
add guardduty permissions and update trust policy for MemberInfrastructureAccess role #8567

Merged
merged 5 commits into main from add/permissions-for-s3-malware-protection
Nov 22, 2024

Conversation


@Khatraf Khatraf commented Nov 22, 2024

A reference to the issue / Description of it

#8050

How does this PR fix the problem?

This PR updates the MemberInfrastructureAccess IAM role to include:

  • A trust policy for `malware-protection-plan.guardduty.amazonaws.com`.
  • Permissions to create and manage GuardDuty Malware Protection plans for S3.

The role already has permissions for:

  • EventBridge management: managing rules and targets specific to GuardDuty operations.
  • S3 access: accessing objects, managing bucket notifications, and handling validation objects for scanning, plus object tagging so that after a scan it shows whether a threat was found or not.
  • KMS: for decryption.

More detailed information can be found here: https://docs.aws.amazon.com/guardduty/latest/ug/malware-protection-s3-iam-policy-prerequisite.html

How has this been tested?

Please describe the tests that you ran and provide instructions to reproduce.

{Please write here}

Deployment Plan / Instructions

Will this deployment impact the platform and / or services on it?

{Please write here}

Checklist (check x in [ ] of list items)

  • I have performed a self-review of my own code
  • All checks have passed
  • I have made corresponding changes to the documentation
  • Plan and discussed how it should be deployed to PROD (If needed)

Additional comments (if any)

{Please write here}
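The trust policy this PR adds is the part of the change that widens who can assume MemberInfrastructureAccess, so it is worth checking that the service principal is pinned to this account's own malware-protection plans with `aws:SourceAccount` and `aws:SourceArn` conditions, the standard confused-deputy guard for AWS service principals. The following is an added example, not code from this repository or from AWS: a small Python check that can be run over the rendered JSON of the trust policy (for instance the `json` attribute of an `aws_iam_policy_document` data source, or a policy document pulled with the AWS CLI). The two policy documents, the account id and the region are constructed placeholders.

```python
"""Flag a role trust policy that trusts the GuardDuty Malware Protection
service principal without scoping it to this account's plans.

Added example, not code from the repository this PR belongs to.
Policy documents, account id and region below are constructed placeholders.
"""
import json
from typing import Any, Dict, List, Optional

GUARDDUTY_MP_SERVICE = "malware-protection-plan.guardduty.amazonaws.com"

# Placeholders (assumption) used in the constructed sample policies.
ACCOUNT_ID = "123456789012"
REGION = "eu-west-2"

# Constructed sample: the service principal trusted with no Condition block.
# A Malware Protection plan in any AWS account could assume this role.
WEAK_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": GUARDDUTY_MP_SERVICE},
        "Action": "sts:AssumeRole",
    }],
})

# Constructed sample: the same trust, pinned to plans created in this account.
SCOPED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": GUARDDUTY_MP_SERVICE},
        "Action": "sts:AssumeRole",
        "Condition": {
            "StringEquals": {"aws:SourceAccount": ACCOUNT_ID},
            "ArnLike": {"aws:SourceArn":
                        f"arn:aws:guardduty:{REGION}:{ACCOUNT_ID}:malware-protection-plan/*"},
        },
    }],
})


def _as_list(value: Any) -> List[Any]:
    """IAM accepts a string or a list in most positions; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _condition_values(condition: Dict[str, Dict[str, Any]], key: str) -> List[str]:
    """Collect values for a condition key across all operators (keys are case-insensitive)."""
    found: List[str] = []
    for operator_values in condition.values():
        for cond_key, cond_val in operator_values.items():
            if cond_key.lower() == key.lower():
                found.extend(str(v) for v in _as_list(cond_val))
    return found


def _is_malware_plan_arn(arn: str) -> bool:
    """True for arn:<partition>:guardduty:<region>:<account>:malware-protection-plan/<id or *>."""
    parts = arn.split(":", 5)
    return (len(parts) == 6 and parts[0] == "arn" and parts[2] == "guardduty"
            and parts[5].startswith("malware-protection-plan/"))


def find_unscoped_service_trust(policy_json: str, service: str = GUARDDUTY_MP_SERVICE,
                                expected_account: Optional[str] = None) -> List[str]:
    """Return one finding per Allow/sts:AssumeRole statement that trusts `service`
    without both an aws:SourceAccount and a malware-protection-plan aws:SourceArn."""
    policy = json.loads(policy_json)
    findings: List[str] = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if service not in services:
            continue
        condition = stmt.get("Condition", {})
        accounts = _condition_values(condition, "aws:SourceAccount")
        arns = _condition_values(condition, "aws:SourceArn")
        if not accounts:
            findings.append(f"statement {idx}: {service} trusted without aws:SourceAccount")
        elif expected_account and expected_account not in accounts:
            findings.append(f"statement {idx}: aws:SourceAccount {accounts} is not {expected_account}")
        if not arns:
            findings.append(f"statement {idx}: {service} trusted without aws:SourceArn")
        elif not all(_is_malware_plan_arn(a) for a in arns):
            findings.append(f"statement {idx}: aws:SourceArn {arns} is not a malware-protection-plan ARN")
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_TRUST_POLICY), ("scoped", SCOPED_TRUST_POLICY)):
        print(name, find_unscoped_service_trust(doc, expected_account=ACCOUNT_ID) or "ok")
```

Because MemberInfrastructureAccess is shared with other principals, the check only looks at statements that name the GuardDuty service and ignores the rest of the trust policy; pass `expected_account` to also catch a statement that is scoped, but to the wrong account.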


@mikereiddigital mikereiddigital left a comment


lg2m

@@ -234,6 +245,25 @@ data "aws_iam_policy_document" "member-access" {
]
}
}
statement {
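Review bot: the `statement {` that opens the new block at the end of this hunk is not indented to match the sibling statements of the `member-access` policy document whose closing braces precede it (the suggested change in this thread is whitespace-only); run `terraform fmt` on the file before merging so the formatting stays consistent with the rest of the document.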
@ewastempel ewastempel Nov 22, 2024


Suggested change
statement {
statement {


@ewastempel ewastempel left a comment


Looks like what we agreed on, there is just some funny indentation I suggested to change.


@ewastempel ewastempel left a comment


LGTM

@Khatraf Khatraf added this pull request to the merge queue Nov 22, 2024
Merged via the queue into main with commit 6c791c7 Nov 22, 2024
12 checks passed
@Khatraf Khatraf deleted the add/permissions-for-s3-malware-protection branch November 22, 2024 15:54