From 2e4822fcd510703cd2f93e2925d27d994d9c3991 Mon Sep 17 00:00:00 2001
From: Jingjing Zhang
Date: Wed, 8 Nov 2023 22:50:50 -0800
Subject: [PATCH 1/5] Add permission for 5 waf-regional APIs

---
 README.md | 7 ++++++-
 main.tf | 10 ++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 66fde2f..dd49856 100644
--- a/README.md
+++ b/README.md
@@ -134,4 +134,9 @@ The audit policy is comprised of the following permissions:
 | | apigatewayv2:GetRoute | |
 | | apigatewayv2:GetRouteResponses | |
 | | apigatewayv2:GetStages | |
-| | apigatewayv2:GetVpcLinks | |
\ No newline at end of file
+| | apigatewayv2:GetVpcLinks | |
+| WAF-REGIONAL | waf-regional:ListRules | * |
+| | waf-regional:GetRule | |
+| | waf-regional:ListRuleGroups | |
+| | waf-regional:GetRuleGroup | |
+| | waf-regional:ListActivatedRuleInRuleGroup | |
\ No newline at end of file
diff --git a/main.tf b/main.tf
index d0951a7..f17e332 100644
--- a/main.tf
+++ b/main.tf
@@ -134,6 +134,16 @@ data "aws_iam_policy_document" "lacework_audit_policy" {
 "apigatewayv2:GetVpcLinks"]
 resources = ["*"]
 }
+ statement {
+ sid = "WAF-REGIONAL"
+ actions = ["waf-regional:ListRules", "waf-regional:GetRule", "waf-regional:ListRuleGroups", "waf-regional:GetRuleGroup", "waf-regional:ListActivatedRuleInRuleGroup" ]
+ resources = ["*"]
+ }
 }

 resource "aws_iam_policy" "lacework_audit_policy" {
From e863c4a05c46cce6e929c5ebd8a820a7914a98ac Mon Sep 17 00:00:00 2001
From: Jingjing Zhang
Date: Thu, 9 Nov 2023 12:42:40 -0800
Subject: [PATCH 2/5] change one typo

---
 README.md | 2 +-
 main.tf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index dd49856..ac9cd73 100644
--- a/README.md
+++ b/README.md
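Review bot: `sid = "WAF-REGIONAL"` in the new statement will most likely be rejected by IAM when the policy is created, since identity-based policy Sids accept only alphanumeric characters, and the action name `waf-regional:ListActivatedRuleInRuleGroup` does not match the service's `ListActivatedRulesInRuleGroup`; PATCH 2/5 and PATCH 4/5 correct both, so the series as split leaves intermediate commits in which the module cannot be applied and would be better squashed. The `resources = ["*"]` matches the neighbouring statements and is, as far as I know, the only option for `ListRules` and `ListRuleGroups`, which carry no resource-level permissions; a short comment such as `# waf-regional List* actions have no resource-level permissions, so "*" is required` would save a later reader from trying to narrow it. These actions cover WAF Classic regional only; WAFv2 web ACLs and rule groups are authorised under the `wafv2:` prefix, which this statement does not grant, and I cannot tell from the hunk whether another statement in the document covers them.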
@@ -139,4 +139,4 @@ The audit policy is comprised of the following permissions:
 | | waf-regional:GetRule | |
 | | waf-regional:ListRuleGroups | |
 | | waf-regional:GetRuleGroup | |
-| | waf-regional:ListActivatedRuleInRuleGroup | |
\ No newline at end of file
+| | waf-regional:ListActivatedRulesInRuleGroup | |
\ No newline at end of file
diff --git a/main.tf b/main.tf
index f17e332..6fda53c 100644
--- a/main.tf
+++ b/main.tf
@@ -140,7 +140,7 @@ data "aws_iam_policy_document" "lacework_audit_policy" {
 "waf-regional:GetRule",
 "waf-regional:ListRuleGroups",
 "waf-regional:GetRuleGroup",
- "waf-regional:ListActivatedRuleInRuleGroup"
+ "waf-regional:ListActivatedRulesInRuleGroup"
 ]
 resources = ["*"]
 }
From fc7ce9a38b620649a0df887d8dc9fb534459b37b Mon Sep 17 00:00:00 2001
From: Jingjing Zhang
Date: Thu, 9 Nov 2023 14:39:04 -0800
Subject: [PATCH 3/5] fixformat

---
 main.tf | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/main.tf b/main.tf
index 6fda53c..cdb6b33 100644
--- a/main.tf
+++ b/main.tf
@@ -140,8 +140,7 @@ data "aws_iam_policy_document" "lacework_audit_policy" {
 "waf-regional:GetRule",
 "waf-regional:ListRuleGroups",
 "waf-regional:GetRuleGroup",
- "waf-regional:ListActivatedRulesInRuleGroup"
- ]
+ "waf-regional:ListActivatedRulesInRuleGroup"]
 resources = ["*"]
 }
 }
From aa92f961f3b607fb5e466d2a198e616d7303d7f2 Mon Sep 17 00:00:00 2001
From: Jingjing Zhang
Date: Thu, 9 Nov 2023 16:38:29 -0800
Subject: [PATCH 4/5] remove -

---
 main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/main.tf b/main.tf
index cdb6b33..a8af898 100644
--- a/main.tf
+++ b/main.tf
@@ -135,7 +135,7 @@ data "aws_iam_policy_document" "lacework_audit_policy" {
 resources = ["*"]
 }
 statement {
- sid = "WAF-REGIONAL"
+ sid = "WAFREGIONAL"
 actions = ["waf-regional:ListRules",
 "waf-regional:GetRule",
 "waf-regional:ListRuleGroups",
From 9d11199d3d45313047da1c6607602f3bc6b486c9 Mon Sep 17 00:00:00 2001
From: Jingjing Zhang
Date: Thu, 9 Nov 2023 16:44:08 -0800
Subject: [PATCH 5/5] updateReadme

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index ac9cd73..4eb7dca 100644
--- a/README.md
+++ b/README.md
@@ -135,7 +135,7 @@ The audit policy is comprised of the following permissions:
 | | apigatewayv2:GetRouteResponses | |
 | | apigatewayv2:GetStages | |
 | | apigatewayv2:GetVpcLinks | |
-| WAF-REGIONAL | waf-regional:ListRules | * |
+| WAFREGIONAL | waf-regional:ListRules | * |
 | | waf-regional:GetRule | |
 | | waf-regional:ListRuleGroups | |
 | | waf-regional:GetRuleGroup | |