IAM Policies
IAM policies and permissions used by the project.
Principle: Least Privilege
Grant each principal (function role, CI role, human user) only the actions it needs, on only the resources it needs, and nothing more. Every `*` in an Action or Resource is an exception to this rule and has to be justified when the policy is reviewed.
Lambda Execution Roles
Basic Lambda Role
```yaml
Resources:
  UserFunctionRole:
    Type: AWS::IAM::Role
    Properties:
      # Trust policy: only the Lambda service may assume this role.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      # Write access to CloudWatch Logs (CreateLogGroup, CreateLogStream, PutLogEvents).
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: DatabaseAccess
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - secretsmanager:GetSecretValue
                # !Ref on an AWS::SecretsManager::Secret returns its ARN, so the
                # statement is scoped to the single secret this function reads.
                Resource: !Ref DatabaseSecret
```
SAM Policy Templates
Each SAM policy template expands to a statement scoped to the one resource named in it, which keeps resource ARNs out of hand-written policy documents.
```yaml
UserFunction:
  Type: AWS::Serverless::Function
  Properties:
    Policies:
      # Secrets Manager
      - AWSSecretsManagerGetSecretValuePolicy:
          SecretArn: !Ref DatabaseSecret
      # DynamoDB
      - DynamoDBCrudPolicy:
          TableName: !Ref UsersTable
      # SQS
      - SQSSendMessagePolicy:
          QueueName: !GetAtt EventsQueue.QueueName
      # S3
      - S3CrudPolicy:
          BucketName: !Ref UploadsBucket
      # SNS
      - SNSPublishMessagePolicy:
          TopicName: !GetAtt UpdatesTopic.TopicName
      # Custom policy (inline statement). rds:CreateDBSnapshot supports
      # resource-level permissions, so replace '*' with the DB instance and
      # snapshot ARNs once the database is part of the stack.
      - Statement:
          - Effect: Allow
            Action:
              - rds:CreateDBSnapshot
            Resource: '*'
```
GitHub Actions Role
For CI/CD through OIDC federation (GitHub exchanges a short-lived identity token for AWS credentials, so no access keys are stored in the repository):
```yaml
GitHubActionsRole:
  Type: AWS::IAM::Role
  Properties:
    RoleName: GitHubActionsDeployRole
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            Federated: !Sub 'arn:aws:iam::${AWS::AccountId}:oidc-provider/token.actions.githubusercontent.com'
          Action: sts:AssumeRoleWithWebIdentity
          Condition:
            StringEquals:
              token.actions.githubusercontent.com:aud: sts.amazonaws.com
            # 'repo:<org>/<repo>:*' matches every branch, tag and pull request of the
            # repository. Pin production deploys to a ref or a GitHub environment, e.g.
            # 'repo:seu-org/backend-api:ref:refs/heads/main' or
            # 'repo:seu-org/backend-api:environment:production'.
            StringLike:
              token.actions.githubusercontent.com:sub: 'repo:seu-org/backend-api:*'
    Policies:
      - PolicyName: DeploymentPermissions
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            # Service-wide wildcards are least-privilege debt: replace them with the
            # actions the deployment actually calls (CloudTrail shows which, see Audit).
            - Effect: Allow
              Action:
                - cloudformation:*
                - s3:*
                - lambda:*
                - apigateway:*
                - iam:GetRole
                - logs:*
                - rds:CreateDBSnapshot
              Resource: '*'
            # iam:PassRole on '*' with no condition lets the pipeline attach any role in
            # the account, including administrative ones, to a function. Pin the services
            # that may receive a passed role, and scope Resource to the execution roles'
            # ARNs once they are known.
            - Effect: Allow
              Action: iam:PassRole
              Resource: '*'
              Condition:
                StringEquals:
                  iam:PassedToService:
                    - lambda.amazonaws.com
                    - cloudformation.amazonaws.com
```
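The wildcards in DeploymentPermissions are easy to spot by eye once, but they creep back in with every "quick fix" to a failing pipeline. The linter below is an added example (not part of the project's templates or tooling): it walks a policy document and flags the patterns that most often break least privilege, namely service-wide wildcards, `Resource: "*"` on mutating actions, `iam:PassRole` without an `iam:PassedToService` condition, and a GitHub OIDC trust policy whose `sub` claim ends in `:*`. The two sample documents are the deploy role from this page written out as plain JSON; the account id `123456789012` is a placeholder.

```python
import fnmatch

# Placeholder account id, only so the ARNs in the sample policies are well formed.
ACCOUNT_ID = "123456789012"
GITHUB_OIDC = "token.actions.githubusercontent.com"
READ_ONLY_VERBS = ("Get", "List", "Describe")


def _as_list(value):
    """IAM accepts a scalar or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_read_only(action):
    """lambda:GetFunction -> True; s3:PutObject, lambda:InvokeFunction, s3:* -> False."""
    return action.partition(":")[2].startswith(READ_ONLY_VERBS)


def lint_permissions(doc, name):
    """(severity, message) findings for an identity or inline policy document."""
    findings = []
    for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        where = f"{name}[{idx}]"
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        condition = stmt.get("Condition", {})
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(("high", f"{where}: NotAction/NotResource allows everything not listed"))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(("high", f"{where}: service-wide wildcard {action}"))
            elif "*" in action and not _is_read_only(action):
                findings.append(("medium", f"{where}: wildcard action {action}"))
            # PassRole on every role is a privilege-escalation primitive unless the
            # receiving service is pinned (or Resource names the execution roles).
            if fnmatch.fnmatchcase("iam:passrole", action.lower()) and "*" in resources:
                keys = {k for operator in condition.values() for k in operator}
                if "iam:PassedToService" not in keys:
                    findings.append(("high", f"{where}: iam:PassRole on '*' without iam:PassedToService"))
        mutating = [a for a in actions if "*" not in a and not _is_read_only(a)]
        if "*" in resources and mutating and not condition:
            findings.append(("medium", f"{where}: Resource '*' for {', '.join(mutating)}"))
    return findings


def lint_github_trust(doc, name):
    """Findings for a role trust policy that federates with GitHub Actions OIDC."""
    findings = []
    for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
        principal = stmt.get("Principal", {})
        federated = _as_list(principal.get("Federated")) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or not any(GITHUB_OIDC in f for f in federated):
            continue
        where = f"{name}[{idx}]"
        cond = stmt.get("Condition", {})
        if cond.get("StringEquals", {}).get(f"{GITHUB_OIDC}:aud") != "sts.amazonaws.com":
            findings.append(("high", f"{where}: aud is not pinned to sts.amazonaws.com"))
        subs = []
        for operator in ("StringEquals", "StringLike"):
            subs += _as_list(cond.get(operator, {}).get(f"{GITHUB_OIDC}:sub"))
        if not subs:
            findings.append(("high", f"{where}: no sub condition; any GitHub repository could assume the role"))
        for sub in subs:
            if sub.endswith(":*"):
                findings.append(("medium", f"{where}: sub '{sub}' matches every branch, tag and pull request"))
    return findings


# The GitHubActionsRole from this page as plain JSON (constructed sample input).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{GITHUB_OIDC}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {f"{GITHUB_OIDC}:aud": "sts.amazonaws.com"},
            "StringLike": {f"{GITHUB_OIDC}:sub": "repo:seu-org/backend-api:*"},
        },
    }],
}
DEPLOY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["cloudformation:*", "s3:*", "lambda:*", "apigateway:*",
                   "iam:GetRole", "iam:PassRole", "logs:*", "rds:CreateDBSnapshot"],
        "Resource": "*",
    }],
}


def lint_github_actions_role():
    """All findings for the deploy role: 6 high, 2 medium for the policies above."""
    return (lint_permissions(DEPLOY_POLICY, "DeploymentPermissions")
            + lint_github_trust(TRUST_POLICY, "AssumeRolePolicyDocument"))


if __name__ == "__main__":
    for severity, message in lint_github_actions_role():
        print(f"[{severity}] {message}")
```

The read-only heuristic (`Get`/`List`/`Describe` prefixes) is deliberately simple; `Resource: "*"` is legitimate for list and describe calls that have no resource-level permissions, which is why only mutating actions on `*` are reported.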
User Permissions
Developer
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "lambda:GetFunction",
        "lambda:ListFunctions",
        "lambda:InvokeFunction",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:GetLogEvents",
        "logs:FilterLogEvents",
        "cloudformation:DescribeStacks",
        "cloudformation:DescribeStackResources"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::app-*-staging/*"
    }
  ]
}
```
`lambda:InvokeFunction` on `"*"` lets a developer invoke production functions as well as staging ones. Scope it to the staging functions' ARNs the same way the S3 statement is scoped to the `app-*-staging` buckets; the list and describe actions can keep `"*"` because they have no resource-level permissions.
Admin (Read-only Production)
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:Get*",
        "cloudwatch:Describe*",
        "cloudwatch:List*",
        "logs:Get*",
        "logs:Describe*",
        "logs:FilterLogEvents",
        "lambda:Get*",
        "lambda:List*",
        "rds:Describe*"
      ],
      "Resource": "*"
    }
  ]
}
```
Read-only means no mutating actions, not no sensitive data: `logs:Get*` and `logs:FilterLogEvents` expose everything the functions write to their logs, so secrets and personal data must never be logged in production.
Service Control Policies (SCPs)
Prevent Public S3 Buckets
The intent is to stop anyone in a member account from switching Block Public Access off. A Deny conditioned on `s3:BlockPublicAcls` cannot do that: IAM exposes no condition key for the values in a PutPublicAccessBlock request, so that key is never present in the request context, a Bool condition on an absent key evaluates to false, and the Deny never applies. Deny the account-level action outright instead, with an exception for a single break-glass role (the role name below is a placeholder). S3 applies the most restrictive combination of the account-level and bucket-level settings, so once the account-level block is on, the bucket-level action does not need to be denied; denying it would also break templates that set `PublicAccessBlockConfiguration` on their buckets.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyDisablingAccountBlockPublicAccess",
      "Effect": "Deny",
      "Action": "s3:PutAccountPublicAccessBlock",
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/SecurityBreakGlass"
        }
      }
    }
  ]
}
```
SCPs only filter what principals in member accounts may do; they grant nothing, and they do not apply to the organization's management account. Enable account-level Block Public Access in every member account first, then attach the SCP so that it stays on.
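Both the trust policy of GitHubActionsRole and this SCP stand or fall on how IAM evaluates a `Condition` block, in particular when the key is absent from the request context. The model below is an added example, a deliberately small subset of IAM's evaluation logic and not the AWS engine: it implements `StringEquals`, `StringLike`/`ArnLike` and `Bool` with the missing-key rule (absent key: positive operator false, negated `...Not...` operator true), then shows that a Deny conditioned on a key the request never carries is a no-op, that the `ArnNotLike` break-glass version denies everyone except the named role, and that a `sub` pattern ending in `:*` admits any branch of the repository. Account id, role names and branch names are placeholders.

```python
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _operator_matches(operator, context_value, policy_values):
    """One non-negated condition operator against one request-context value."""
    if operator == "StringEquals":
        return any(context_value == v for v in policy_values)
    if operator == "Bool":
        return any(str(context_value).lower() == str(v).lower() for v in policy_values)
    if operator in ("StringLike", "ArnLike"):  # '*' and '?' wildcards
        return any(fnmatch.fnmatchcase(context_value, v) for v in policy_values)
    raise ValueError(f"operator {operator} is not modelled")


def condition_matches(condition, context):
    """Operators and keys are AND-ed; the values listed for one key are OR-ed.
    A key absent from the request context makes a positive operator false and a
    negated operator (StringNotEquals, ArnNotLike, ...) true."""
    for operator, keys in condition.items():
        negated = "Not" in operator
        base = operator.replace("Not", "", 1)
        for key, values in keys.items():
            if key not in context:
                matched = negated
            else:
                matched = _operator_matches(base, context[key], _as_list(values))
                matched = (not matched) if negated else matched
            if not matched:
                return False
    return True


def _action_matches(stmt, action):
    return any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"]))


def scp_denies(scp, action, context):
    """True if any Deny statement of the SCP applies to this request."""
    return any(stmt["Effect"] == "Deny" and _action_matches(stmt, action)
               and condition_matches(stmt.get("Condition", {}), context)
               for stmt in scp["Statement"])


def trust_allows(trust_policy, claims):
    """True if an Allow statement lets a web-identity token with these claims assume the role."""
    return any(stmt["Effect"] == "Allow" and _action_matches(stmt, "sts:AssumeRoleWithWebIdentity")
               and condition_matches(stmt.get("Condition", {}), claims)
               for stmt in trust_policy["Statement"])


PUBLIC_BLOCK_ACTIONS = ["s3:PutBucketPublicAccessBlock", "s3:PutAccountPublicAccessBlock"]
# Deny conditioned on a key that is never in the request context (the ineffective form).
CONDITIONED_SCP = {"Statement": [{"Effect": "Deny", "Action": PUBLIC_BLOCK_ACTIONS, "Resource": "*",
                                  "Condition": {"Bool": {"s3:BlockPublicAcls": "false"}}}]}
# Deny for everyone except a break-glass role (role name is a placeholder).
BREAK_GLASS_SCP = {"Statement": [{"Effect": "Deny", "Action": "s3:PutAccountPublicAccessBlock", "Resource": "*",
                                  "Condition": {"ArnNotLike": {"aws:PrincipalArn": "arn:aws:iam::*:role/SecurityBreakGlass"}}}]}
DEVELOPER = {"aws:PrincipalArn": "arn:aws:iam::123456789012:role/DeveloperRole"}
BREAK_GLASS = {"aws:PrincipalArn": "arn:aws:iam::123456789012:role/SecurityBreakGlass"}

OIDC = "token.actions.githubusercontent.com"


def github_trust(sub_pattern):
    """Trust policy in the shape of GitHubActionsRole, parameterised by the sub pattern."""
    return {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
                           "Condition": {"StringEquals": {f"{OIDC}:aud": "sts.amazonaws.com"},
                                         "StringLike": {f"{OIDC}:sub": sub_pattern}}}]}


def github_claims(sub):
    """Request context derived from a GitHub OIDC token (constructed)."""
    return {f"{OIDC}:aud": "sts.amazonaws.com", f"{OIDC}:sub": sub}


def demo():
    action = "s3:PutAccountPublicAccessBlock"
    wildcard = github_trust("repo:seu-org/backend-api:*")
    pinned = github_trust("repo:seu-org/backend-api:ref:refs/heads/main")
    feature = github_claims("repo:seu-org/backend-api:ref:refs/heads/feature-x")
    main = github_claims("repo:seu-org/backend-api:ref:refs/heads/main")
    other_repo = github_claims("repo:other-org/backend-api:ref:refs/heads/main")
    return {
        "conditioned_scp_blocks_developer": scp_denies(CONDITIONED_SCP, action, DEVELOPER),  # False
        "break_glass_scp_blocks_developer": scp_denies(BREAK_GLASS_SCP, action, DEVELOPER),  # True
        "break_glass_scp_blocks_break_glass": scp_denies(BREAK_GLASS_SCP, action, BREAK_GLASS),  # False
        "wildcard_sub_admits_feature_branch": trust_allows(wildcard, feature),  # True
        "pinned_sub_admits_feature_branch": trust_allows(pinned, feature),  # False
        "pinned_sub_admits_main": trust_allows(pinned, main),  # True
        "wildcard_sub_admits_other_repo": trust_allows(wildcard, other_repo),  # False
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The same missing-key rule is why `StringNotEquals`/`ArnNotLike` Denies in SCPs are dangerous without an `aws:PrincipalArn`-style key that every request carries: a negated operator on an absent key matches, and the Deny fires for everything.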
Audit
CloudTrail
- Management-plane API calls are recorded in every account; data events (S3 GetObject/PutObject, Lambda Invoke) are only recorded if the trail enables them explicitly
- Retention: the console event history keeps 90 days
- Deliver the trail to an S3 bucket for long-term retention (ideally in a separate log-archive account where workload roles have no write access) and to CloudWatch Logs for alerting
Access Analyzer
- External-access findings: resources (buckets, roles, KMS keys, secrets, ...) whose policies grant access to principals outside the account or the organization
- Policy checks: validation of a policy before it is deployed, and policy generation, which proposes a least-privilege policy from a role's CloudTrail activity
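CloudTrail is also the raw material for tightening the policies on this page, which is what Access Analyzer's policy generation automates. The added example below (not project code, and much simpler than Access Analyzer) does the same offline: it maps each record to the IAM action that authorised it, groups the actions by the assumed role, then diffs them against what the role was granted to report unused grants and wildcards that could be narrowed. The records and the granted policy are constructed; the event-name-to-action table is partial and is an assumption adequate for these records, since real mappings are not always one-to-one.

```python
import fnmatch
import json
import re
from collections import defaultdict

# Where eventSource / eventName differ from the IAM service prefix / action name.
# Partial tables (assumption): enough for the sample records below.
SERVICE_PREFIX = {"monitoring.amazonaws.com": "cloudwatch"}
ACTION_NAME = {"lambda:Invoke": "lambda:InvokeFunction", "s3:HeadObject": "s3:GetObject"}
API_VERSION_SUFFIX = re.compile(r"\d{8}(v\d+)?$")  # GetFunction20150331v2 -> GetFunction


def action_from_record(record):
    """IAM action that a CloudTrail record was authorised by."""
    source = record["eventSource"]
    prefix = SERVICE_PREFIX.get(source, source.split(".")[0])
    action = f"{prefix}:{API_VERSION_SUFFIX.sub('', record['eventName'])}"
    return ACTION_NAME.get(action, action)


def role_of(record):
    """ARN of the IAM role behind an assumed-role session (None for users and root)."""
    identity = record["userIdentity"]
    if identity.get("type") != "AssumedRole":
        return None
    return identity["sessionContext"]["sessionIssuer"]["arn"]


def used_actions(records):
    """role ARN -> {action: set of resource ARNs touched ('*' when the record names none)}."""
    used = defaultdict(lambda: defaultdict(set))
    for record in records:
        role = role_of(record)
        if role is None or record.get("errorCode"):  # failed calls were not authorised
            continue
        arns = {r["ARN"] for r in record.get("resources", [])} or {"*"}
        used[role][action_from_record(record)] |= arns
    return used


def _granted(policy):
    return [a for stmt in policy["Statement"] if stmt["Effect"] == "Allow"
            for a in (stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]])]


def grant_review(policy, actions_used):
    """(grants never used, wildcard grants with the concrete actions that would replace them)."""
    unused, narrowable = [], {}
    for grant in _granted(policy):
        covered = sorted(u for u in actions_used if fnmatch.fnmatchcase(u.lower(), grant.lower()))
        if not covered:
            unused.append(grant)
        elif "*" in grant:
            narrowable[grant] = covered
    return unused, narrowable


def minimal_policy(actions_used):
    """One Allow statement per observed action, scoped to the resources actually touched."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": action, "Resource": sorted(arns)}
                          for action, arns in sorted(actions_used.items())]}


# Constructed CloudTrail records for the Lambda role UserFunctionRole (placeholder account).
ROLE_ARN = "arn:aws:iam::123456789012:role/UserFunctionRole"
USERS_TABLE = "arn:aws:dynamodb:us-east-1:123456789012:table/Users"


def _record(source, name, resources=(), error=None):
    rec = {"eventSource": source, "eventName": name,
           "userIdentity": {"type": "AssumedRole",
                            "sessionContext": {"sessionIssuer": {"arn": ROLE_ARN}}},
           "resources": [{"ARN": arn} for arn in resources]}
    if error:
        rec["errorCode"] = error
    return rec


SAMPLE_RECORDS = [
    _record("secretsmanager.amazonaws.com", "GetSecretValue",
            ["arn:aws:secretsmanager:us-east-1:123456789012:secret:db-credentials-AbCdEf"]),
    _record("dynamodb.amazonaws.com", "GetItem", [USERS_TABLE]),
    _record("dynamodb.amazonaws.com", "PutItem", [USERS_TABLE]),
    _record("dynamodb.amazonaws.com", "GetItem", [USERS_TABLE]),
    _record("lambda.amazonaws.com", "GetFunction20150331v2", error="AccessDeniedException"),
]
# What the role was granted (constructed, deliberately broader than the usage above).
GRANTED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["dynamodb:*", "s3:*", "secretsmanager:GetSecretValue"],
     "Resource": "*"}]}


def least_privilege_report():
    usage = used_actions(SAMPLE_RECORDS)[ROLE_ARN]
    unused, narrowable = grant_review(GRANTED, usage)
    return {"used": sorted(usage), "unused": unused, "narrowable": narrowable,
            "policy": minimal_policy(usage)}


if __name__ == "__main__":
    print(json.dumps(least_privilege_report(), indent=2))
```

Records with an `errorCode` are skipped on purpose: an AccessDenied entry shows what a role tried, not what it was authorised to do, and those entries are the ones to investigate rather than to grant automatically. Apply the resulting policy only after a long enough observation window (the role's rare code paths, such as the `rds:CreateDBSnapshot` used by a scheduled job, must have run at least once).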
Best Practices
- ✅ Least privilege, always
- ✅ Use roles (and OIDC federation for CI), not long-lived access keys
- ✅ MFA for every human identity
- ✅ Rotate any credential that cannot be replaced by a role
- ✅ Audit regularly (CloudTrail, Access Analyzer)
- ❌ Never use the root account for day-to-day work
- ❌ Never share credentials