From 797b8762f40dfffd860166f197b33f8e0cd75b13 Mon Sep 17 00:00:00 2001 From: David Sibley Date: Mon, 18 Dec 2023 12:06:37 +0000 Subject: [PATCH 1/3] created first pass at a policy document for AWS Managed Microsoft AD administration --- .../bootstrap/delegate-access/policies.tf | 34 +++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/terraform/environments/bootstrap/delegate-access/policies.tf b/terraform/environments/bootstrap/delegate-access/policies.tf index 9c2e8ff42..2254d57f1 100644 --- a/terraform/environments/bootstrap/delegate-access/policies.tf +++ b/terraform/environments/bootstrap/delegate-access/policies.tf @@ -799,3 +799,37 @@ data "aws_iam_policy_document" "reporting-operations" { resources = ["*"] #tfsec:ignore:AWS099 tfsec:ignore:AWS097 } } + +resource "aws_iam_policy" "directory-management-policy" { + provider = aws.workspace + name = "directory_management_policy" + path = "/" + policy = data.aws_iam_policy_document.directory-management-document.json +} + +data "aws_iam_policy_document" "directory-management-document" { + statement { + sid = "DirectoryManagementAllow" + effect = "Allow" + actions = [ + "ds:*", + "ec2:DescribeSubnets", + "ec2:DescribeVpcs", + "ec2:CreateSecurityGroup", + "ec2:CreateNetworkInterface", + "ec2:DescribeNetworkInterfaces", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:AuthorizeSecurityGroupEgress", + "ec2:CreateTags", + ] + } + statement { + sid = "DirectoryManagementDeny" + effect = "Deny" + actions = [ + "ds:CreateDirectory", + "ds:CreateMicrosoftAD", + "ds:DeleteDirectory" + ] + } +} \ No newline at end of file From 52a409e0b77d830cece592c3632a3589b595f0bd Mon Sep 17 00:00:00 2001 From: David Sibley Date: Mon, 18 Dec 2023 12:58:06 +0000 Subject: [PATCH 2/3] Added missing resources block to policy documents --- terraform/environments/bootstrap/delegate-access/policies.tf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/terraform/environments/bootstrap/delegate-access/policies.tf b/terraform/environments/bootstrap/delegate-access/policies.tf index 2254d57f1..e30f147e0 100644 --- a/terraform/environments/bootstrap/delegate-access/policies.tf +++ b/terraform/environments/bootstrap/delegate-access/policies.tf @@ -822,6 +822,7 @@ data "aws_iam_policy_document" "directory-management-document" { "ec2:AuthorizeSecurityGroupEgress", "ec2:CreateTags", ] + resources = ["*"] } statement { sid = "DirectoryManagementDeny" @@ -831,5 +832,6 @@ data "aws_iam_policy_document" "directory-management-document" { "ds:CreateMicrosoftAD", "ds:DeleteDirectory" ] + resources = ["*"] } } \ No newline at end of file From dbbe05b4a042ded311da94cb920f8c40cb8e1bfd Mon Sep 17 00:00:00 2001 From: David Sibley Date: Mon, 18 Dec 2023 13:00:38 +0000 Subject: [PATCH 3/3] added consistent SCA policy ignores in line with existing documents --- .../bootstrap/delegate-access/policies.tf | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/terraform/environments/bootstrap/delegate-access/policies.tf b/terraform/environments/bootstrap/delegate-access/policies.tf index e30f147e0..1203084fb 100644 --- a/terraform/environments/bootstrap/delegate-access/policies.tf +++ b/terraform/environments/bootstrap/delegate-access/policies.tf @@ -807,7 +807,14 @@ resource "aws_iam_policy" "directory-management-policy" { policy = data.aws_iam_policy_document.directory-management-document.json } +#tfsec:ignore:aws-iam-no-policy-wildcards data "aws_iam_policy_document" "directory-management-document" { + #checkov:skip=CKV_AWS_107 + #checkov:skip=CKV_AWS_108 + #checkov:skip=CKV_AWS_109 + #checkov:skip=CKV_AWS_110 + #checkov:skip=CKV_AWS_111 + #checkov:skip=CKV_AWS_356 statement { sid = "DirectoryManagementAllow" effect = "Allow" @@ -822,7 +829,7 @@ data "aws_iam_policy_document" "directory-management-document" { "ec2:AuthorizeSecurityGroupEgress", "ec2:CreateTags", ] - resources = ["*"] + resources = ["*"] #tfsec:ignore:AWS099 tfsec:ignore:AWS097 } statement { sid = "DirectoryManagementDeny" @@ -832,6 +839,6 @@ data "aws_iam_policy_document" "directory-management-document" { "ds:CreateMicrosoftAD", "ds:DeleteDirectory" ] - resources = ["*"] + resources = ["*"] #tfsec:ignore:AWS099 tfsec:ignore:AWS097 } } \ No newline at end of file