From e10d62a5abf8955fffd5914fa12c6218ae18a20c Mon Sep 17 00:00:00 2001
From: Rob Lambell
Date: Mon, 8 Jan 2024 19:22:46 +0000
Subject: [PATCH 1/5] feat: add missing dynamodb action to policy.json

describe table has been needed since https://github.com/tailwarden/komiser/pull/1111

---
 policy.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy.json b/policy.json
index 06a8d2c7d..ec7fdeebf 100644
--- a/policy.json
+++ b/policy.json
@@ -14,6 +14,7 @@
 "cloudwatch:ListTagsForResource",
 "cloudwatch:ListDashboards",
 "cloudwatch:ListMetricStreams",
+ "dynamodb:DescribeTable",
 "dynamodb:ListTables",
 "sts:GetCallerIdentity",
 "dynamodb:ListTagsOfResource",

From 1690e23ae661ad00bde4f06b0d9754a7d485160a Mon Sep 17 00:00:00 2001
From: Rob Lambell
Date: Mon, 8 Jan 2024 19:59:08 +0000
Subject: [PATCH 2/5] feat: add missing lambda action to policy.json

list event source mappings has been needed since https://github.com/tailwarden/komiser/pull/1040

---
 policy.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy.json b/policy.json
index ec7fdeebf..258fd27b8 100644
--- a/policy.json
+++ b/policy.json
@@ -84,6 +84,7 @@
 "elasticfilesystem:DescribeFileSystems",
 "elasticfilesystem:ListTagsForResource",
 "iam:ListInstanceProfileTags",
+ "lambda:ListEventSourceMappings",
 "lambda:ListFunctions",
 "lambda:ListTags",
 "es:ListDomainNames",

From 1c2b07e57e38e0cc220fe38a94b3550ca1325b22 Mon Sep 17 00:00:00 2001
From: Rob Lambell
Date: Mon, 8 Jan 2024 20:01:40 +0000
Subject: [PATCH 3/5] feat: add missing iam action to policy.json

list users has been needed since https://github.com/tailwarden/komiser/pull/991

---
 policy.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy.json b/policy.json
index 258fd27b8..3683db4e8 100644
--- a/policy.json
+++ b/policy.json
@@ -56,6 +56,7 @@
 "iam:ListRoles",
 "iam:ListSAMLProviders",
 "iam:ListSAMLProviderTags",
+ "iam:ListUsers",
 "kinesis:ListStreams",
 "kinesis:ListStreamConsumers",
 "kms:ListKeys",
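Review bot: `iam:ListUsers` returns user records without their tags, while the rest of this statement pairs each list action with a tag read (`iam:ListInstanceProfileTags`, `iam:ListSAMLProviderTags`, `dynamodb:ListTagsOfResource`, `lambda:ListTags`); if the handler from PR #991 also calls ListUserTags, `iam:ListUserTags` is still missing and the collector will be denied on the tag call rather than on listing. The same question applies to `dynamodb:DescribeTable` in hunk 1 and `lambda:ListEventSourceMappings` in hunk 2 only if those handlers read per-resource tags, which this series does not show. The action array is not kept in service order (`sts:GetCallerIdentity` sits between the two existing dynamodb entries), so each new action should be checked against the whole array to avoid a duplicate entry elsewhere.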
From 63d64f3b891372cb5007dffac0c061f25bb3b45f Mon Sep 17 00:00:00 2001
From: Rob Lambell
Date: Mon, 8 Jan 2024 20:21:13 +0000
Subject: [PATCH 4/5] fix: correct s3 permission for list buckets api call

listbucket iam action is for the contents of a bucket

---
 policy.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy.json b/policy.json
index 3683db4e8..506fa4092 100644
--- a/policy.json
+++ b/policy.json
@@ -90,7 +90,7 @@
 "lambda:ListTags",
 "es:ListDomainNames",
 "es:DescribeDomains",
- "s3:ListBucket"
+ "s3:ListAllMyBuckets"
 ],
 "Resource": "*"
 }

From cad839342c4ac111f06dd289ba825609e4dfed04 Mon Sep 17 00:00:00 2001
From: Rob Lambell
Date: Mon, 8 Jan 2024 20:33:34 +0000
Subject: [PATCH 5/5] feat: add missing code suite actions to policy.json

needed since https://github.com/tailwarden/komiser/pull/1216, https://github.com/tailwarden/komiser/pull/1229, and https://github.com/tailwarden/komiser/pull/1228

---
 policy.json | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/policy.json b/policy.json
index 506fa4092..b390c818a 100644
--- a/policy.json
+++ b/policy.json
@@ -6,6 +6,11 @@
 "Effect": "Allow",
 "Action": [
 "apigateway:GET",
+ "codecommit:ListRepositories",
+ "codecommit:ListTagsForResource",
+ "codebuild:ListProjects",
+ "codedeploy:ListApplications",
+ "codedeploy:ListDeploymentGroups",
 "cloudwatch:GetMetricStatistics",
 "cloudfront:ListDistributions",
 "cloudfront:ListFunctions",
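Review bot: Within this hunk the only S3 action left in the statement is `s3:ListAllMyBuckets`, so if the S3 collector also calls GetBucketLocation or GetBucketTagging per bucket (usual for region and tag discovery, but not visible in this series) `"s3:GetBucketLocation"` and `"s3:GetBucketTagging"` are still absent and those calls will be denied; other S3 actions may exist earlier in the array outside the hunk. The replacement itself is correct: `s3:ListAllMyBuckets` is the IAM action behind the ListBuckets API, it is account-scoped and only works with the `"Resource": "*"` already on the statement. Dropping `s3:ListBucket` is also a least-privilege gain, since with `"Resource": "*"` it permitted object enumeration in every bucket, which an inventory tool does not need.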
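Review bot: `codebuild:ListProjects`, `codedeploy:ListApplications` and `codedeploy:ListDeploymentGroups` return names only, so if the handlers from PRs #1216, #1229 and #1228 then fetch details or tags per resource (as the paired `codecommit:ListTagsForResource` suggests the CodeCommit handler does), `"codebuild:BatchGetProjects"`, `"codedeploy:GetDeploymentGroup"` and `"codedeploy:ListTagsForResource"` would also be required and are not in this statement. That cannot be confirmed from the series; verify against the three handlers before merging. All five additions are read-only list actions, which keeps the statement's inventory-only scope on `"Resource": "*"` intact.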