From 2e01c62c67502c28ada5330f75517cfb031bcaff Mon Sep 17 00:00:00 2001
From: Jingjing Zhang
Date: Wed, 13 Dec 2023 10:52:52 -0800
Subject: [PATCH 1/7] apigatewayPermission
---
 README.md | 36 +-----------------------------------
 main.tf | 46 ++--------------------------------------------
 2 files changed, 3 insertions(+), 79 deletions(-)
diff --git a/README.md b/README.md
index bc7e4c5..ae761f8 100644
--- a/README.md
+++ b/README.md
@@ -101,41 +101,7 @@ The audit policy is comprised of the following permissions:
 | SSO | sso:DescribeAccountAssignmentDeletionStatus | * |
 | | sso:DescribeInstanceAccessControlAttributeConfiguration | |
 | | sso:GetInlinePolicyForPermissionSet | |
-| APIGATEWAY | apigateway:GetApiKeys | * |
-| | apigateway:GetAuthorizers | |
-| | apigateway:GetBasePathMappings | |
-| | apigateway:GetClientCertificates | |
-| | apigateway:GetDeployments | |
-| | apigateway:GetDocumentationParts | |
-| | apigateway:GetDocumentationVersions | |
-| | apigateway:GetDomainNames | |
-| | apigateway:GetGatewayResponses | |
-| | apigateway:GetModels | |
-| | apigateway:GetModelTemplate | |
-| | apigateway:GetRequestValidators | |
-| | apigateway:GetResources | |
-| | apigateway:GetRestApis | |
-| | apigateway:GetSdk | |
-| | apigateway:GetSdkTypes | |
-| | apigateway:GetStages | |
-| | apigateway:GetTags | |
-| | apigateway:GetUsagePlanKeys | |
-| | apigateway:GetUsagePlans | |
-| | apigateway:GetVpcLinks | |
-| APIGATEWAYV2 | apigatewayv2:GetApis | * |
-| | apigatewayv2:GetApiMappings | |
-| | apigatewayv2:GetAuthorizers | |
-| | apigatewayv2:GetDeployments | |
-| | apigatewayv2:GetDomainNames | |
-| | apigatewayv2:GetIntegrations | |
-| | apigatewayv2:GetIntegrationResponses | |
-| | apigatewayv2:GetModelTemplate | |
-| | apigatewayv2:GetModels | |
-| | apigatewayv2:GetRoute | |
-| | apigatewayv2:GetRouteResponses | |
-| | apigatewayv2:GetStages | |
-| | apigatewayv2:GetVpcLinks | |
-| GLACIER | glacier:ListTagsForVault | * |
+| APIGATEWAY | apigateway:GET | arn:aws:apigateway:*::/apikeys/* | |
 | WAFREGIONAL | waf-regional:ListRules | * |
 | | waf-regional:GetRule | |
 | | waf-regional:ListRuleGroups | |
diff --git a/main.tf b/main.tf
index 0e8f6db..0ff9a94 100644
--- a/main.tf
+++ b/main.tf
@@ -93,52 +93,10 @@ data "aws_iam_policy_document" "lacework_audit_policy" {
 statement {
 sid = "APIGATEWAY"
- actions = ["apigateway:GetApiKeys",
- "apigateway:GetAuthorizers",
- "apigateway:GetBasePathMappings",
- "apigateway:GetClientCertificates",
- "apigateway:GetDeployments",
- "apigateway:GetDocumentationParts",
- "apigateway:GetDocumentationVersions",
- "apigateway:GetDomainNames",
- "apigateway:GetGatewayResponses",
- "apigateway:GetModels",
- "apigateway:GetModelTemplate",
- "apigateway:GetRequestValidators",
- "apigateway:GetResources",
- "apigateway:GetRestApis",
- "apigateway:GetSdk",
- "apigateway:GetSdkTypes",
- "apigateway:GetStages",
- "apigateway:GetTags",
- "apigateway:GetUsagePlanKeys",
- "apigateway:GetUsagePlans",
- "apigateway:GetVpcLinks"]
- resources = ["*"]
+ actions = ["apigateway:GET"]
+ resources = ["arn:aws:apigateway:*::/apikeys/*"]
 }
- statement {
- sid = "APIGATEWAYV2"
- actions = ["apigatewayv2:GetApis",
- "apigatewayv2:GetApiMappings",
- "apigatewayv2:GetAuthorizers",
- "apigatewayv2:GetDeployments",
- "apigatewayv2:GetDomainNames",
- "apigatewayv2:GetIntegrations",
- "apigatewayv2:GetIntegrationResponses",
- "apigatewayv2:GetModelTemplate",
- "apigatewayv2:GetModels",
- "apigatewayv2:GetRoute",
- "apigatewayv2:GetRouteResponses",
- "apigatewayv2:GetStages",
- "apigatewayv2:GetVpcLinks"]
- resources = ["*"]
- }
- statement {
- sid = "GLACIER"
- actions = ["glacier:ListTagsForVault"]
- resources = ["*"]
- }
 statement {
 sid = "WAFREGIONAL"
 actions = ["waf-regional:ListRules",
From 0853e77b52d4caac3572c14c9da78bb929ced8b6 Mon Sep 17 00:00:00 2001
From: Jingjing Zhang
Date: Wed, 13 Dec 2023 11:44:25 -0800
Subject: [PATCH 2/7] revert glacier
---
 README.md | 1 +
 main.tf | 6 ++++++
 2 files changed, 7 insertions(+)
diff --git a/README.md b/README.md
index ae761f8..67ffe5b 100644
--- a/README.md
+++ b/README.md
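Review bot: The new APIGATEWAY statement limits `apigateway:GET` to `arn:aws:apigateway:*::/apikeys/*`, so the read coverage the removed list described (REST APIs, stages, domain names, VPC links, and the whole APIGATEWAYV2 statement) is gone, and neither the hunk nor the commit message says whether that narrowing is intended. Dropping the `apigateway:Get*` and `apigatewayv2:Get*` names is right as far as I can tell, because API Gateway's IAM actions are the HTTP verbs scoped by resource ARN, so those names would not have matched any request; if the wider inventory is still needed, the same verb on the corresponding resource ARNs (for example `arn:aws:apigateway:*::/restapis/*` and `arn:aws:apigateway:*::/apis/*`) would restore it. It is also worth recording in the file that GET on an individual key resource can return the key's value itself when the caller asks for it, so a role holding this statement reads secret material rather than only metadata; I would add `# apigateway actions are HTTP verbs scoped by resource ARN; GET on /apikeys/* can also return key values` above `actions`. The enclosing `data "aws_iam_policy_document"` block starts before this hunk and continues after it.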
@@ -101,6 +101,7 @@ The audit policy is comprised of the following permissions:
 | SSO | sso:DescribeAccountAssignmentDeletionStatus | * |
 | | sso:DescribeInstanceAccessControlAttributeConfiguration | |
 | | sso:GetInlinePolicyForPermissionSet | |
+| GLACIER | glacier:ListTagsForVault | * |
 | APIGATEWAY | apigateway:GET | arn:aws:apigateway:*::/apikeys/* | |
 | WAFREGIONAL | waf-regional:ListRules | * |
 | | waf-regional:GetRule | |
diff --git a/main.tf b/main.tf
index 0ff9a94..5fe1b35 100644
--- a/main.tf
+++ b/main.tf
@@ -97,6 +97,12 @@ data "aws_iam_policy_document" "lacework_audit_policy" {
 resources = ["arn:aws:apigateway:*::/apikeys/*"]
 }
+ statement {
+ sid = "GLACIER"
+ actions = ["glacier:ListTagsForVault"]
+ resources = ["*"]
+ }
+
 statement {
 sid = "WAFREGIONAL"
 actions = ["waf-regional:ListRules",
From ae0ef88f67a1a4d104056e63d91237c6fddd6e27 Mon Sep 17 00:00:00 2001
From: Jingjing Zhang
Date: Wed, 13 Dec 2023 12:04:44 -0800
Subject: [PATCH 3/7] changetoStarMatch
---
 README.md | 2 +-
 main.tf | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 67ffe5b..8dd9fe1 100644
--- a/README.md
+++ b/README.md
@@ -102,7 +102,7 @@ The audit policy is comprised of the following permissions:
 | | sso:DescribeInstanceAccessControlAttributeConfiguration | |
 | | sso:GetInlinePolicyForPermissionSet | |
 | GLACIER | glacier:ListTagsForVault | * |
-| APIGATEWAY | apigateway:GET | arn:aws:apigateway:*::/apikeys/* | |
+| APIGATEWAY | apigateway:GET |* | |
 | WAFREGIONAL | waf-regional:ListRules | * |
 | | waf-regional:GetRule | |
 | | waf-regional:ListRuleGroups | |
diff --git a/main.tf b/main.tf
index 5fe1b35..823d9fb 100644
--- a/main.tf
+++ b/main.tf
@@ -94,7 +94,7 @@ data "aws_iam_policy_document" "lacework_audit_policy" {
 statement {
 sid = "APIGATEWAY"
 actions = ["apigateway:GET"]
- resources = ["arn:aws:apigateway:*::/apikeys/*"]
+ resources = ["*"]
 }
 statement {
@@ -102,7 +102,7 @@ data "aws_iam_policy_document" "lacework_audit_policy" {
 actions = ["glacier:ListTagsForVault"]
 resources = ["*"]
 }
-
+
 statement {
 sid = "WAFREGIONAL"
 actions = ["waf-regional:ListRules",
From 6ea021d7dc0589039a18d11d1756645fb08b5f17 Mon Sep 17 00:00:00 2001
From: Jingjing Zhang
Date: Wed, 13 Dec 2023 12:07:45 -0800
Subject: [PATCH 4/7] formatChange
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 8dd9fe1..827c62c 100644
--- a/README.md
+++ b/README.md
@@ -102,7 +102,7 @@ The audit policy is comprised of the following permissions:
 | | sso:DescribeInstanceAccessControlAttributeConfiguration | |
 | | sso:GetInlinePolicyForPermissionSet | |
 | GLACIER | glacier:ListTagsForVault | * |
-| APIGATEWAY | apigateway:GET |* | |
+| APIGATEWAY | apigateway:GET | * |
 | WAFREGIONAL | waf-regional:ListRules | * |
 | | waf-regional:GetRule | |
 | | waf-regional:ListRuleGroups | |
From a4f583bd88b67dcbbcd37d41df4ab09bccbdbce1 Mon Sep 17 00:00:00 2001
From: Jingjing Zhang
Date: Wed, 13 Dec 2023 13:19:20 -0800
Subject: [PATCH 5/7] one resource in apigateway
---
 README.md | 2 +-
 main.tf | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 827c62c..9c0fe97 100644
--- a/README.md
+++ b/README.md
@@ -102,7 +102,7 @@ The audit policy is comprised of the following permissions:
 | | sso:DescribeInstanceAccessControlAttributeConfiguration | |
 | | sso:GetInlinePolicyForPermissionSet | |
 | GLACIER | glacier:ListTagsForVault | * |
-| APIGATEWAY | apigateway:GET | * |
+| APIGATEWAY | apigateway:GET | arn:aws:apigateway:*::/apikeys/* |
 | WAFREGIONAL | waf-regional:ListRules | * |
 | | waf-regional:GetRule | |
 | | waf-regional:ListRuleGroups | |
diff --git a/main.tf b/main.tf
index 823d9fb..5fe1b35 100644
--- a/main.tf
+++ b/main.tf
@@ -94,7 +94,7 @@ data "aws_iam_policy_document" "lacework_audit_policy" {
 statement {
 sid = "APIGATEWAY"
 actions = ["apigateway:GET"]
- resources = ["*"]
+ resources = ["arn:aws:apigateway:*::/apikeys/*"]
 }
 statement {
@@ -102,7 +102,7 @@ data "aws_iam_policy_document" "lacework_audit_policy" {
 actions = ["glacier:ListTagsForVault"]
 resources = ["*"]
 }
-
+
 statement {
 sid = "WAFREGIONAL"
 actions = ["waf-regional:ListRules",
From bcdb9a2208cf27b97dfacdb8f22075a7f6fb6f29 Mon Sep 17 00:00:00 2001
From: Jingjing Zhang
Date: Wed, 13 Dec 2023 15:31:40 -0800
Subject: [PATCH 6/7] addApiKeys
---
 main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/main.tf b/main.tf
index 5fe1b35..c32fac8 100644
--- a/main.tf
+++ b/main.tf
@@ -94,7 +94,7 @@ data "aws_iam_policy_document" "lacework_audit_policy" {
 statement {
 sid = "APIGATEWAY"
 actions = ["apigateway:GET"]
- resources = ["arn:aws:apigateway:*::/apikeys/*"]
+ resources = ["arn:aws:apigateway:*::/apikeys", "arn:aws:apigateway:*::/apikeys/*"]
 }
 statement {
From 4247bdc4ce48d756c50ee92e7554bb8bf97983b6 Mon Sep 17 00:00:00 2001
From: Jingjing Zhang
Date: Tue, 19 Dec 2023 18:57:49 -0800
Subject: [PATCH 7/7] update readme
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 9c0fe97..f36fae6 100644
--- a/README.md
+++ b/README.md
@@ -102,7 +102,7 @@ The audit policy is comprised of the following permissions:
 | | sso:DescribeInstanceAccessControlAttributeConfiguration | |
 | | sso:GetInlinePolicyForPermissionSet | |
 | GLACIER | glacier:ListTagsForVault | * |
-| APIGATEWAY | apigateway:GET | arn:aws:apigateway:*::/apikeys/* |
+| APIGATEWAY | apigateway:GET | arn:aws:apigateway:*::/apikeys, arn:aws:apigateway:*::/apikeys/* |
 | WAFREGIONAL | waf-regional:ListRules | * |
 | | waf-regional:GetRule | |
 | | waf-regional:ListRuleGroups | |