Amazon Web Services (AWS)¶
There are two users:
An operational user, used by the application
An administrative user, used by consultants
CloudWatch¶
Safe permissions¶
Only the administrative user has these.
cloudwatch:ListMetrics
cloudwatch:GetMetricData
CloudWatch Logs¶
Only the administrative user has these. This builds on the IAM policy example; permissions marked (added) are not in that example:
Log groups
logs:CreateLogGroup (added)
logs:DescribeLogGroups
logs:DeleteLogGroup (added)
Log streams
logs:CreateLogStream
logs:DescribeLogStreams (added)
logs:DeleteLogStream (added)
Log deliveries
logs:CreateLogDelivery
logs:ListLogDeliveries
logs:GetLogDelivery
logs:UpdateLogDelivery
logs:DeleteLogDelivery
Log events
logs:PutLogEvents
logs:GetLogEvents (added)
logs:FilterLogEvents (added)
Resource policies
logs:PutResourcePolicy
logs:DescribeResourcePolicies
logs:DeleteResourcePolicy (added)
Cognito¶
The operational user has access to the development and production user pools. The administrative user has access to the development user pool only. All permissions are unsafe.
cognito-idp:AdminCreateUser
cognito-idp:AdminSetUserPassword
cognito-idp:AdminResetUserPassword
cognito-idp:AdminUpdateUserAttributes
cognito-idp:AdminInitiateAuth
cognito-idp:AdminUserGlobalSignOut
Simple Email Service (SES)¶
Configuration sets¶
Only the administrative user has these.
Safe permissions¶
ses:ListConfigurationSets
ses:GetConfigurationSet
ses:GetConfigurationSetEventDestinations
Unsafe permissions¶
This follows the AWS guide "Monitor email sending using Amazon SES event publishing":
Configuration sets (Step 1)
ses:CreateConfigurationSet
ses:DeleteConfigurationSet (added)
ses:TagResource (added, required to create a configuration set)
Event destinations (Step 2, which links to the required permissions)
ses:CreateConfigurationSetEventDestination
ses:UpdateConfigurationSetEventDestination
ses:DeleteConfigurationSetEventDestination
Templates¶
Safe permissions¶
Both users have:
ses:ListTemplates
ses:GetTemplate
ses:TestRenderTemplate
Unsafe permissions¶
Only the administrative user has:
ses:CreateTemplate
ses:UpdateTemplate
ses:DeleteTemplate
Sending¶
Unsafe permissions¶
Both users have:
ses:SendEmail
ses:SendRawEmail
Both users also have these, which are constrained to credere-* templates, the credere configuration set and the credere@noreply.open-contracting.org identity:
ses:SendTemplatedEmail
ses:SendBulkTemplatedEmail
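To make the split between the two users checkable, here is an added Python example (not the project's own IAM configuration) that builds both policy documents from the action lists on this page and verifies the invariants the page states: the operational user gets none of the administrative-only actions, the administrative user's Cognito access excludes the production pool, and the templated-send actions are never granted on `*`. The region, account ID, user pool IDs and statement `Sid`s are placeholders; the SES resource ARN layouts (`template/`, `configuration-set/`, `identity/`) are assumptions to confirm against the SES service authorization reference before use.

```python
"""Build and check the IAM policies described on this page.

Added example, not the project's own configuration. Region, account ID,
user pool IDs, Sids and the SES ARN layouts are placeholders/assumptions.
"""
import fnmatch
import json

REGION = "eu-central-1"      # assumption
ACCOUNT = "123456789012"     # placeholder account ID
USER_POOLS = {               # placeholder Cognito user pool IDs
    "development": "eu-central-1_devpool001",
    "production": "eu-central-1_prodpool01",
}


def arn(service, resource):
    return f"arn:aws:{service}:{REGION}:{ACCOUNT}:{resource}"


# Action lists transcribed from this page.
CLOUDWATCH_READ = ["cloudwatch:ListMetrics", "cloudwatch:GetMetricData"]
LOGS_ADMIN = [
    "logs:CreateLogGroup", "logs:DescribeLogGroups", "logs:DeleteLogGroup",
    "logs:CreateLogStream", "logs:DescribeLogStreams", "logs:DeleteLogStream",
    "logs:CreateLogDelivery", "logs:ListLogDeliveries", "logs:GetLogDelivery",
    "logs:UpdateLogDelivery", "logs:DeleteLogDelivery",
    "logs:PutLogEvents", "logs:GetLogEvents", "logs:FilterLogEvents",
    "logs:PutResourcePolicy", "logs:DescribeResourcePolicies", "logs:DeleteResourcePolicy",
]
COGNITO_ADMIN = [
    "cognito-idp:AdminCreateUser", "cognito-idp:AdminSetUserPassword",
    "cognito-idp:AdminResetUserPassword", "cognito-idp:AdminUpdateUserAttributes",
    "cognito-idp:AdminInitiateAuth", "cognito-idp:AdminUserGlobalSignOut",
]
SES_CONFIGSET_READ = ["ses:ListConfigurationSets", "ses:GetConfigurationSet",
                      "ses:GetConfigurationSetEventDestinations"]
SES_CONFIGSET_WRITE = ["ses:CreateConfigurationSet", "ses:DeleteConfigurationSet", "ses:TagResource",
                       "ses:CreateConfigurationSetEventDestination",
                       "ses:UpdateConfigurationSetEventDestination",
                       "ses:DeleteConfigurationSetEventDestination"]
SES_TEMPLATE_READ = ["ses:ListTemplates", "ses:GetTemplate", "ses:TestRenderTemplate"]
SES_TEMPLATE_WRITE = ["ses:CreateTemplate", "ses:UpdateTemplate", "ses:DeleteTemplate"]
SES_SEND = ["ses:SendEmail", "ses:SendRawEmail"]
SES_SEND_TEMPLATED = ["ses:SendTemplatedEmail", "ses:SendBulkTemplatedEmail"]

# Resource-level constraint for the templated-send actions (ARN layouts assumed).
CREDERE_SEND_RESOURCES = [
    arn("ses", "template/credere-*"),
    arn("ses", "configuration-set/credere"),
    arn("ses", "identity/credere@noreply.open-contracting.org"),
]


def allow(sid, actions, resources="*"):
    return {"Sid": sid, "Effect": "Allow", "Action": list(actions), "Resource": resources}


def cognito_statement(pool_names):
    return allow("CognitoAdmin", COGNITO_ADMIN,
                 [arn("cognito-idp", f"userpool/{USER_POOLS[n]}") for n in pool_names])


def operational_policy():
    return {"Version": "2012-10-17", "Statement": [
        cognito_statement(["development", "production"]),
        allow("SesTemplateRead", SES_TEMPLATE_READ),
        allow("SesSend", SES_SEND),  # the page lists no constraint for these
        allow("SesSendCredereTemplates", SES_SEND_TEMPLATED, CREDERE_SEND_RESOURCES),
    ]}


def administrative_policy():
    return {"Version": "2012-10-17", "Statement": [
        allow("CloudWatchRead", CLOUDWATCH_READ),
        allow("LogsAdmin", LOGS_ADMIN),
        cognito_statement(["development"]),
        allow("SesConfigSetRead", SES_CONFIGSET_READ),
        allow("SesConfigSetWrite", SES_CONFIGSET_WRITE),
        allow("SesTemplateRead", SES_TEMPLATE_READ),
        allow("SesTemplateWrite", SES_TEMPLATE_WRITE),
        allow("SesSend", SES_SEND),
        allow("SesSendCredereTemplates", SES_SEND_TEMPLATED, CREDERE_SEND_RESOURCES),
    ]}


def allowed_resources(policy, action):
    """Resources on which `action` is allowed; honours wildcards in Action
    patterns (IAM itself also matches case-insensitively; this compares as written)."""
    out = []
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        acts = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if any(fnmatch.fnmatchcase(action, pattern) for pattern in acts):
            res = st["Resource"]
            out.extend(res if isinstance(res, list) else [res])
    return out


def violations(policy, must_not_allow, must_be_scoped):
    """Return (actions granted that must not be, actions granted on '*' that must be scoped)."""
    granted = [a for a in must_not_allow if allowed_resources(policy, a)]
    unscoped = [a for a in must_be_scoped if "*" in allowed_resources(policy, a)]
    return granted, unscoped


if __name__ == "__main__":
    print(json.dumps(operational_policy(), indent=2))
```

Running the module prints the operational policy as JSON. Note that `violations(operational_policy(), [], SES_SEND)` reports `ses:SendEmail` and `ses:SendRawEmail` as unscoped: this page attaches the identity, template and configuration-set constraint only to the templated-send actions, so the plain send actions are granted on `*`, which allows sending from any verified identity in the account; the same identity ARN can be applied to them if that is not intended. The real policies attached in the account can be exercised the same way with `aws iam simulate-principal-policy`.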