How to use the awacs.aws.Allow function in awacs

To help you get started, we’ve selected a few awacs examples, based on popular ways it is used in public projects.


github pbudzon / aws-maintenance / infrastructure / src / cloudtrail-notifications.py View on Github external
),
                Resource=[Join("", ["arn:aws:s3:::", Ref(bucket), "/AWSLogs/", Ref("AWS::AccountId"), "/*"])],
                Condition=Condition(
                    StringEquals('s3:x-amz-acl', 'bucket-owner-full-control')
                )
            )
        ]
    )
))

lambda_role = t.add_resource(Role(
    "LambdaRole",
    AssumeRolePolicyDocument=Policy(
        Statement=[
            Statement(
                Effect=Allow, Action=[AssumeRole],
                Principal=Principal(
                    "Service", ["lambda.amazonaws.com"]
                )
            )
        ]
    ),
    Policies=[IAMPolicy(
        "LambdaPolicy",
        PolicyName="LambdaCloudtrailPolicy",
        PolicyDocument=Policy(Statement=[
            Statement(
                Effect=Allow,
                Action=[
                    Action('s3', 'GetObject'),
                ],
                Resource=[Join("", ['arn:aws:s3:::', Ref(bucket), '/*'])]
github remind101 / stacker_blueprints / stacker_blueprints / elasticsearch.py View on Github external
def get_access_policy(self):
        """Build an access policy from the ``TrustedNetworks`` variable.

        One ``Allow`` statement is produced per entry in
        ``TrustedNetworks``.  Every statement names ``Principal(Everybody)``
        and is restricted only by a ``SourceIp`` condition on that entry, so
        the effective perimeter is exactly the network list supplied: an
        over-broad entry widens the policy accordingly.  Actions come from
        ``self.get_allowed_actions()``, which is called once per network.

        Returns:
            ``Policy`` wrapping the generated statements, or ``None`` when
            ``TrustedNetworks`` is empty.
        """
        trusted_networks = self.get_variables()["TrustedNetworks"]

        statements = [
            Statement(
                Effect=Allow,
                Action=self.get_allowed_actions(),
                Condition=Condition(IpAddress({SourceIp: network})),
                Principal=Principal(Everybody),
            )
            for network in trusted_networks
        ]

        # No networks means no statements, and no policy is emitted at all.
        if not statements:
            return None
        return Policy(Statement=statements)
github remind101 / stacker_blueprints / stacker_blueprints / firehose / base.py View on Github external
def s3_write_statements(bucket_name):
    return [
        Statement(
            Effect=Allow,
            Action=[
                awacs.s3.AbortMultipartUpload,
                awacs.s3.GetBucketLocation,
                awacs.s3.GetObject,
                awacs.s3.ListBucket,
                awacs.s3.ListBucketMultipartUploads,
                awacs.s3.PutObject,
            ],
            Resource=[
                s3_arn(bucket_name),
                s3_arn(Join("/", [bucket_name, "*"]))
            ],
github cloudtools / stacker / stacker / blueprints / empire / policies.py View on Github external
Resource=["*"],
                Action=[elb.DeleteLoadBalancer, elb.CreateLoadBalancer,
                        elb.DescribeLoadBalancers, elb.DescribeTags,
                        elb.ConfigureHealthCheck,
                        elb.ModifyLoadBalancerAttributes]),
            Statement(
                Effect=Allow,
                Resource=["*"],
                Action=[ec2.DescribeSubnets, ec2.DescribeSecurityGroups]),
            Statement(
                Effect=Allow,
                Action=[iam.GetServerCertificate, iam.UploadServerCertificate,
                        iam.DeleteServerCertificate, iam.PassRole],
                Resource=["*"]),
            Statement(
                Effect=Allow,
                Action=[
                    Action("route53", "ListHostedZonesByName"),
                    route53.ChangeResourceRecordSets,
                    route53.ListHostedZones, route53.GetHostedZone
                ],
                # TODO: Limit to specific zones
                Resource=["*"])
        ]
    )
    return p
github cloudnative / lambda-chat / resources.py View on Github external
Ref(google_oauth_client_id)
                        )
                    ),
                ),
            ],
        ),
    ))
    t.add_resource(iam.PolicyType(
        "WebsitePolicy",
        PolicyName="lambda-chat-website-policy",
        Roles=[Ref(website_role)],
        PolicyDocument=Policy(
            Version="2012-10-17",
            Statement=[
                Statement(
                    Effect=Allow,
                    Action=[Action("sns", "Publish")],
                    Resource=[
                        Ref(website_sns_topic)
                    ],
                ),
            ],
        )
    ))
    t.add_output(Output(
        "WebsiteRole",
        Description="website_iam_role_arn",
        Value=GetAtt(website_role, "Arn"),
    ))

    website_bucket = t.add_resource(s3.Bucket(
        'WebsiteS3Bucket',
github remind101 / stacker_blueprints / stacker_blueprints / kms.py View on Github external
def kms_key_root_statements():
    root_arn = Join(":", ["arn:aws:iam:", Ref("AWS::AccountId"), "root"])

    return [
        Statement(
            Sid="Enable IAM User Permissions",
            Effect=Allow,
            Principal=AWSPrincipal(root_arn),
            Action=[
                awacs.kms.Action("*"),
            ],
            Resource=["*"]
        )
github waterbear-cloud / paco / src / paco / cftemplates / apigateway.py View on Github external
cfn_export_dict["ResourceId"] = troposphere.GetAtt(restapi_resource, 'RootResourceId')
            cfn_export_dict["RestApiId"] = troposphere.Ref(restapi_resource)
            uri = troposphere.Join('', ["arn:aws:apigateway:", method.region_name, ":lambda:path/2015-03-31/functions/", method.parameter_arn_ref, "/invocations"])
            cfn_export_dict["Integration"]["Uri"] = uri

            if method.integration.integration_type == 'AWS_PROXY':
                # IAM Role - allows API Gateway to invoke Lambda
                # ToDo: enable Api Gateway to invoke things other than Lambda ...
                iam_role_resource = troposphere.iam.Role(
                    self.create_cfn_logical_id('ApiGatewayIamRole' + self.apigatewayrestapi.name + method.name),
                    Path='/',
                    AssumeRolePolicyDocument=Policy(
                        Version='2012-10-17',
                        Statement=[
                            Statement(
                                Effect=Allow,
                                Action=[awacs.sts.AssumeRole],
                                Principal=Principal('Service',['apigateway.amazonaws.com'])
                            )
                        ],
                    ),
                    Policies=[
                        troposphere.iam.Policy(
                            PolicyName=self.create_cfn_logical_id('LambdaAccessApiGateway' + self.apigatewayrestapi.name + method.name),
                            PolicyDocument=Policy(
                                Version='2012-10-17',
                                Statement=[
                                    Statement(
                                        Effect=Allow,
                                        Action=[awacs.awslambda.InvokeFunction],
                                        Resource=[method.parameter_arn_ref],
                                    )
github onicagroup / runway / runway / blueprints / k8s / k8s_master.py View on Github external
],
                Policies=[
                    iam.Policy(
                        PolicyName='EksServiceRolePolicy',
                        PolicyDocument=PolicyDocument(
                            Statement=[
                                Statement(
                                    Action=[awacs.iam.CreateServiceLinkedRole,
                                            awacs.iam.PutRolePolicy],
                                    Condition=Condition(
                                        StringLike(
                                            'iam:AWSServiceName',
                                            'elasticloadbalancing.amazonaws.com'  # noqa
                                        )
                                    ),
                                    Effect=Allow,
                                    Resource=[
                                        Sub('arn:aws:iam::${AWS::AccountId}:role/'  # noqa
                                            'aws-service-role/'
                                            'elasticloadbalancing.amazonaws.com/'  # noqa
                                            'AWSServiceRoleForElasticLoadBalancing*')  # noqa
                                    ]
                                )
                            ]
                        )
                    )
                ]
            )
        )

        ekscluster = template.add_resource(
            eks.Cluster(
github waterbear-cloud / paco / src / paco / cftemplates / rds.py View on Github external
)

        # Enhanced Monitoring Role
        need_monitoring_role = False
        for db_instance in rds_aurora.db_instances.values():
            enhanced_monitoring_interval = db_instance.get_value_or_default('enhanced_monitoring_interval_in_seconds')
            if enhanced_monitoring_interval != 0:
                need_monitoring_role = True
        if need_monitoring_role:
            enhanced_monitoring_role_resource = troposphere.iam.Role(
                title='MonitoringIAMRole',
                template=self.template,
                AssumeRolePolicyDocument=PolicyDocument(
                    Statement=[
                        Statement(
                            Effect=Allow,
                            Action=[Action("sts", "AssumeRole")],
                            Principal=Principal("Service", "monitoring.rds.amazonaws.com")
                        )
                    ]
                ),
                ManagedPolicyArns=["arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole"],
                Path="/",
            )

        # DB Snapshot Identifier
        if rds_aurora.db_snapshot_identifier == '' or rds_aurora.db_snapshot_identifier == None:
            db_snapshot_id_enabled = False
        else:
            db_snapshot_id_enabled = True
        if db_snapshot_id_enabled == True:
            db_cluster_dict['SnapshotIdentifier'] = rds_aurora.db_snapshot_identifier
github waterbear-cloud / paco / src / paco / cftemplates / lambda_function.py View on Github external
prefixed_loggroup_name = prefixed_name(awslambda, loggroup_name, self.paco_ctx.legacy_flag)
            log_group_arns.append(
                f'arn:aws:logs:{self.aws_region}:{account_ctx.id}:log-group:{prefixed_loggroup_name}:*'
            )
            log_stream_arns.append(
                f'arn:aws:logs:{self.aws_region}:{account_ctx.id}:log-group:{prefixed_loggroup_name}:log-stream:*'
            )

        loggroup_policy_resource = troposphere.iam.ManagedPolicy(
            title='LogGroupManagedPolicy',
            PolicyDocument=Policy(
                Version='2012-10-17',
                Statement=[
                    Statement(
                        Sid='AllowLambdaModifyLogStreams',
                        Effect=Allow,
                        Action=[
                            Action("logs","CreateLogStream"),
                            Action("logs","DescribeLogStreams"),
                        ],
                        Resource=log_group_arns,
                    ),
                    Statement(
                        Sid='AllowLambdaPutLogEvents',
                        Effect=Allow,
                        Action=[
                            Action("logs","PutLogEvents"),
                        ],
                        Resource=log_stream_arns,
                    ),
                ],
            ),