ansible/hacking/aws_config/testing_policies/security-policy.json

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "iam:GetGroup",
                "iam:GetInstanceProfile",
                "iam:GetPolicy",
                "iam:GetPolicyVersion",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:GetUser",
                "iam:ListAttachedGroupPolicies",
                "iam:ListAttachedRolePolicies",
                "iam:ListAttachedUserPolicies",
                "iam:ListGroups",
                "iam:ListInstanceProfiles",
                "iam:ListInstanceProfilesForRole",
                "iam:ListPolicies",
                "iam:ListRoles",
                "iam:ListRolePolicies",
                "iam:ListUsers",
                "iam:ListAccountAliases"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "AllowReadOnlyIAMUse"
        },
        {
            "Sid": "AllowWAFusage",
            "Action": "waf:*",
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Sid": "AllowListingCloudwatchLogs",
            "Effect": "Allow",
            "Action": [
                "logs:DescribeLogGroups"
            ],
            "Resource": [
                "arn:aws:logs:{{aws_region}}:{{aws_account}}:log-group:*"
            ]
        },
        {
            "Sid": "AllowModifyingCloudwatchLogs",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:PutRetentionPolicy",
                "logs:DeleteLogGroup"
            ],
            "Resource": [
                "arn:aws:logs:{{aws_region}}:{{aws_account}}:log-group:ansible-testing*"
            ]
        }
    ]
}
[cloud] Create ECS integration test suite (#33757) Tests for: * ecs_cluster * ecs_service * ecs_service_facts * ecs_taskdefinition * ecs_taskdefinition_facts * Add idempotency testing Test ecs_cluster, ecs_service and ecs_taskdefinition for trivial idempotency. Add FIXMEs to the tests because the latter two fail. Remove unused dependencies 7 years ago			`{`
			`"Version": "2012-10-17",`
			`"Statement": [`
			`{`
			`"Action": [`
Improve iam_group exception handling (#45599) * Improve iam_group exception handling Use AnsibleAWSModule for iam_group and handle BotoCoreErrors as well as ClientErrors. Use fail_json_aws to improve error messages * Add minimal iam_group test suite Update some of the read-only IAM permissions (this is not sufficient to run the test suite but it gets further than it did until it tries to add a (non-existent) user) * Clean up after tests 6 years ago			`"iam:GetGroup",`
sns_topic boto3 port (#39292) * Port sns_topic to boto3 and add tests 6 years ago			`"iam:GetInstanceProfile",`
[cloud] Create ECS integration test suite (#33757) Tests for: * ecs_cluster * ecs_service * ecs_service_facts * ecs_taskdefinition * ecs_taskdefinition_facts * Add idempotency testing Test ecs_cluster, ecs_service and ecs_taskdefinition for trivial idempotency. Add FIXMEs to the tests because the latter two fail. Remove unused dependencies 7 years ago			`"iam:GetPolicy",`
			`"iam:GetPolicyVersion",`
			`"iam:GetRole",`
sns_topic boto3 port (#39292) * Port sns_topic to boto3 and add tests 6 years ago			`"iam:GetRolePolicy",`
Improve iam_group exception handling (#45599) * Improve iam_group exception handling Use AnsibleAWSModule for iam_group and handle BotoCoreErrors as well as ClientErrors. Use fail_json_aws to improve error messages * Add minimal iam_group test suite Update some of the read-only IAM permissions (this is not sufficient to run the test suite but it gets further than it did until it tries to add a (non-existent) user) * Clean up after tests 6 years ago			`"iam:GetUser",`
			`"iam:ListAttachedGroupPolicies",`
[cloud] Create ECS integration test suite (#33757) Tests for: * ecs_cluster * ecs_service * ecs_service_facts * ecs_taskdefinition * ecs_taskdefinition_facts * Add idempotency testing Test ecs_cluster, ecs_service and ecs_taskdefinition for trivial idempotency. Add FIXMEs to the tests because the latter two fail. Remove unused dependencies 7 years ago			`"iam:ListAttachedRolePolicies",`
Improve iam_group exception handling (#45599) * Improve iam_group exception handling Use AnsibleAWSModule for iam_group and handle BotoCoreErrors as well as ClientErrors. Use fail_json_aws to improve error messages * Add minimal iam_group test suite Update some of the read-only IAM permissions (this is not sufficient to run the test suite but it gets further than it did until it tries to add a (non-existent) user) * Clean up after tests 6 years ago			`"iam:ListAttachedUserPolicies",`
[cloud] Create ECS integration test suite (#33757) Tests for: * ecs_cluster * ecs_service * ecs_service_facts * ecs_taskdefinition * ecs_taskdefinition_facts * Add idempotency testing Test ecs_cluster, ecs_service and ecs_taskdefinition for trivial idempotency. Add FIXMEs to the tests because the latter two fail. Remove unused dependencies 7 years ago			`"iam:ListGroups",`
sns_topic boto3 port (#39292) * Port sns_topic to boto3 and add tests 6 years ago			`"iam:ListInstanceProfiles",`
[cloud] Create ECS integration test suite (#33757) Tests for: * ecs_cluster * ecs_service * ecs_service_facts * ecs_taskdefinition * ecs_taskdefinition_facts * Add idempotency testing Test ecs_cluster, ecs_service and ecs_taskdefinition for trivial idempotency. Add FIXMEs to the tests because the latter two fail. Remove unused dependencies 7 years ago			`"iam:ListInstanceProfilesForRole",`
			`"iam:ListPolicies",`
			`"iam:ListRoles",`
			`"iam:ListRolePolicies",`
added account_alias in the response of module aws_caller_facts (#42345) * added account_alias in the response of module aws_caller_facts * added comment to explain list_account_aliases * renamed caller_identity to caller_facts as the content is extended * created changelog * security-policy needs the iam:ListAccountAliases for this module to work * test now checks for the added field account_alias * gracefully handle missing iam:ListAccountAliases permission 6 years ago			`"iam:ListUsers",`
			`"iam:ListAccountAliases"`
[cloud] Create ECS integration test suite (#33757) Tests for: * ecs_cluster * ecs_service * ecs_service_facts * ecs_taskdefinition * ecs_taskdefinition_facts * Add idempotency testing Test ecs_cluster, ecs_service and ecs_taskdefinition for trivial idempotency. Add FIXMEs to the tests because the latter two fail. Remove unused dependencies 7 years ago			`],`
			`"Resource": "*",`
			`"Effect": "Allow",`
			`"Sid": "AllowReadOnlyIAMUse"`
Add new aws_waf_condition module (#33110) 7 years ago			`},`
			`{`
			`"Sid": "AllowWAFusage",`
			`"Action": "waf:*",`
			`"Effect": "Allow",`
			`"Resource": "*"`
[AWS] ses rule set module for inbound email processing (#42781) * Add module ses_rule_set for Amazon SES * Update behaviours and naming to be consistent with other aws_ses_ modules. * Add global lock around tests using active rule sets to prevent intermittent test failures. * Fix deletion of rule sets so that we don't inactivate the active rule set when force deleting an inactive rule set. 6 years ago			`},`
			`{`
			`"Sid": "AllowListingCloudwatchLogs",`
			`"Effect": "Allow",`
			`"Action": [`
			`"logs:DescribeLogGroups"`
			`],`
			`"Resource": [`
			`"arn:aws:logs:{{aws_region}}:{{aws_account}}:log-group:*"`
			`]`
			`},`
			`{`
			`"Sid": "AllowModifyingCloudwatchLogs",`
			`"Effect": "Allow",`
			`"Action": [`
			`"logs:CreateLogGroup",`
			`"logs:PutRetentionPolicy",`
			`"logs:DeleteLogGroup"`
			`],`
			`"Resource": [`
			`"arn:aws:logs:{{aws_region}}:{{aws_account}}:log-group:ansible-testing*"`
			`]`
[cloud] Create ECS integration test suite (#33757) Tests for: * ecs_cluster * ecs_service * ecs_service_facts * ecs_taskdefinition * ecs_taskdefinition_facts * Add idempotency testing Test ecs_cluster, ecs_service and ecs_taskdefinition for trivial idempotency. Add FIXMEs to the tests because the latter two fail. Remove unused dependencies 7 years ago			`}`
			`]`
			`}`