From 95362dce7145be6eaa228b784ac24f53714c9607 Mon Sep 17 00:00:00 2001
From: John
Date: Tue, 27 Jun 2023 08:52:38 +1200
Subject: [PATCH 1/2] Update control-tower-integration.template.yaml

Due to customer feedback around Lacework broad permissions requests - limit the Sid "StackSetInstanceDelete" permissions to "lacework-*" prefixed resources only. Also break "StackSetInstanceDescribeStackSetOperation" out into its own Sid without the limitation

---
 templates/control-tower-integration.template.yaml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/templates/control-tower-integration.template.yaml b/templates/control-tower-integration.template.yaml
index 55498ab..e7c2b70 100644
--- a/templates/control-tower-integration.template.yaml
+++ b/templates/control-tower-integration.template.yaml
@@ -356,11 +356,16 @@ Resources:
 - organizations:DescribeAccount
 Resource:
 !Join ['', ['arn:aws:cloudformation:', !Ref 'AWS::Region', ':', !Ref 'AWS::AccountId', ':stackset/', '*' ]]
- - Sid: StackSetInstanceDelete
+ - Sid: StackSetInstanceDelete
 Effect: Allow
 Action:
 - cloudformation:DeleteStackSet
 - cloudformation:DeleteStackInstances
+ Resource:
+ !Join ['', ['arn:aws:cloudformation:', !Ref 'AWS::Region', ':', !Ref 'AWS::AccountId', ':stackset/', 'Lacework-*' ]]
+ - Sid: StackSetInstanceDescribeStackSetOperation
+ Effect: Allow
+ Action:
 - cloudformation:DescribeStackSetOperation
 Resource:
 !Join ['', ['arn:aws:cloudformation:', !Ref 'AWS::Region', ':', !Ref 'AWS::AccountId', ':stackset/', '*' ]]
@@ -623,4 +628,4 @@ Resources:
 Action: lambda:InvokeFunction
 FunctionName: !GetAtt "LaceworkAccountFunction.Arn"
 Principal: events.amazonaws.com
- SourceArn: !GetAtt "LaceworkControlTowerEvents.Arn"
\ No newline at end of file
+ SourceArn: !GetAtt "LaceworkControlTowerEvents.Arn"

From f4442dbbb3cbbd52e08757c52b34d68473bde143 Mon Sep 17 00:00:00 2001
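Review bot: The commit message says StackSetInstanceDelete is limited to "lacework-*" resources, but the new Resource in the first hunk matches `':stackset/', 'Lacework-*'`; as far as I can tell IAM does not fold case in the resource segment of a CloudFormation ARN, so DeleteStackSet/DeleteStackInstances will only match stack sets whose names really begin with `Lacework-` and will otherwise fail with an access-denied error rather than being over-broad — confirm the literal against the name the integration's stack set is actually created with. The decision to keep the new StackSetInstanceDescribeStackSetOperation Sid at `':stackset/', '*'` is not recorded in the template itself; a comment on that Sid such as `# DescribeStackSetOperation is read-only and intentionally unscoped; only the delete actions are limited to Lacework-* stack sets` would stop a later reviewer from narrowing it without knowing the history. The enclosing policy document starts and ends outside the hunk, so whether the other statements in it were scoped the same way cannot be judged from here.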
From: John
Date: Tue, 27 Jun 2023 09:29:40 +1200
Subject: [PATCH 2/2] Update control-tower-integration.template.yaml

Added missing space to appease the yaml gods

---
 templates/control-tower-integration.template.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/control-tower-integration.template.yaml b/templates/control-tower-integration.template.yaml
index e7c2b70..efdd1ff 100644
--- a/templates/control-tower-integration.template.yaml
+++ b/templates/control-tower-integration.template.yaml
@@ -356,7 +356,7 @@ Resources:
 - organizations:DescribeAccount
 Resource:
 !Join ['', ['arn:aws:cloudformation:', !Ref 'AWS::Region', ':', !Ref 'AWS::AccountId', ':stackset/', '*' ]]
- - Sid: StackSetInstanceDelete
+ - Sid: StackSetInstanceDelete
 Effect: Allow
 Action:
 - cloudformation:DeleteStackSet