Restrictive Permission Boundaries are achievable while still allowing deployment and operation of your Snowplow pipeline. Keep in mind that a permissions boundary only caps what a role can do; it grants nothing by itself, so the SnowplowAdmin / SnowplowDeployment roles still need their own identity-based policies, and their effective permissions are the intersection of those policies and this boundary. If you're intending to take this approach as a customer, please reach out to our Support team for assistance.
The example Permission Boundary below has been called SnowplowBoundary and is attached to the SnowplowAdmin / SnowplowDeployment roles. It is used for all deployments in the account. Two caveats when adapting it: the DenyAdminRoleBoundaryEdit statement names only the SnowplowAdmin role ARN, so if the boundary is also attached to SnowplowDeployment, add that role's ARN to the same Deny statement or its trust policy and boundary can be modified from within the boundary; and the listing as shown places the final two statements (the read-only ecr:* set and servicequotas:*) after the closing bracket of the "Statement" array and omits the comma before "Version", so move those two objects inside the array before using this document. Note also that those two trailing statements carry no aws:ResourceAccount or aws:RequestedRegion condition, unlike the ecr:* and servicequotas:* entries in SnowplowAdminActionsAccountAndRegions; confirm that wider scope is intended before keeping them.
{
"Statement": [
{
"Action": [
"iam:PutUserPermissionsBoundary",
"iam:PutRolePermissionsBoundary",
"iam:CreateUser",
"iam:CreateRole"
],
"Condition": {
"StringNotEquals": {
"iam:PermissionsBoundary": "arn:aws:iam::{Customer Account Id}:policy/SnowplowBoundary"
}
},
"Effect": "Deny",
"Resource": "*",
"Sid": "CreateUsersOrRolesOnlyWithBoundary"
},
{
"Action": "iam:*",
"Condition": {
"StringEquals": {
"aws:ResourceAccount": "{Customer Account Id}"
}
},
"Effect": "Allow",
"Resource": "*",
"Sid": "AllowIam"
},
{
"Action": [
"route53resolver:*",
"route53:*"
],
"Condition": {
"StringEquals": {
"aws:ResourceAccount": "{Customer Account Id}"
}
},
"Effect": "Allow",
"Resource": "*",
"Sid": "AllowR53"
},
{
"Action": [
"iam:UpdateRoleDescription",
"iam:UpdateRole",
"iam:UpdateAssumeRolePolicy",
"iam:UntagRole",
"iam:TagRole",
"iam:PutRolePermissionsBoundary",
"iam:PassRole",
"iam:DeleteRolePermissionsBoundary",
"iam:DeleteRole",
"iam:CreateRole"
],
"Effect": "Deny",
"Resource": "arn:aws:iam::{Customer Account Id}:role/SnowplowAdmin",
"Sid": "DenyAdminRoleBoundaryEdit"
},
{
"Action": [
"iam:SetDefaultPolicyVersion",
"iam:DeletePolicyVersion",
"iam:DeletePolicy",
"iam:CreatePolicyVersion"
],
"Effect": "Deny",
"Resource": "arn:aws:iam::{Customer Account Id}:policy/SnowplowBoundary",
"Sid": "DenyBoundaryPolicyEdit"
},
{
"Action": [
"iam:DeleteUserPermissionsBoundary",
"iam:DeleteRolePermissionsBoundary"
],
"Condition": {
"StringEquals": {
"iam:PermissionsBoundary": "arn:aws:iam::{Customer Account Id}:policy/SnowplowBoundary"
}
},
"Effect": "Deny",
"Resource": "*",
"Sid": "NoRemoveBoundary"
},
{
"Action": [
"wafv2:List*",
"wafv2:Describe*",
"wafv2:Get*",
"support:*",
"ssm:*",
"sqs:*",
"sns:*",
"secretsmanager:TagResource",
"secretsmanager:PutSecretValue",
"secretsmanager:GetSecretValue",
"secretsmanager:GetResourcePolicy",
"secretsmanager:DescribeSecret",
"secretsmanager:DeleteSecret",
"secretsmanager:CreateSecret",
"servicequotas:*",
"s3:*",
"redshift:*",
"rds:*",
"logs:*",
"lambda:*",
"kms:List*",
"kms:DescribeKey",
"kms:CreateKey",
"kms:PutKeyPolicy",
"kms:GetKeyPolicy",
"kms:GetKeyRotationStatus",
"kms:ScheduleKeyDeletion",
"kms:CreateAlias",
"kms:TagResource",
"kms:Decrypt",
"sts:AssumeRole",
"tag:GetResources",
"kinesisanalytics:*",
"kinesis:*",
"execute-api:*",
"events:*",
"es:*",
"elasticmapreduce:*",
"elasticloadbalancing:*",
"elasticbeanstalk:*",
"elasticache:*",
"eks:*",
"ecs:*",
"ecr:*",
"ec2:*",
"dynamodb:*",
"cloudwatch:*",
"cloudfront:*",
"cloudformation:*",
"aws-marketplace:ViewSubscriptions",
"aws-marketplace:Unsubscribe",
"aws-marketplace:Subscribe",
"autoscaling:*",
"application-autoscaling:*",
"apigateway:*",
"acm:*"
],
"Condition": {
"StringEquals": {
"aws:RequestedRegion": [
"{list of regions that the customer allows the account to access - normally just needs the one being deployed in}"
],
"aws:ResourceAccount": "{Customer Account Id}"
}
},
"Effect": "Allow",
"Resource": "*",
"Sid": "SnowplowAdminActionsAccountAndRegions"
},
{
"Action": "ec2:RunInstances",
"Condition": {
"StringEquals": {
"aws:RequestedRegion": [
"{list of regions that the customer allows the account to access - normally just needs the one being deployed in}"
]
}
},
"Effect": "Allow",
"Resource": [
"arn:aws:ec2:*:{Customer Account Id}:*/*",
"arn:aws:ec2:*:*:snapshot/*",
"arn:aws:ec2:*:*:image/*"
],
"Sid": "SnowplowAdminRunInstances"
},
{
"Action": [
"s3:ListMultipartUploadParts",
"s3:ListBucket*",
"s3:GetObject*",
"s3:GetBucket*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::snowplow-hosted-assets-proprietary-eu-west-1/*",
"arn:aws:s3:::snowplow-hosted-assets-proprietary-eu-west-1",
"arn:aws:s3:::snowplow-hosted-assets-eu-west-1/*",
"arn:aws:s3:::snowplow-hosted-assets-eu-west-1",
"arn:aws:s3:::snowplow-hosted-assets/*",
"arn:aws:s3:::snowplow-hosted-assets"
],
"Sid": "SnowplowAdminListReadTheirBucket"
},
{
"Action": [
"ec2:GetManagedPrefixListEntries",
"ec2:GetManagedPrefixListAssociations"
],
"Condition": {
"StringEquals": {
"aws:RequestedRegion": [
"{list of regions that the customer allows the account to access - normally just needs the one being deployed in}"
]
}
},
"Effect": "Allow",
"Resource": "arn:aws:ec2:*:*:prefix-list/*",
"Sid": "SnowplowAdminGetEC2Prefix"
},
{
"Action": [
"iam:ListPolicyVersions",
"iam:ListPolicies",
"iam:GetPolicyVersion",
"iam:GetPolicy"
],
"Effect": "Allow",
"Resource": "arn:aws:iam::*:policy/*",
"Sid": "SnowplowAdminGetAWSManagedPolicies"
},
{
"Action": "ec2:DescribeImage*",
"Condition": {
"StringEquals": {
"aws:RequestedRegion": [
"{list of regions that the customer allows the account to access - normally just needs the one being deployed in}"
]
}
},
"Effect": "Allow",
"Resource": "*",
"Sid": "SnowplowAdminListAMIs"
},
{
"Action": [
"sns:*",
"cloudwatch:*"
],
"Condition": {
"StringEquals": {
"aws:RequestedRegion": [
"us-east-1"
]
}
},
"Effect": "Allow",
"Resource": "*",
"Sid": "LimitedUsEast1"
}
],
{
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:DescribeImages",
"ecr:DescribeImageScanFindings",
"ecr:DescribeRepositories",
"ecr:GetAuthorizationToken",
"ecr:GetDownloadUrlForLayer",
"ecr:GetLifecyclePolicy",
"ecr:GetLifecyclePolicyPreview",
"ecr:GetRepositoryPolicy",
"ecr:ListImages",
"ecr:ListTagsForResource"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"servicequotas:*"
],
"Effect": "Allow",
"Resource": "*"
}
"Version": "2012-10-17"
}