in cdk/lib/amigo.ts [36:108]
/**
 * IAM policy attached to the AMIgo application role.
 *
 * Each statement is built by `allow` so the per-statement rationale stands
 * next to its actions. Order of the statements is preserved from the
 * original listing. All statements are ALLOW; several use the full action
 * namespace of a service (`dynamodb:*`, `sns:*`) scoped only by resource ARN,
 * so the stage-specific ARN patterns are the effective permission boundary.
 */
private get appPolicy(): Policy {
  // Small local factory: every statement in this policy is an ALLOW.
  const allow = (actions: string[], resources: string[]): PolicyStatement =>
    new PolicyStatement({ effect: Effect.ALLOW, actions, resources });

  // Read-only access to the data bucket so the packages installed during a
  // bake can be listed. See https://github.com/guardian/amigo/pull/395
  const readBakeArtifacts = allow(
    ["s3:GetObject"],
    [`${this.dataBucket.bucketArn}/*`]
  );

  // AMIgo uses DynamoDB as its data store and creates tables itself, hence
  // the wide `dynamodb:*`. ListTables cannot be resource-scoped, so it is
  // granted on "*" separately; everything else is confined to tables whose
  // name carries this stack's stage. See `app/data/Dynamo.scala`
  const listDynamoTables = allow(["dynamodb:ListTables"], ["*"]);
  const manageStageTables = allow(
    ["dynamodb:*"],
    [`arn:aws:dynamodb:*:*:table/amigo-${this.stage}-*`]
  );

  // Encrypted bakes need to discover topics; ListTopics is not
  // resource-scopable. See https://github.com/guardian/amigo/pull/164
  const listSnsTopics = allow(["sns:ListTopics"], ["*"]);

  // Full control over the two stage-specific topics used to trigger AMI
  // deletion (includes publish as well as topic administration).
  // See https://github.com/guardian/amigo/pull/193
  const manageNotifyTopics = allow(
    ["sns:*"],
    [
      `arn:aws:sns:*:*:amigo-${this.stage}-notify`,
      `arn:aws:sns:*:*:amigo-${this.stage}-housekeeping-notify`,
    ]
  );

  // Lets AMIgo rewrite the distribution bucket's policy so other accounts
  // can fetch the ImageCopier lambda artifact. PutBucketPolicy is the
  // permission that decides who may read that bucket, so this statement
  // deserves attention in any review of this policy.
  // NOTE(review): S3 bucket ARNs carry no account id; the "*" in the account
  // segment presumably matches the empty segment - confirm against deployed policy.
  const distributionBucketName =
    GuDistributionBucketParameter.getInstance(this).valueAsString;
  const editDistributionBucketPolicy = allow(
    ["s3:GetBucketPolicy", "s3:PutBucketPolicy"],
    [`arn:aws:s3::*:${distributionBucketName}`]
  );

  // Read the instance profile Packer launches bake instances with.
  // See https://github.com/guardian/amigo/pull/526
  const readPackerInstanceProfile = allow(
    ["iam:GetInstanceProfile"],
    [this.packerInstanceProfile.valueAsString]
  );

  return new Policy(this, "AppPolicy", {
    policyName: "app-policy",
    statements: [
      readBakeArtifacts,
      listDynamoTables,
      manageStageTables,
      listSnsTopics,
      manageNotifyTopics,
      editDistributionBucketPolicy,
      readPackerInstanceProfile,
    ],
  });
}