--- AWSTemplateFormatVersion: 2010-09-09 Description: Provides the base security, IAM, and access configuration for the AWS account Resources: rSysAdminGroup: Type: AWS::IAM::Group Properties: Path: / rSysAdminRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Effect: Allow Principal: Service: - ec2.amazonaws.com Action: - sts:AssumeRole rSysAdminPolicy: Type: AWS::IAM::ManagedPolicy Properties: PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow NotAction: iam:* Resource: '*' Condition: Bool: aws:MultiFactorAuthPresent: true - Effect: Deny Action: aws-portal:*Billing Resource: '*' - Effect: Deny Action: - cloudtrail:DeleteTrail - cloudtrail:StopLogging - cloudtrail:UpdateTrail Resource: '*' - Effect: Deny Action: - kms:Create* - kms:Revoke* - kms:Enable* - kms:Get* - kms:Disable* - kms:Delete* - kms:Put* - kms:Update* Resource: '*' Roles: - !Ref rSysAdminRole Groups: - !Ref rSysAdminGroup rIAMAdminGroup: Type: AWS::IAM::Group Properties: Path: / rIAMAdminRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Effect: Allow Principal: Service: - ec2.amazonaws.com Action: - sts:AssumeRole rIAMAdminPolicy: Type: AWS::IAM::ManagedPolicy Properties: PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: iam:* Resource: '*' Condition: Bool: aws:MultiFactorAuthPresent: true - Effect: Deny Action: aws-portal:*Billing Resource: '*' Roles: - !Ref rIAMAdminRole Groups: - !Ref rIAMAdminGroup rInstanceOpsGroup: Type: AWS::IAM::Group Properties: Path: / rInstanceOpsRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Effect: Allow Principal: Service: - ec2.amazonaws.com Action: - sts:AssumeRole rInstanceOpsPolicy: Type: AWS::IAM::ManagedPolicy Properties: PolicyDocument: Version: 2012-10-17 Statement: - Action: ec2:* Effect: Allow Resource: '*' - Effect: Allow Action: elasticloadbalancing:* Resource: '*' - Effect: Allow Action: cloudwatch:* Resource: '*' - Effect: Allow Action: autoscaling:* Resource: '*' - Effect: Deny Action: - ec2:CreateVpc* - ec2:DeleteVpc* - ec2:ModifyVpc* - ec2:CreateSubnet* - ec2:DeleteSubnet* - ec2:ModifySubnet* - ec2:Create*Route* - ec2:DeleteRoute* - ec2:AssociateRoute* - ec2:ReplaceRoute* - ec2:CreateVpn* - ec2:DeleteVpn* - ec2:AttachVpn* - ec2:DetachVpn* - ec2:CreateNetworkAcl* - ec2:DeleteNetworkAcl* - ec2:ReplaceNetworkAcl* - ec2:*Gateway* - ec2:*PeeringConnection* Resource: '*' - Effect: Deny Action: aws-portal:*Billing Resource: '*' - Effect: Deny Action: - kms:Create* - kms:Revoke* - kms:Enable* - kms:Get* - kms:Disable* - kms:Delete* - kms:Put* - kms:Update* Resource: '*' Roles: - !Ref rInstanceOpsRole Groups: - !Ref rInstanceOpsGroup rReadOnlyGroup: Type: AWS::IAM::Group Properties: Path: / rReadOnlyRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Effect: Allow Principal: Service: - ec2.amazonaws.com Action: - sts:AssumeRole ManagedPolicyArns: - arn:aws:iam::aws:policy/ReadOnlyAccess rReadOnlyBillingGroup: Type: AWS::IAM::Group Properties: Path: / rReadOnlyBillingPolicy: Type: AWS::IAM::ManagedPolicy Properties: PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: aws-portal:View* Resource: '*' - Effect: Deny Action: aws-portal:*Account Resource: '*' Groups: - !Ref rReadOnlyBillingGroup Outputs: rSysAdminGroup: Value: !Ref rSysAdminGroup rIAMAdminGroup: Value: !Ref rIAMAdminGroup rInstanceOpsGroup: Value: !Ref rInstanceOpsGroup rReadOnlyBillingGroup: Value: !Ref rReadOnlyBillingGroup rReadOnlyGroup: Value: !Ref rReadOnlyGroup rSysAdminRole: Value: !Ref rSysAdminRole