From 0a010bcb416a11b8323e8a0113464a22c1ecbd69 Mon Sep 17 00:00:00 2001
From: Jingjing Zhang
Date: Fri, 8 Dec 2023 16:36:06 -0800
Subject: [PATCH] permisionChange

---
 README.md | 39 +++++----------------------------------
 main.tf | 44 ++++++++++----------------------------------
 2 files changed, 15 insertions(+), 68 deletions(-)

diff --git a/README.md b/README.md
index f392b82..6aad045 100644
--- a/README.md
+++ b/README.md
@@ -101,40 +101,8 @@ The audit policy is comprised of the following permissions:
 | SSO | sso:DescribeAccountAssignmentDeletionStatus | * |
 | | sso:DescribeInstanceAccessControlAttributeConfiguration | |
 | | sso:GetInlinePolicyForPermissionSet | |
-| APIGATEWAY | apigateway:GetApiKeys | * |
-| | apigateway:GetAuthorizers | |
-| | apigateway:GetBasePathMappings | |
-| | apigateway:GetClientCertificates | |
-| | apigateway:GetDeployments | |
-| | apigateway:GetDocumentationParts | |
-| | apigateway:GetDocumentationVersions | |
-| | apigateway:GetDomainNames | |
-| | apigateway:GetGatewayResponses | |
-| | apigateway:GetModels | |
-| | apigateway:GetModelTemplate | |
-| | apigateway:GetRequestValidators | |
-| | apigateway:GetResources | |
-| | apigateway:GetRestApis | |
-| | apigateway:GetSdk | |
-| | apigateway:GetSdkTypes | |
-| | apigateway:GetStages | |
-| | apigateway:GetTags | |
-| | apigateway:GetUsagePlanKeys | |
-| | apigateway:GetUsagePlans | |
-| | apigateway:GetVpcLinks | |
-| APIGATEWAYV2 | apigatewayv2:GetApis | * |
-| | apigatewayv2:GetApiMappings | |
-| | apigatewayv2:GetAuthorizers | |
-| | apigatewayv2:GetDeployments | |
-| | apigatewayv2:GetDomainNames | |
-| | apigatewayv2:GetIntegrations | |
-| | apigatewayv2:GetIntegrationResponses | |
-| | apigatewayv2:GetModelTemplate | |
-| | apigatewayv2:GetModels | |
-| | apigatewayv2:GetRoute | |
-| | apigatewayv2:GetRouteResponses | |
-| | apigatewayv2:GetStages | |
-| | apigatewayv2:GetVpcLinks | |
+| APIGATEWAY | apigateway:GET | * |
+| APIGATEWAYV2 | apigatewayv2:GET | * |
 | WAFREGIONAL | waf-regional:ListRules | * |
 | | waf-regional:GetRule | |
 | | waf-regional:ListRuleGroups | |
@@ -145,3 +113,6 @@ The audit policy is comprised of the following permissions:
 | | glue:GetTags | |
 | CODEBUILD | codebuild:ListBuilds | * |
 | | codebuild:BatchGetBuilds | |
+| SNS | sns:GetDataProtectionPolicy | * |
+| | sns:ListPlatformApplications | |
+| | sns:GetSubscriptionAttributes | |
\ No newline at end of file
diff --git a/main.tf b/main.tf
index c3a630b..5e4ca35 100644
--- a/main.tf
+++ b/main.tf
@@ -93,45 +93,13 @@ data "aws_iam_policy_document" "lacework_audit_policy" {
 statement {
 sid = "APIGATEWAY"
- actions = ["apigateway:GetApiKeys",
- "apigateway:GetAuthorizers",
- "apigateway:GetBasePathMappings",
- "apigateway:GetClientCertificates",
- "apigateway:GetDeployments",
- "apigateway:GetDocumentationParts",
- "apigateway:GetDocumentationVersions",
- "apigateway:GetDomainNames",
- "apigateway:GetGatewayResponses",
- "apigateway:GetModels",
- "apigateway:GetModelTemplate",
- "apigateway:GetRequestValidators",
- "apigateway:GetResources",
- "apigateway:GetRestApis",
- "apigateway:GetSdk",
- "apigateway:GetSdkTypes",
- "apigateway:GetStages",
- "apigateway:GetTags",
- "apigateway:GetUsagePlanKeys",
- "apigateway:GetUsagePlans",
- "apigateway:GetVpcLinks"]
+ actions = ["apigateway:GET"]
 resources = ["*"]
 }
 
 statement {
 sid = "APIGATEWAYV2"
- actions = ["apigatewayv2:GetApis",
- "apigatewayv2:GetApiMappings",
- "apigatewayv2:GetAuthorizers",
- "apigatewayv2:GetDeployments",
- "apigatewayv2:GetDomainNames",
- "apigatewayv2:GetIntegrations",
- "apigatewayv2:GetIntegrationResponses",
- "apigatewayv2:GetModelTemplate",
- "apigatewayv2:GetModels",
- "apigatewayv2:GetRoute",
- "apigatewayv2:GetRouteResponses",
- "apigatewayv2:GetStages",
- "apigatewayv2:GetVpcLinks"]
+ actions = ["apigatewayv2:GET"]
 resources = ["*"]
 }
 
 statement {
@@ -151,6 +119,14 @@ data "aws_iam_policy_document" "lacework_audit_policy" {
 resources = ["*"]
 }
 
+ statement {
+ sid = "SNS"
+ actions = ["sns:GetDataProtectionPolicy",
+ "sns:ListPlatformApplications",
+ "sns:GetSubscriptionAttributes",
+ ]
+ resources = ["*"]
+ }
 statement {
 sid = "CODEBUILD"
 actions = ["codebuild:ListBuilds",
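Review bot: `actions = ["apigateway:GET"]` with `resources = ["*"]` in the APIGATEWAY statement is a broader grant than the enumerated reads it replaces, and the commit does not narrow `resources` to compensate; API Gateway's IAM actions are HTTP-verb shaped, so `GET` on `*` covers every readable control-plane path, including, if I recall the REST API correctly, API key values and client certificates, which an audit role should not need. The flip side is that the removed `apigateway:Get*` names do not appear to be real IAM actions, so this is likely the first time the statement grants anything; the commit message "permisionChange" and the README should say the effective permission is new rather than a rewrite. Consider keeping `apigateway:GET` but pairing it with a Deny on the API-key resource ARNs (something like `arn:aws:apigateway:*::/apikeys*`, to be confirmed against the Service Authorization Reference), so the audit principal cannot read key material. For the APIGATEWAYV2 statement, as far as I know the V2 API is authorized under the same `apigateway` service prefix, so `apigatewayv2:GET` may match nothing; verify the prefix and, if so, drop the second statement and rely on the first. The enclosing `data "aws_iam_policy_document" "lacework_audit_policy"` block begins before and ends after this hunk.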
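Review bot: The new SNS statement closes its `actions` list on a separate `]` line after a trailing comma, while every neighbouring statement in this policy (APIGATEWAY, CODEBUILD and the others) closes the list on the last element, e.g. `"codebuild:BatchGetBuilds"]`; matching that keeps the document uniform and is what `terraform fmt` would leave in place. The last element would become `"sns:GetSubscriptionAttributes"]` with the bare `]` line removed. The README table entries for SNS agree with the three actions here, which is good; the enclosing `data "aws_iam_policy_document"` block extends beyond both ends of this hunk.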