From e2154095631eb8c0aa0b27bd4056a0d9fcb59069 Mon Sep 17 00:00:00 2001
From: Max
Date: Thu, 30 Jan 2025 16:56:44 -0800
Subject: [PATCH] Add permissions for services: memoryDB qbusiness resourcegroups servicecatalogappregistry oam clouddirectory optimizationhub budgets billingconsole

---
 README.md | 98 +++++++++++++++++++++++++++-
 main.tf | 188 ++++++++++++++++++++++++++++++++++++++++++++++++------
 2 files changed, 264 insertions(+), 22 deletions(-)

diff --git a/README.md b/README.md
index d7d5a98..9ded790 100644
--- a/README.md
+++ b/README.md
@@ -144,6 +144,7 @@ The audit policy is comprised of the following permissions:
 | | ses:ListRecommendations | |
 | | ses:ListSuppressedDestinations | |
 | | ses:GetSuppressedDestination | |
+| | ses:ListTagsForResource | |
 | BACKUP | backup:ListBackupJobs | * |
 | | backup:DescribeBackupJob | |
 | | backup:ListBackupPlanTemplates | |
@@ -168,6 +169,7 @@ The audit policy is comprised of the following permissions:
 | | backup:ListRecoveryPointsByResource | |
 | | backup:ListReportPlans | |
 | | backup:ListRestoreJobs | |
+| | backup:ListTags | |
 | COGNITO-IDP | cognito-idp:GetSigningCertificate | |
 | | cognito-idp:GetCSVHeader | |
 | | cognito-idp:GetUserPoolMfaConfig | |
@@ -198,6 +200,7 @@ The audit policy is comprised of the following permissions:
 | | aps:DescribeWorkspace | |
 | | aps:ListRuleGroupsNamespaces | |
 | | aps:DescribeRuleGroupsNamespace | |
+| | aps:ListTagsForResource | |
 | APPSTREAM | appstream:Describe* | |
 | | appstream:List* | |
 | PERSONALIZE | personalize:Describe* | |
@@ -215,6 +218,7 @@ The audit policy is comprised of the following permissions:
 | | codeartifact:ListPackageVersionDependencies | |
 | | codeartifact:ListPackageVersionAssets | |
 | | codeartifact:GetPackageVersionAsset | |
+| | codeartifact:ListTagsForResource | |
 | FIS | fis:ListActions | * |
 | | fis:GetAction | |
 | | fis:ListExperimentTemplates | |
@@ -222,4 +226,96 @@ The audit policy is comprised of the following permissions:
 | | fis:ListTargetAccountConfigurations | |
 | | fis:ListExperiments | |
 | | fis:GetExperiment | |
-| | fis:ListExperimentResolvedTargets | |
\ No newline at end of file
+| | fis:ListExperimentResolvedTargets | |
+| MEMORYDB | memorydb:DescribeMultiRegionClusters | * |
+| | memorydb:DescribeSnapshots | |
+| | memorydb:DescribeSubnetGroups | |
+| | memorydb:DescribeParameterGroups | |
+| | memorydb:DescribeParameters | |
+| | memorydb:DescribeUsers | |
+| | memorydb:DescribeACLs | |
+| | memorydb:DescribeServiceUpdates | |
+| | memorydb:DescribeEngineVersions | |
+| | memorydb:DescribeReservedNodes | |
+| | memorydb:DescribeReservedNodesOfferings | |
+| | memorydb:ListTags | |
+| | memorydb:ListAllowedNodeTypeUpdates | |
+| | memorydb:ListAllowedMultiRegionClusterUpdates | |
+| QBUSINESS | qbusiness:GetApplication | * |
+| | qbusiness:GetChatControlsConfiguration | |
+| | qbusiness:GetPolicy | |
+| | qbusiness:ListAttachments | |
+| | qbusiness:ListConversations | |
+| | qbusiness:ListMessages | |
+| | qbusiness:ListDataAccessors | |
+| | qbusiness:GetDataAccessor | |
+| | qbusiness:GetIndex | |
+| | qbusiness:GetDataSource | |
+| | qbusiness:GetPlugin | |
+| | qbusiness:ListPluginActions | |
+| | qbusiness:GetRetriever | |
+| | qbusiness:GetWebExperience | |
+| | qbusiness:ListPluginTypeMetadata | |
+| | qbusiness:ListPluginTypeActions | |
+| RESOURCEGROUPS | resource-groups:ListGroups | * |
+| | resource-groups:GetGroupQuery | |
+| | resource-groups:GetGroupConfiguration | |
+| SERVICECATALOGAPPREGISTRY | servicecatalog:GetApplication | * |
+| | servicecatalog:ListApplications | |
+| | servicecatalog:GetAssociatedResource | |
+| | servicecatalog:ListAssociatedResources | |
+| | servicecatalog:ListAssociatedAttributeGroups | |
+| | servicecatalog:GetAttributeGroup | |
+| | servicecatalog:ListAttributeGroups | |
+| | servicecatalog:ListTagsForResource | |
+| | servicecatalog:ListAttributeGroupsForApplication | |
+| | servicecatalog:GetConfiguration | |
+| OAM | oam:GetLink | * |
+| | oam:GetSink | |
+| | oam:GetSinkPolicy | |
+| | oam:ListAttachedLinks | |
+| | oam:ListLinks | |
+| | oam:ListSinks | |
+| CLOUDDIRECTORY | clouddirectory:GetAppliedSchemaVersion | * |
+| | clouddirectory:GetDirectory | |
+| | clouddirectory:GetFacet | |
+| | clouddirectory:GetLinkAttributes | |
+| | clouddirectory:GetObjectAttributes | |
+| | clouddirectory:GetObjectInformation | |
+| | clouddirectory:GetSchemaAsJson | |
+| | clouddirectory:GetTypedLinkFacetInformation | |
+| | clouddirectory:ListAppliedSchemaArns | |
+| | clouddirectory:ListAttachedIndices | |
+| | clouddirectory:ListDevelopmentSchemaArns | |
+| | clouddirectory:ListFacetAttributes | |
+| | clouddirectory:ListFacetNames | |
+| | clouddirectory:ListIncomingTypedLinks | |
+| | clouddirectory:ListIndex | |
+| | clouddirectory:ListManagedSchemaArns | |
+| | clouddirectory:ListObjectAttributes | |
+| | clouddirectory:ListObjectChildren | |
+| | clouddirectory:ListObjectParentPaths | |
+| | clouddirectory:ListObjectParents | |
+| | clouddirectory:ListObjectPolicies | |
+| | clouddirectory:ListOutgoingTypedLinks | |
+| | clouddirectory:ListPolicyAttachments | |
+| | clouddirectory:ListPublishedSchemaArns | |
+| | clouddirectory:ListTagsForResource | |
+| | clouddirectory:ListTypedLinkFacetAttributes | |
+| | clouddirectory:ListTypedLinkFacetNames | |
+| COSTOPTIMIZATIONHUB | cost-optimization-hub:GetPreferences | * |
+| | cost-optimization-hub:GetRecommendation | |
+| | cost-optimization-hub:ListEnrollmentStatuses | |
+| | cost-optimization-hub:ListRecommendationSummaries | |
+| | cost-optimization-hub:ListRecommendations | |
+| BUDGETS | budgets:DescribeBudgetAction | * |
+| | budgets:DescribeBudgetActionHistories | |
+| | budgets:DescribeBudgetActionsForAccount | |
+| | budgets:DescribeBudgetActionsForBudget | |
+| | budgets:ListTagsForResource | |
+| | budgets:ViewBudget | |
+| BILLINGCONSOLE | aws-portal:GetConsoleActionSetEnforced | * |
+| | aws-portal :ViewAccount | |
+| | aws-portal :ViewBilling | |
+| | aws-portal :ViewPaymentMethods | |
+| | aws-portal :ViewUsage | |
\ No newline at end of file
diff --git a/main.tf b/main.tf
index c45f05f..6eb659e 100644
--- a/main.tf
+++ b/main.tf
@@ -251,6 +251,47 @@ data "aws_iam_policy_document" "lacework_audit_policy_2025_1" {
 count = var.use_existing_iam_role_policy ? 0 : 1
 version = "2012-10-17"
 
+ statement {
+ sid = "KINESISVIDEO"
+ actions = ["kinesisvideo:GetSignalingChannelEndpoint",
+ "kinesisvideo:GetDataEndpoint",
+ "kinesisvideo:DescribeImageGenerationConfiguration",
+ ]
+ resources = ["*"]
+ }
+
+ statement {
+ sid = "AMP"
+ actions = ["aps:ListScrapers",
+ "aps:DescribeScraper",
+ "aps:ListWorkspaces",
+ "aps:DescribeAlertManagerDefinition",
+ "aps:DescribeLoggingConfiguration",
+ "aps:DescribeWorkspace",
+ "aps:ListRuleGroupsNamespaces",
+ "aps:DescribeRuleGroupsNamespace",
+ "aps:ListTagsForResource",
+ ]
+ resources = ["*"]
+ }
+
+ statement {
+ sid = "APPSTREAM"
+ actions = ["appstream:Describe*",
+ "appstream:List*",
+ ]
+ resources = ["*"]
+ }
+
+ statement {
+ sid = "PERSONALIZE"
+ actions = ["personalize:Describe*",
+ "personalize:List*",
+ "personalize:GetSolutionMetrics",
+ ]
+ resources = ["*"]
+ }
+
 statement {
 sid = "CODEARTIFACT"
 actions = ["codeartifact:ListDomains",
@@ -286,42 +327,147 @@ data "aws_iam_policy_document" "lacework_audit_policy_2025_1" {
 }
 
 statement {
- sid = "KINESISVIDEO"
- actions = ["kinesisvideo:GetSignalingChannelEndpoint",
- "kinesisvideo:GetDataEndpoint",
- "kinesisvideo:DescribeImageGenerationConfiguration",
+ sid = "MEMORYDB"
+ actions = ["memorydb:DescribeMultiRegionClusters",
+ "memorydb:DescribeSnapshots",
+ "memorydb:DescribeSubnetGroups",
+ "memorydb:DescribeParameterGroups",
+ "memorydb:DescribeParameters",
+ "memorydb:DescribeUsers",
+ "memorydb:DescribeACLs",
+ "memorydb:DescribeServiceUpdates",
+ "memorydb:DescribeEngineVersions",
+ "memorydb:DescribeReservedNodes",
+ "memorydb:DescribeReservedNodesOfferings",
+ "memorydb:ListTags",
+ "memorydb:ListAllowedNodeTypeUpdates",
+ "memorydb:ListAllowedMultiRegionClusterUpdates",
 ]
 resources = ["*"]
 }
 
 statement {
- sid = "AMP"
- actions = ["aps:ListScrapers",
- "aps:DescribeScraper",
- "aps:ListWorkspaces",
- "aps:DescribeAlertManagerDefinition",
- "aps:DescribeLoggingConfiguration",
- "aps:DescribeWorkspace",
- "aps:ListRuleGroupsNamespaces",
- "aps:DescribeRuleGroupsNamespace",
- "aps:ListTagsForResource",
+ sid = "QBUSINESS"
+ actions = ["qbusiness:GetApplication",
+ "qbusiness:GetChatControlsConfiguration",
+ "qbusiness:GetPolicy",
+ "qbusiness:ListAttachments",
+ "qbusiness:ListConversations",
+ "qbusiness:ListMessages",
+ "qbusiness:ListDataAccessors",
+ "qbusiness:GetDataAccessor",
+ "qbusiness:GetIndex",
+ "qbusiness:GetDataSource",
+ "qbusiness:GetPlugin",
+ "qbusiness:ListPluginActions",
+ "qbusiness:GetRetriever",
+ "qbusiness:GetWebExperience",
+ "qbusiness:ListPluginTypeMetadata",
+ "qbusiness:ListPluginTypeActions",
 ]
 resources = ["*"]
 }
 
 statement {
- sid = "APPSTREAM"
- actions = ["appstream:Describe*",
- "appstream:List*",
+ sid = "RESOURCEGROUPS"
+ actions = ["resource-groups:ListGroups",
+ "resource-groups:GetGroupQuery",
+ "resource-groups:GetGroupConfiguration",
 ]
 resources = ["*"]
 }
 
 statement {
- sid = "PERSONALIZE"
- actions = ["personalize:Describe*",
- "personalize:List*",
- "personalize:GetSolutionMetrics",
+ sid = "SERVICECATALOGAPPREGISTRY"
+ actions = ["servicecatalog:GetApplication",
+ "servicecatalog:ListApplications",
+ "servicecatalog:GetAssociatedResource",
+ "servicecatalog:ListAssociatedResources",
+ "servicecatalog:ListAssociatedAttributeGroups",
+ "servicecatalog:GetAttributeGroup",
+ "servicecatalog:ListAttributeGroups",
+ "servicecatalog:ListTagsForResource",
+ "servicecatalog:ListAttributeGroupsForApplication",
+ "servicecatalog:GetConfiguration"
+ ]
+ resources = ["*"]
+ }
+
+ statement {
+ sid = "OAM"
+ actions = ["oam:GetLink",
+ "oam:GetSink",
+ "oam:GetSinkPolicy",
+ "oam:ListAttachedLinks",
+ "oam:ListLinks",
+ "oam:ListSinks",
+ ]
+ resources = ["*"]
+ }
+
+ statement {
+ sid = "CLOUDDIRECTORY"
+ actions = ["clouddirectory:GetAppliedSchemaVersion",
+ "clouddirectory:GetDirectory",
+ "clouddirectory:GetFacet",
+ "clouddirectory:GetLinkAttributes",
+ "clouddirectory:GetObjectAttributes",
+ "clouddirectory:GetObjectInformation",
+ "clouddirectory:GetSchemaAsJson",
+ "clouddirectory:GetTypedLinkFacetInformation",
+ "clouddirectory:ListAppliedSchemaArns",
+ "clouddirectory:ListAttachedIndices",
+ "clouddirectory:ListDevelopmentSchemaArns",
+ "clouddirectory:ListFacetAttributes",
+ "clouddirectory:ListFacetNames",
+ "clouddirectory:ListIncomingTypedLinks",
+ "clouddirectory:ListIndex",
+ "clouddirectory:ListManagedSchemaArns",
+ "clouddirectory:ListObjectAttributes",
+ "clouddirectory:ListObjectChildren",
+ "clouddirectory:ListObjectParentPaths",
+ "clouddirectory:ListObjectParents",
+ "clouddirectory:ListObjectPolicies",
+ "clouddirectory:ListOutgoingTypedLinks",
+ "clouddirectory:ListPolicyAttachments",
+ "clouddirectory:ListPublishedSchemaArns",
+ "clouddirectory:ListTagsForResource",
+ "clouddirectory:ListTypedLinkFacetAttributes",
+ "clouddirectory:ListTypedLinkFacetNames",
+ ]
+ resources = ["*"]
+ }
+
+ statement {
+ sid = "COSTOPTIMIZATIONHUB"
+ actions = ["cost-optimization-hub:GetPreferences",
+ "cost-optimization-hub:GetRecommendation",
+ "cost-optimization-hub:ListEnrollmentStatuses",
+ "cost-optimization-hub:ListRecommendationSummaries",
+ "cost-optimization-hub:ListRecommendations",
+ ]
+ resources = ["*"]
+ }
+
+ statement {
+ sid = "BUDGETS"
+ actions = ["budgets:DescribeBudgetAction",
+ "budgets:DescribeBudgetActionHistories",
+ "budgets:DescribeBudgetActionsForAccount",
+ "budgets:DescribeBudgetActionsForBudget",
+ "budgets:ListTagsForResource",
+ "budgets:ViewBudget",
+ ]
+ resources = ["*"]
+ }
+
+ statement {
+ sid = "BILLINGCONSOLE"
+ actions = ["aws-portal:GetConsoleActionSetEnforced",
+ "aws-portal:ViewAccount",
+ "aws-portal:ViewBilling",
+ "aws-portal:ViewPaymentMethods",
+ "aws-portal:ViewUsage",
 ]
 resources = ["*"]
 }
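Review bot: The QBUSINESS statement grants `qbusiness:ListConversations`, `qbusiness:ListMessages` and `qbusiness:ListAttachments`, which return end-user chat content rather than application configuration, so an audit role that only needs to inventory Q Business resources is over-scoped by those three actions; consider dropping them or recording why conversation data is required, and note that `clouddirectory:ListObjectAttributes` / `clouddirectory:GetObjectAttributes` in the CLOUDDIRECTORY statement likewise read directory object data rather than schema. The BILLINGCONSOLE statement relies solely on legacy `aws-portal:*` actions; AWS has replaced these with fine-grained actions (for example `billing:ViewBilling` and `account:GetAccountInformation`) and accounts created after the migration cutoff do not honor the legacy names, so this statement may grant nothing in newer accounts — verify against the current billing-permissions migration guidance and add the fine-grained equivalents alongside, or comment that `aws-portal:GetConsoleActionSetEnforced` is the intended probe. The README rows added for the same sid write the prefix as `aws-portal :ViewAccount` with a stray space before the colon, which does not match the action names in this hunk.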