skip: Merge remote-tracking branch 'origin/update_iam_per_policy' int…

…o feature/policy_testing_v2

iam/All-permissions_2.json

@@ -1,27 +1,71 @@
 {
-	"Version": "2012-10-17",
-	"Statement": [
-		{
-			"Effect": "Allow",
-			"Action": [
-				"batch:DescribeComputeEnvironments",
-				"cloudformation:ListStacks",
-				"cloudwatch:DescribeAlarmsForMetric",
-				"events:ListRules",
-				"events:ListTargetsByRule",
-				"guardduty:GetDetector",
-				"guardduty:GetMasterAccount",
-				"iam:ListVirtualMFADevices",
-				"iam:ListAttachedRolePolicies",
-				"kafka:ListClustersV2",
-				"lambda:GetFunctionConfiguration",
-				"wafv2:ListWebACLs",
-				"workspaces:DescribeWorkspaceImages",
-				"workspaces:DescribeWorkspaces",
-				"workspaces:DescribeWorkspacesConnectionStatus",
-				"xray:GetEncryptionConfig"
-			],
-			"Resource": "*"
-		}
-	]
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "route53:ListHostedZones",
+                "route53:ListQueryLoggingConfigs",
+                "route53:ListResourceRecordSets",
+                "route53:ListTagsForResources",
+                "route53domains:ListDomains",
+                "route53domains:ListTagsForDomain",
+                "s3:GetBucketAcl",
+                "s3:GetBucketLifecycle",
+                "s3:GetBucketLocation",
+                "s3:GetBucketLogging",
+                "s3:GetBucketNotification",
+                "s3:GetBucketObjectLockConfiguration",
+                "s3:GetBucketOwnershipControls",
+                "s3:GetBucketPolicy",
+                "s3:GetBucketPublicAccessBlock",
+                "s3:GetBucketReplication",
+                "s3:GetBucketTagging",
+                "s3:GetBucketVersioning",
+                "s3:GetBucketWebsite",
+                "s3:GetEncryptionConfiguration",
+                "s3:GetLifecycleConfiguration",
+                "s3:GetObject",
+                "s3:GetReplicationConfiguration",
+                "s3:ListAllMyBuckets",
+                "s3:ListBucket",
+                "sagemaker:DescribeEndpointConfig",
+                "sagemaker:DescribeModel",
+                "sagemaker:DescribeNotebookInstance",
+                "sagemaker:ListEndpointConfigs",
+                "sagemaker:ListModels",
+                "sagemaker:ListNotebookInstances",
+                "sagemaker:ListTags",
+                "secretsmanager:DescribeSecret",
+                "secretsmanager:ListSecrets",
+                "securityhub:DescribeHub",
+                "sns:GetTopicAttributes",
+                "sns:ListTagsForResource",
+                "sns:ListTopics",
+                "sqs:GetQueueAttributes",
+                "sqs:ListQueues",
+                "ssm:DescribeInstanceInformation",
+                "ssm:ListResourceComplianceSummaries",
+                "states:DescribeStateMachine",
+                "states:ListStateMachine",
+                "tag:GetResources",
+                "waf-regional:GetWebACL",
+                "waf-regional:ListResourcesForWebACL",
+                "waf-regional:ListWebACLs",
+                "waf:GetRule",
+                "waf:GetWebACL",
+                "waf:ListActivatedRulesInRuleGroup",
+                "waf:ListRuleGroups",
+                "waf:ListRules",
+                "waf:ListWebACLs",
+                "wafv2:ListWebACLs",
+                "workspaces:DescribeWorkspaceDirectories",
+                "workspaces:DescribeWorkspaceImages",
+                "workspaces:DescribeWorkspaces",
+                "workspaces:DescribeWorkspacesConnectionStatus",
+                "xray:GetEncryptionConfig"
+            ],
+            "Resource": "*"
+        }
+    ]
 }

terraform/ecc-aws-001-ensure_mfa_is_enabled_for_all_iam_users_with_console_password/iam/001-policy.json

@@ -4,8 +4,7 @@
         {
             "Effect": "Allow",
             "Action": [
-                "iam:ListMFADevices",
-                "iam:GetAccountPasswordPolicy",
+                "iam:GetCredentialReport",
                 "iam:ListUsers",
                 "iam:GetUser"
             ],

terraform/ecc-aws-002-ensure_access_keys_are_rotated_every_90_days/iam/002-policy.json

@@ -6,7 +6,8 @@
             "Effect": "Allow",
             "Action": [
                 "iam:ListUsers",
-                "iam:GetUser"
+                "iam:GetUser",
+                "iam:GetCredentialReport"
             ],
             "Resource": "*"
         }

terraform/ecc-aws-004-bucket_policy_allows_https_requests/iam/004-policy.json

@@ -12,7 +12,6 @@
                 "s3:GetBucketWebsite",
                 "s3:GetBucketNotification",
                 "s3:GetBucketVersioning",
-                "s3:GetBucketLifecycle",
                 "s3:GetLifecycleConfiguration",
                 "s3:GetReplicationConfiguration",
                 "s3:GetBucketPolicy"

terraform/ecc-aws-006-rds_retention_backup_is_at_least_7_days/iam/006-policy.json

@@ -4,8 +4,7 @@
         {
             "Effect": "Allow",
             "Action": [ 
-                "rds:DescribeDBInstances",
-                "tag:GetResources"
+                "rds:DescribeDBInstances"
             ],
             "Resource": "*"
         }

terraform/ecc-aws-007-rds_high-availability_zone/iam/007-policy.json

@@ -4,8 +4,7 @@
         {
             "Effect": "Allow",
             "Action": [ 
-                "rds:DescribeDBInstances",
-                "tag:GetResources"
+                "rds:DescribeDBInstances"
             ],
             "Resource": "*"
         }

terraform/ecc-aws-016-ensure_hardware_mfa_is_enabled_for_root_account/iam/016-policy.json

@@ -8,7 +8,8 @@
                 "iam:ListAccountAliases",
                 "iam:ListMFADevices",
                 "iam:ListVirtualMFADevices",
-                "iam:GetCredentialReport"
+                "iam:GetCredentialReport",
+                "iam:GenerateCredentialReport"
             ],
             "Resource": "*"
         }

terraform/ecc-aws-017-credentials_unused_for_45_days/iam/017-policy.json

@@ -6,7 +6,6 @@
             "Effect": "Allow",
             "Action": [
                 "iam:GenerateCredentialReport",
-                "iam:ListAccountAliases",
                 "iam:ListUsers",
                 "iam:GetUser",
                 "iam:GetCredentialReport"

terraform/ecc-aws-026-rds_instance_with_no_backups/iam/026-policy.json

@@ -4,8 +4,7 @@
         {
             "Effect": "Allow",
             "Action": [
-                "tag:GetResources",
-                "rds:DescribeDBInstances"
+                "tag:GetResources"
             ],
             "Resource": "*"
         }

terraform/ecc-aws-041-rds_without_tag_information/iam/041-policy.json

@@ -4,7 +4,6 @@
         {
             "Effect": "Allow",
             "Action": [
-                "tag:GetResources",
                 "rds:DescribeDBInstances"
             ],
             "Resource": "*"

terraform/ecc-aws-042-s3_encrypted_using_kms/iam/042-policy.json

@@ -12,7 +12,6 @@
                 "s3:GetBucketWebsite",
                 "s3:GetBucketNotification",
                 "s3:GetBucketVersioning",
-                "s3:GetBucketLifecycle",
                 "s3:GetLifecycleConfiguration",
                 "s3:GetReplicationConfiguration",
                 "s3:GetBucketPolicy",

terraform/ecc-aws-043-s3_bucket_lifecycle/iam/043-policy.json

@@ -12,7 +12,6 @@
                 "s3:GetBucketWebsite",
                 "s3:GetBucketNotification",
                 "s3:GetBucketVersioning",
-                "s3:GetBucketLifecycle",
                 "s3:GetLifecycleConfiguration",
                 "s3:GetReplicationConfiguration",
                 "s3:GetBucketPolicy",

terraform/ecc-aws-044-s3_buckets_without_tags/iam/044-policy.json

@@ -12,7 +12,6 @@
                 "s3:GetBucketWebsite",
                 "s3:GetBucketNotification",
                 "s3:GetBucketVersioning",
-                "s3:GetBucketLifecycle",
                 "s3:GetLifecycleConfiguration",
                 "s3:GetReplicationConfiguration",
                 "s3:GetBucketPolicy",

terraform/ecc-aws-060-cloudtrail_logs_encrypted_using_KMS_CMKs/iam/060-policy.json

@@ -1,14 +1,13 @@
 {
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Effect": "Allow",
-            "Action": [
-                "cloudtrail:DescribeTrails",
-                "cloudtrail:GetTrailStatus",
-                "iam:ListAccountAliases"
-            ],
-            "Resource": "*"   
-        }
-    ]
+	"Version": "2012-10-17",
+	"Statement": [
+		{
+			"Effect": "Allow",
+			"Action": [
+				"tag:GetResources",
+				"cloudtrail:DescribeTrails"
+			],
+			"Resource": "*"
+		}
+	]
 }

terraform/ecc-aws-061-kms_key_rotation_is_enabled/iam/061-policy.json

@@ -1,15 +1,16 @@
 {
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Effect": "Allow",
-            "Action": [
-                "kms:DescribeKey",
-                "kms:ListKeys",
-                "kms:GetKeyRotationStatus",
-                "tag:GetResources"
-            ],
-            "Resource": "*"   
-        }
-    ]
+	"Version": "2012-10-17",
+	"Statement": [
+		{
+			"Effect": "Allow",
+			"Action": [
+				"kms:DescribeKey",
+				"kms:ListKeys",
+				"kms:GetKeyRotationStatus",
+				"tag:GetResources",
+				"kms:ListAliases"
+			],
+			"Resource": "*"
+		}
+	]
 }

terraform/ecc-aws-074-elasticsearch_service_domains_in_vpc/iam/074-policy.json

@@ -1,14 +1,14 @@
 {
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Effect": "Allow",
-            "Action": [ 
-                "es:ListDomainNames",
-                "es:DescribeElasticsearchDomains",
-                "es:ListTags"
-            ],
-            "Resource": "*"
-        }
-    ]
+	"Version": "2012-10-17",
+	"Statement": [
+		{
+			"Effect": "Allow",
+			"Action": [
+				"es:DescribeDomains",
+				"es:ListDomainNames",
+				"es:ListTags"
+			],
+			"Resource": "*"
+		}
+	]
 }

terraform/ecc-aws-075-elasticsearch_service_domains_encryption_at_rest/iam/075-policy.json

@@ -1,14 +1,14 @@
 {
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Effect": "Allow",
-            "Action": [ 
-                "es:ListDomainNames",
-                "es:DescribeElasticsearchDomains",
-                "es:ListTags"
-            ],
-            "Resource": "*"
-        }
-    ]
+	"Version": "2012-10-17",
+	"Statement": [
+		{
+			"Effect": "Allow",
+			"Action": [
+				"es:DescribeDomains",
+				"es:ListDomainNames",
+				"es:ListTags"
+			],
+			"Resource": "*"
+		}
+	]
 }

terraform/ecc-aws-088-s3_bucket_cross_region_replication_enabled/iam/088-policy.json

@@ -12,11 +12,9 @@
                 "s3:GetBucketWebsite",
                 "s3:GetBucketNotification",
                 "s3:GetBucketVersioning",
-                "s3:GetBucketLifecycle",
                 "s3:GetLifecycleConfiguration",
                 "s3:GetReplicationConfiguration",
-                "s3:GetBucketPolicy",
-				"s3:GetEncryptionConfiguration"
+                "s3:GetBucketPolicy"
             ],
             "Resource": "*"
         }

terraform/ecc-aws-113-managed_policies_instead_of_inline_iam_policies/iam/113-policy.json

@@ -5,6 +5,7 @@
             "Effect": "Allow",
             "Action": [ 
                 "iam:ListUsers",
+                "iam:GetUser",
                 "iam:ListUserPolicies"
             ],
             "Resource": "*"

terraform/ecc-aws-127-rds_cluster_storage_is_encrypted/iam/127-policy.json

@@ -4,8 +4,7 @@
         {
             "Effect": "Allow",
             "Action": [ 
-                "rds:DescribeDBClusters",
-                "tag:GetResources"
+                "rds:DescribeDBClusters"
             ],
             "Resource": "*"
         }

terraform/ecc-aws-139-iam_access_analyzer_is_enabled/iam/139-policy.json

@@ -4,7 +4,10 @@
         {
             "Sid": "VisualEditor0",
             "Effect": "Allow",
-            "Action": "access-analyzer:ListAnalyzers",
+            "Action": [
+                "access-analyzer:ListAnalyzers",
+                "iam:ListAccountAliases"
+            ],
             "Resource": "*"
         }
     ]

terraform/ecc-aws-140-only_one_active_access_key_available_for_any_single_iam_user/iam/140-policy.json

@@ -4,6 +4,8 @@
         {
             "Effect": "Allow",
             "Action": [ 
+                "iam:ListAccessKeys",
+                "iam:GetUser",
                 "iam:ListAccessKeys"
             ],
             "Resource": "*"

terraform/ecc-aws-142-s3_buckets_configured_with_block_public_access/iam/142-policy.json

@@ -12,12 +12,10 @@
                 "s3:GetBucketWebsite",
                 "s3:GetBucketNotification",
                 "s3:GetBucketVersioning",
-                "s3:GetBucketLifecycle",
                 "s3:GetLifecycleConfiguration",
                 "s3:GetReplicationConfiguration",
                 "s3:GetBucketPolicy",
-				"s3:GetBucketPublicAccessBlock",
-				"s3:GetEncryptionConfiguration"
+				"s3:GetBucketPublicAccessBlock"
             ],
             "Resource": "*"
         }

terraform/ecc-aws-148-logging_for_s3_enabled/iam/148-policy.json

@@ -12,11 +12,9 @@
                 "s3:GetBucketWebsite",
                 "s3:GetBucketNotification",
                 "s3:GetBucketVersioning",
-                "s3:GetBucketLifecycle",
                 "s3:GetLifecycleConfiguration",
                 "s3:GetReplicationConfiguration",
-                "s3:GetBucketPolicy",
-				"s3:GetEncryptionConfiguration"
+                "s3:GetBucketPolicy"
             ],
             "Resource": "*"
         }