diff --git a/README.md b/README.md
index 840c204..a8e9a23 100644
--- a/README.md
+++ b/README.md
@@ -140,7 +140,31 @@ The audit policy is comprised of the following permissions:
 | | ses:ListRecommendations | |
 | | ses:ListSuppressedDestinations | |
 | | ses:GetSuppressedDestination | |
-| COMPUTEOPTIMIZER | compute-optimizer:DescribeRecommendationExportJobs | * |
+| BACKUP | backup:ListBackupJobs | * |
+| | backup:DescribeBackupJob | |
+| | backup:ListBackupPlanTemplates | |
+| | backup:GetBackupPlanFromTemplate | |
+| | backup:ListBackupPlans | |
+| | backup:GetBackupPlan | |
+| | backup:ListBackupPlanVersions | |
+| | backup:ListBackupSelections | |
+| | backup:GetBackupSelection | |
+| | backup:DescribeBackupVault | |
+| | backup:ListRecoveryPointsByBackupVault | |
+| | backup:DescribeRecoveryPoint | |
+| | backup:GetRecoveryPointRestoreMetadata | |
+| | backup:ListCopyJobs | |
+| | backup:ListFrameworks | |
+| | backup:DescribeFramework | |
+| | backup:ListLegalHolds | |
+| | backup:GetLegalHold | |
+| | backup:ListRecoveryPointsByLegalHold | |
+| | backup:ListProtectedResources | |
+| | backup:DescribeProtectedResource | |
+| | backup:ListRecoveryPointsByResource | |
+| | backup:ListReportPlans | |
+| | backup:ListRestoreJobs | |
+| COMPUTEOPTIMIZER | compute-optimizer:DescribeRecommendationExportJobs | * |
 | | compute-optimizer:GetAutoScalingGroupRecommendations | |
 | | compute-optimizer:GetEffectiveRecommendationPreferences | |
 | | compute-optimizer:GetEBSVolumeRecommendations | |
diff --git a/main.tf b/main.tf
index 4809e64..ae4942d 100644
--- a/main.tf
+++ b/main.tf
@@ -156,7 +156,7 @@ data "aws_iam_policy_document" "lacework_audit_policy" {
 resources = ["*"]
 }
- statement {
+ statement {
 sid = "SES"
 actions = ["ses:ListContactLists",
 "ses:GetContactList",
@@ -181,6 +181,36 @@ data "aws_iam_policy_document" "lacework_audit_policy" {
 resources = ["*"]
 }
+ statement {
+ sid = "BACKUP"
+ actions = ["backup:ListBackupJobs",
+ "backup:DescribeBackupJob",
+ "backup:ListBackupPlanTemplates",
+ "backup:GetBackupPlanFromTemplate",
+ "backup:ListBackupPlans",
+ "backup:GetBackupPlan",
+ "backup:ListBackupPlanVersions",
+ "backup:ListBackupSelections",
+ "backup:GetBackupSelection",
+ "backup:DescribeBackupVault",
+ "backup:ListRecoveryPointsByBackupVault",
+ "backup:DescribeRecoveryPoint",
+ "backup:GetRecoveryPointRestoreMetadata",
+ "backup:ListCopyJobs",
+ "backup:ListFrameworks",
+ "backup:DescribeFramework",
+ "backup:ListLegalHolds",
+ "backup:GetLegalHold",
+ "backup:ListRecoveryPointsByLegalHold",
+ "backup:ListProtectedResources",
+ "backup:DescribeProtectedResource",
+ "backup:ListRecoveryPointsByResource",
+ "backup:ListReportPlans",
+ "backup:ListRestoreJobs",
+ ]
+ resources = ["*"]
+ }
+
 statement {
 sid = "COMPUTEOPTIMIZER"
 actions = [
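Review bot: `backup:GetRecoveryPointRestoreMetadata` in the new BACKUP statement is the one action here that reads more than inventory: it returns the key-value metadata saved with each recovery point, which can describe how the protected resource was configured, and with `resources = ["*"]` it applies to every vault in the account. If the audit collection does not use that data, leave the action out; if it does, say so above the statement, e.g. `# BACKUP: read-only inventory; restore metadata is needed for <reason>`. The list also has `backup:DescribeBackupVault` without `backup:ListBackupVaults` or `backup:GetBackupVaultAccessPolicy`, presumably because another policy attached to the role already grants them, which is not visible in this hunk and worth confirming. The enclosing `data "aws_iam_policy_document"` block starts and ends outside the hunk.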