Sample IAM roles and policies for different AWS services.

They are written using troposphere and awacs; each Python file generates the corresponding AWS CloudFormation template as JSON and YAML when executed.

awacs and the other Python dependencies can be installed with pip by running:

$ pip install -r requirements.txt

Some files require you to replace placeholder values (bucket names, ARNs and similar) with those of your own services before executing the Python file.
Generating Export Bucket Policy for use with AWS CloudWatch Logs Export
Replace my-s3-bucket-name and my-s3-bucket-arn with your own information:
from troposphere import Join, Sub, Template
from troposphere.s3 import BucketPolicy
from awacs.aws import Action, Policy, Principal, Statement

t = Template()

export_bucket_policy = t.add_resource(BucketPolicy(
    'ExportBucketPolicy',
    Bucket='my-s3-bucket-name',
    PolicyDocument=Policy(
        Statement=[
            # CloudWatch Logs reads the bucket ACL before it starts an export task
            Statement(
                Effect='Allow',
                Action=[
                    Action('s3', 'GetBucketAcl')
                ],
                Principal=Principal(
                    'Service',
                    Sub('logs.${AWS::Region}.amazonaws.com')
                ),
                Resource=[
                    'my-s3-bucket-arn'
                ],
            ),
            # CloudWatch Logs writes the exported objects under the bucket
            Statement(
                Effect='Allow',
                Action=[
                    Action('s3', 'PutObject')
                ],
                Principal=Principal(
                    'Service',
                    Sub('logs.${AWS::Region}.amazonaws.com')
                ),
                Resource=[
                    Join('/', ['my-s3-bucket-arn', '*'])
                ],
            )
        ]
    )
))

# Write the template in both formats (output file names are an assumption)
with open('export-bucket-policy.json', 'w') as f:
    f.write(t.to_json())
with open('export-bucket-policy.yaml', 'w') as f:
    f.write(t.to_yaml())
Execute to produce JSON and YAML files:
python export-bucket-policy/export-bucket-policy.py
Generated JSON file:
{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "ExportBucketPolicy": {
            "Properties": {
                "Bucket": "my-s3-bucket-name",
                "PolicyDocument": {
                    "Statement": [
                        {
                            "Action": [
                                "s3:GetBucketAcl"
                            ],
                            "Effect": "Allow",
                            "Principal": {
                                "Service": {
                                    "Fn::Sub": "logs.${AWS::Region}.amazonaws.com"
                                }
                            },
                            "Resource": [
                                "my-s3-bucket-arn"
                            ]
                        },
                        {
                            "Action": [
                                "s3:PutObject"
                            ],
                            "Effect": "Allow",
                            "Principal": {
                                "Service": {
                                    "Fn::Sub": "logs.${AWS::Region}.amazonaws.com"
                                }
                            },
                            "Resource": [
                                {
                                    "Fn::Join": [
                                        "/",
                                        [
                                            "my-s3-bucket-arn",
                                            "*"
                                        ]
                                    ]
                                }
                            ]
                        }
                    ]
                }
            },
            "Type": "AWS::S3::BucketPolicy"
        }
    }
}
Generated YAML file:
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  ExportBucketPolicy:
    Properties:
      Bucket: my-s3-bucket-name
      PolicyDocument:
        Statement:
        - Action:
          - s3:GetBucketAcl
          Effect: Allow
          Principal:
            Service: !Sub 'logs.${AWS::Region}.amazonaws.com'
          Resource:
          - my-s3-bucket-arn
        - Action:
          - s3:PutObject
          Effect: Allow
          Principal:
            Service: !Sub 'logs.${AWS::Region}.amazonaws.com'
          Resource:
          - !Join
            - /
            - - my-s3-bucket-arn
              - '*'
    Type: AWS::S3::BucketPolicy
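The generated template above grants two actions to the CloudWatch Logs service principal, scoped to one bucket. Before deploying it, a practitioner typically wants to confirm the policy still looks like that after the placeholders have been filled in: only the expected actions, only the logs service as principal, every resource inside the target bucket, and a note when a statement carries no Condition (an aws:SourceAccount condition is the usual way to restrict which account may export into the bucket). The checker below is an added example written for this README and is not part of the repository; it uses only the standard library, assumes the JSON structure shown above, and the bucket name and ARN it is run against are constructed sample values.

```python
import json

# Actions the README's export bucket policy is expected to grant, and the
# principal it grants them to (the CloudWatch Logs service in the stack's region).
EXPECTED_ACTIONS = {"s3:GetBucketAcl", "s3:PutObject"}
LOGS_PRINCIPAL = {"Fn::Sub": "logs.${AWS::Region}.amazonaws.com"}


def load_bucket_policy(template_text, resource_name="ExportBucketPolicy"):
    """Return (bucket, policy_document) for one AWS::S3::BucketPolicy resource."""
    template = json.loads(template_text)
    resource = template["Resources"][resource_name]
    if resource["Type"] != "AWS::S3::BucketPolicy":
        raise ValueError(f"{resource_name} is not an AWS::S3::BucketPolicy")
    props = resource["Properties"]
    return props["Bucket"], props["PolicyDocument"]


def flatten_resources(resource):
    """Reduce a Resource entry (string, list, or Fn::Join of strings) to plain ARN strings."""
    if isinstance(resource, str):
        return [resource]
    if isinstance(resource, list):
        return [arn for item in resource for arn in flatten_resources(item)]
    if isinstance(resource, dict) and "Fn::Join" in resource:
        separator, parts = resource["Fn::Join"]
        return [separator.join(flatten_resources(part)[0] for part in parts)]
    raise ValueError(f"unsupported Resource entry: {resource!r}")


def check_export_policy(template_text, bucket_arn):
    """Return a list of findings; an empty list means every statement is scoped as intended."""
    findings = []
    _bucket, document = load_bucket_policy(template_text)
    granted = set()
    for index, statement in enumerate(document["Statement"]):
        if statement.get("Effect") != "Allow":
            findings.append(f"statement {index}: unexpected Effect {statement.get('Effect')}")
        actions = statement["Action"]
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            if "*" in action:
                findings.append(f"statement {index}: wildcard action {action}")
            granted.add(action)
        principal = statement.get("Principal")
        if not (isinstance(principal, dict) and principal.get("Service") == LOGS_PRINCIPAL):
            findings.append(f"statement {index}: principal is not the CloudWatch Logs service")
        for arn in flatten_resources(statement["Resource"]):
            if arn != bucket_arn and not arn.startswith(bucket_arn + "/"):
                findings.append(f"statement {index}: resource {arn} is outside {bucket_arn}")
        if "Condition" not in statement:
            findings.append(f"statement {index}: no Condition key "
                            "(an aws:SourceAccount condition limits which account can export here)")
    unexpected = granted - EXPECTED_ACTIONS
    if unexpected:
        findings.append(f"actions beyond the export policy: {sorted(unexpected)}")
    return findings


def sample_template(bucket_name, bucket_arn, put_action="s3:PutObject", principal=None):
    """Constructed template mirroring the README's generated JSON, with placeholders filled in."""
    principal = principal or {"Service": LOGS_PRINCIPAL}
    template = {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            "ExportBucketPolicy": {
                "Properties": {
                    "Bucket": bucket_name,
                    "PolicyDocument": {
                        "Statement": [
                            {"Action": ["s3:GetBucketAcl"], "Effect": "Allow",
                             "Principal": principal, "Resource": [bucket_arn]},
                            {"Action": [put_action], "Effect": "Allow",
                             "Principal": principal,
                             "Resource": [{"Fn::Join": ["/", [bucket_arn, "*"]]}]},
                        ]
                    },
                },
                "Type": "AWS::S3::BucketPolicy",
            }
        },
    }
    return json.dumps(template)


if __name__ == "__main__":
    # Sample bucket values are constructed for this example.
    arn = "arn:aws:s3:::example-export-bucket"
    for finding in check_export_policy(sample_template("example-export-bucket", arn), arn):
        print(finding)
```

Run against the README's template with the placeholders replaced, the only findings are the two missing Condition notes; swapping s3:PutObject for s3:* or the service principal for an "AWS": "*" principal is reported per statement, which is the kind of drift this check is meant to catch before a template reaches a stack.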