How to use the awacs.aws.Action function in awacs

To help you get started, we’ve selected a few awacs examples, based on popular ways it is used in public projects.

Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.

github dflook / cloudformation-dns-certificate / src / troposphere_dns_certificate / certificatemanager.py View on Github external
Statement(
                                    Effect=Allow,
                                    Action=[
                                        Action('acm', 'AddTagsToCertificate'),
                                        Action('acm', 'DeleteCertificate'),
                                        Action('acm', 'DescribeCertificate'),
                                        Action('acm', 'RemoveTagsFromCertificate'),

                                    ],
                                    Resource=[Sub('arn:aws:acm:*:${AWS::AccountId}:certificate/*')],
                                ),
                                Statement(
                                    Effect=Allow,
                                    Action=[
                                        Action('acm', 'RequestCertificate'),
                                        Action('acm', 'ListTagsForCertificate'),
                                        Action('acm', 'ListCertificates')
                                    ],
                                    Resource=['*']
                                ),
                            ],
                        ),
                    )
                ],
            )
        )

    if CERTIFICATE_LAMBDA not in template.resources:
        with open(pkgutil.get_loader('troposphere_dns_certificate.certificate').get_filename()) as f:
            code = python_minifier.awslambda(f.read(), entrypoint='handler')

        template.add_resource(
github waterbear-cloud / paco / src / paco / cftemplates / codepipeline.py View on Github external
Action=[ AssumeRole ],
                        Principal=Principal("Service", ['codepipeline.amazonaws.com']),
                    )
                ]
            )
        )
        pipeline_policy_statement_list = [
            Statement(
                Sid='CodePipelineAccess',
                Effect=Allow,
                Action=[
                    Action('codepipeline', '*'),
                    Action('sns', 'Publish'),
                    Action('s3', 'ListAllMyBuckets'),
                    Action('s3', 'GetBucketLocation'),
                    Action('iam', 'ListRoles'),
                    Action('iam', 'PassRole'),
                ],
                Resource=[ '*' ]
            ),
            Statement(
                Sid='KMSCMK',
                Effect=Allow,
                Action=[
                    Action('kms', 'Decrypt'),
                ],
                Resource=[ troposphere.Ref(self.cmk_arn_param) ]
            ),
        ]
        # S3.Source Action requires more generous permissions on the Artifacts S3 Bucket
        if self.s3_source_enabled:
            pipeline_policy_statement_list.append(
github remind101 / stacker_blueprints / stacker_blueprints / firehose.py View on Github external
awacs.kms.ListGrants,
                    awacs.kms.RevokeGrant,
                ],
                Resource=["*"],
                Condition=Condition(Bool("kms:GrantIsForAWSResource", True))
            )
        )

    if key_admin_arns:
        statements.append(
            Statement(
                Sid="Allow access for Key Administrators",
                Effect=Allow,
                Principal=AWSPrincipal(key_admin_arns),
                Action=[
                    Action("kms", "Create*"),
                    Action("kms", "Describe*"),
                    Action("kms", "Enable*"),
                    Action("kms", "List*"),
                    Action("kms", "Put*"),
                    Action("kms", "Update*"),
                    Action("kms", "Revoke*"),
                    Action("kms", "Disable*"),
                    Action("kms", "Get*"),
                    Action("kms", "Delete*"),
                    Action("kms", "ScheduleKeyDeletion"),
                    Action("kms", "CancelKeyDeletion"),
                ],
                Resource=["*"],
            )
        )
github waterbear-cloud / paco / src / paco / cftemplates / codepipeline.py View on Github external
],
                    Resource=[
                        troposphere.Sub('arn:aws:s3:::${ArtifactsBucketName}/*'),
                        troposphere.Sub('arn:aws:s3:::${ArtifactsBucketName}')
                    ]
                ),
            )
        else:
            pipeline_policy_statement_list.append(
                Statement(
                    Sid='S3Access',
                    Effect=Allow,
                    Action=[
                        Action('s3', 'PutObject'),
                        Action('s3', 'GetBucketPolicy'),
                        Action('s3', 'GetObject'),
                        Action('s3', 'ListBucket'),
                    ],
                    Resource=[
                        troposphere.Sub('arn:aws:s3:::${ArtifactsBucketName}/*'),
                        troposphere.Sub('arn:aws:s3:::${ArtifactsBucketName}')
                    ]
                ),
            )
        if self.lambda_invoke_enabled:
            pipeline_policy_statement_list.append(
                Statement(
                    Sid='LambdaInvoke',
                    Effect=Allow,
                    Action=[
                        Action('lambda', 'InvokeFunction'),
                    ],
github waterbear-cloud / paco / src / paco / cftemplates / codepipeline.py View on Github external
Action=[
                        Action('codebuild', 'BatchGetBuilds'),
                        Action('codebuild', 'StartBuild')
                    ],
                    Resource=[ troposphere.Ref(self.codebuild_project_arn_param) ]
                )
            )
        if self.ecr_source_enabled:
            # Add Statement to allow ECR
            pipeline_policy_statement_list.append(
                Statement(
                    Sid='ECRPullAccess',
                    Effect=Allow,
                    Action=[
                        Action('ecr', 'Describe*'),
                        Action('ecr', 'List*'),
                        Action('ecr', 'Get*'),
                    ],
                    Resource=['*']
                )
            )
        if self.codecommit_source_enabled:
            # Add Statements to allow CodeCommit if a CodeCommit.Source is enabled
            pipeline_policy_statement_list.append(
                Statement(
                    Sid='CodeCommitAssumeRole',
                    Effect=Allow,
                    Action=[
                        Action('sts', 'AssumeRole'),
                    ],
                    Resource=[ troposphere.Ref(self.codecommit_role_arn_param) ]
                )
github remind101 / stacker_blueprints / stacker_blueprints / empire / policies.py View on Github external
def logstream_policy():
    """Policy needed for logspout -> kinesis log streaming."""
    p = Policy(
        Statement=[
            Statement(
                Effect=Allow,
                Resource=["*"],
                Action=[
                    kinesis.CreateStream, kinesis.DescribeStream,
                    Action(kinesis.prefix, "AddTagsToStream"),
                    Action(kinesis.prefix, "PutRecords")
                ])])
    return p
github cloudtools / troposphere / examples / EFS.py View on Github external
SubnetId=Ref(subnetid_param)
)
template.add_resource(efs_mount_target)

# Create the policy that allows the instance to describe file systems and tags,
# so it can lookup the file system using AWS tags. An alternative would be to
# pass in the FileSystem name as UserData.
efs_host_role = Role(
    "EFSHostRole",
    AssumeRolePolicyDocument=PolicyDocument(
        Statement=[
            Statement(
                Effect=Allow,
                Action=[
                    Action('elasticfilesystem', 'DescribeFileSystems'),
                    Action('elasticfilesystem', 'DescribeTags')
                ],
                Resource=["*"]
            )
        ]
    )
)
template.add_resource(efs_host_role)

efs_host_instance_profile = InstanceProfile(
    "EFSInstanceProfile",
    Roles=[Ref(efs_host_role)]
)
template.add_resource(efs_host_instance_profile)

# And finally the EC2 instance.
ec2_instance = Instance(
github waterbear-cloud / paco / src / paco / cftemplates / codepipeline.py View on Github external
Action('s3', 'List*'),
                    ],
                    Resource=[
                        troposphere.Sub('arn:aws:s3:::${ArtifactsBucketName}/*'),
                        troposphere.Sub('arn:aws:s3:::${ArtifactsBucketName}')
                    ]
                ),
            )
        else:
            pipeline_policy_statement_list.append(
                Statement(
                    Sid='S3Access',
                    Effect=Allow,
                    Action=[
                        Action('s3', 'PutObject'),
                        Action('s3', 'GetBucketPolicy'),
                        Action('s3', 'GetObject'),
                        Action('s3', 'ListBucket'),
                    ],
                    Resource=[
                        troposphere.Sub('arn:aws:s3:::${ArtifactsBucketName}/*'),
                        troposphere.Sub('arn:aws:s3:::${ArtifactsBucketName}')
                    ]
                ),
            )
        if self.lambda_invoke_enabled:
            pipeline_policy_statement_list.append(
                Statement(
                    Sid='LambdaInvoke',
                    Effect=Allow,
                    Action=[
                        Action('lambda', 'InvokeFunction'),
github remind101 / stacker_blueprints / stacker_blueprints / firehose.py View on Github external
Statement(
                Sid="Allow access for Key Administrators",
                Effect=Allow,
                Principal=AWSPrincipal(key_admin_arns),
                Action=[
                    Action("kms", "Create*"),
                    Action("kms", "Describe*"),
                    Action("kms", "Enable*"),
                    Action("kms", "List*"),
                    Action("kms", "Put*"),
                    Action("kms", "Update*"),
                    Action("kms", "Revoke*"),
                    Action("kms", "Disable*"),
                    Action("kms", "Get*"),
                    Action("kms", "Delete*"),
                    Action("kms", "ScheduleKeyDeletion"),
                    Action("kms", "CancelKeyDeletion"),
                ],
                Resource=["*"],
            )
        )

    return Policy(Version="2012-10-17", Id="key-default-1",
                  Statement=statements)
github waterbear-cloud / paco / src / paco / cftemplates / iam_users.py View on Github external
Resource=['arn:aws:iam::*:user/{}'.format(iam_user.username)]
                            ),
                            Statement(
                                Sid='AllowManageOwnVirtualMFADevice',
                                Effect=Allow,
                                Action=[
                                    Action('iam', 'CreateVirtualMFADevice'),
                                    Action('iam', 'DeleteVirtualMFADevice'),
                                ],
                                Resource=['arn:aws:iam::*:mfa/{}'.format(iam_user.username)]
                            ),
                            Statement(
                                Sid='AllowManageOwnUserMFA',
                                Effect=Allow,
                                Action=[
                                    Action('iam', 'DeactivateMFADevice'),
                                    Action('iam', 'EnableMFADevice'),
                                    Action('iam', 'ListMFADevices'),
                                    Action('iam', 'ResyncMFADevice'),
                                ],
                                Resource=['arn:aws:iam::*:user/{}'.format(iam_user.username)]
                            ),
                            Statement(
                                Sid='DenyAllExceptListedIfNoMFA',
                                Effect=Deny,
                                NotAction=[
                                    Action('iam', 'CreateVirtualMFADevice'),
                                    Action('iam', 'EnableMFADevice'),
                                    Action('iam', 'ChangePassword'),
                                    Action('iam', 'GetUser'),
                                    Action('iam', 'ListMFADevices'),
                                    Action('iam', 'ListVirtualMFADevices'),