Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(RAIN-91433): Add permission for get-api-keys in apigateway and apigatewayv2 #87

Merged
merged 7 commits into from
Dec 20, 2023
Merged

feat(RAIN-91433): Add permission for get-api-keys in apigateway and apigatewayv2 #87

merged 7 commits into from
Dec 20, 2023

Conversation

jjzhangjjzhang
Copy link
Contributor

@jjzhangjjzhang jjzhangjjzhang commented Dec 13, 2023
edited
Loading

Summary

We do not have permission for get-api-keys in apigateway and apigatewayv2.
In this PR, we are adding permissions for this API.
First of all, apigateway and apigatewayv2 are controlled by the same iam actions.
In securityAudit, it actually has permissions for get APi for apigateway and apigatewayv2, but not for resource get-api-keys

How did you test this change?

Verified that the error is access denied without the change.
With this PR on the terraform change, access denied is gone.
Detail test is here https://docs.google.com/document/d/1eQowgxHJ6JXQdMx3oMI5usrI-TvqXq6iw3sm9AqsJp0/edit

Issue

https://lacework.atlassian.net/browse/RAIN-91433

@jjzhangjjzhang jjzhangjjzhang changed the title apigateway permission feat(RAIN-91433): Add permission for get-api-keys in apigateway and apigatewayv2 Dec 13, 2023
@jjzhangjjzhang jjzhangjjzhang marked this pull request as ready for review December 13, 2023 19:40
jjzhangjjzhang
jjzhangjjzhang commented Dec 14, 2023
View reviewed changes
main.tf
"apigateway:GetVpcLinks"]
resources = ["*"]
actions = ["apigateway:GET"]
resources = ["arn:aws:apigateway:*::/apikeys", "arn:aws:apigateway:*::/apikeys/*"]
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

tested it with the change. both "::/apikeys" and ":::/apikeys/*" are needed

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

resources = ["*"]

Why not keep it consistent?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here is the conversation. Tasos mentioned about least priviledge rule. https://lacework.slack.com/archives/C01SW6S3NQY/p1702501578650959

@jjzhangjjzhang jjzhangjjzhang merged commit 6e4c28f into main Dec 20, 2023
1 check passed
@jjzhangjjzhang jjzhangjjzhang deleted the apigateway branch December 20, 2023 06:16
@lacework-releng lacework-releng mentioned this pull request Jan 22, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ramgudivada-lacework ramgudivada-lacework ramgudivada-lacework approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jjzhangjjzhang @ramgudivada-lacework