feat: Add ReadOnly access to SSO APIs (#69)
theopolis authored Jun 29, 2023
1 parent ae70a06 commit fc891e2
Showing 2 changed files with 33 additions and 22 deletions.
47 changes: 25 additions & 22 deletions README.md
Expand Up @@ -55,25 +55,28 @@ Terraform module for configuring an integration with Lacework and AWS for cloud
The Lacework audit policy extends the SecurityAudit policy to facilitate the reading of additional configuration resources.
The audit policy is comprised of the following permissions:

| sid | actions | resources |
| -------------------------- | --------------------------------------------------- | --------- |
| GetEbsEncryptionByDefault | ec2:GetEbsEncryptionByDefault | * |
| GetBucketPublicAccessBlock | s3:GetBucketPublicAccessBlock | * |
| EFS | elasticfilesystem:DescribeFileSystemPolicy | * |
| | elasticfilesystem:DescribeLifecycleConfiguration | |
| | elasticfilesystem:DescribeAccessPoints | |
| | elasticfilesystem:DescribeAccountPreferences | |
| | elasticfilesystem:DescribeBackupPolicy | |
| | elasticfilesystem:DescribeReplicationConfigurations | |
| EMR | elasticmapreduce:ListBootstrapActions | * |
| | elasticmapreduce:ListInstanceFleets | |
| | elasticmapreduce:ListInstanceGroups | |
| SAGEMAKER | sagemaker:GetModelPackageGroupPolicy | * |
| | sagemaker:GetLineageGroupPolicy | |
| IDENTITYSTORE | identitystore:DescribeGroup | * |
| | identitystore:DescribeGroupMembership | |
| | identitystore:DescribeUser | |
| | identitystore:ListGroupMemberships | |
| | identitystore:ListGroupMembershipsForMember | |
| | identitystore:ListGroups | |
| | identitystore:ListUsers | |
| sid | actions | resources |
| -------------------------- | ------------------------------------------------------- | --------- |
| GetEbsEncryptionByDefault | ec2:GetEbsEncryptionByDefault | * |
| GetBucketPublicAccessBlock | s3:GetBucketPublicAccessBlock | * |
| EFS | elasticfilesystem:DescribeFileSystemPolicy | * |
| | elasticfilesystem:DescribeLifecycleConfiguration | |
| | elasticfilesystem:DescribeAccessPoints | |
| | elasticfilesystem:DescribeAccountPreferences | |
| | elasticfilesystem:DescribeBackupPolicy | |
| | elasticfilesystem:DescribeReplicationConfigurations | |
| EMR | elasticmapreduce:ListBootstrapActions | * |
| | elasticmapreduce:ListInstanceFleets | |
| | elasticmapreduce:ListInstanceGroups | |
| SAGEMAKER | sagemaker:GetModelPackageGroupPolicy | * |
| | sagemaker:GetLineageGroupPolicy | |
| IDENTITYSTORE | identitystore:DescribeGroup | * |
| | identitystore:DescribeGroupMembership | |
| | identitystore:DescribeUser | |
| | identitystore:ListGroupMemberships | |
| | identitystore:ListGroupMembershipsForMember | |
| | identitystore:ListGroups | |
| | identitystore:ListUsers | |
| SSO | sso:DescribeAccountAssignmentDeletionStatus | * |
| | sso:DescribeInstanceAccessControlAttributeConfiguration | |
| | sso:GetInlinePolicyForPermissionSet | |
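Review bot: widening the actions column to fit `sso:DescribeInstanceAccessControlAttributeConfiguration` reflows the header and every existing row, so a three-row addition shows up as 25 added and 22 deleted lines; the content of the earlier rows is unchanged, but a future reviewer has to diff them by eye to confirm that. The three `sso:` rows themselves match the actions in the new `SSO` statement in main.tf and follow the `IDENTITYSTORE` block in the same order as the policy document. Since both the `IDENTITYSTORE` and `SSO` rows read IAM Identity Center state, a one-line note under the table saying that these two blocks cover read access to identity store users and groups and to permission set configuration would tell operators why the audit role carries both.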
8 changes: 8 additions & 0 deletions main.tf
Expand Up @@ -83,6 +83,14 @@ data "aws_iam_policy_document" "lacework_audit_policy" {
"identitystore:ListUsers"]
resources = ["*"]
}

statement {
sid = "SSO"
actions = ["sso:DescribeAccountAssignmentDeletionStatus",
"sso:DescribeInstanceAccessControlAttributeConfiguration",
"sso:GetInlinePolicyForPermissionSet"]
resources = ["*"]
}
}

resource "aws_iam_policy" "lacework_audit_policy" {
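Review bot: the new `SSO` statement is limited to Describe and Get actions with `resources = ["*"]`, which keeps the read-only intent of the commit and mirrors the shape of the `IDENTITYSTORE` statement directly above it; the `sid` alone does not say what the audit role is expected to inspect, so a short comment above `sid = "SSO"` naming what these three actions read (account assignment deletion status, the instance access control attribute configuration, and permission set inline policies) would help the next reader of `lacework_audit_policy`. Also confirm the three action strings here are the same three added to the README table in this commit, since the two are maintained by hand and will drift otherwise.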

0 comments on commit fc891e2
