upd: update policy minimal IAM permissions file for a number of policies

epam · Jun 21, 2024 · 333602e · 333602e
1 parent 008c472
commit 333602e
Show file tree

Hide file tree

Showing 72 changed files with 304 additions and 325 deletions.
diff --git a/iam/All-permissions_1.json b/iam/All-permissions_1.json
@@ -214,7 +214,6 @@
                 "states:DescribeStateMachine",
                 "states:ListStateMachine",
                 "tag:GetResources",
-                "tagging:GetResources",
                 "waf-regional:ListResourcesForWebACL",
                 "waf-regional:ListWebACLs",
                 "waf-regional:GetWebACL",

diff --git a/...aws-001-ensure_mfa_is_enabled_for_all_iam_users_with_console_password/iam/001-policy.json b/...aws-001-ensure_mfa_is_enabled_for_all_iam_users_with_console_password/iam/001-policy.json
@@ -4,8 +4,7 @@
         {
             "Effect": "Allow",
             "Action": [
-                "iam:ListMFADevices",
-                "iam:GetAccountPasswordPolicy",
+                "iam:GetCredentialReport",
                 "iam:ListUsers",
                 "iam:GetUser"
             ],

diff --git a/terraform/ecc-aws-002-ensure_access_keys_are_rotated_every_90_days/iam/002-policy.json b/terraform/ecc-aws-002-ensure_access_keys_are_rotated_every_90_days/iam/002-policy.json
@@ -6,7 +6,8 @@
             "Effect": "Allow",
             "Action": [
                 "iam:ListUsers",
-                "iam:GetUser"
+                "iam:GetUser",
+                "iam:GetCredentialReport"
             ],
             "Resource": "*"
         }

diff --git a/terraform/ecc-aws-004-bucket_policy_allows_https_requests/iam/004-policy.json b/terraform/ecc-aws-004-bucket_policy_allows_https_requests/iam/004-policy.json
@@ -12,7 +12,6 @@
                 "s3:GetBucketWebsite",
                 "s3:GetBucketNotification",
                 "s3:GetBucketVersioning",
-                "s3:GetBucketLifecycle",
                 "s3:GetLifecycleConfiguration",
                 "s3:GetReplicationConfiguration",
                 "s3:GetBucketPolicy"

diff --git a/terraform/ecc-aws-006-rds_retention_backup_is_at_least_7_days/iam/006-policy.json b/terraform/ecc-aws-006-rds_retention_backup_is_at_least_7_days/iam/006-policy.json
@@ -4,8 +4,7 @@
         {
             "Effect": "Allow",
             "Action": [ 
-                "rds:DescribeDBInstances",
-                "tag:GetResources"
+                "rds:DescribeDBInstances"
             ],
             "Resource": "*"
         }

diff --git a/terraform/ecc-aws-007-rds_high-availability_zone/iam/007-policy.json b/terraform/ecc-aws-007-rds_high-availability_zone/iam/007-policy.json
@@ -4,8 +4,7 @@
         {
             "Effect": "Allow",
             "Action": [ 
-                "rds:DescribeDBInstances",
-                "tag:GetResources"
+                "rds:DescribeDBInstances"
             ],
             "Resource": "*"
         }

diff --git a/terraform/ecc-aws-016-ensure_hardware_mfa_is_enabled_for_root_account/iam/016-policy.json b/terraform/ecc-aws-016-ensure_hardware_mfa_is_enabled_for_root_account/iam/016-policy.json
@@ -8,7 +8,8 @@
                 "iam:ListAccountAliases",
                 "iam:ListMFADevices",
                 "iam:ListVirtualMFADevices",
-                "iam:GetCredentialReport"
+                "iam:GetCredentialReport",
+                "iam:GenerateCredentialReport"
             ],
             "Resource": "*"
         }

diff --git a/terraform/ecc-aws-017-credentials_unused_for_45_days/iam/017-policy.json b/terraform/ecc-aws-017-credentials_unused_for_45_days/iam/017-policy.json
@@ -6,7 +6,6 @@
             "Effect": "Allow",
             "Action": [
                 "iam:GenerateCredentialReport",
-                "iam:ListAccountAliases",
                 "iam:ListUsers",
                 "iam:GetUser",
                 "iam:GetCredentialReport"

diff --git a/terraform/ecc-aws-026-rds_instance_with_no_backups/iam/026-policy.json b/terraform/ecc-aws-026-rds_instance_with_no_backups/iam/026-policy.json
@@ -4,8 +4,7 @@
         {
             "Effect": "Allow",
             "Action": [
-                "tag:GetResources",
-                "rds:DescribeDBInstances"
+                "tag:GetResources"
             ],
             "Resource": "*"
         }

diff --git a/terraform/ecc-aws-041-rds_without_tag_information/iam/041-policy.json b/terraform/ecc-aws-041-rds_without_tag_information/iam/041-policy.json
@@ -4,7 +4,6 @@
         {
             "Effect": "Allow",
             "Action": [
-                "tag:GetResources",
                 "rds:DescribeDBInstances"
             ],
             "Resource": "*"

diff --git a/terraform/ecc-aws-042-s3_encrypted_using_kms/iam/042-policy.json b/terraform/ecc-aws-042-s3_encrypted_using_kms/iam/042-policy.json
@@ -12,7 +12,6 @@
                 "s3:GetBucketWebsite",
                 "s3:GetBucketNotification",
                 "s3:GetBucketVersioning",
-                "s3:GetBucketLifecycle",
                 "s3:GetLifecycleConfiguration",
                 "s3:GetReplicationConfiguration",
                 "s3:GetBucketPolicy",

diff --git a/terraform/ecc-aws-043-s3_bucket_lifecycle/iam/043-policy.json b/terraform/ecc-aws-043-s3_bucket_lifecycle/iam/043-policy.json
@@ -12,7 +12,6 @@
                 "s3:GetBucketWebsite",
                 "s3:GetBucketNotification",
                 "s3:GetBucketVersioning",
-                "s3:GetBucketLifecycle",
                 "s3:GetLifecycleConfiguration",
                 "s3:GetReplicationConfiguration",
                 "s3:GetBucketPolicy",

diff --git a/terraform/ecc-aws-044-s3_buckets_without_tags/iam/044-policy.json b/terraform/ecc-aws-044-s3_buckets_without_tags/iam/044-policy.json
@@ -12,7 +12,6 @@
                 "s3:GetBucketWebsite",
                 "s3:GetBucketNotification",
                 "s3:GetBucketVersioning",
-                "s3:GetBucketLifecycle",
                 "s3:GetLifecycleConfiguration",
                 "s3:GetReplicationConfiguration",
                 "s3:GetBucketPolicy",

diff --git a/terraform/ecc-aws-060-cloudtrail_logs_encrypted_using_KMS_CMKs/iam/060-policy.json b/terraform/ecc-aws-060-cloudtrail_logs_encrypted_using_KMS_CMKs/iam/060-policy.json
@@ -1,14 +1,13 @@
 {
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Effect": "Allow",
-            "Action": [
-                "cloudtrail:DescribeTrails",
-                "cloudtrail:GetTrailStatus",
-                "iam:ListAccountAliases"
-            ],
-            "Resource": "*"   
-        }
-    ]
+	"Version": "2012-10-17",
+	"Statement": [
+		{
+			"Effect": "Allow",
+			"Action": [
+				"tag:GetResources",
+				"cloudtrail:DescribeTrails"
+			],
+			"Resource": "*"
+		}
+	]
 }
diff --git a/terraform/ecc-aws-061-kms_key_rotation_is_enabled/iam/061-policy.json b/terraform/ecc-aws-061-kms_key_rotation_is_enabled/iam/061-policy.json
@@ -1,15 +1,16 @@
 {
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Effect": "Allow",
-            "Action": [
-                "kms:DescribeKey",
-                "kms:ListKeys",
-                "kms:GetKeyRotationStatus",
-                "tagging:GetResources"
-            ],
-            "Resource": "*"   
-        }
-    ]
+	"Version": "2012-10-17",
+	"Statement": [
+		{
+			"Effect": "Allow",
+			"Action": [
+				"kms:DescribeKey",
+				"kms:ListKeys",
+				"kms:GetKeyRotationStatus",
+				"tag:GetResources",
+				"kms:ListAliases"
+			],
+			"Resource": "*"
+		}
+	]
 }
diff --git a/terraform/ecc-aws-074-elasticsearch_service_domains_in_vpc/iam/074-policy.json b/terraform/ecc-aws-074-elasticsearch_service_domains_in_vpc/iam/074-policy.json
@@ -1,14 +1,14 @@
 {
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Effect": "Allow",
-            "Action": [ 
-                "es:ListDomainNames",
-                "es:DescribeElasticsearchDomains",
-                "es:ListTags"
-            ],
-            "Resource": "*"
-        }
-    ]
+	"Version": "2012-10-17",
+	"Statement": [
+		{
+			"Effect": "Allow",
+			"Action": [
+				"es:DescribeDomains",
+				"es:ListDomainNames",
+				"es:ListTags"
+			],
+			"Resource": "*"
+		}
+	]
 }
diff --git a/terraform/ecc-aws-075-elasticsearch_service_domains_encryption_at_rest/iam/075-policy.json b/terraform/ecc-aws-075-elasticsearch_service_domains_encryption_at_rest/iam/075-policy.json
@@ -1,14 +1,14 @@
 {
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Effect": "Allow",
-            "Action": [ 
-                "es:ListDomainNames",
-                "es:DescribeElasticsearchDomains",
-                "es:ListTags"
-            ],
-            "Resource": "*"
-        }
-    ]
+	"Version": "2012-10-17",
+	"Statement": [
+		{
+			"Effect": "Allow",
+			"Action": [
+				"es:DescribeDomains",
+				"es:ListDomainNames",
+				"es:ListTags"
+			],
+			"Resource": "*"
+		}
+	]
 }
diff --git a/terraform/ecc-aws-088-s3_bucket_cross_region_replication_enabled/iam/088-policy.json b/terraform/ecc-aws-088-s3_bucket_cross_region_replication_enabled/iam/088-policy.json
@@ -12,11 +12,9 @@
                 "s3:GetBucketWebsite",
                 "s3:GetBucketNotification",
                 "s3:GetBucketVersioning",
-                "s3:GetBucketLifecycle",
                 "s3:GetLifecycleConfiguration",
                 "s3:GetReplicationConfiguration",
-                "s3:GetBucketPolicy",
-				"s3:GetEncryptionConfiguration"
+                "s3:GetBucketPolicy"
             ],
             "Resource": "*"
         }

diff --git a/terraform/ecc-aws-113-managed_policies_instead_of_inline_iam_policies/iam/113-policy.json b/terraform/ecc-aws-113-managed_policies_instead_of_inline_iam_policies/iam/113-policy.json
@@ -5,6 +5,7 @@
             "Effect": "Allow",
             "Action": [ 
                 "iam:ListUsers",
+                "iam:GetUser",
                 "iam:ListUserPolicies"
             ],
             "Resource": "*"

diff --git a/terraform/ecc-aws-127-rds_cluster_storage_is_encrypted/iam/127-policy.json b/terraform/ecc-aws-127-rds_cluster_storage_is_encrypted/iam/127-policy.json
@@ -4,8 +4,7 @@
         {
             "Effect": "Allow",
             "Action": [ 
-                "rds:DescribeDBClusters",
-                "tag:GetResources"
+                "rds:DescribeDBClusters"
             ],
             "Resource": "*"
         }

diff --git a/terraform/ecc-aws-139-iam_access_analyzer_is_enabled/iam/139-policy.json b/terraform/ecc-aws-139-iam_access_analyzer_is_enabled/iam/139-policy.json
@@ -4,7 +4,10 @@
         {
             "Sid": "VisualEditor0",
             "Effect": "Allow",
-            "Action": "access-analyzer:ListAnalyzers",
+            "Action": [
+                "access-analyzer:ListAnalyzers",
+                "iam:ListAccountAliases"
+            ],
             "Resource": "*"
         }
     ]

diff --git a/...-aws-140-only_one_active_access_key_available_for_any_single_iam_user/iam/140-policy.json b/...-aws-140-only_one_active_access_key_available_for_any_single_iam_user/iam/140-policy.json
@@ -4,6 +4,8 @@
         {
             "Effect": "Allow",
             "Action": [ 
+                "iam:ListAccessKeys",
+                "iam:GetUser",
                 "iam:ListAccessKeys"
             ],
             "Resource": "*"

diff --git a/terraform/ecc-aws-142-s3_buckets_configured_with_block_public_access/iam/142-policy.json b/terraform/ecc-aws-142-s3_buckets_configured_with_block_public_access/iam/142-policy.json
@@ -12,12 +12,10 @@
                 "s3:GetBucketWebsite",
                 "s3:GetBucketNotification",
                 "s3:GetBucketVersioning",
-                "s3:GetBucketLifecycle",
                 "s3:GetLifecycleConfiguration",
                 "s3:GetReplicationConfiguration",
                 "s3:GetBucketPolicy",
-				"s3:GetBucketPublicAccessBlock",
-				"s3:GetEncryptionConfiguration"
+				"s3:GetBucketPublicAccessBlock"
             ],
             "Resource": "*"
         }

diff --git a/terraform/ecc-aws-148-logging_for_s3_enabled/iam/148-policy.json b/terraform/ecc-aws-148-logging_for_s3_enabled/iam/148-policy.json
@@ -12,11 +12,9 @@
                 "s3:GetBucketWebsite",
                 "s3:GetBucketNotification",
                 "s3:GetBucketVersioning",
-                "s3:GetBucketLifecycle",
                 "s3:GetLifecycleConfiguration",
                 "s3:GetReplicationConfiguration",
-                "s3:GetBucketPolicy",
-				"s3:GetEncryptionConfiguration"
+                "s3:GetBucketPolicy"
             ],
             "Resource": "*"
         }

diff --git a/terraform/ecc-aws-149-rds_public_access_disabled/iam/149-policy.json b/terraform/ecc-aws-149-rds_public_access_disabled/iam/149-policy.json
@@ -4,8 +4,7 @@
         {
             "Effect": "Allow",
             "Action": [ 
-                "rds:DescribeDBClusters",
-                "tag:GetResources"
+                "rds:DescribeDBInstances"
             ],
             "Resource": "*"
         }

diff --git a/terraform/ecc-aws-149-rds_public_access_disabled/red/rds.tf b/terraform/ecc-aws-149-rds_public_access_disabled/red/rds.tf
@@ -7,8 +7,8 @@ resource "random_password" "this" {
 
 resource "aws_db_instance" "this" {
   engine              = "mysql"
-  engine_version      = "5.7"
-  instance_class      = "db.t2.micro"
+  engine_version      = "8.0.35"
+  instance_class      = "db.t3.micro"
   allocated_storage   = 10
   storage_type        = "gp2"
   db_name             = "database149red"

diff --git a/terraform/ecc-aws-153-elasticsearch_domains_audit_logging_enabled/green/es.tf b/terraform/ecc-aws-153-elasticsearch_domains_audit_logging_enabled/green/es.tf
@@ -77,7 +77,9 @@ resource "aws_kms_key" "this" {
 
 resource "random_password" "this" {
   length           = 12
-  special          = true
-  numeric          = true
+  min_lower        = 1
+  min_numeric      = 1
+  min_special      = 1
+  min_upper        = 1
   override_special = "!#$%*()-_=+[]{}:?"
 }
diff --git a/terraform/ecc-aws-153-elasticsearch_domains_audit_logging_enabled/iam/153-policy.json b/terraform/ecc-aws-153-elasticsearch_domains_audit_logging_enabled/iam/153-policy.json
@@ -1,12 +1,14 @@
 {
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Effect": "Allow",
-            "Action": [
-                "es:DescribeElasticsearchDomain"
-            ],
-            "Resource": "*"
-        }
-    ]
+	"Version": "2012-10-17",
+	"Statement": [
+		{
+			"Effect": "Allow",
+			"Action": [
+				"es:DescribeDomains",
+				"es:ListDomainNames",
+				"es:ListTags"
+			],
+			"Resource": "*"
+		}
+	]
 }
diff --git a/...csearch_domains_configured_with_at_least_three_dedicated_master_nodes/iam/155-policy.json b/...csearch_domains_configured_with_at_least_three_dedicated_master_nodes/iam/155-policy.json
@@ -1,12 +1,14 @@
 {
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Effect": "Allow",
-            "Action": [
-                "es:DescribeElasticsearchDomains"
-            ],
-            "Resource": "*"
-        }
-    ]
+	"Version": "2012-10-17",
+	"Statement": [
+		{
+			"Effect": "Allow",
+			"Action": [
+				"es:DescribeDomains",
+				"es:ListDomainNames",
+				"es:ListTags"
+			],
+			"Resource": "*"
+		}
+	]
 }