Pythonの変数の埋め込みについて

Python

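from constructs import Construct
from aws_cdk import (
    Duration,
    ScopedAws,
    Stack,
    CfnParameter,
    Fn,
    aws_iam as iam,
)
import aws_cdk.aws_sso as sso

# Name of the managed policy this stack creates. The policy's own statements
# refer back to it (as the required permissions boundary and as the ARN that
# must not be altered), so it is defined once here.
MANAGED_POLICY_NAME = "managedPolicyName"

# CloudFormation-level form of the policy ARN. ``${AccountId}`` is resolved by
# CloudFormation at deploy time against the ``AccountId`` template parameter
# declared in SampleStack (a CfnParameter's construct id becomes its logical
# id), NOT against the ``AWS::AccountId`` pseudo parameter. Kept for callers
# that import it; SampleStack itself builds the same ARN from CDK tokens, which
# is the CDK-native way to embed a variable.
resources = {"Fn::Sub": f"arn:aws:iam::${{AccountId}}:policy/{MANAGED_POLICY_NAME}"}

# User lifecycle actions; allowed only on users whose permissions boundary is
# this policy (see the Condition on the first statement).
actions1 = [
    "iam:CreateUser",
    "iam:DeleteUserPolicy",
    "iam:UpdateUser",
    "iam:AttachUserPolicy",
    "iam:DetachUserPolicy",
    "iam:PutUserPolicy",
    "iam:PutUserPermissionsBoundary",
]

# Read, group, credential and policy actions allowed on every IAM resource.
actions2 = [
    "iam:Get*",
    "iam:List*",
    "iam:DeleteUser",
    "iam:*Group*",
    "iam:CreatePolicy",
    "iam:CreateLoginProfile",
    "iam:CreateAccessKey",
    "iam:DeletePolicy",
    "iam:DeletePolicyVersion",
    "iam:DeleteLoginProfile",
    "iam:DeleteAccessKey",
    "iam:SetDefaultPolicyVersion",
    "iam:SimulatePrincipalPolicy",
    "iam:SimulateCustomPolicy",
]

# Actions explicitly denied on the boundary policy's own ARN so that the
# holder cannot rewrite or remove the boundary that constrains them.
actions3 = [
    "iam:CreatePolicyVersion",
    "iam:DeletePolicy",
    "iam:DeletePolicyVersion",
    "iam:DeleteUserPermissionsBoundary",
    "iam:SetDefaultPolicyVersion",
]

# Service-wide denies.
actions4 = [
    "s3:*",
    "lambda:*",
]


class SampleStack(Stack):
    """Managed policy for a delegated IAM administrator.

    The policy lets its holder create and modify IAM users only when those
    users carry this very policy as their permissions boundary (first
    statement), grants a set of read/group/credential/policy actions on ``*``
    (second), denies altering the boundary policy itself (third) and denies
    all S3 and Lambda actions (fourth).
    """

    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        """Create the stack and its managed policy.

        Args:
            scope: Parent construct (usually the ``App``).
            construct_id: Construct id; also the stack's logical name.
            **kwargs: Forwarded unchanged to ``Stack`` (``env``, ``description``, ...).
        """
        super().__init__(scope, construct_id, **kwargs)

        # Template parameters. Their construct ids become the template's
        # logical ids, so a raw ``Fn::Sub`` string elsewhere could refer to
        # them as ``${AccountId}`` / ``${SsoInstanceArn}``.
        account_id = CfnParameter(self, "AccountId")
        # Declared so existing deployments that pass it keep working; nothing
        # in this stack reads it yet.
        CfnParameter(self, "SsoInstanceArn")

        # Embed the parameter as a CDK token: an f-string over
        # ``value_as_string`` is turned by CDK at synthesis into the
        # equivalent Fn::Join/Ref. This keeps the reference inside CDK's
        # token system (typos surface at synth time) instead of hand-writing
        # a {"Fn::Sub": ...} dict that only CloudFormation validates.
        # If the policy always lives in the deploying account, ``self.account``
        # could replace the parameter entirely.
        policy_arn = f"arn:aws:iam::{account_id.value_as_string}:policy/{MANAGED_POLICY_NAME}"

        policy_document = {
            "Version": "2012-10-17",
            "Statement": [
                {
                    # Users may be created/changed only when their permissions
                    # boundary is this policy, so delegated admins cannot mint
                    # a user with wider rights than their own.
                    "Effect": "Allow",
                    "Action": actions1,
                    "Resource": "*",
                    "Condition": {
                        "StringEquals": {"iam:PermissionsBoundary": policy_arn}
                    },
                },
                {
                    # NOTE(review): CreateAccessKey, CreateLoginProfile and the
                    # *Group* wildcard are allowed on Resource "*", i.e. also on
                    # users that were not created under the boundary. Consider
                    # restricting Resource (e.g. to a user path prefix) if that
                    # is not intended.
                    "Effect": "Allow",
                    "Action": actions2,
                    "Resource": "*",
                },
                {
                    # Protect the boundary policy from being replaced or
                    # deleted by the principal it constrains.
                    # NOTE(review): iam:DeleteUserPermissionsBoundary is
                    # evaluated against the user ARN, not the policy ARN, so a
                    # Deny scoped to policy_arn is unlikely to match it; AWS's
                    # delegated-boundary example denies it on Resource "*" with
                    # an iam:PermissionsBoundary condition instead - confirm.
                    "Effect": "Deny",
                    "Action": actions3,
                    "Resource": policy_arn,
                },
                {
                    "Effect": "Deny",
                    "Action": actions4,
                    "Resource": "*",
                },
            ],
        }

        iam.CfnManagedPolicy(
            self,
            "MyCfnManagedPolicy",
            policy_document=policy_document,
            managed_policy_name=MANAGED_POLICY_NAME,
        )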

