Merge pull request #14 from architlatkar27/DWX-17678

roohisyeda · web-flow · commit e499810b0ea7 · 2024-04-25T09:06:13.000-07:00
DWX-17678: Add iam:TagRole to restricted mode
diff --git a/aws-iam-policies/docs/restricted-policy-doc-2.json5 b/aws-iam-policies/docs/restricted-policy-doc-2.json5
@@ -251,6 +251,20 @@
           "aws:CalledVia": "cloudformation.amazonaws.com"
         }
       }
+    },
+    {
+      "Sid": "TagRoleRestriction",
+      "Effect": "Allow",
+      "Action": [
+        // used by Cloudformation to tag EKSServiceRole and NodeInstanceRole
+        "iam:TagRole"
+      ],
+      "Resource": "*",
+      "Condition": {
+          "ForAnyValue:StringEquals": {
+            "aws:CalledVia": "cloudformation.amazonaws.com"
+          }
+      }
     }
   ]
 }

Original file line number	Diff line number	Diff line change
`@@ -251,6 +251,20 @@`
`251`	`251`	`"aws:CalledVia": "cloudformation.amazonaws.com"`
`252`	`252`	`}`
`253`	`253`	`}`
	`254`	`+ },`
	`255`	`+ {`
	`256`	`+ "Sid": "TagRoleRestriction",`
	`257`	`+ "Effect": "Allow",`
	`258`	`+ "Action": [`
	`259`	`+ // used by Cloudformation to tag EKSServiceRole and NodeInstanceRole`
	`260`	`+ "iam:TagRole"`
	`261`	`+ ],`
	`262`	`+ "Resource": "*",`
	`263`	`+ "Condition": {`
	`264`	`+ "ForAnyValue:StringEquals": {`
	`265`	`+ "aws:CalledVia": "cloudformation.amazonaws.com"`
	`266`	`+ }`
	`267`	`+ }`
`254`	`268`	`}`
`255`	`269`	`]`
`256`	`270`	`}`