From 25dcce2f65e839a5871e622881aec0e53214136b Mon Sep 17 00:00:00 2001 
From: Anna Shcherbak Date: Fri, 21 Jun 2024 21:21:47 +0300 Subject: [PATCH 1/3] upd: update policy minimal IAM permissions file for a number of policies --- iam/All-permissions_1.json | 1 - .../iam/001-policy.json | 4 +-- .../iam/002-policy.json | 4 ++- .../iam/004-policy.json | 1 - .../iam/006-policy.json | 3 +- .../iam/007-policy.json | 3 +- .../iam/016-policy.json | 3 +- .../iam/017-policy.json | 1 - .../iam/026-policy.json | 1 - .../iam/041-policy.json | 1 - .../iam/042-policy.json | 1 - .../iam/043-policy.json | 1 - .../iam/044-policy.json | 1 - .../iam/060-policy.json | 23 +++++++------ .../iam/061-policy.json | 27 ++++++++-------- .../iam/070-policy.json | 32 ++++++++++++------- .../iam/074-policy.json | 24 +++++++------- .../iam/075-policy.json | 24 +++++++------- .../iam/088-policy.json | 4 +-- .../iam/113-policy.json | 1 + .../iam/127-policy.json | 3 +- .../iam/139-policy.json | 5 ++- .../iam/140-policy.json | 2 ++ .../iam/142-policy.json | 4 +-- .../iam/148-policy.json | 4 +-- .../iam/149-policy.json | 3 +- .../red/rds.tf | 4 +-- .../green/es.tf | 6 ++-- .../iam/153-policy.json | 22 +++++++------ .../iam/155-policy.json | 22 +++++++------ .../iam/156-policy.json | 28 +++++++--------- .../iam/158-policy.json | 3 +- .../iam/159-policy.json | 4 +-- .../iam/160-policy.json | 4 +-- .../iam/161-policy.json | 4 +-- .../iam/162-policy.json | 4 +-- .../iam/175-policy.json | 3 +- .../iam/197-policy.json | 26 +++++++-------- .../iam/198-policy.json | 25 +++++++-------- .../iam/201-policy.json | 3 +- .../iam/221-policy.json | 4 +-- .../iam/258-policy.json | 26 +++++++-------- .../iam/268-policy.json | 5 ++- .../iam/277-policy.json | 27 ++++++++-------- .../iam/280-policy.json | 2 +- .../iam/282-policy.json | 26 +++++++-------- .../iam/283-policy.json | 26 +++++++-------- .../iam/296-policy.json | 3 +- .../iam/329-policy.json | 3 +- .../iam/345-policy.json | 3 +- .../iam/347-policy.json | 2 +- .../iam/348-policy.json | 2 +- .../iam/350-policy.json | 2 +- 
.../iam/352-policy.json | 4 +-- .../iam/392-policy.json | 22 ++++++------- .../iam/410-policy.json | 26 +++++++-------- .../iam/417-policy.json | 2 +- .../iam/420-policy.json | 2 +- .../iam/428-policy.json | 3 +- .../iam/431-policy.json | 1 - .../iam/456-policy.json | 25 ++++++++------- .../iam/463-policy.json | 4 +-- .../iam/479-policy.json | 5 ++- .../iam/501-policy.json | 25 +++++++-------- .../iam/502-policy.json | 3 +- .../iam/504-policy.json | 3 +- .../iam/507-policy.json | 3 +- .../iam/518-policy.json | 4 +-- .../iam/547-policy.json | 3 +- .../iam/566-policy.json | 25 +++++++-------- .../iam/586-policy.json | 27 ++++++++-------- .../iam/590-policy.json | 3 +- .../iam/591-policy.json | 2 +- .../iam/592-policy.json | 2 +- .../iam/593-policy.json | 2 +- .../iam/630-policy.json | 1 + 76 files changed, 328 insertions(+), 339 deletions(-)
diff --git a/iam/All-permissions_1.json b/iam/All-permissions_1.json
index 85ce18d7e..013516352 100644
--- a/iam/All-permissions_1.json
+++ b/iam/All-permissions_1.json
@@ -214,7 +214,6 @@
 "states:DescribeStateMachine",
 "states:ListStateMachine",
 "tag:GetResources",
- "tagging:GetResources",
 "waf-regional:ListResourcesForWebACL",
 "waf-regional:ListWebACLs",
 "waf-regional:GetWebACL",
diff --git a/terraform/ecc-aws-001-ensure_mfa_is_enabled_for_all_iam_users_with_console_password/iam/001-policy.json b/terraform/ecc-aws-001-ensure_mfa_is_enabled_for_all_iam_users_with_console_password/iam/001-policy.json
index 28f192367..7007f3770 100644
--- a/terraform/ecc-aws-001-ensure_mfa_is_enabled_for_all_iam_users_with_console_password/iam/001-policy.json
+++ b/terraform/ecc-aws-001-ensure_mfa_is_enabled_for_all_iam_users_with_console_password/iam/001-policy.json
@@ -4,8 +4,8 @@
 {
 "Effect": "Allow",
 "Action": [
- "iam:ListMFADevices",
- "iam:GetAccountPasswordPolicy",
+ "iam:GetCredentialReport",
+ "iam:GenerateCredentialReport",
 "iam:ListUsers",
 "iam:GetUser"
 ],
diff --git a/terraform/ecc-aws-002-ensure_access_keys_are_rotated_every_90_days/iam/002-policy.json b/terraform/ecc-aws-002-ensure_access_keys_are_rotated_every_90_days/iam/002-policy.json
index 483269877..d8b8ce67a 100644
--- a/terraform/ecc-aws-002-ensure_access_keys_are_rotated_every_90_days/iam/002-policy.json
+++ b/terraform/ecc-aws-002-ensure_access_keys_are_rotated_every_90_days/iam/002-policy.json
@@ -6,7 +6,9 @@
 "Effect": "Allow",
 "Action": [
 "iam:ListUsers",
- "iam:GetUser"
+ "iam:GetUser",
+ "iam:GenerateCredentialReport",
+ "iam:GetCredentialReport"
 ],
 "Resource": "*"
 }
diff --git a/terraform/ecc-aws-004-bucket_policy_allows_https_requests/iam/004-policy.json b/terraform/ecc-aws-004-bucket_policy_allows_https_requests/iam/004-policy.json
index 8a94428b5..34114c700 100644
--- a/terraform/ecc-aws-004-bucket_policy_allows_https_requests/iam/004-policy.json
+++ b/terraform/ecc-aws-004-bucket_policy_allows_https_requests/iam/004-policy.json
@@ -12,7 +12,6 @@
 "s3:GetBucketWebsite",
 "s3:GetBucketNotification",
 "s3:GetBucketVersioning",
- "s3:GetBucketLifecycle",
 "s3:GetLifecycleConfiguration",
 "s3:GetReplicationConfiguration",
 "s3:GetBucketPolicy"
diff --git a/terraform/ecc-aws-006-rds_retention_backup_is_at_least_7_days/iam/006-policy.json b/terraform/ecc-aws-006-rds_retention_backup_is_at_least_7_days/iam/006-policy.json
index 545a39a4f..021fa87cd 100644
--- a/terraform/ecc-aws-006-rds_retention_backup_is_at_least_7_days/iam/006-policy.json
+++ b/terraform/ecc-aws-006-rds_retention_backup_is_at_least_7_days/iam/006-policy.json
@@ -4,8 +4,7 @@
 {
 "Effect": "Allow",
 "Action": [
- "rds:DescribeDBInstances",
- "tag:GetResources"
+ "rds:DescribeDBInstances"
 ],
 "Resource": "*"
 }
diff --git a/terraform/ecc-aws-007-rds_high-availability_zone/iam/007-policy.json b/terraform/ecc-aws-007-rds_high-availability_zone/iam/007-policy.json
index 545a39a4f..021fa87cd 100644
--- a/terraform/ecc-aws-007-rds_high-availability_zone/iam/007-policy.json
+++ b/terraform/ecc-aws-007-rds_high-availability_zone/iam/007-policy.json
@@ -4,8 +4,7 @@
 {
 "Effect": "Allow",
 "Action": [
- "rds:DescribeDBInstances",
- "tag:GetResources"
+ "rds:DescribeDBInstances"
 ],
 "Resource": "*"
 }
diff --git a/terraform/ecc-aws-016-ensure_hardware_mfa_is_enabled_for_root_account/iam/016-policy.json b/terraform/ecc-aws-016-ensure_hardware_mfa_is_enabled_for_root_account/iam/016-policy.json
index 7ffcd0ad4..655f966b7 100644
--- a/terraform/ecc-aws-016-ensure_hardware_mfa_is_enabled_for_root_account/iam/016-policy.json
+++ b/terraform/ecc-aws-016-ensure_hardware_mfa_is_enabled_for_root_account/iam/016-policy.json
@@ -8,7 +8,8 @@
 "iam:ListAccountAliases",
 "iam:ListMFADevices",
 "iam:ListVirtualMFADevices",
- "iam:GetCredentialReport"
+ "iam:GetCredentialReport",
+ "iam:GenerateCredentialReport"
 ],
 "Resource": "*"
 }
diff --git a/terraform/ecc-aws-017-credentials_unused_for_45_days/iam/017-policy.json b/terraform/ecc-aws-017-credentials_unused_for_45_days/iam/017-policy.json
index 71bd94ad6..529bbe134 100644
--- a/terraform/ecc-aws-017-credentials_unused_for_45_days/iam/017-policy.json
+++ b/terraform/ecc-aws-017-credentials_unused_for_45_days/iam/017-policy.json
@@ -6,7 +6,6 @@
 "Effect": "Allow",
 "Action": [
 "iam:GenerateCredentialReport",
- "iam:ListAccountAliases",
 "iam:ListUsers",
 "iam:GetUser",
 "iam:GetCredentialReport"
diff --git a/terraform/ecc-aws-026-rds_instance_with_no_backups/iam/026-policy.json b/terraform/ecc-aws-026-rds_instance_with_no_backups/iam/026-policy.json
index cfe8bef85..ef9966e49 100644
--- a/terraform/ecc-aws-026-rds_instance_with_no_backups/iam/026-policy.json
+++ b/terraform/ecc-aws-026-rds_instance_with_no_backups/iam/026-policy.json
@@ -4,7 +4,6 @@
 {
 "Effect": "Allow",
 "Action": [
- "tag:GetResources",
 "rds:DescribeDBInstances"
 ],
 "Resource": "*"
diff --git a/terraform/ecc-aws-041-rds_without_tag_information/iam/041-policy.json b/terraform/ecc-aws-041-rds_without_tag_information/iam/041-policy.json
index cfe8bef85..ef9966e49 100644
--- a/terraform/ecc-aws-041-rds_without_tag_information/iam/041-policy.json
+++ b/terraform/ecc-aws-041-rds_without_tag_information/iam/041-policy.json
@@ -4,7 +4,6 @@
 {
 "Effect": "Allow",
 "Action": [
- "tag:GetResources",
 "rds:DescribeDBInstances"
 ],
 "Resource": "*"
diff --git a/terraform/ecc-aws-042-s3_encrypted_using_kms/iam/042-policy.json b/terraform/ecc-aws-042-s3_encrypted_using_kms/iam/042-policy.json
index 53a7390fd..6e5103c73 100644
--- a/terraform/ecc-aws-042-s3_encrypted_using_kms/iam/042-policy.json
+++ b/terraform/ecc-aws-042-s3_encrypted_using_kms/iam/042-policy.json
@@ -12,7 +12,6 @@
 "s3:GetBucketWebsite",
 "s3:GetBucketNotification",
 "s3:GetBucketVersioning",
- "s3:GetBucketLifecycle",
 "s3:GetLifecycleConfiguration",
 "s3:GetReplicationConfiguration",
 "s3:GetBucketPolicy",
diff --git a/terraform/ecc-aws-043-s3_bucket_lifecycle/iam/043-policy.json b/terraform/ecc-aws-043-s3_bucket_lifecycle/iam/043-policy.json
index 53a7390fd..6e5103c73 100644
--- a/terraform/ecc-aws-043-s3_bucket_lifecycle/iam/043-policy.json
+++ b/terraform/ecc-aws-043-s3_bucket_lifecycle/iam/043-policy.json
@@ -12,7 +12,6 @@
 "s3:GetBucketWebsite",
 "s3:GetBucketNotification",
 "s3:GetBucketVersioning",
- "s3:GetBucketLifecycle",
 "s3:GetLifecycleConfiguration",
 "s3:GetReplicationConfiguration",
 "s3:GetBucketPolicy",
diff --git a/terraform/ecc-aws-044-s3_buckets_without_tags/iam/044-policy.json b/terraform/ecc-aws-044-s3_buckets_without_tags/iam/044-policy.json
index 53a7390fd..6e5103c73 100644
--- a/terraform/ecc-aws-044-s3_buckets_without_tags/iam/044-policy.json
+++ b/terraform/ecc-aws-044-s3_buckets_without_tags/iam/044-policy.json
@@ -12,7 +12,6 @@
 "s3:GetBucketWebsite",
 "s3:GetBucketNotification",
 "s3:GetBucketVersioning",
- "s3:GetBucketLifecycle",
 "s3:GetLifecycleConfiguration",
 "s3:GetReplicationConfiguration",
 "s3:GetBucketPolicy",
diff --git a/terraform/ecc-aws-060-cloudtrail_logs_encrypted_using_KMS_CMKs/iam/060-policy.json b/terraform/ecc-aws-060-cloudtrail_logs_encrypted_using_KMS_CMKs/iam/060-policy.json
index 64bcbbaf6..d1f5e01d2 100644
--- a/terraform/ecc-aws-060-cloudtrail_logs_encrypted_using_KMS_CMKs/iam/060-policy.json
+++ b/terraform/ecc-aws-060-cloudtrail_logs_encrypted_using_KMS_CMKs/iam/060-policy.json
@@ -1,14 +1,13 @@
 {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "cloudtrail:DescribeTrails",
- "cloudtrail:GetTrailStatus",
- "iam:ListAccountAliases"
- ],
- "Resource": "*"
- }
- ]
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "tag:GetResources",
+ "cloudtrail:DescribeTrails"
+ ],
+ "Resource": "*"
+ }
+ ]
 }
\ No newline at end of file
diff --git a/terraform/ecc-aws-061-kms_key_rotation_is_enabled/iam/061-policy.json b/terraform/ecc-aws-061-kms_key_rotation_is_enabled/iam/061-policy.json
index 95cf41c13..30cd04678 100644
--- a/terraform/ecc-aws-061-kms_key_rotation_is_enabled/iam/061-policy.json
+++ b/terraform/ecc-aws-061-kms_key_rotation_is_enabled/iam/061-policy.json
@@ -1,15 +1,16 @@
 {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "kms:DescribeKey",
- "kms:ListKeys",
- "kms:GetKeyRotationStatus",
- "tagging:GetResources"
- ],
- "Resource": "*"
- }
- ]
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "kms:DescribeKey",
+ "kms:ListKeys",
+ "kms:GetKeyRotationStatus",
+ "tag:GetResources",
+ "kms:ListAliases"
+ ],
+ "Resource": "*"
+ }
+ ]
 }
\ No newline at end of file
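Review bot: The 060-policy.json hunk rewrites every line of the file to change indentation, so the actual permission change — `cloudtrail:GetTrailStatus` and `iam:ListAccountAliases` dropped, `tag:GetResources` added — is buried in a 23-line diff that a reviewer has to reconstruct by hand; keeping the file's existing indentation would leave a three-line hunk that can be checked at a glance. The same whole-file reindent recurs in 061, 070, 074, 075, 153, 155, 156, 197, 198, 258, 277, 282 and 283, and in 258 it is the only change apart from reordering the same four `elasticmapreduce:` actions. Trailing newlines also move in both directions in this commit: 070, 197, 198, 282 and 283 lose theirs (`\ No newline at end of file` now sits under the `+}` line) while 277 gains one; pick one convention, preferably a final newline, and apply it to all of these files so later diffs stay minimal.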
diff --git a/terraform/ecc-aws-070-unused_ec2_security_groups/iam/070-policy.json b/terraform/ecc-aws-070-unused_ec2_security_groups/iam/070-policy.json
index efdc5e8ae..146559cc8 100644
--- a/terraform/ecc-aws-070-unused_ec2_security_groups/iam/070-policy.json
+++ b/terraform/ecc-aws-070-unused_ec2_security_groups/iam/070-policy.json
@@ -1,13 +1,21 @@
 {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "ec2:DescribeSecurityGroupReferences",
- "ec2:DescribeRegions"
- ],
- "Resource": "*"
- }
- ]
-}
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DescribeSecurityGroupReferences",
+ "ec2:DescribeRegions",
+ "events:ListTargetsByRule",
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeNetworkInterfaces",
+ "lambda:ListFunctions",
+ "autoscaling:DescribeLaunchConfigurations",
+ "events:ListRules",
+ "codebuild:ListProjects",
+ "batch:DescribeComputeEnvironments"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-074-elasticsearch_service_domains_in_vpc/iam/074-policy.json b/terraform/ecc-aws-074-elasticsearch_service_domains_in_vpc/iam/074-policy.json
index 47ef085e9..fc65b5900 100644
--- a/terraform/ecc-aws-074-elasticsearch_service_domains_in_vpc/iam/074-policy.json
+++ b/terraform/ecc-aws-074-elasticsearch_service_domains_in_vpc/iam/074-policy.json
@@ -1,14 +1,14 @@
 {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "es:ListDomainNames",
- "es:DescribeElasticsearchDomains",
- "es:ListTags"
- ],
- "Resource": "*"
- }
- ]
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "es:DescribeDomains",
+ "es:ListDomainNames",
+ "es:ListTags"
+ ],
+ "Resource": "*"
+ }
+ ]
 }
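Review bot: `codebuild:ListProjects` in the new 070-policy.json action list returns only project names, so if the unused-security-group check reads each CodeBuild project's VPC security groups it will also need `codebuild:BatchGetProjects`; the other services added here (Lambda `ListFunctions`, Batch `DescribeComputeEnvironments`, `DescribeNetworkInterfaces`, EventBridge `ListTargetsByRule`) return security-group ids directly from the listed call, CodeBuild does not — confirm against the filter implementation before merging. The ten actions are also in no discernible order; grouping them by service prefix (`autoscaling:`, `batch:`, `codebuild:`, `ec2:`, `events:`, `lambda:`) would make the next least-privilege review of this file much quicker.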
diff --git a/terraform/ecc-aws-075-elasticsearch_service_domains_encryption_at_rest/iam/075-policy.json b/terraform/ecc-aws-075-elasticsearch_service_domains_encryption_at_rest/iam/075-policy.json
index 47ef085e9..fc65b5900 100644
--- a/terraform/ecc-aws-075-elasticsearch_service_domains_encryption_at_rest/iam/075-policy.json
+++ b/terraform/ecc-aws-075-elasticsearch_service_domains_encryption_at_rest/iam/075-policy.json
@@ -1,14 +1,14 @@
 {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "es:ListDomainNames",
- "es:DescribeElasticsearchDomains",
- "es:ListTags"
- ],
- "Resource": "*"
- }
- ]
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "es:DescribeDomains",
+ "es:ListDomainNames",
+ "es:ListTags"
+ ],
+ "Resource": "*"
+ }
+ ]
 }
diff --git a/terraform/ecc-aws-088-s3_bucket_cross_region_replication_enabled/iam/088-policy.json b/terraform/ecc-aws-088-s3_bucket_cross_region_replication_enabled/iam/088-policy.json
index 53a7390fd..34114c700 100644
--- a/terraform/ecc-aws-088-s3_bucket_cross_region_replication_enabled/iam/088-policy.json
+++ b/terraform/ecc-aws-088-s3_bucket_cross_region_replication_enabled/iam/088-policy.json
@@ -12,11 +12,9 @@
 "s3:GetBucketWebsite",
 "s3:GetBucketNotification",
 "s3:GetBucketVersioning",
- "s3:GetBucketLifecycle",
 "s3:GetLifecycleConfiguration",
 "s3:GetReplicationConfiguration",
- "s3:GetBucketPolicy",
- "s3:GetEncryptionConfiguration"
+ "s3:GetBucketPolicy"
 ],
 "Resource": "*"
 }
diff --git a/terraform/ecc-aws-113-managed_policies_instead_of_inline_iam_policies/iam/113-policy.json b/terraform/ecc-aws-113-managed_policies_instead_of_inline_iam_policies/iam/113-policy.json
index 10f5eb310..b00096304 100644
--- a/terraform/ecc-aws-113-managed_policies_instead_of_inline_iam_policies/iam/113-policy.json
+++ b/terraform/ecc-aws-113-managed_policies_instead_of_inline_iam_policies/iam/113-policy.json
@@ -5,6 +5,7 @@
 "Effect": "Allow",
 "Action": [
 "iam:ListUsers",
+ "iam:GetUser",
 "iam:ListUserPolicies"
 ],
 "Resource": "*"
diff --git a/terraform/ecc-aws-127-rds_cluster_storage_is_encrypted/iam/127-policy.json b/terraform/ecc-aws-127-rds_cluster_storage_is_encrypted/iam/127-policy.json
index bce523589..300f942c4 100644
--- a/terraform/ecc-aws-127-rds_cluster_storage_is_encrypted/iam/127-policy.json
+++ b/terraform/ecc-aws-127-rds_cluster_storage_is_encrypted/iam/127-policy.json
@@ -4,8 +4,7 @@
 {
 "Effect": "Allow",
 "Action": [
- "rds:DescribeDBClusters",
- "tag:GetResources"
+ "rds:DescribeDBClusters"
 ],
 "Resource": "*"
 }
diff --git a/terraform/ecc-aws-139-iam_access_analyzer_is_enabled/iam/139-policy.json b/terraform/ecc-aws-139-iam_access_analyzer_is_enabled/iam/139-policy.json
index c4d401bdc..92d45be82 100644
--- a/terraform/ecc-aws-139-iam_access_analyzer_is_enabled/iam/139-policy.json
+++ b/terraform/ecc-aws-139-iam_access_analyzer_is_enabled/iam/139-policy.json
@@ -4,7 +4,10 @@
 {
 "Sid": "VisualEditor0",
 "Effect": "Allow",
- "Action": "access-analyzer:ListAnalyzers",
+ "Action": [
+ "access-analyzer:ListAnalyzers",
+ "iam:ListAccountAliases"
+ ],
 "Resource": "*"
 }
 ]
diff --git a/terraform/ecc-aws-140-only_one_active_access_key_available_for_any_single_iam_user/iam/140-policy.json b/terraform/ecc-aws-140-only_one_active_access_key_available_for_any_single_iam_user/iam/140-policy.json
index 44e100227..5d9c56d6c 100644
--- a/terraform/ecc-aws-140-only_one_active_access_key_available_for_any_single_iam_user/iam/140-policy.json
+++ b/terraform/ecc-aws-140-only_one_active_access_key_available_for_any_single_iam_user/iam/140-policy.json
@@ -4,6 +4,8 @@
 {
 "Effect": "Allow",
 "Action": [
+ "iam:ListAccessKeys",
+ "iam:GetUser",
 "iam:ListAccessKeys"
 ],
 "Resource": "*"
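Review bot: The new side of the 140-policy.json hunk lists `iam:ListAccessKeys` twice — once as the first added line and again on the unchanged line directly below it. IAM tolerates the duplicate, but it is noise that obscures what the hunk really adds and invites a later "cleanup" that removes the wrong copy; drop the added `"iam:ListAccessKeys",` line and keep only `"iam:GetUser",`, so the Action list reads `"iam:GetUser", "iam:ListAccessKeys"`.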
diff --git a/terraform/ecc-aws-142-s3_buckets_configured_with_block_public_access/iam/142-policy.json b/terraform/ecc-aws-142-s3_buckets_configured_with_block_public_access/iam/142-policy.json
index 3956f7127..b3c5f57c9 100644
--- a/terraform/ecc-aws-142-s3_buckets_configured_with_block_public_access/iam/142-policy.json
+++ b/terraform/ecc-aws-142-s3_buckets_configured_with_block_public_access/iam/142-policy.json
@@ -12,12 +12,10 @@
 "s3:GetBucketWebsite",
 "s3:GetBucketNotification",
 "s3:GetBucketVersioning",
- "s3:GetBucketLifecycle",
 "s3:GetLifecycleConfiguration",
 "s3:GetReplicationConfiguration",
 "s3:GetBucketPolicy",
- "s3:GetBucketPublicAccessBlock",
- "s3:GetEncryptionConfiguration"
+ "s3:GetBucketPublicAccessBlock"
 ],
 "Resource": "*"
 }
diff --git a/terraform/ecc-aws-148-logging_for_s3_enabled/iam/148-policy.json b/terraform/ecc-aws-148-logging_for_s3_enabled/iam/148-policy.json
index 53a7390fd..34114c700 100644
--- a/terraform/ecc-aws-148-logging_for_s3_enabled/iam/148-policy.json
+++ b/terraform/ecc-aws-148-logging_for_s3_enabled/iam/148-policy.json
@@ -12,11 +12,9 @@
 "s3:GetBucketWebsite",
 "s3:GetBucketNotification",
 "s3:GetBucketVersioning",
- "s3:GetBucketLifecycle",
 "s3:GetLifecycleConfiguration",
 "s3:GetReplicationConfiguration",
- "s3:GetBucketPolicy",
- "s3:GetEncryptionConfiguration"
+ "s3:GetBucketPolicy"
 ],
 "Resource": "*"
 }
diff --git a/terraform/ecc-aws-149-rds_public_access_disabled/iam/149-policy.json b/terraform/ecc-aws-149-rds_public_access_disabled/iam/149-policy.json
index 1b7ed2d73..021fa87cd 100644
--- a/terraform/ecc-aws-149-rds_public_access_disabled/iam/149-policy.json
+++ b/terraform/ecc-aws-149-rds_public_access_disabled/iam/149-policy.json
@@ -4,8 +4,7 @@
 {
 "Effect": "Allow",
 "Action": [
- "rds:DescribeDBClusters",
- "tag:GetResources"
+ "rds:DescribeDBInstances"
 ],
 "Resource": "*"
 }
diff --git a/terraform/ecc-aws-149-rds_public_access_disabled/red/rds.tf b/terraform/ecc-aws-149-rds_public_access_disabled/red/rds.tf
index a367758a9..a3af7d2d4 100644
--- a/terraform/ecc-aws-149-rds_public_access_disabled/red/rds.tf
+++ b/terraform/ecc-aws-149-rds_public_access_disabled/red/rds.tf
@@ -7,8 +7,8 @@ resource "random_password" "this" { resource "aws_db_instance" "this" { engine = "mysql" - engine_version = "5.7" - instance_class = "db.t2.micro" + engine_version = "8.0.35" + instance_class = "db.t3.micro" allocated_storage = 10 storage_type = "gp2" db_name = "database149red"
diff --git a/terraform/ecc-aws-153-elasticsearch_domains_audit_logging_enabled/green/es.tf b/terraform/ecc-aws-153-elasticsearch_domains_audit_logging_enabled/green/es.tf
index d8cb8aa93..a967f0ca7 100644
--- a/terraform/ecc-aws-153-elasticsearch_domains_audit_logging_enabled/green/es.tf
+++ b/terraform/ecc-aws-153-elasticsearch_domains_audit_logging_enabled/green/es.tf
@@ -77,7 +77,9 @@ resource "aws_kms_key" "this" { resource "random_password" "this" { length = 12 - special = true - numeric = true + min_lower = 1 + min_numeric = 1 + min_special = 1 + min_upper = 1 override_special = "!#$%*()-_=+[]{}:?" }
\ No newline at end of file
diff --git a/terraform/ecc-aws-153-elasticsearch_domains_audit_logging_enabled/iam/153-policy.json b/terraform/ecc-aws-153-elasticsearch_domains_audit_logging_enabled/iam/153-policy.json
index 3545a0256..6fb06d1d8 100644
--- a/terraform/ecc-aws-153-elasticsearch_domains_audit_logging_enabled/iam/153-policy.json
+++ b/terraform/ecc-aws-153-elasticsearch_domains_audit_logging_enabled/iam/153-policy.json
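Review bot: `engine_version = "8.0.35"` in the red rds.tf fixture pins one specific MySQL minor release, which will make the fixture stop applying once RDS retires that minor — exactly what happened to the `"5.7"` value being replaced. Unless the test deliberately needs that exact build, `engine_version = "8.0"` lets RDS pick the current default minor for the major version, and the provider reports the resolved value in `engine_version_actual`. The `db.t2.micro` to `db.t3.micro` change is fine; the rest of the `aws_db_instance` block lies outside the hunk.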
@@ -1,12 +1,14 @@
 {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "es:DescribeElasticsearchDomain"
- ],
- "Resource": "*"
- }
- ]
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "es:DescribeDomains",
+ "es:ListDomainNames",
+ "es:ListTags"
+ ],
+ "Resource": "*"
+ }
+ ]
 }
\ No newline at end of file
diff --git a/terraform/ecc-aws-155-elasticsearch_domains_configured_with_at_least_three_dedicated_master_nodes/iam/155-policy.json b/terraform/ecc-aws-155-elasticsearch_domains_configured_with_at_least_three_dedicated_master_nodes/iam/155-policy.json
index a8a5d5442..6fb06d1d8 100644
--- a/terraform/ecc-aws-155-elasticsearch_domains_configured_with_at_least_three_dedicated_master_nodes/iam/155-policy.json
+++ b/terraform/ecc-aws-155-elasticsearch_domains_configured_with_at_least_three_dedicated_master_nodes/iam/155-policy.json
@@ -1,12 +1,14 @@
 {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "es:DescribeElasticsearchDomains"
- ],
- "Resource": "*"
- }
- ]
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "es:DescribeDomains",
+ "es:ListDomainNames",
+ "es:ListTags"
+ ],
+ "Resource": "*"
+ }
+ ]
 }
\ No newline at end of file
diff --git a/terraform/ecc-aws-156-elasticsearch_domain_connections_encrypted_using_TLS_1_2/iam/156-policy.json b/terraform/ecc-aws-156-elasticsearch_domain_connections_encrypted_using_TLS_1_2/iam/156-policy.json
index 7804bf99f..6fb06d1d8 100644
--- a/terraform/ecc-aws-156-elasticsearch_domain_connections_encrypted_using_TLS_1_2/iam/156-policy.json
+++ b/terraform/ecc-aws-156-elasticsearch_domain_connections_encrypted_using_TLS_1_2/iam/156-policy.json
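Review bot: After this hunk 153-policy.json is byte-identical to 155, 156, 197, 282 and 283 — all six land on blob 6fb06d1d8 — and 074, 075 and 277 carry the same three `es:` actions under blob fc65b5900, the only visible difference being the trailing newline. Nine hand-maintained copies of one three-action read policy will drift again the next time an action is renamed; the `es:DescribeElasticsearchDomains` to `es:DescribeDomains` migration in this very commit is the case in point, and 156 had accumulated `es:ESHttpGet` along the way. Consider keeping one shared OpenSearch read policy that each rule references, or at minimum make all nine files byte-identical so git presents them as a single blob and a future rename is a one-file change.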
@@ -1,18 +1,14 @@
 {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "VisualEditor0",
- "Effect": "Allow",
- "Action": [
- "es:ListDomainNames",
- "es:DescribeElasticsearchDomain",
- "es:DescribeElasticsearchDomainConfig",
- "es:DescribeElasticsearchDomains",
- "es:DescribeInboundConnections",
- "es:ESHttpGet"
- ],
- "Resource": "*"
- }
- ]
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "es:DescribeDomains",
+ "es:ListDomainNames",
+ "es:ListTags"
+ ],
+ "Resource": "*"
+ }
+ ]
 }
\ No newline at end of file
diff --git a/terraform/ecc-aws-158-rds_db_instances_configured_to_copy_tags_to_snapshots/iam/158-policy.json b/terraform/ecc-aws-158-rds_db_instances_configured_to_copy_tags_to_snapshots/iam/158-policy.json
index cebe8bff4..b4c6bd8ec 100644
--- a/terraform/ecc-aws-158-rds_db_instances_configured_to_copy_tags_to_snapshots/iam/158-policy.json
+++ b/terraform/ecc-aws-158-rds_db_instances_configured_to_copy_tags_to_snapshots/iam/158-policy.json
@@ -4,8 +4,7 @@
 {
 "Effect": "Allow",
 "Action": [
- "rds:DescribeDBInstances",
- "tag:GetResources"
+ "rds:DescribeDBInstances"
 ],
 "Resource": "*"
 }
diff --git a/terraform/ecc-aws-159-rds_critical_cluster_events_notification_exists/iam/159-policy.json b/terraform/ecc-aws-159-rds_critical_cluster_events_notification_exists/iam/159-policy.json
index be2e6360d..7f0a0c2a9 100644
--- a/terraform/ecc-aws-159-rds_critical_cluster_events_notification_exists/iam/159-policy.json
+++ b/terraform/ecc-aws-159-rds_critical_cluster_events_notification_exists/iam/159-policy.json
@@ -7,8 +7,8 @@
 "rds:DescribeEventSubscriptions",
 "iam:ListAccountAliases",
 "rds:DescribeDBInstances",
- "SNS:ListTopics",
- "SNS:GetTopicAttributes"
+ "sns:ListTopics",
+ "sns:GetTopicAttributes"
 ],
 "Resource": "*"
 }
diff --git a/terraform/ecc-aws-160-rds_database_instance_events_notification_exists/iam/160-policy.json b/terraform/ecc-aws-160-rds_database_instance_events_notification_exists/iam/160-policy.json
index 68cf55958..8fa6d8af7 100644
--- a/terraform/ecc-aws-160-rds_database_instance_events_notification_exists/iam/160-policy.json
+++ b/terraform/ecc-aws-160-rds_database_instance_events_notification_exists/iam/160-policy.json
@@ -7,8 +7,8 @@
 "iam:ListAccountAliases",
 "rds:DescribeEventSubscriptions",
 "rds:DescribeDBInstances",
- "SNS:ListTopics",
- "SNS:GetTopicAttributes"
+ "sns:ListTopics",
+ "sns:GetTopicAttributes"
 ],
 "Resource": "*"
 }
diff --git a/terraform/ecc-aws-161-rds_database_parameter_group_events_notification_exists/iam/161-policy.json b/terraform/ecc-aws-161-rds_database_parameter_group_events_notification_exists/iam/161-policy.json
index 68cf55958..8fa6d8af7 100644
--- a/terraform/ecc-aws-161-rds_database_parameter_group_events_notification_exists/iam/161-policy.json
+++ b/terraform/ecc-aws-161-rds_database_parameter_group_events_notification_exists/iam/161-policy.json
@@ -7,8 +7,8 @@
 "iam:ListAccountAliases",
 "rds:DescribeEventSubscriptions",
 "rds:DescribeDBInstances",
- "SNS:ListTopics",
- "SNS:GetTopicAttributes"
+ "sns:ListTopics",
+ "sns:GetTopicAttributes"
 ],
 "Resource": "*"
 }
diff --git a/terraform/ecc-aws-162-rds_database_security_group_events_notification_exists/iam/162-policy.json b/terraform/ecc-aws-162-rds_database_security_group_events_notification_exists/iam/162-policy.json
index 68cf55958..8fa6d8af7 100644
--- a/terraform/ecc-aws-162-rds_database_security_group_events_notification_exists/iam/162-policy.json
+++ b/terraform/ecc-aws-162-rds_database_security_group_events_notification_exists/iam/162-policy.json
@@ -7,8 +7,8 @@
 "iam:ListAccountAliases",
 "rds:DescribeEventSubscriptions",
 "rds:DescribeDBInstances",
- "SNS:ListTopics",
- "SNS:GetTopicAttributes"
+ "sns:ListTopics",
+ "sns:GetTopicAttributes"
 ],
 "Resource": "*"
 }
diff --git a/terraform/ecc-aws-175-rds_instances_storage_is_encrypted/iam/175-policy.json b/terraform/ecc-aws-175-rds_instances_storage_is_encrypted/iam/175-policy.json
index 805b5cf76..e915b6bbc 100644
--- a/terraform/ecc-aws-175-rds_instances_storage_is_encrypted/iam/175-policy.json
+++ b/terraform/ecc-aws-175-rds_instances_storage_is_encrypted/iam/175-policy.json
@@ -4,8 +4,7 @@
 {
 "Effect": "Allow",
 "Action": [
- "rds:DescribeDBInstances",
- "tag:GetResources"
+ "rds:DescribeDBInstances"
 ],
 "Resource": "*"
 }
diff --git a/terraform/ecc-aws-197-elasticsearch_node_to_node_encryption_enabled/iam/197-policy.json b/terraform/ecc-aws-197-elasticsearch_node_to_node_encryption_enabled/iam/197-policy.json
index 7767fa7e3..6fb06d1d8 100644
--- a/terraform/ecc-aws-197-elasticsearch_node_to_node_encryption_enabled/iam/197-policy.json
+++ b/terraform/ecc-aws-197-elasticsearch_node_to_node_encryption_enabled/iam/197-policy.json
@@ -1,14 +1,14 @@
 {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "VisualEditor0",
- "Effect": "Allow",
- "Action": [
- "es:DescribeDomains",
- "es:DescribeElasticsearchDomains"
- ],
- "Resource": "*"
- }
- ]
-}
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "es:DescribeDomains",
+ "es:ListDomainNames",
+ "es:ListTags"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-198-elasticsearch_error_logging_to_cloudwatch_enabled/iam/198-policy.json b/terraform/ecc-aws-198-elasticsearch_error_logging_to_cloudwatch_enabled/iam/198-policy.json
index 45f226fe6..b1c938fb5 100644
--- a/terraform/ecc-aws-198-elasticsearch_error_logging_to_cloudwatch_enabled/iam/198-policy.json
+++ b/terraform/ecc-aws-198-elasticsearch_error_logging_to_cloudwatch_enabled/iam/198-policy.json
@@ -1,15 +1,14 @@
 {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "VisualEditor0",
- "Effect": "Allow",
- "Action": [
- "es:DescribeDomains",
- "es:DescribeElasticsearchDomains",
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "es:DescribeDomains",
+ "es:ListDomainNames",
 "es:ListTags"
- ],
- "Resource": "*"
- }
- ]
-}
+ ],
+ "Resource": "*"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-201-rds_instance_deletion_protection_enabled/iam/201-policy.json b/terraform/ecc-aws-201-rds_instance_deletion_protection_enabled/iam/201-policy.json
index 545a39a4f..021fa87cd 100644
--- a/terraform/ecc-aws-201-rds_instance_deletion_protection_enabled/iam/201-policy.json
+++ b/terraform/ecc-aws-201-rds_instance_deletion_protection_enabled/iam/201-policy.json
@@ -4,8 +4,7 @@
 {
 "Effect": "Allow",
 "Action": [
- "rds:DescribeDBInstances",
- "tag:GetResources"
+ "rds:DescribeDBInstances"
 ],
 "Resource": "*"
 }
diff --git a/terraform/ecc-aws-221-sns_kms_encryption_enabled/iam/221-policy.json b/terraform/ecc-aws-221-sns_kms_encryption_enabled/iam/221-policy.json
index f367906a3..b9efd395d 100644
--- a/terraform/ecc-aws-221-sns_kms_encryption_enabled/iam/221-policy.json
+++ b/terraform/ecc-aws-221-sns_kms_encryption_enabled/iam/221-policy.json
@@ -5,8 +5,8 @@
 "Effect": "Allow",
 "Action": [
 "sns:GetTopicAttributes",
- "sns:ListTagsForResource",
- "sns:ListTopics"
+ "sns:ListTopics",
+ "tag:GetResources"
 ],
 "Resource": "*"
 }
diff --git a/terraform/ecc-aws-258-emr_at_rest_and_in_transit_encryption_enabled/iam/258-policy.json b/terraform/ecc-aws-258-emr_at_rest_and_in_transit_encryption_enabled/iam/258-policy.json
index 289b5dedb..0a53382ee 100644
--- a/terraform/ecc-aws-258-emr_at_rest_and_in_transit_encryption_enabled/iam/258-policy.json
+++ b/terraform/ecc-aws-258-emr_at_rest_and_in_transit_encryption_enabled/iam/258-policy.json
@@ -1,15 +1,15 @@
 {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "elasticmapreduce:DescribeSecurityConfiguration",
- "elasticmapreduce:ListClusters",
- "elasticmapreduce:DescribeCluster",
- "elasticmapreduce:ListSecurityConfigurations"
- ],
- "Resource": "*"
- }
- ]
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "elasticmapreduce:ListClusters",
+ "elasticmapreduce:DescribeCluster",
+ "elasticmapreduce:ListSecurityConfigurations",
+ "elasticmapreduce:DescribeSecurityConfiguration"
+ ],
+ "Resource": "*"
+ }
+ ]
 }
\ No newline at end of file
diff --git a/terraform/ecc-aws-268-elasticache_encrypted_at_rest_using_cmk/iam/268-policy.json b/terraform/ecc-aws-268-elasticache_encrypted_at_rest_using_cmk/iam/268-policy.json
index 0a03e55fb..25b838f51 100644
--- a/terraform/ecc-aws-268-elasticache_encrypted_at_rest_using_cmk/iam/268-policy.json
+++ b/terraform/ecc-aws-268-elasticache_encrypted_at_rest_using_cmk/iam/268-policy.json
@@ -3,7 +3,10 @@
 "Statement": [
 {
 "Effect": "Allow",
- "Action": "elasticache:DescribeReplicationGroups",
+ "Action": [
+ "elasticache:DescribeReplicationGroups",
+ "tag:GetResources"
+ ],
 "Resource": "*"
 }
 ]
diff --git a/terraform/ecc-aws-277-elasticsearch_slow_logs_enabled/iam/277-policy.json b/terraform/ecc-aws-277-elasticsearch_slow_logs_enabled/iam/277-policy.json
index cfa3cc4e1..fc65b5900 100644
--- a/terraform/ecc-aws-277-elasticsearch_slow_logs_enabled/iam/277-policy.json
+++ b/terraform/ecc-aws-277-elasticsearch_slow_logs_enabled/iam/277-policy.json
@@ -1,15 +1,14 @@
 {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "es:DescribeElasticsearchDomains",
- "es:ListDomainNames",
- "es:DescribeDomains",
- "es:ListTags"
- ],
- "Resource": "*"
- }
- ]
-}
\ No newline at end of file
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "es:DescribeDomains",
+ "es:ListDomainNames",
+ "es:ListTags"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
diff --git a/terraform/ecc-aws-280-elasticsearch_encrypted_with_kms_cmk/iam/280-policy.json b/terraform/ecc-aws-280-elasticsearch_encrypted_with_kms_cmk/iam/280-policy.json
index b99131c3f..bcd46081b 100644
--- a/terraform/ecc-aws-280-elasticsearch_encrypted_with_kms_cmk/iam/280-policy.json
+++ b/terraform/ecc-aws-280-elasticsearch_encrypted_with_kms_cmk/iam/280-policy.json
@@ -4,8 +4,8 @@
 {
 "Effect": "Allow",
 "Action": [
+ "es:DescribeDomains",
 "es:ListDomainNames",
- "es:DescribeElasticsearchDomains",
 "es:ListTags",
 "kms:DescribeKey",
 "kms:ListAliases",
diff --git a/terraform/ecc-aws-282-elasticsearch_enforces_https/iam/282-policy.json b/terraform/ecc-aws-282-elasticsearch_enforces_https/iam/282-policy.json
index e7e730411..6fb06d1d8 100644
--- a/terraform/ecc-aws-282-elasticsearch_enforces_https/iam/282-policy.json
+++ b/terraform/ecc-aws-282-elasticsearch_enforces_https/iam/282-policy.json
@@ -1,14 +1,14 @@
 {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "es:ListDomainNames",
- "es:DescribeElasticsearchDomains",
- "es:ListTags"
- ],
- "Resource": "*"
- }
- ]
-}
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "es:DescribeDomains",
+ "es:ListDomainNames",
+ "es:ListTags"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-283-elasticsearch_latest_version/iam/283-policy.json b/terraform/ecc-aws-283-elasticsearch_latest_version/iam/283-policy.json
index e7e730411..6fb06d1d8 100644
--- a/terraform/ecc-aws-283-elasticsearch_latest_version/iam/283-policy.json
+++ b/terraform/ecc-aws-283-elasticsearch_latest_version/iam/283-policy.json
@@ -1,14 +1,14 @@
 {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "es:ListDomainNames",
- "es:DescribeElasticsearchDomains",
- "es:ListTags"
- ],
- "Resource": "*"
- }
- ]
-}
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "es:DescribeDomains",
+ "es:ListDomainNames",
+ "es:ListTags"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-296-rds_mysql_instances_latest_major_version/iam/296-policy.json b/terraform/ecc-aws-296-rds_mysql_instances_latest_major_version/iam/296-policy.json
index e77dc54dc..f3b867fd3 100644
--- a/terraform/ecc-aws-296-rds_mysql_instances_latest_major_version/iam/296-policy.json
+++ b/terraform/ecc-aws-296-rds_mysql_instances_latest_major_version/iam/296-policy.json
@@ -4,8 +4,7 @@
 {
 "Effect": "Allow",
 "Action": [
- "rds:DescribeDBInstances",
- "tag:GetResources"
+ "rds:DescribeDBInstances"
 ],
 "Resource": "*"
 }
diff --git a/terraform/ecc-aws-329-unused_ec2_access_keys/iam/329-policy.json b/terraform/ecc-aws-329-unused_ec2_access_keys/iam/329-policy.json
index 805ccb1cd..3da738bd5 100644
--- a/terraform/ecc-aws-329-unused_ec2_access_keys/iam/329-policy.json
+++ b/terraform/ecc-aws-329-unused_ec2_access_keys/iam/329-policy.json
@@ -6,7 +6,8 @@
 "Effect": "Allow",
 "Action": [
 "ec2:DescribeKeyPairs",
- "ec2:DescribeInstances"
+ "ec2:DescribeInstances",
+ "autoscaling:DescribeAutoScalingGroups"
 ],
 "Resource": "*"
 }
diff --git a/terraform/ecc-aws-345-mq_broker_open_to_all_ports_protocols/iam/345-policy.json b/terraform/ecc-aws-345-mq_broker_open_to_all_ports_protocols/iam/345-policy.json
index 76c2595f7..11959dbc0 100644
--- a/terraform/ecc-aws-345-mq_broker_open_to_all_ports_protocols/iam/345-policy.json
+++ b/terraform/ecc-aws-345-mq_broker_open_to_all_ports_protocols/iam/345-policy.json
@@ -6,7 +6,8 @@
 "Effect": "Allow",
 "Action": [
 "mq:DescribeBroker",
- "mq:ListBrokers"
+ "mq:ListBrokers",
+ "ec2:DescribeSecurityGroups"
 ],
 "Resource": "*"
 }
diff --git a/terraform/ecc-aws-347-msk_data_encrypted_with_kms_cmk/iam/347-policy.json b/terraform/ecc-aws-347-msk_data_encrypted_with_kms_cmk/iam/347-policy.json
index e013a0c5f..c8f2cf239 100644
--- a/terraform/ecc-aws-347-msk_data_encrypted_with_kms_cmk/iam/347-policy.json
+++ b/terraform/ecc-aws-347-msk_data_encrypted_with_kms_cmk/iam/347-policy.json
@@ -4,7 +4,7 @@
 {
 "Effect": "Allow",
 "Action": [
- "kafka:ListClusters",
+ "kafka:ListClustersV2",
 "kms:DescribeKey",
 "kms:ListAliases",
 "tag:GetResources"
diff --git a/terraform/ecc-aws-348-msk_encryption_in_transit_enabled/iam/348-policy.json b/terraform/ecc-aws-348-msk_encryption_in_transit_enabled/iam/348-policy.json
index 4a6094d7c..1b65abbbc 100644
--- a/terraform/ecc-aws-348-msk_encryption_in_transit_enabled/iam/348-policy.json
+++ b/terraform/ecc-aws-348-msk_encryption_in_transit_enabled/iam/348-policy.json
@@ -4,7 +4,7 @@
 {
 "Effect": "Allow",
 "Action": [
- "kafka:ListClusters"
+ "kafka:ListClustersV2"
 ],
 "Resource": "*"
 }
diff --git a/terraform/ecc-aws-350-msk_logging_enabled/iam/350-policy.json b/terraform/ecc-aws-350-msk_logging_enabled/iam/350-policy.json
index 4a6094d7c..1b65abbbc 100644
--- a/terraform/ecc-aws-350-msk_logging_enabled/iam/350-policy.json
+++ b/terraform/ecc-aws-350-msk_logging_enabled/iam/350-policy.json
@@ -4,7 +4,7 @@
 {
 "Effect": "Allow",
 "Action": [
- "kafka:ListClusters"
+ "kafka:ListClustersV2"
 ],
 "Resource": "*"
 }
diff --git a/terraform/ecc-aws-352-sns_encrypted_with_kms_cmk/iam/352-policy.json b/terraform/ecc-aws-352-sns_encrypted_with_kms_cmk/iam/352-policy.json
index 04e7bc31f..dd619483c 100644
--- a/terraform/ecc-aws-352-sns_encrypted_with_kms_cmk/iam/352-policy.json
+++ b/terraform/ecc-aws-352-sns_encrypted_with_kms_cmk/iam/352-policy.json
@@ -5,10 +5,10 @@
 "Effect": "Allow",
 "Action": [
 "sns:GetTopicAttributes",
- "sns:ListTagsForResource",
 "sns:ListTopics",
 "kms:DescribeKey",
- "kms:listAliases"
+ "kms:listAliases",
+ "tag:GetResources"
 ],
 "Resource": "*"
 }
diff --git a/terraform/ecc-aws-392-vpc_endpoint_without_tag_information/iam/392-policy.json b/terraform/ecc-aws-392-vpc_endpoint_without_tag_information/iam/392-policy.json
index 541d6506b..e81b6643e 100644
--- a/terraform/ecc-aws-392-vpc_endpoint_without_tag_information/iam/392-policy.json
+++ b/terraform/ecc-aws-392-vpc_endpoint_without_tag_information/iam/392-policy.json
@@ -1,13 +1,13 @@
 {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "VisualEditor0",
- "Effect": "Allow",
- "Action": [
- "ec2:DescribeVpcEndpointServiceConfigurations"
- ],
- "Resource": "*"
- }
- ]
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "VisualEditor0",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DescribeVpcEndpoints"
+ ],
+ "Resource": "*"
+ }
+ ]
 }
\ No newline at end of file
diff --git a/terraform/ecc-aws-410-elasticsearch_without_tag_information/iam/410-policy.json b/terraform/ecc-aws-410-elasticsearch_without_tag_information/iam/410-policy.json
index e7e730411..6fb06d1d8 100644
--- a/terraform/ecc-aws-410-elasticsearch_without_tag_information/iam/410-policy.json
+++ b/terraform/ecc-aws-410-elasticsearch_without_tag_information/iam/410-policy.json
@@ -1,14 +1,14 @@
 {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "es:ListDomainNames",
- "es:DescribeElasticsearchDomains",
- "es:ListTags"
- ],
- "Resource": "*"
- }
- ]
-}
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "es:DescribeDomains",
+ "es:ListDomainNames",
+ "es:ListTags"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
\ No newline at end of file
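Review bot: The re-added `"kms:listAliases",` line keeps the lowercase `l`, while every other policy in this series spells it `kms:ListAliases` (for example 347-policy.json and 420-policy.json). IAM matches action names case-insensitively, so this is cosmetic, but a repository-wide search for `kms:ListAliases` will miss this file; suggest `"kms:ListAliases",`. The same lowercase spelling survives as a context line in iam/All-permissions_1.json in the second patch and is not touched there either.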
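Review bot: The rewritten 392-policy.json keeps the console-generated `"Sid": "VisualEditor0",`, while the same patch drops that Sid from 501, 566 and 586-policy.json and from the first hunk on this page. The Sid carries no meaning for a single-statement policy, so for consistency with the other rewrites remove the line here as well.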
diff --git a/terraform/ecc-aws-417-msk_clusters_without_tag_information/iam/417-policy.json b/terraform/ecc-aws-417-msk_clusters_without_tag_information/iam/417-policy.json
index 4a6094d7c..1b65abbbc 100644
--- a/terraform/ecc-aws-417-msk_clusters_without_tag_information/iam/417-policy.json
+++ b/terraform/ecc-aws-417-msk_clusters_without_tag_information/iam/417-policy.json
@@ -4,7 +4,7 @@
 {
 "Effect": "Allow",
 "Action": [
- "kafka:ListClusters"
+ "kafka:ListClustersV2"
 ],
 "Resource": "*"
 }
diff --git a/terraform/ecc-aws-420-kms_key_without_tag_information/iam/420-policy.json b/terraform/ecc-aws-420-kms_key_without_tag_information/iam/420-policy.json
index 6120bfb28..302d87981 100644
--- a/terraform/ecc-aws-420-kms_key_without_tag_information/iam/420-policy.json
+++ b/terraform/ecc-aws-420-kms_key_without_tag_information/iam/420-policy.json
@@ -7,7 +7,7 @@
 "kms:DescribeKey",
 "kms:ListAliases",
 "kms:ListKeys",
- "tagging:GetResources"
+ "tag:GetResources"
 ],
 "Resource": "*"
 }
diff --git a/terraform/ecc-aws-428-rds_snapshot_without_tag_information/iam/428-policy.json b/terraform/ecc-aws-428-rds_snapshot_without_tag_information/iam/428-policy.json
index 0eb846af2..e506edf5e 100644
--- a/terraform/ecc-aws-428-rds_snapshot_without_tag_information/iam/428-policy.json
+++ b/terraform/ecc-aws-428-rds_snapshot_without_tag_information/iam/428-policy.json
@@ -4,8 +4,7 @@
 {
 "Effect": "Allow",
 "Action": [
- "rds:DescribeDBSnapshots",
- "tag:GetResources"
+ "rds:DescribeDBSnapshots"
 ],
 "Resource": "*"
 }
diff --git a/terraform/ecc-aws-431-sns_without_tag_information/iam/431-policy.json b/terraform/ecc-aws-431-sns_without_tag_information/iam/431-policy.json
index 43ad1bfe9..6f28f05c3 100644
--- a/terraform/ecc-aws-431-sns_without_tag_information/iam/431-policy.json
+++ b/terraform/ecc-aws-431-sns_without_tag_information/iam/431-policy.json
@@ -6,7 +6,6 @@
 "Effect": "Allow",
 "Action": [
 "tag:GetResources",
- "sns:ListTagsForResource",
 "sns:ListTopics",
 "sns:GetTopicAttributes"
 ],
diff --git a/terraform/ecc-aws-456-emr_imdsv1_disabled/iam/456-policy.json b/terraform/ecc-aws-456-emr_imdsv1_disabled/iam/456-policy.json
index 522082dfd..0a53382ee 100644
--- a/terraform/ecc-aws-456-emr_imdsv1_disabled/iam/456-policy.json
+++ b/terraform/ecc-aws-456-emr_imdsv1_disabled/iam/456-policy.json
@@ -1,14 +1,15 @@
 {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "elasticmapreduce:DescribeSecurityConfiguration",
- "elasticmapreduce:ListClusters",
- "elasticmapreduce:DescribeCluster"
- ],
- "Resource": "*"
- }
- ]
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "elasticmapreduce:ListClusters",
+ "elasticmapreduce:DescribeCluster",
+ "elasticmapreduce:ListSecurityConfigurations",
+ "elasticmapreduce:DescribeSecurityConfiguration"
+ ],
+ "Resource": "*"
+ }
+ ]
 }
\ No newline at end of file
diff --git a/terraform/ecc-aws-463-bucket_not_dns_compliant/iam/463-policy.json b/terraform/ecc-aws-463-bucket_not_dns_compliant/iam/463-policy.json
index 53a7390fd..34114c700 100644
--- a/terraform/ecc-aws-463-bucket_not_dns_compliant/iam/463-policy.json
+++ b/terraform/ecc-aws-463-bucket_not_dns_compliant/iam/463-policy.json
@@ -12,11 +12,9 @@
 "s3:GetBucketWebsite",
 "s3:GetBucketNotification",
 "s3:GetBucketVersioning",
- "s3:GetBucketLifecycle",
 "s3:GetLifecycleConfiguration",
 "s3:GetReplicationConfiguration",
- "s3:GetBucketPolicy",
- "s3:GetEncryptionConfiguration"
+ "s3:GetBucketPolicy"
 ],
 "Resource": "*"
 }
diff --git a/terraform/ecc-aws-479-cloudwatch_log_group_encrypted_with_kms_cmk/iam/479-policy.json b/terraform/ecc-aws-479-cloudwatch_log_group_encrypted_with_kms_cmk/iam/479-policy.json
index 77697516a..b6288bdfc 100644
--- a/terraform/ecc-aws-479-cloudwatch_log_group_encrypted_with_kms_cmk/iam/479-policy.json
+++ b/terraform/ecc-aws-479-cloudwatch_log_group_encrypted_with_kms_cmk/iam/479-policy.json
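Review bot: For a bucket-name DNS-compliance rule (463-policy.json) the `s3:GetBucket*` and `Get*Configuration` actions that remain in this hunk look broader than the check needs; if the rule only reads bucket names, `s3:ListAllMyBuckets` alone may be sufficient and the website, notification, versioning, lifecycle, replication and policy reads could go. The identical trimmed list (same blob ids 53a7390fd..34114c700) is applied to 518-policy.json, where versioning and lifecycle reads are plausibly required, so the two rules may warrant different minimal policies rather than a shared one. The Action array starts above this hunk, so the full list is not visible here.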
@@ -6,9 +6,8 @@
 "Effect": "Allow",
 "Action": [
 "logs:DescribeLogGroups",
- "kms:ListKeys",
- "kms:DescribeKey",
- "tag:GetResources"
+ "tag:GetResources",
+ "kms:ListAliases"
 ],
 "Resource": "*"
 }
diff --git a/terraform/ecc-aws-501-opensearch_access_control_enabled/iam/501-policy.json b/terraform/ecc-aws-501-opensearch_access_control_enabled/iam/501-policy.json
index 59f1771e8..6fb06d1d8 100644
--- a/terraform/ecc-aws-501-opensearch_access_control_enabled/iam/501-policy.json
+++ b/terraform/ecc-aws-501-opensearch_access_control_enabled/iam/501-policy.json
@@ -1,15 +1,14 @@
 {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "VisualEditor0",
- "Effect": "Allow",
- "Action": [
- "es:DescribeDomains",
- "es:DescribeElasticsearchDomains",
- "es:ListTags"
- ],
- "Resource": "*"
- }
- ]
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "es:DescribeDomains",
+ "es:ListDomainNames",
+ "es:ListTags"
+ ],
+ "Resource": "*"
+ }
+ ]
 }
\ No newline at end of file
diff --git a/terraform/ecc-aws-502-rds_automatic_minor_version_upgrade_enabled/iam/502-policy.json b/terraform/ecc-aws-502-rds_automatic_minor_version_upgrade_enabled/iam/502-policy.json
index 805b5cf76..e915b6bbc 100644
--- a/terraform/ecc-aws-502-rds_automatic_minor_version_upgrade_enabled/iam/502-policy.json
+++ b/terraform/ecc-aws-502-rds_automatic_minor_version_upgrade_enabled/iam/502-policy.json
@@ -4,8 +4,7 @@
 {
 "Effect": "Allow",
 "Action": [
- "rds:DescribeDBInstances",
- "tag:GetResources"
+ "rds:DescribeDBInstances"
 ],
 "Resource": "*"
 }
diff --git a/terraform/ecc-aws-504-rds_instance_default_admin_check/iam/504-policy.json b/terraform/ecc-aws-504-rds_instance_default_admin_check/iam/504-policy.json
index 805b5cf76..e915b6bbc 100644
--- a/terraform/ecc-aws-504-rds_instance_default_admin_check/iam/504-policy.json
+++ b/terraform/ecc-aws-504-rds_instance_default_admin_check/iam/504-policy.json
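Review bot: Replacing `kms:DescribeKey` with `kms:ListAliases` in 479-policy.json changes what a customer-managed-key check can observe: DescribeKey is the call that returns a key's manager (AWS vs customer), while ListAliases only returns alias names, so if the rule decides "CMK or not" from key metadata rather than from an `alias/aws/` prefix it will now be denied at runtime. Please confirm against the rule's implementation before merging; 313-policy.json in the second patch makes the same swap. If aliases are in fact sufficient, 280 and 347-policy.json in this series still keep `kms:DescribeKey` and could be trimmed the same way for consistency.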
@@ -4,8 +4,7 @@
 {
 "Effect": "Allow",
 "Action": [
- "rds:DescribeDBInstances",
- "tag:GetResources"
+ "rds:DescribeDBInstances"
 ],
 "Resource": "*"
 }
diff --git a/terraform/ecc-aws-507-sns_topic_message_delivery_notification_enabled/iam/507-policy.json b/terraform/ecc-aws-507-sns_topic_message_delivery_notification_enabled/iam/507-policy.json
index c45a6024e..a76a1e475 100644
--- a/terraform/ecc-aws-507-sns_topic_message_delivery_notification_enabled/iam/507-policy.json
+++ b/terraform/ecc-aws-507-sns_topic_message_delivery_notification_enabled/iam/507-policy.json
@@ -6,7 +6,8 @@
 "Action": [
 "sns:ListTopics",
 "sns:GetTopicAttributes",
- "sns:ListTagsForResource"
+ "sns:ListTagsForResource",
+ "tag:GetResources"
 ],
 "Resource": "*"
 }
diff --git a/terraform/ecc-aws-518-s3_version_lifecycle_policy_check/iam/518-policy.json b/terraform/ecc-aws-518-s3_version_lifecycle_policy_check/iam/518-policy.json
index 53a7390fd..34114c700 100644
--- a/terraform/ecc-aws-518-s3_version_lifecycle_policy_check/iam/518-policy.json
+++ b/terraform/ecc-aws-518-s3_version_lifecycle_policy_check/iam/518-policy.json
@@ -12,11 +12,9 @@
 "s3:GetBucketWebsite",
 "s3:GetBucketNotification",
 "s3:GetBucketVersioning",
- "s3:GetBucketLifecycle",
 "s3:GetLifecycleConfiguration",
 "s3:GetReplicationConfiguration",
- "s3:GetBucketPolicy",
- "s3:GetEncryptionConfiguration"
+ "s3:GetBucketPolicy"
 ],
 "Resource": "*"
 }
diff --git a/terraform/ecc-aws-547-rds_instance_generation/iam/547-policy.json b/terraform/ecc-aws-547-rds_instance_generation/iam/547-policy.json
index 805b5cf76..e915b6bbc 100644
--- a/terraform/ecc-aws-547-rds_instance_generation/iam/547-policy.json
+++ b/terraform/ecc-aws-547-rds_instance_generation/iam/547-policy.json
@@ -4,8 +4,7 @@
 {
 "Effect": "Allow",
 "Action": [
- "rds:DescribeDBInstances",
- "tag:GetResources"
+ "rds:DescribeDBInstances"
 ],
 "Resource": "*"
 }
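Review bot: In 507-policy.json `sns:ListTagsForResource` is kept alongside the newly added `tag:GetResources`, whereas the other SNS policies in this same patch (221, 352 and 431-policy.json) drop `sns:ListTagsForResource` at the moment `tag:GetResources` is introduced. If tag lookup now goes through the Resource Groups Tagging API, the SNS-specific action is redundant and should be removed here too to keep the policy minimal; if 507 genuinely still needs it, a short note on why it differs would save the next reader the comparison.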
diff --git a/terraform/ecc-aws-566-opensearch_auto_tune_enabled/iam/566-policy.json b/terraform/ecc-aws-566-opensearch_auto_tune_enabled/iam/566-policy.json
index 59f1771e8..6fb06d1d8 100644
--- a/terraform/ecc-aws-566-opensearch_auto_tune_enabled/iam/566-policy.json
+++ b/terraform/ecc-aws-566-opensearch_auto_tune_enabled/iam/566-policy.json
@@ -1,15 +1,14 @@
 {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "VisualEditor0",
- "Effect": "Allow",
- "Action": [
- "es:DescribeDomains",
- "es:DescribeElasticsearchDomains",
- "es:ListTags"
- ],
- "Resource": "*"
- }
- ]
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "es:DescribeDomains",
+ "es:ListDomainNames",
+ "es:ListTags"
+ ],
+ "Resource": "*"
+ }
+ ]
 }
\ No newline at end of file
diff --git a/terraform/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/iam/586-policy.json b/terraform/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/iam/586-policy.json
index a85e973a9..6fb06d1d8 100644
--- a/terraform/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/iam/586-policy.json
+++ b/terraform/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/iam/586-policy.json
@@ -1,15 +1,14 @@
 {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "VisualEditor0",
- "Effect": "Allow",
- "Action": [
- "es:DescribeDomains",
- "es:DescribeElasticsearchDomains",
- "es:ListTags"
- ],
- "Resource": "*"
- }
- ]
-}
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "es:DescribeDomains",
+ "es:ListDomainNames",
+ "es:ListTags"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-590-rds_general_purpose_ssd_storage_type/iam/590-policy.json b/terraform/ecc-aws-590-rds_general_purpose_ssd_storage_type/iam/590-policy.json
index 805b5cf76..e915b6bbc 100644
--- a/terraform/ecc-aws-590-rds_general_purpose_ssd_storage_type/iam/590-policy.json
+++ b/terraform/ecc-aws-590-rds_general_purpose_ssd_storage_type/iam/590-policy.json
@@ -4,8 +4,7 @@
 {
 "Effect": "Allow",
 "Action": [
- "rds:DescribeDBInstances",
- "tag:GetResources"
+ "rds:DescribeDBInstances"
 ],
 "Resource": "*"
 }
diff --git a/terraform/ecc-aws-591-reserved_rds_instance_payment_failed/iam/591-policy.json b/terraform/ecc-aws-591-reserved_rds_instance_payment_failed/iam/591-policy.json
index 48a4553f7..d54868af8 100644
--- a/terraform/ecc-aws-591-reserved_rds_instance_payment_failed/iam/591-policy.json
+++ b/terraform/ecc-aws-591-reserved_rds_instance_payment_failed/iam/591-policy.json
@@ -5,7 +5,7 @@
 "Effect": "Allow",
 "Action": [
 "ec2:DescribeReservedDBInstances",
- "tagging:GetResources"
+ "tag:GetResources"
 ],
 "Resource": "*"
 }
diff --git a/terraform/ecc-aws-592-reserved_rds_instance_payment_pending/iam/592-policy.json b/terraform/ecc-aws-592-reserved_rds_instance_payment_pending/iam/592-policy.json
index 48a4553f7..d54868af8 100644
--- a/terraform/ecc-aws-592-reserved_rds_instance_payment_pending/iam/592-policy.json
+++ b/terraform/ecc-aws-592-reserved_rds_instance_payment_pending/iam/592-policy.json
@@ -5,7 +5,7 @@
 "Effect": "Allow",
 "Action": [
 "ec2:DescribeReservedDBInstances",
- "tagging:GetResources"
+ "tag:GetResources"
 ],
 "Resource": "*"
 }
diff --git a/terraform/ecc-aws-593-reserved_rds_instance_recent_purchases/iam/593-policy.json b/terraform/ecc-aws-593-reserved_rds_instance_recent_purchases/iam/593-policy.json
index 48a4553f7..d54868af8 100644
--- a/terraform/ecc-aws-593-reserved_rds_instance_recent_purchases/iam/593-policy.json
+++ b/terraform/ecc-aws-593-reserved_rds_instance_recent_purchases/iam/593-policy.json
@@ -5,7 +5,7 @@
 "Effect": "Allow",
 "Action": [
 "ec2:DescribeReservedDBInstances",
- "tagging:GetResources"
+ "tag:GetResources"
 ],
 "Resource": "*"
 }
diff --git a/terraform/ecc-aws-630-ec2_ami_not_in_use/iam/630-policy.json b/terraform/ecc-aws-630-ec2_ami_not_in_use/iam/630-policy.json
index b8598f1d5..d9d947ec0 100644
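Review bot: The context line `"ec2:DescribeReservedDBInstances",` is left as-is in 591, 592 and 593-policy.json, but DescribeReservedDBInstances is an RDS API, so under the `ec2:` prefix the statement grants nothing usable and the reserved-instance rules will still be denied after the `tagging:` to `tag:` fix. Suggest `"rds:DescribeReservedDBInstances",` in all three files (they share the same blob, so one edit applies to each). The same mis-prefixed action is also added to iam/All-permissions_1.json in the second patch of this series.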
--- a/terraform/ecc-aws-630-ec2_ami_not_in_use/iam/630-policy.json
+++ b/terraform/ecc-aws-630-ec2_ami_not_in_use/iam/630-policy.json
@@ -5,6 +5,7 @@
 "Effect": "Allow",
 "Action": [
 "ec2:DescribeInstances",
+ "ec2:DescribeImages",
 "autoscaling:DescribeAutoScalingGroups",
 "autoscaling:DescribeLaunchConfigurations",
 "ec2:DescribeTags"
From 3e11dd211916b4e3135be3df555c5b8509d88ea8 Mon Sep 17 00:00:00 2001
From: Anna Shcherbak
Date: Fri, 21 Jun 2024 21:36:20 +0300
Subject: [PATCH 2/3] upd: update iam/All-permissions_*.json
---
 iam/All-permissions_1.json | 91 +++++++-----------
 iam/All-permissions_2.json | 94 ++++++++++++++-----
 .../iam/313-policy.json | 3 +-
 3 files changed, 105 insertions(+), 83 deletions(-)
diff --git a/iam/All-permissions_1.json b/iam/All-permissions_1.json
index 013516352..ba0522c05 100644
--- a/iam/All-permissions_1.json
+++ b/iam/All-permissions_1.json
@@ -5,6 +5,7 @@
 "Effect": "Allow",
 "Action": [
 "access-analyzer:ListAnalyzers",
+ "access-analyzer:ListFindings",
 "acm:DescribeCertificate",
 "acm:ListCertificates",
 "airflow:GetEnvironment",
@@ -12,25 +13,30 @@
 "apigateway:GET",
 "appflow:DescribeFlow",
 "appflow:ListFlows",
- "appsync:ListGraphqlApis",
- "appsync:GetGraphqlApi",
+ "application-autoscaling:DescribeScalableTargets",
 "appsync:GetApiCache",
+ "appsync:GetGraphqlApi",
+ "appsync:ListGraphqlApis",
 "autoscaling:DescribeAutoScalingGroups",
 "autoscaling:DescribeLaunchConfigurations",
 "backup:GetBackupPlan",
 "backup:ListBackupPlans",
 "backup:ListBackupVaults",
 "backup:ListTags",
+ "batch:DescribeComputeEnvironments",
 "cloudformation:DescribeStacks",
+ "cloudformation:ListStacks",
 "cloudfront:GetDistributionConfig",
 "cloudfront:ListDistributions",
 "cloudtrail:DescribeTrails",
 "cloudtrail:GetEventSelectors",
 "cloudtrail:GetTrailStatus",
- "cloudwatch:GetMetricStatistics",
 "cloudwatch:DescribeAlarms",
+ "cloudwatch:DescribeAlarmsForMetric",
+ "cloudwatch:GetMetricStatistics",
 "codebuild:BatchGetProjects",
 "codebuild:ListProjects",
+ "codedeploy:GetDeploymentConfig",
 "codedeploy:GetDeploymentGroup",
 "codedeploy:ListApplications",
 "codedeploy:ListDeploymentGroups",
@@ -64,6 +70,10 @@
 "ec2:DescribeNetworkAcls",
 "ec2:DescribeNetworkInterfaces",
 "ec2:DescribeRegions",
+ "ec2:DescribeReservedDBInstances",
+ "ec2:DescribeReservedElasticsearchInstances",
+ "ec2:DescribeReservedInstances",
+ "ec2:DescribeReservedNodes",
 "ec2:DescribeRouteTables",
 "ec2:DescribeSecurityGroupReferences",
 "ec2:DescribeSecurityGroupRules",
@@ -82,7 +92,6 @@
 "ec2:DescribeVpnConnections",
 "ec2:DescribeVpnGateways",
 "ec2:GetEbsEncryptionByDefault",
- "ec2:DescribeReservedInstances",
 "ecr:DescribeRepositories",
 "ecr:GetLifecyclePolicy",
 "ecr:ListTagsForResource",
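Review bot: Three of the four `ec2:DescribeReserved*` actions added after `ec2:DescribeRegions` belong to other services: `DescribeReservedDBInstances` is an RDS API, `DescribeReservedElasticsearchInstances` is an Elasticsearch/OpenSearch Service API and `DescribeReservedNodes` is a Redshift API, so written under the `ec2:` prefix none of them grants the intended call and only `ec2:DescribeReservedInstances` is a genuine EC2 action. The lines should read `"rds:DescribeReservedDBInstances",`, `"es:DescribeReservedElasticsearchInstances",` and `"redshift:DescribeReservedNodes",`, each moved to its service's position in the alphabetical list. The per-rule files 591, 592 and 593-policy.json in the first patch carry the same `ec2:DescribeReservedDBInstances` line.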
@@ -97,11 +106,14 @@
 "eks:DescribeCluster",
 "eks:ListClusters",
 "elasticache:DescribeCacheClusters",
+ "elasticache:DescribeCacheSubnetGroups",
 "elasticache:DescribeReplicationGroups",
+ "elasticbeanstalk:DescribeConfigurationSettings",
 "elasticbeanstalk:DescribeEnvironments",
 "elasticbeanstalk:ListTagsForResource",
 "elasticfilesystem:DescribeFileSystems",
 "elasticfilesystem:DescribeLifecycleConfiguration",
+ "elasticloadbalancing:DescribeListenerCertificates",
 "elasticloadbalancing:DescribeListeners",
 "elasticloadbalancing:DescribeLoadBalancerAttributes",
 "elasticloadbalancing:DescribeLoadBalancerPolicies",
@@ -110,45 +122,51 @@
 "elasticloadbalancing:DescribeTargetGroups",
 "elasticloadbalancing:DescribeTargetHealth",
 "elasticmapreduce:DescribeCluster",
- "elasticmapreduce:ListClusters",
 "elasticmapreduce:DescribeSecurityConfiguration",
+ "elasticmapreduce:ListClusters",
+ "elasticmapreduce:ListSecurityConfigurations",
 "es:DescribeDomains",
- "es:DescribeElasticsearchDomain",
- "es:DescribeElasticsearchDomainConfig",
 "es:DescribeElasticsearchDomains",
- "es:DescribeInboundConnections",
- "es:ESHttpGet",
 "es:ListDomainNames",
 "es:ListTags",
 "events:ListEventBuses",
+ "events:ListTargetsByRule",
+ "events:ListRules",
 "firehose:DescribeDeliveryStream",
 "firehose:ListDeliveryStreams",
 "fsx:DescribeBackups",
 "fsx:DescribeFileSystems",
+ "fsx:DescribeVolumes",
 "glacier:GetVaultAccessPolicy",
 "glacier:ListTagsForVault",
 "glacier:ListVaults",
 "glue:GetDataCatalogEncryptionSettings",
 "glue:GetJobs",
 "glue:GetSecurityConfigurations",
+ "guardduty:GetDetector",
+ "guardduty:GetMasterAccount",
 "guardduty:ListDetectors",
 "iam:GenerateCredentialReport",
 "iam:GetAccountPasswordPolicy",
 "iam:GetCredentialReport",
 "iam:GetGroup",
 "iam:GetPolicy",
+ "iam:GetPolicyVersion",
 "iam:GetRole",
 "iam:GetUser",
 "iam:ListAccessKeys",
 "iam:ListAccountAliases",
+ "iam:ListAttachedRolePolicies",
 "iam:ListAttachedUserPolicies",
 "iam:ListGroups",
 "iam:ListMFADevices",
+ "iam:ListPolicies",
 "iam:ListRoles",
 "iam:ListServerCertificates",
 "iam:ListUserPolicies",
 "iam:ListUsers",
- "kafka:ListClusters",
+ "iam:ListVirtualMFADevices",
+ "kafka:ListClustersV2",
 "kinesis:DescribeStream",
 "kinesis:ListStreams",
 "kinesisvideo:ListStreams",
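Review bot: The two `events:` additions are out of order in an otherwise alphabetically sorted list: `"events:ListTargetsByRule",` is inserted before `"events:ListRules",`; swap them so the ordering the rest of the file relies on for spotting duplicates is preserved. Separately, the hunk drops the data-plane `es:ESHttpGet` and most `es:DescribeElasticsearchDomain*` reads but keeps `es:DescribeElasticsearchDomains`; since the per-rule policies in the first patch were all moved to `es:DescribeDomains`, which is already present here, that remaining line looks like a leftover and can probably go too.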
@@ -158,68 +176,29 @@
 "kms:ListKeys",
 "kms:listAliases",
 "lambda:GetFunction",
+ "lambda:GetFunctionCodeSigningConfig",
 "lambda:GetFunctionConcurrency",
+ "lambda:GetFunctionConfiguration",
 "lambda:ListFunctions",
 "lightsail:GetInstances",
 "logs:DescribeLogGroups",
 "logs:DescribeMetricFilters",
 "mq:DescribeBroker",
 "mq:ListBrokers",
+ "organizations:DescribeOrganization",
 "qldb:DescribeLedger",
 "qldb:ListLedgers",
+ "rds:DescribeDBClusterParameters",
 "rds:DescribeDBClusters",
 "rds:DescribeDBInstances",
 "rds:DescribeDBParameters",
- "rds:DescribeOptionGroups",
 "rds:DescribeDBSnapshotAttributes",
 "rds:DescribeDBSnapshots",
- "rds:DescribeDBClusterParameters",
+ "rds:DescribeEventSubscriptions",
+ "rds:DescribeOptionGroups",
 "redshift:DescribeClusterParameters",
 "redshift:DescribeClusters",
- "redshift:DescribeLoggingStatus",
- "route53:ListHostedZones",
- "route53:ListQueryLoggingConfigs",
- "route53:ListResourceRecordSets",
- "route53:ListTagsForResources",
- "route53domains:ListDomains",
- "route53domains:ListTagsForDomain",
- "s3:GetBucketAcl",
- "s3:GetBucketLocation",
- "s3:GetBucketLogging",
- "s3:GetBucketNotification",
- "s3:GetBucketPolicy",
- "s3:GetBucketTagging",
- "s3:GetBucketVersioning",
- "s3:GetBucketWebsite",
- "s3:GetLifecycleConfiguration",
- "s3:GetReplicationConfiguration",
- "s3:ListAllMyBuckets",
- "s3:GetEncryptionConfiguration",
- "s3:GetBucketPublicAccessBlock",
- "sagemaker:DescribeEndpointConfig",
- "sagemaker:DescribeModel",
- "sagemaker:DescribeNotebookInstance",
- "sagemaker:ListEndpointConfigs",
- "sagemaker:ListModels",
- "sagemaker:ListNotebookInstances",
- "sagemaker:ListTags",
- "securityhub:DescribeHub",
- "sns:GetTopicAttributes",
- "sns:ListTagsForResource",
- "sns:ListTopics",
- "sqs:GetQueueAttributes",
- "sqs:ListQueues",
- "ssm:DescribeInstanceInformation",
- "ssm:ListResourceComplianceSummaries",
- "states:DescribeStateMachine",
- "states:ListStateMachine",
- "tag:GetResources",
- "waf-regional:ListResourcesForWebACL",
- "waf-regional:ListWebACLs",
- "waf-regional:GetWebACL",
- "waf:GetWebACL",
- "waf:ListWebACLs",
- "workspaces:DescribeWorkspaceDirectories"
+ "redshift:DescribeLoggingStatus"
 ],
 "Resource": "*"
 }
diff --git a/iam/All-permissions_2.json b/iam/All-permissions_2.json
index 2e2aac3da..bd42bb197 100644
--- a/iam/All-permissions_2.json
+++ b/iam/All-permissions_2.json
@@ -1,27 +1,71 @@
 {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "batch:DescribeComputeEnvironments",
- "cloudformation:ListStacks",
- "cloudwatch:DescribeAlarmsForMetric",
- "events:ListRules",
- "events:ListTargetsByRule",
- "guardduty:GetDetector",
- "guardduty:GetMasterAccount",
- "iam:ListVirtualMFADevices",
- "iam:ListAttachedRolePolicies",
- "kafka:ListClustersV2",
- "lambda:GetFunctionConfiguration",
- "wafv2:ListWebACLs",
- "workspaces:DescribeWorkspaceImages",
- "workspaces:DescribeWorkspaces",
- "workspaces:DescribeWorkspacesConnectionStatus",
- "xray:GetEncryptionConfig"
- ],
- "Resource": "*"
- }
- ]
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "route53:ListHostedZones",
+ "route53:ListQueryLoggingConfigs",
+ "route53:ListResourceRecordSets",
+ "route53:ListTagsForResources",
+ "route53domains:ListDomains",
+ "route53domains:ListTagsForDomain",
+ "s3:GetBucketAcl",
+ "s3:GetBucketLifecycle",
+ "s3:GetBucketLocation",
+ "s3:GetBucketLogging",
+ "s3:GetBucketNotification",
+ "s3:GetBucketObjectLockConfiguration",
+ "s3:GetBucketOwnershipControls",
+ "s3:GetBucketPolicy",
+ "s3:GetBucketPublicAccessBlock",
+ "s3:GetBucketReplication",
+ "s3:GetBucketTagging",
+ "s3:GetBucketVersioning",
+ "s3:GetBucketWebsite",
+ "s3:GetEncryptionConfiguration",
+ "s3:GetLifecycleConfiguration",
+ "s3:GetObject",
+ "s3:GetReplicationConfiguration",
+ "s3:ListAllMyBuckets",
+ "s3:ListBucket",
+ "sagemaker:DescribeEndpointConfig",
+ "sagemaker:DescribeModel",
+ "sagemaker:DescribeNotebookInstance",
+ "sagemaker:ListEndpointConfigs",
+ "sagemaker:ListModels",
+ "sagemaker:ListNotebookInstances",
+ "sagemaker:ListTags",
+ "secretsmanager:DescribeSecret",
+ "secretsmanager:ListSecrets",
+ "securityhub:DescribeHub",
+ "sns:GetTopicAttributes",
+ "sns:ListTagsForResource",
+ "sns:ListTopics",
+ "sqs:GetQueueAttributes",
+ "sqs:ListQueues",
+ "ssm:DescribeInstanceInformation",
+ "ssm:ListResourceComplianceSummaries",
+ "states:DescribeStateMachine",
+ "states:ListStateMachine",
+ "tag:GetResources",
+ "waf-regional:GetWebACL",
+ "waf-regional:ListResourcesForWebACL",
+ "waf-regional:ListWebACLs",
+ "waf:GetRule",
+ "waf:GetWebACL",
+ "waf:ListActivatedRulesInRuleGroup",
+ "waf:ListRuleGroups",
+ "waf:ListRules",
+ "waf:ListWebACLs",
+ "wafv2:ListWebACLs",
+ "workspaces:DescribeWorkspaceDirectories",
+ "workspaces:DescribeWorkspaceImages",
+ "workspaces:DescribeWorkspaces",
+ "workspaces:DescribeWorkspacesConnectionStatus",
+ "xray:GetEncryptionConfig"
+ ],
+ "Resource": "*"
+ }
+ ]
 }
\ No newline at end of file
diff --git a/terraform/ecc-aws-313-dms_replication_instances_encrypted_with_kms_cmk/iam/313-policy.json b/terraform/ecc-aws-313-dms_replication_instances_encrypted_with_kms_cmk/iam/313-policy.json
index 44b4d318d..6a4a10be4 100644
--- a/terraform/ecc-aws-313-dms_replication_instances_encrypted_with_kms_cmk/iam/313-policy.json
+++ b/terraform/ecc-aws-313-dms_replication_instances_encrypted_with_kms_cmk/iam/313-policy.json
@@ -4,9 +4,8 @@
 {
 "Effect": "Allow",
 "Action": [
- "dms:ListTagsForResource",
 "dms:DescribeReplicationInstances",
- "kms:DescribeKey",
+ "dms:ListTagsForResource",
 "kms:ListAliases",
 "tag:GetResources"
 ],
From 2b080c81582f4da2829d5e05576cb828c205877c Mon Sep 17 00:00:00 2001
From: Anna Shcherbak
Date: Wed, 26 Jun 2024 22:36:04 +0300
Subject: [PATCH 3/3] upd: update policy minimal IAM permissions file for a number of policies
---
 .../iam/108-policy.json | 24 ++++++++++---------
 1 file changed, 13 insertions(+), 11 deletions(-)
diff --git a/terraform/ecc-aws-108-cloudfront_distribution_access_logging/iam/108-policy.json b/terraform/ecc-aws-108-cloudfront_distribution_access_logging/iam/108-policy.json
index d80f22ff9..c9a63f90f 100644
--- a/terraform/ecc-aws-108-cloudfront_distribution_access_logging/iam/108-policy.json
+++ b/terraform/ecc-aws-108-cloudfront_distribution_access_logging/iam/108-policy.json
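Review bot: `"s3:GetObject",` and `"s3:ListBucket",` on `"Resource": "*"` are the only data-plane grants in either All-permissions file; everything else in the new list is bucket, topic, queue or service metadata, and these two give the scanning role read access to every object in every bucket of the account rather than to configuration. If some rule genuinely needs object reads (nothing on this page shows which), put that grant in a separate statement scoped to the specific bucket or prefix, otherwise drop both lines from the aggregate policy. Also, `"s3:GetBucketLifecycle",` is added here while the first patch removes it from 463 and 518-policy.json; as far as I recall the IAM action for the GetBucketLifecycle API is `s3:GetLifecycleConfiguration`, which is already listed, so the older spelling looks redundant and worth a second check.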
@@ -1,12 +1,14 @@
 {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "cloudfront:GetDistributionConfig"
- ],
- "Resource": "*"
- }
- ]
-}
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "cloudfront:ListDistributions",
+ "cloudfront:GetDistributionConfig",
+ "tag:GetResources"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
\ No newline at end of file