Add permissions for services:
memoryDB
qbusiness
resourcegroups
servicecatalogappregistry
oam
clouddirectory
cost-optimization-hub
budgets
billingconsole
LMAX-iwnf committed Jan 31, 2025
1 parent 664dfaa commit e215409
Showing 2 changed files with 264 additions and 22 deletions.
98 changes: 97 additions & 1 deletion README.md
Expand Up @@ -144,6 +144,7 @@ The audit policy is comprised of the following permissions:
| | ses:ListRecommendations | |
| | ses:ListSuppressedDestinations | |
| | ses:GetSuppressedDestination | |
| | ses:ListTagsForResource | |
| BACKUP | backup:ListBackupJobs | * |
| | backup:DescribeBackupJob | |
| | backup:ListBackupPlanTemplates | |
Expand All @@ -168,6 +169,7 @@ The audit policy is comprised of the following permissions:
| | backup:ListRecoveryPointsByResource | |
| | backup:ListReportPlans | |
| | backup:ListRestoreJobs | |
| | backup:ListTags | |
| COGNITO-IDP | cognito-idp:GetSigningCertificate | |
| | cognito-idp:GetCSVHeader | |
| | cognito-idp:GetUserPoolMfaConfig | |
Expand Down Expand Up @@ -198,6 +200,7 @@ The audit policy is comprised of the following permissions:
| | aps:DescribeWorkspace | |
| | aps:ListRuleGroupsNamespaces | |
| | aps:DescribeRuleGroupsNamespace | |
| | aps:ListTagsForResource | |
| APPSTREAM | appstream:Describe* | |
| | appstream:List* | |
| PERSONALIZE | personalize:Describe* | |
Expand All @@ -215,11 +218,104 @@ The audit policy is comprised of the following permissions:
| | codeartifact:ListPackageVersionDependencies | |
| | codeartifact:ListPackageVersionAssets | |
| | codeartifact:GetPackageVersionAsset | |
| | codeartifact:ListTagsForResource | |
| FIS | fis:ListActions | * |
| | fis:GetAction | |
| | fis:ListExperimentTemplates | |
| | fis:GetExperimentTemplate | |
| | fis:ListTargetAccountConfigurations | |
| | fis:ListExperiments | |
| | fis:GetExperiment | |
| | fis:ListExperimentResolvedTargets | |
| | fis:ListExperimentResolvedTargets | |
| MEMORYDB | memorydb:DescribeMultiRegionClusters | * |
| | memorydb:DescribeSnapshots | |
| | memorydb:DescribeSubnetGroups | |
| | memorydb:DescribeParameterGroups | |
| | memorydb:DescribeParameters | |
| | memorydb:DescribeUsers | |
| | memorydb:DescribeACLs | |
| | memorydb:DescribeServiceUpdates | |
| | memorydb:DescribeEngineVersions | |
| | memorydb:DescribeReservedNodes | |
| | memorydb:DescribeReservedNodesOfferings | |
| | memorydb:ListTags | |
| | memorydb:ListAllowedNodeTypeUpdates | |
| | memorydb:ListAllowedMultiRegionClusterUpdates | |
| QBUSINESS | qbusiness:GetApplication | * |
| | qbusiness:GetChatControlsConfiguration | |
| | qbusiness:GetPolicy | |
| | qbusiness:ListAttachments | |
| | qbusiness:ListConversations | |
| | qbusiness:ListMessages | |
| | qbusiness:ListDataAccessors | |
| | qbusiness:GetDataAccessor | |
| | qbusiness:GetIndex | |
| | qbusiness:GetDataSource | |
| | qbusiness:GetPlugin | |
| | qbusiness:ListPluginActions | |
| | qbusiness:GetRetriever | |
| | qbusiness:GetWebExperience | |
| | qbusiness:ListPluginTypeMetadata | |
| | qbusiness:ListPluginTypeActions | |
| RESOURCEGROUPS | resource-groups:ListGroups | * |
| | resource-groups:GetGroupQuery | |
| | resource-groups:GetGroupConfiguration | |
| SERVICECATALOGAPPREGISTRY | servicecatalog:GetApplication | * |
| | servicecatalog:ListApplications | |
| | servicecatalog:GetAssociatedResource | |
| | servicecatalog:ListAssociatedResources | |
| | servicecatalog:ListAssociatedAttributeGroups | |
| | servicecatalog:GetAttributeGroup | |
| | servicecatalog:ListAttributeGroups | |
| | servicecatalog:ListTagsForResource | |
| | servicecatalog:ListAttributeGroupsForApplication | |
| | servicecatalog:GetConfiguration | |
| OAM | oam:GetLink | * |
| | oam:GetSink | |
| | oam:GetSinkPolicy | |
| | oam:ListAttachedLinks | |
| | oam:ListLinks | |
| | oam:ListSinks | |
| CLOUDDIRECTORY | clouddirectory:GetAppliedSchemaVersion | * |
| | clouddirectory:GetDirectory | |
| | clouddirectory:GetFacet | |
| | clouddirectory:GetLinkAttributes | |
| | clouddirectory:GetObjectAttributes | |
| | clouddirectory:GetObjectInformation | |
| | clouddirectory:GetSchemaAsJson | |
| | clouddirectory:GetTypedLinkFacetInformation | |
| | clouddirectory:ListAppliedSchemaArns | |
| | clouddirectory:ListAttachedIndices | |
| | clouddirectory:ListDevelopmentSchemaArns | |
| | clouddirectory:ListFacetAttributes | |
| | clouddirectory:ListFacetNames | |
| | clouddirectory:ListIncomingTypedLinks | |
| | clouddirectory:ListIndex | |
| | clouddirectory:ListManagedSchemaArns | |
| | clouddirectory:ListObjectAttributes | |
| | clouddirectory:ListObjectChildren | |
| | clouddirectory:ListObjectParentPaths | |
| | clouddirectory:ListObjectParents | |
| | clouddirectory:ListObjectPolicies | |
| | clouddirectory:ListOutgoingTypedLinks | |
| | clouddirectory:ListPolicyAttachments | |
| | clouddirectory:ListPublishedSchemaArns | |
| | clouddirectory:ListTagsForResource | |
| | clouddirectory:ListTypedLinkFacetAttributes | |
| | clouddirectory:ListTypedLinkFacetNames | |
| COSTOPTIMIZATIONHUB | cost-optimization-hub:GetPreferences | * |
| | cost-optimization-hub:GetRecommendation | |
| | cost-optimization-hub:ListEnrollmentStatuses | |
| | cost-optimization-hub:ListRecommendationSummaries | |
| | cost-optimization-hub:ListRecommendations | |
| BUDGETS | budgets:DescribeBudgetAction | * |
| | budgets:DescribeBudgetActionHistories | |
| | budgets:DescribeBudgetActionsForAccount | |
| | budgets:DescribeBudgetActionsForBudget | |
| | budgets:ListTagsForResource | |
| | budgets:ViewBudget | |
| BILLINGCONSOLE | aws-portal:GetConsoleActionSetEnforced | * |
| | aws-portal :ViewAccount | |
| | aws-portal :ViewBilling | |
| | aws-portal :ViewPaymentMethods | |
| | aws-portal :ViewUsage | |
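--- a/main.tf
+++ b/main.tf
@@ -251,6 +251,47 @@ data "aws_iam_policy_document" "lacework_audit_policy_2025_1" {
 count = var.use_existing_iam_role_policy ? 0 : 1
 version = "2012-10-17"
 
+statement {
+sid = "KINESISVIDEO"
+actions = ["kinesisvideo:GetSignalingChannelEndpoint",
+"kinesisvideo:GetDataEndpoint",
+"kinesisvideo:DescribeImageGenerationConfiguration",
+]
+resources = ["*"]
+}
+
+statement {
+sid = "AMP"
+actions = ["aps:ListScrapers",
+"aps:DescribeScraper",
+"aps:ListWorkspaces",
+"aps:DescribeAlertManagerDefinition",
+"aps:DescribeLoggingConfiguration",
+"aps:DescribeWorkspace",
+"aps:ListRuleGroupsNamespaces",
+"aps:DescribeRuleGroupsNamespace",
+"aps:ListTagsForResource",
+]
+resources = ["*"]
+}
+
+statement {
+sid = "APPSTREAM"
+actions = ["appstream:Describe*",
+"appstream:List*",
+]
+resources = ["*"]
+}
+
+statement {
+sid = "PERSONALIZE"
+actions = ["personalize:Describe*",
+"personalize:List*",
+"personalize:GetSolutionMetrics",
+]
+resources = ["*"]
+}
+
 statement {
 sid = "CODEARTIFACT"
 actions = ["codeartifact:ListDomains",
@@ -286,42 +327,147 @@ data "aws_iam_policy_document" "lacework_audit_policy_2025_1" {
 }
 
 statement {
-sid = "KINESISVIDEO"
-actions = ["kinesisvideo:GetSignalingChannelEndpoint",
-"kinesisvideo:GetDataEndpoint",
-"kinesisvideo:DescribeImageGenerationConfiguration",
+sid = "MEMORYDB"
+actions = ["memorydb:DescribeMultiRegionClusters",
+"memorydb:DescribeSnapshots",
+"memorydb:DescribeSubnetGroups",
+"memorydb:DescribeParameterGroups",
+"memorydb:DescribeParameters",
+"memorydb:DescribeUsers",
+"memorydb:DescribeACLs",
+"memorydb:DescribeServiceUpdates",
+"memorydb:DescribeEngineVersions",
+"memorydb:DescribeReservedNodes",
+"memorydb:DescribeReservedNodesOfferings",
+"memorydb:ListTags",
+"memorydb:ListAllowedNodeTypeUpdates",
+"memorydb:ListAllowedMultiRegionClusterUpdates",
 ]
 resources = ["*"]
 }
 
 statement {
-sid = "AMP"
-actions = ["aps:ListScrapers",
-"aps:DescribeScraper",
-"aps:ListWorkspaces",
-"aps:DescribeAlertManagerDefinition",
-"aps:DescribeLoggingConfiguration",
-"aps:DescribeWorkspace",
-"aps:ListRuleGroupsNamespaces",
-"aps:DescribeRuleGroupsNamespace",
-"aps:ListTagsForResource",
+sid = "QBUSINESS"
+actions = ["qbusiness:GetApplication",
+"qbusiness:GetChatControlsConfiguration",
+"qbusiness:GetPolicy",
+"qbusiness:ListAttachments",
+"qbusiness:ListConversations",
+"qbusiness:ListMessages",
+"qbusiness:ListDataAccessors",
+"qbusiness:GetDataAccessor",
+"qbusiness:GetIndex",
+"qbusiness:GetDataSource",
+"qbusiness:GetPlugin",
+"qbusiness:ListPluginActions",
+"qbusiness:GetRetriever",
+"qbusiness:GetWebExperience",
+"qbusiness:ListPluginTypeMetadata",
+"qbusiness:ListPluginTypeActions",
 ]
 resources = ["*"]
 }
 
 statement {
-sid = "APPSTREAM"
-actions = ["appstream:Describe*",
-"appstream:List*",
+sid = "RESOURCEGROUPS"
+actions = ["resource-groups:ListGroups",
+"resource-groups:GetGroupQuery",
+"resource-groups:GetGroupConfiguration",
 ]
 resources = ["*"]
 }
 
 statement {
-sid = "PERSONALIZE"
-actions = ["personalize:Describe*",
-"personalize:List*",
-"personalize:GetSolutionMetrics",
+sid = "SERVICECATALOGAPPREGISTRY"
+actions = ["servicecatalog:GetApplication",
+"servicecatalog:ListApplications",
+"servicecatalog:GetAssociatedResource",
+"servicecatalog:ListAssociatedResources",
+"servicecatalog:ListAssociatedAttributeGroups",
+"servicecatalog:GetAttributeGroup",
+"servicecatalog:ListAttributeGroups",
+"servicecatalog:ListTagsForResource",
+"servicecatalog:ListAttributeGroupsForApplication",
+"servicecatalog:GetConfiguration"
 ]
 resources = ["*"]
 }
+
+statement {
+sid = "OAM"
+actions = ["oam:GetLink",
+"oam:GetSink",
+"oam:GetSinkPolicy",
+"oam:ListAttachedLinks",
+"oam:ListLinks",
+"oam:ListSinks",
+]
+resources = ["*"]
+}
+
+statement {
+sid = "CLOUDDIRECTORY"
+actions = ["clouddirectory:GetAppliedSchemaVersion",
+"clouddirectory:GetDirectory",
+"clouddirectory:GetFacet",
+"clouddirectory:GetLinkAttributes",
+"clouddirectory:GetObjectAttributes",
+"clouddirectory:GetObjectInformation",
+"clouddirectory:GetSchemaAsJson",
+"clouddirectory:GetTypedLinkFacetInformation",
+"clouddirectory:ListAppliedSchemaArns",
+"clouddirectory:ListAttachedIndices",
+"clouddirectory:ListDevelopmentSchemaArns",
+"clouddirectory:ListFacetAttributes",
+"clouddirectory:ListFacetNames",
+"clouddirectory:ListIncomingTypedLinks",
+"clouddirectory:ListIndex",
+"clouddirectory:ListManagedSchemaArns",
+"clouddirectory:ListObjectAttributes",
+"clouddirectory:ListObjectChildren",
+"clouddirectory:ListObjectParentPaths",
+"clouddirectory:ListObjectParents",
+"clouddirectory:ListObjectPolicies",
+"clouddirectory:ListOutgoingTypedLinks",
+"clouddirectory:ListPolicyAttachments",
+"clouddirectory:ListPublishedSchemaArns",
+"clouddirectory:ListTagsForResource",
+"clouddirectory:ListTypedLinkFacetAttributes",
+"clouddirectory:ListTypedLinkFacetNames",
+]
+resources = ["*"]
+}
+
+statement {
+sid = "COSTOPTIMIZATIONHUB"
+actions = ["cost-optimization-hub:GetPreferences",
+"cost-optimization-hub:GetRecommendation",
+"cost-optimization-hub:ListEnrollmentStatuses",
+"cost-optimization-hub:ListRecommendationSummaries",
+"cost-optimization-hub:ListRecommendations",
+]
+resources = ["*"]
+}
+
+statement {
+sid = "BUDGETS"
+actions = ["budgets:DescribeBudgetAction",
+"budgets:DescribeBudgetActionHistories",
+"budgets:DescribeBudgetActionsForAccount",
+"budgets:DescribeBudgetActionsForBudget",
+"budgets:ListTagsForResource",
+"budgets:ViewBudget",
+]
+resources = ["*"]
+}
+
+statement {
+sid = "BILLINGCONSOLE"
+actions = ["aws-portal:GetConsoleActionSetEnforced",
+"aws-portal:ViewAccount",
+"aws-portal:ViewBilling",
+"aws-portal:ViewPaymentMethods",
+"aws-portal:ViewUsage",
+]
+resources = ["*"]
+}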
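Review bot: The QBUSINESS statement grants `"qbusiness:ListConversations"`, `"qbusiness:ListMessages"` and `"qbusiness:ListAttachments"`, which read end-user chat content and uploaded attachments rather than the configuration metadata every other statement in this policy collects; unless the audit genuinely consumes conversation contents, drop those three lines so a leaked audit credential cannot exfiltrate user conversations, and the same question applies to `clouddirectory:GetObjectAttributes`, `ListObjectAttributes` and `GetLinkAttributes`, which return directory object data rather than schema. The BILLINGCONSOLE statement depends on the legacy `aws-portal:*` actions, which AWS has been replacing with fine-grained actions (`billing:*`, `payments:*`, `account:*` and similar) and which newer accounts may not honor, so consider adding the fine-grained equivalents alongside them after checking current AWS guidance. Every new statement uses `resources = ["*"]`, which is reasonable for List/Describe/Get actions, but a header comment on the data block such as `# Read-only audit permissions: every action below is List/Describe/Get/View; do not add mutating actions here.` would make the intent reviewable. The README mirror of this policy in the same commit still lists a spaced `aws-portal :ViewAccount` form and a duplicated `fis:ListExperimentResolvedTargets` row, so the two files currently disagree. The enclosing `data "aws_iam_policy_document" "lacework_audit_policy_2025_1"` block begins before this hunk.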
