect=Allow, Action=[ awacs.s3.GetObject, ], Resource=[s3.ARN(self.bucket_name + "/*")]), Statement(Effect=Allow, Action=[ awacs.s3.ListBucket, ], Resource=[s3.ARN(self.bucket_name)]) ])) cfnrole = chain_context.template.add_resource( Role(EC2_ROLE_NAME, AssumeRolePolicyDocument=Policy(Statement=[ Statement(Effect=Allow, Action=[AssumeRole], Principal=Principal("Service", ["ec2.amazonaws.com"])) ]), Policies=[s3readPolicy])) instance_profile = InstanceProfile(INSTANCE_PROFILE_NAME, Roles=[Ref(cfnrole)]) return instance_profile
def test_for_all_values(self): c = aws.Condition( aws.ForAllValuesStringLike("dynamodb:requestedAttributes", ["PostDateTime", "Message", "Tags"])) pd = aws.Policy(Statement=[ aws.Statement( Action=[s3.ListBucket], Effect=aws.Allow, Resource=[s3.ARN("myBucket")], Condition=c, ) ]) self.assertEqual( { u'Statement': [{ u'Action': [u's3:ListBucket'], u'Condition': { u'ForAllValues:StringLike': { u'dynamodb:requestedAttributes': [u'PostDateTime', u'Message', u'Tags'] } }, u'Effect': u'Allow', u'Resource': [u'arn:aws:s3:::myBucket'] }] }, json.loads(pd.to_json()))
def test_for_all_values(self): c = aws.Condition( aws.ForAllValuesStringLike("dynamodb:requestedAttributes", ["PostDateTime", "Message", "Tags"])) pd = aws.PolicyDocument(Statement=[ aws.Statement( Action=[s3.ListBucket], Effect=aws.Allow, Resource=[s3.ARN("myBucket")], Condition=c, ) ]) self.assertEqual( { "Statement": [{ "Action": ["s3:ListBucket"], "Condition": { "ForAllValues:StringLike": { "dynamodb:requestedAttributes": [ "PostDateTime", "Message", "Tags", ] } }, "Effect": "Allow", "Resource": ["arn:aws:s3:::myBucket"], }] }, json.loads(pd.to_json()), )
def test_arn_equality(self): self.assertEqualWithHash( s3.ARN("myBucket"), s3.ARN("myBucket")) self.assertNotEqualWithHash( s3.ARN("myBucket"), s3.ARN("myOtherBucket")) self.assertEqualWithHash( ec2.ARN("some-resource", "some-region", "some-account"), ec2.ARN("some-resource", "some-region", "some-account")) self.assertNotEqualWithHash( ec2.ARN("some-resource", "some-region", "some-account"), ec2.ARN("some-resource", "some-other-region", "some-account")) self.assertNotEqualWithHash( ec2.ARN("some-resource", "some-region", "some-account"), iam.ARN("some-resource", "some-region", "some-account"))
def _create_code_build_role(self): code_build_role = iam.Role( 'CodeBuildRole', AssumeRolePolicyDocument=Policy( Version='2012-10-17', Statement=[ Statement( Effect=Allow, Action=[ _sts.AssumeRole, ], Principal=Principal( 'Service', 'codebuild.amazonaws.com' ) ) ] ) ) self._t.add_resource(code_build_role) code_build_policy = iam.PolicyType( 'CodeBuildPolicy', PolicyName='CodeBuildPolicy', PolicyDocument=Policy( Version='2012-10-17', Statement=[ Statement( Action=[ _logs.CreateLogGroup, _logs.CreateLogStream, _logs.PutLogEvents, ], Effect=Allow, Resource=['*'], ), Statement( Effect=Allow, Action=[ _s3.GetObject, _s3.GetObjectVersion, _s3.PutObject, ], Resource=[_s3.ARN('*')], ), ] ), Roles=[Ref(code_build_role)], ) self._t.add_resource(code_build_policy) return code_build_role
Description='Subnet to use for Redshift', )) security_group = template.add_parameter( Parameter( 'SecurityGroup', Type='String', Description='Security Group to use for Redshift', )) policy_doc = Policy(Statement=[ Statement(Sid='ReadAccessS3', Effect=Allow, Action=[Action('s3', 'List*'), Action('s3', 'Get*')], Resource=[s3_doc.ARN('nicor-data'), s3_doc.ARN('nicor-data/*')]), ]) redshift_role = template.add_resource( iam.Role('RedshiftRole', RoleName='RedshiftRole', AssumeRolePolicyDocument={ "Statement": [{ "Effect": "Allow", "Principal": { "Service": ["redshift.amazonaws.com"] }, "Action": ["sts:AssumeRole"] }] },
Statement(Sid='KinesisAccess', Effect=Allow, Action=[Action('kinesis', '*')], Resource=[ 'arn:aws:kinesis:eu-west-1:749785218022:stream/DevStreamES' ]), Statement(Sid='LogsAccess', Effect=Allow, Action=[Action('logs', '*')], Resource=['*']), Statement(Sid='ReadS3DeploymentBucket', Effect=Allow, Action=[Action('s3', 'Get*'), Action('s3', 'List*')], Resource=[ s3.ARN('nicor-dev'), s3.ARN('nicor-dev/*'), ]) ]) instance_role = template.add_resource( iam.Role('InstanceRole', RoleName='TweetProducerRole', AssumeRolePolicyDocument={ "Statement": [{ "Effect": "Allow", "Principal": { "Service": ["ec2.amazonaws.com"] }, "Action": ["sts:AssumeRole"] }]
def generate_template(service_name): t = Template() t.add_version('2010-09-09') t.add_description("""\ AWS CloudFormation Template for AWS Exploitation Lab """) t.add_mapping("PublicRegionMap", ami_public_mapping) t.add_mapping("PrivateRegionMap", ami_private_mapping) keyname_param = t.add_parameter( Parameter( 'KeyName', ConstraintDescription= 'must be the name of an existing EC2 KeyPair.', Description= 'Name of an existing EC2 KeyPair to enable SSH access to \ the instance', Type='AWS::EC2::KeyPair::KeyName', )) sshlocation_param = t.add_parameter( Parameter( 'SSHLocation', Description= ' The IP address range that can be used to SSH to the EC2 \ instances', Type='String', MinLength='9', MaxLength='18', Default='0.0.0.0/32', AllowedPattern= "(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})", ConstraintDescription=( "must be a valid IP CIDR range of the form x.x.x.x/x."), )) instanceType_param = t.add_parameter( Parameter( 'InstanceType', Type='String', Description='WebServer EC2 instance type', Default='t2.micro', AllowedValues=[ 't2.micro', 't2.small', 't2.medium', 'm3.medium', 'm3.large', 'm3.xlarge', 'm3.2xlarge', ], ConstraintDescription='must be a valid EC2 instance type.', )) ref_stack_id = Ref('AWS::StackId') ec2_role = t.add_resource( Role("%sEC2Role" % service_name, AssumeRolePolicyDocument=awacs.aws.Policy(Statement=[ awacs.aws.Statement( Effect=awacs.aws.Allow, Action=[awacs.aws.Action("sts", "AssumeRole")], Principal=awacs.aws.Principal("Service", ["ec2.amazonaws.com"])) ]))) ec2_role.ManagedPolicyArns = ["arn:aws:iam::aws:policy/ReadOnlyAccess"] ec2_snapshot_policy_document = awacs.aws.Policy(Statement=[ awacs.aws.Statement(Sid="PermitEC2Snapshots", Effect=awacs.aws.Allow, Action=[ awacs.aws.Action("ec2", "CreateSnapshot"), awacs.aws.Action("ec2", "ModifySnapshotAttribute"), ], Resource=["*"]) ]) ec2_snapshot_policy = Policy(PolicyName="EC2SnapshotPermissions", PolicyDocument=ec2_snapshot_policy_document) priv_ec2_role = t.add_resource( Role("%sPrivEC2Role" % service_name, AssumeRolePolicyDocument=awacs.aws.Policy(Statement=[ awacs.aws.Statement( Effect=awacs.aws.Allow, Action=[awacs.aws.Action("sts", "AssumeRole")], Principal=awacs.aws.Principal("Service", ["ec2.amazonaws.com"])) ]), Policies=[ec2_snapshot_policy])) priv_ec2_role.ManagedPolicyArns = [ "arn:aws:iam::aws:policy/ReadOnlyAccess" ] VPC_ref = t.add_resource( VPC('VPC', CidrBlock='10.0.0.0/16', Tags=Tags(Application=ref_stack_id))) instanceProfile = t.add_resource( InstanceProfile("InstanceProfile", InstanceProfileName="%sInstanceRole" % (service_name), Roles=[Ref(ec2_role)])) privInstanceProfile = t.add_resource( InstanceProfile("PrivInstanceProfile", InstanceProfileName="%sPrivInstanceRole" % (service_name), Roles=[Ref(priv_ec2_role)])) public_subnet = t.add_resource( Subnet('%sSubnetPublic' % service_name, MapPublicIpOnLaunch=True, CidrBlock='10.0.1.0/24', VpcId=Ref(VPC_ref), Tags=Tags(Application=ref_stack_id, Name="%sSubnet_public" % (service_name)))) private_subnet = t.add_resource( Subnet('%sSubnetPrivate' % service_name, MapPublicIpOnLaunch=False, CidrBlock='10.0.2.0/24', VpcId=Ref(VPC_ref), Tags=Tags(Application=ref_stack_id, Name="%sSubnet_private" % (service_name)))) internetGateway = t.add_resource( InternetGateway('InternetGateway', Tags=Tags(Application=ref_stack_id, Name="%sInternetGateway" % service_name))) gatewayAttachment = t.add_resource( VPCGatewayAttachment('AttachGateway', VpcId=Ref(VPC_ref), InternetGatewayId=Ref(internetGateway))) routeTable = t.add_resource( RouteTable('RouteTable', VpcId=Ref(VPC_ref), Tags=Tags(Application=ref_stack_id, Name="%sRouteTable" % service_name))) route = t.add_resource( Route( 'Route', DependsOn='AttachGateway', GatewayId=Ref('InternetGateway'), DestinationCidrBlock='0.0.0.0/0', RouteTableId=Ref(routeTable), )) # Only associate this Route Table with the public subnet subnetRouteTableAssociation = t.add_resource( SubnetRouteTableAssociation( 'SubnetRouteTableAssociation', SubnetId=Ref(public_subnet), RouteTableId=Ref(routeTable), )) instanceSecurityGroup = t.add_resource( SecurityGroup( 'InstanceSecurityGroup', GroupDescription='%sSecurityGroup' % service_name, SecurityGroupIngress=[ SecurityGroupRule(IpProtocol='tcp', FromPort='22', ToPort='22', CidrIp=Ref(sshlocation_param)), SecurityGroupRule(IpProtocol='tcp', FromPort='80', ToPort='80', CidrIp='0.0.0.0/0'), SecurityGroupRule(IpProtocol='tcp', FromPort='443', ToPort='443', CidrIp='0.0.0.0/0'), SecurityGroupRule(IpProtocol='tcp', FromPort='0', ToPort='65535', CidrIp="10.0.0.0/8"), ], VpcId=Ref(VPC_ref), )) public_instance = t.add_resource( Instance( "Public%sInstance" % service_name, ImageId=FindInMap("PublicRegionMap", Ref("AWS::Region"), "AMI"), InstanceType=Ref(instanceType_param), KeyName=Ref(keyname_param), NetworkInterfaces=[ NetworkInterfaceProperty(GroupSet=[Ref(instanceSecurityGroup)], AssociatePublicIpAddress='true', DeviceIndex='0', DeleteOnTermination='true', SubnetId=Ref(public_subnet)) ], UserData=Base64(public_instance_userdata), Tags=Tags(Application=ref_stack_id, Name='%sPublicInstance' % (service_name)))) private_instance = t.add_resource( Instance( "Private%sInstance" % service_name, ImageId=FindInMap("PrivateRegionMap", Ref("AWS::Region"), "AMI"), InstanceType=Ref(instanceType_param), KeyName=Ref(keyname_param), NetworkInterfaces=[ NetworkInterfaceProperty(GroupSet=[Ref(instanceSecurityGroup)], DeviceIndex='0', DeleteOnTermination='true', SubnetId=Ref(private_subnet)) ], UserData=Base64(private_instance_userdata), Tags=Tags(Application=ref_stack_id, Name='%sPrivateInstance' % (service_name)), IamInstanceProfile="%sPrivInstanceRole" % (service_name))) outputs = [] outputs.append( Output( "PublicIP", Description="IP Address of Public Instance", Value=GetAtt(public_instance, "PublicIp"), )) t.add_output(outputs) # Set up S3 Bucket and CloudTrail S3Bucket = t.add_resource(Bucket("S3Bucket", DeletionPolicy="Retain")) S3PolicyDocument = awacs.aws.PolicyDocument( Id='EnforceServersideEncryption', Version='2012-10-17', Statement=[ awacs.aws.Statement( Sid='PermitCTBucketPut', Action=[s3.PutObject], Effect=awacs.aws.Allow, Principal=awacs.aws.Principal("Service", ["cloudtrail.amazonaws.com"]), Resource=[Join('', [s3.ARN(''), Ref(S3Bucket), "/*"])], ), awacs.aws.Statement( Sid='PermitCTBucketACLRead', Action=[s3.GetBucketAcl], Effect=awacs.aws.Allow, Principal=awacs.aws.Principal("Service", ["cloudtrail.amazonaws.com"]), Resource=[Join('', [s3.ARN(''), Ref(S3Bucket)])], ) ]) S3BucketPolicy = t.add_resource( BucketPolicy("BucketPolicy", PolicyDocument=S3PolicyDocument, Bucket=Ref(S3Bucket), DependsOn=[S3Bucket])) myTrail = t.add_resource( Trail( "CloudTrail", IsLogging=True, S3BucketName=Ref(S3Bucket), DependsOn=["BucketPolicy"], )) myTrail.IsMultiRegionTrail = True myTrail.IncludeGlobalServiceEvents = True return t.to_json()
# Example taken from AWS docs: # http://docs.aws.amazon.com/IAM/latest/UserGuide/ # ExampleIAMPolicies.html#iampolicy-example-s3homedir from awacs.aws import Action, Allow, Condition from awacs.aws import Policy, Statement from awacs.aws import StringEquals, StringLike import awacs.s3 as s3 pd = Policy(Statement=[ Statement( Action=[s3.ListAllMyBuckets, s3.GetBucketLocation], Effect=Allow, Resource=[ s3.ARN("*"), ], ), Statement( Action=[s3.ListBucket], Effect=Allow, Resource=[s3.ARN("myBucket")], Condition=Condition( StringEquals({ 's3:prefix': ['', 'home/'], 's3:delimiter': ['/'], }), ), ), Statement( Action=[s3.ListBucket], Effect=Allow, Resource=[s3.ARN("myBucket")],
def create_template(): t = Template() t.add_description("The individual CodeBuild stack for CBuildCI.") p_build_description = t.add_parameter( Parameter( "BuildDescription", Description="Used for the CodeBuild project description.", Type="String", )) p_api_lambda_role = t.add_parameter( Parameter( "ApiLambdaRole", Description= "The IAM role used by the API lambda function, which will receive permission to monitor builds.", Type="String", )) p_step_lambda_role = t.add_parameter( Parameter( "StepLambdaRole", Description= "The IAM role used by the lambda function, which will receive permission to start, stop and monitor builds.", Type="String", )) p_source_bucket = t.add_parameter( Parameter( "SourceBucket", Type="String", )) p_source_key_prefix = t.add_parameter( Parameter( "SourceKeyPrefix", Type="String", Default="github-source/", )) p_artifact_bucket = t.add_parameter( Parameter( "ArtifactBucket", Type="String", )) p_artifact_key_prefix = t.add_parameter( Parameter( "ArtifactKeyPrefix", Type="String", Default="github-artifacts/", )) p_cache_bucket = t.add_parameter(Parameter( "CacheBucket", Type="String", )) p_cache_key_prefix = t.add_parameter( Parameter( "CacheKeyPrefix", Type="String", Default="github-cache/", )) p_logs_retention_days = t.add_parameter( Parameter( "LogsRetentionDays", Description= "Number of days to keep CloudWatch logs for this stack's lambda function.", Type="Number", Default="30", )) p_code_build_role_policy_arns = t.add_parameter( Parameter( "CodeBuildRolePolicyArns", Description= "Optional list of IAM managed policy ARNs to attach to the CodeBuild role.", Type="String", Default="-NONE-", )) p_read_ecr_arns = t.add_parameter( Parameter( "ReadECRArns", Description= "ECS Repository ARNs to give CodeBuild permission to pull images from.", Type="String", Default="-NONE-", )) p_read_s3_arns = t.add_parameter( Parameter( "ReadS3Arns", Description="S3 ARNs to give CodeBuild permission to S3.", Type="String", Default="-NONE-", )) p_read_ssm_param_arns = t.add_parameter( Parameter( "ReadSSMParamArns", Description="SSM parameters to give CodeBuild permission to read.", Type="String", Default="-NONE-", )) p_read_kms_arns = t.add_parameter( Parameter( "ReadKMSArns", Description="KMS keys to give CodeBuild permission to decrypt.", Type="String", Default="-NONE-", )) p_vpc = t.add_parameter( Parameter( "VPC", Description="Optional VPC to use for CodeBuild.", Type="String", Default="-NONE-", )) p_security_groups = t.add_parameter( Parameter( "SecurityGroups", Description="Security groups to use for CodeBuild.", Type="String", Default="-NONE-", )) p_subnets = t.add_parameter( Parameter( "Subnets", Description="Subnets to use for CodeBuild.", Type="String", Default="-NONE-", )) t.add_condition( "HasCodeBuildRolePolicyArns", Not(Equals(Ref(p_code_build_role_policy_arns), "-NONE-")), ) t.add_condition( "HasReadECRArns", Not(Equals(Ref(p_read_ecr_arns), "-NONE-")), ) t.add_condition( "HasReadS3Arns", Not(Equals(Ref(p_read_s3_arns), "-NONE-")), ) t.add_condition( "HasReadSSMParamArns", Not(Equals(Ref(p_read_ssm_param_arns), "-NONE-")), ) t.add_condition( "HasReadKMSArns", Not(Equals(Ref(p_read_kms_arns), "-NONE-")), ) t.add_condition( "HasVPC", Not(Equals(Ref(p_vpc), "-NONE-")), ) # Replace with custom tags if desired. tags = build_tags_list(t) r_log_group = t.add_resource( LogGroup( "CodeBuildLogGroup", LogGroupName=Sub("/aws/codebuild/${AWS::StackName}"), RetentionInDays=Ref(p_logs_retention_days), )) r_code_build_role = t.add_resource( Role( "CodeBuildRole", AssumeRolePolicyDocument=PolicyDocument( Version="2012-10-17", Statement=[ Statement( Effect=Allow, Action=[ac_sts.AssumeRole], Principal=Principal("Service", ["codebuild.amazonaws.com"]), ), ], ), ManagedPolicyArns=If( "HasCodeBuildRolePolicyArns", Split(",", Ref(p_code_build_role_policy_arns)), NoValue, ), Policies=[ Policy( PolicyName="code-build-policy", PolicyDocument={ "Statement": [ Statement( Effect=Allow, Resource=[ GetAtt(r_log_group, "Arn"), ], Action=[ ac_logs.CreateLogGroup, ac_logs.CreateLogStream, ac_logs.PutLogEvents, ], ), Statement( Effect=Allow, Resource=[ Sub( ac_s3.ARN(resource="${%s}/${%s}*" % ( p_source_bucket.title, p_source_key_prefix.title, ), )), ], Action=[ ac_s3.GetObject, ac_s3.GetObjectVersion, ], ), Statement( Effect=Allow, Resource=[ Sub( ac_s3.ARN(resource="${%s}/${%s}*" % ( p_artifact_bucket.title, p_artifact_key_prefix.title, ), )), Sub( ac_s3.ARN(resource="${%s}/${%s}*" % ( p_cache_bucket.title, p_cache_key_prefix.title, ), )), ], Action=[ ac_s3.GetObject, ac_s3.GetObjectVersion, ac_s3.PutObject, ], ), If( "HasReadECRArns", { "Effect": Allow, "Resource": Split(",", Ref(p_read_ecr_arns)), "Action": [ ac_ecr.BatchCheckLayerAvailability, ac_ecr.BatchGetImage, ac_ecr.GetDownloadUrlForLayer, ], }, NoValue, ), If( "HasReadS3Arns", { "Effect": Allow, "Resource": Split(",", Ref(p_read_s3_arns)), "Action": [ ac_s3.ListBucket, ac_s3.GetObject, ac_s3.GetObject, ac_s3.GetObjectVersion, ], }, NoValue, ), If( "HasReadSSMParamArns", { "Effect": Allow, "Resource": Split(",", Ref(p_read_ssm_param_arns)), "Action": [ ac_ssm.GetParameter, ], }, NoValue, ), If( "HasReadKMSArns", { "Effect": Allow, "Resource": Split(",", Ref(p_read_kms_arns)), "Action": [ ac_kms.Decrypt, ], }, NoValue, ), ] }, ), ], )) r_code_build = t.add_resource( Project( "CodeBuild", Name=Ref("AWS::StackName"), Description=Ref(p_build_description), ServiceRole=Ref(r_code_build_role), Source=Source(Type="CODEPIPELINE", ), Artifacts=Artifacts(Type="CODEPIPELINE", ), VpcConfig=If( "HasVPC", VpcConfig( VpcId=Ref(p_vpc), Subnets=Ref(p_subnets), SecurityGroupIds=Ref(p_security_groups), ), NoValue, ), Environment=CodeBuildEnvironment( Type="LINUX_CONTAINER", ComputeType="BUILD_GENERAL1_SMALL", Image="aws/codebuild/ubuntu-base:14.04", ), Tags=tags, )) t.add_resource( PolicyType( "ApiLambdaRolePolicy", Roles=[ Ref(p_api_lambda_role), ], PolicyName=Sub("${AWS::StackName}-policy"), PolicyDocument=PolicyDocument(Statement=[ Statement( Effect=Allow, Resource=[GetAtt(r_code_build, "Arn")], Action=[ ac_codebuild.BatchGetBuilds, ], ), Statement( Effect=Allow, Resource=[ GetAtt(r_log_group, "Arn"), ], Action=[ ac_logs.GetLogEvents, ], ), ], ), )) t.add_resource( PolicyType( "StepLambdaRolePolicy", Roles=[ Ref(p_step_lambda_role), ], PolicyName=Sub("${AWS::StackName}-policy"), PolicyDocument=PolicyDocument(Statement=[ Statement( Effect=Allow, Resource=[GetAtt(r_code_build, "Arn")], Action=[ ac_codebuild.StartBuild, ac_codebuild.StopBuild, ac_codebuild.BatchGetBuilds, ], ), ], ), )) t.add_output(Output( "CodeBuildProjectName", Value=Ref(r_code_build), )) t.add_output(Output( "CodeBuildArn", Value=GetAtt(r_code_build, "Arn"), )) return t