Update the cloudguard readonly policy to the latest permissions #5

merged 1 commit into from
May 16, 2024
346 changes: 169 additions & 177 deletions modules/dome9/maint.tf
Expand Up @@ -138,184 +138,176 @@ resource "aws_iam_policy" "readonly-policy" {
description = ""
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CloudGuardReadOnly",
"Action": [
"appfabric:ListAppBundles",
"appfabric:GetAppBundle",
"appfabric:ListTagsForResource",
"lightsail:GetRelationalDatabases",
"lightsail:GetRelationalDatabaseParameters",
"lightsail:GetLoadBalancerTlsCertificates",
"lightsail:GetDomains",
"lightsail:GetDistributions",
"batch:DescribeJobQueues",
"kinesisanalytics:ListTagsForResource",
"ram:GetResourceShares",
"appflow:ListConnectors",
"airflow:GetEnvironment",
"account:GetAlternateContact",
"apigateway:GET",
"athena:GetQueryExecution",
"athena:GetWorkGroup",
"backup:ListBackupVaults",
"backup:ListTags",
"cassandra:Select",
"cognito-identity:DescribeIdentityPool",
"codeartifact:ListDomains",
"codeartifact:DescribeDomain",
"codeartifact:GetDomainPermissionsPolicy",
"codeartifact:ListTagsForResource",
"codeartifact:DescribeRepository",
"codebuild:GetResourcePolicy",
"cognito-idp:DescribeUserPool",
"cognito-idp:DescribeRiskConfiguration",
"compute-optimizer:GetRecommendationSummaries",
"macie2:DescribeBuckets",
"macie2:GetMacieSession",
"macie2:GetFindingStatistics",
"dynamodb:ListTagsOfResource",
"ec2:SearchTransitGatewayRoutes",
"elasticfilesystem:Describe*",
"elasticache:ListTagsForResource",
"es:ListTags",
"eks:DescribeNodegroup",
"eks:ListNodegroups",
"glacier:ListTagsForVault",
"glue:GetConnections",
"glue:GetSecurityConfigurations",
"glue:GetMLTransforms",
"glue:GetCrawlers",
"glue:GetDevEndpoints",
"glue:GetJobs",
"glue:GetDataCatalogEncryptionSettings",
"healthlake:ListFHIRDatastores",
"healthlake:ListTagsForResource",
"inspector2:ListFindings",
"inspector2:BatchGetAccountStatus",
"inspector2:ListFindingAggregations",
"inspector2:ListCoverage",
"kafka:ListClusters",
"kendra:ListTagsForResource",
"devops-guru:DescribeServiceIntegration",
"kinesis:List*",
"kinesis:Describe*",
"kinesisvideo:Describe*",
"kinesisvideo:List*",
"logs:Get*",
"logs:FilterLogEvents",
"logs:ListLogDeliveries",
"codebuild:ListBuilds",
"codebuild:BatchGetBuilds",
"codepipeline:ListWebhooks",
"memorydb:DescribeACLs",
"memorydb:DescribeParameters",
"memorydb:DescribeSnapshots",
"memorydb:DescribeUsers",
"memorydb:ListTags",
"mq:DescribeBroker",
"mq:ListBrokers",
"network-firewall:DescribeFirewall",
"network-firewall:DescribeLoggingConfiguration",
"network-firewall:ListFirewalls",
"network-firewall:DescribeRuleGroup",
"network-firewall:DescribeFirewallPolicy",
"personalize:DescribeDatasetGroup",
"personalize:ListDatasetGroups",
"personalize:ListTagsForResource",
"s3:List*",
"secretsmanager:DescribeSecret",
"ses:ListEmailIdentities",
"ses:GetEmailIdentity",
"ses:ListConfigurationSets",
"ses:GetConfigurationSet",
"sns:ListSubscriptions",
"sns:ListTagsForResource",
"sns:GetPlatformApplicationAttributes",
"sns:ListPlatformApplications",
"states:DescribeStateMachine",
"transcribe:Get*",
"transcribe:List*",
"translate:GetTerminology",
"waf-regional:ListResourcesForWebACL",
"wafv2:ListWebACLs",
"wafv2:ListResourcesForWebACL",
"eks:ListFargateProfiles",
"eks:DescribeFargateProfile",
"ecr:GetRegistryScanningConfiguration",
"ecr:DescribeRegistry",
"appstream:DescribeUsageReportSubscriptions",
"aps:ListWorkspaces",
"aps:DescribeWorkspace",
"aps:DescribeLoggingConfiguration",
"cloudformation:ListTypes",
"cloudformation:DescribeType",
"cloudformation:BatchDescribeTypeConfigurations",
"amplify:ListApps",
"serverlessrepo:GetApplication",
"simspaceweaver:ListSimulations",
"simspaceweaver:ListTagsForResource",
"simspaceweaver:DescribeSimulation",
"grafana:DescribeWorkspace",
"mediaconvert:ListJobs",
"mediaconvert:ListPresets",
"mediaconvert:ListQueues",
"mediaconvert:ListTagsForResource",
"mediapackage:ListChannels",
"mediastore:ListTagsForResource",
"mediatailor:ListChannels",
"mediatailor:GetChannelPolicy",
"mediatailor:ListPlaybackConfigurations",
"mediatailor:ListSourceLocations",
"mediapackage:ListHarvestJobs",
"dataexchange:ListTagsForResource",
"dataexchange:ListEventActions",
"dataexchange:ListJobs",
"elastictranscoder:ListPresets",
"medialive:ListInputs",
"medialive:ListMultiplexes",
"medialive:ListReservations",
"medialive:ListInputSecurityGroups",
"drs:DescribeJobs",
"drs:DescribeJobLogItems",
"drs:DescribeSourceServers",
"drs:DescribeRecoverySnapshots",
"drs:DescribeSourceNetworks",
"drs:DescribeRecoveryInstances",
"drs:GetFailbackReplicationConfiguration",
"drs:DescribeReplicationConfigurationTemplates",
"drs:DescribeLaunchConfigurationTemplates",
"timestream:ListBatchLoadTasks",
"timestream:ListDatabases",
"timestream:ListTables",
"timestream:ListTagsForResource",
"timestream:DescribeEndpoints",
"signer:ListTagsForResource",
"signer:ListSigningJobs",
"signer:ListSigningPlatforms",
"signer:ListSigningProfiles",
"storagegateway:DescribeSMBFileShares",
"nimble:ListStudios",
"ds:ListTagsForResource",
"support:DescribeCases",
"support:DescribeSeverityLevels",
"outposts:ListOutposts"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Sid": "ElasticbeanstalkConfigurationSettingsPermission",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elasticbeanstalk-env-resources-??*?/*"
}
]
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CloudGuardReadOnly",
"Effect": "Allow",
"Action": [
"fms:ListTagsForResource",
"fms:GetAdminScope",
"fms:GetPolicy",
"fms:ListAdminAccountsForOrganization",
"forecast:DescribeDataset",
"forecast:DescribeAutoPredictor",
"forecast:DescribePredictor",
"forecast:ListDatasetGroups",
"forecast:ListExplainabilities",
"forecast:ListForecasts",
"forecast:ListMonitors",
"forecast:ListPredictors",
"forecast:ListTagsForResource",
"appfabric:ListAppBundles",
"appfabric:GetAppBundle",
"appfabric:ListTagsForResource",
"lightsail:GetRelationalDatabases",
"lightsail:GetRelationalDatabaseParameters",
"lightsail:GetLoadBalancerTlsCertificates",
"lightsail:GetDomains",
"lightsail:GetDistributions",
"batch:DescribeJobQueues",
"kinesisanalytics:ListTagsForResource",
"appflow:ListConnectors",
"airflow:GetEnvironment",
"apigateway:GET",
"athena:GetQueryExecution",
"backup:ListTags",
"cassandra:Select",
"codeartifact:ListDomains",
"codeartifact:DescribeDomain",
"codeartifact:ListTagsForResource",
"codeartifact:DescribeRepository",
"codebuild:GetResourcePolicy",
"compute-optimizer:GetRecommendationSummaries",
"macie2:DescribeBuckets",
"macie2:GetMacieSession",
"macie2:GetFindingStatistics",
"verifiedpermissions:ListPolicyStores",
"verifiedpermissions:GetPolicyStore",
"elasticfilesystem:Describe*",
"cloudhsm:DescribeClusters",
"cloudhsm:DescribeBackups",
"glacier:ListTagsForVault",
"glue:GetConnections",
"glue:GetMLTransforms",
"healthlake:ListTagsForResource",
"kendra:ListTagsForResource",
"devops-guru:DescribeServiceIntegration",
"kinesis:List*",
"kinesis:Describe*",
"kinesisvideo:Describe*",
"kinesisvideo:List*",
"logs:Get*",
"logs:FilterLogEvents",
"logs:ListLogDeliveries",
"codebuild:ListBuilds",
"codebuild:BatchGetBuilds",
"codepipeline:ListWebhooks",
"memorydb:DescribeACLs",
"memorydb:DescribeParameters",
"memorydb:DescribeSnapshots",
"memorydb:DescribeUsers",
"memorydb:ListTags",
"personalize:ListTagsForResource",
"s3:List*",
"ses:ListEmailIdentities",
"ses:GetEmailIdentity",
"ses:GetConfigurationSet",
"sns:ListPlatformApplications",
"transcribe:Get*",
"transcribe:List*",
"translate:GetTerminology",
"appstream:DescribeUsageReportSubscriptions",
"aps:ListWorkspaces",
"aps:DescribeWorkspace",
"aps:DescribeLoggingConfiguration",
"cloudformation:ListTypes",
"cloudformation:DescribeType",
"cloudformation:BatchDescribeTypeConfigurations",
"amplify:ListApps",
"serverlessrepo:GetApplication",
"simspaceweaver:ListSimulations",
"simspaceweaver:ListTagsForResource",
"simspaceweaver:DescribeSimulation",
"grafana:DescribeWorkspace",
"mediaconvert:ListJobs",
"mediaconvert:ListPresets",
"mediaconvert:ListQueues",
"mediaconvert:ListTagsForResource",
"mediapackage:ListChannels",
"mediastore:ListTagsForResource",
"mediatailor:ListChannels",
"mediatailor:GetChannelPolicy",
"mediatailor:ListPlaybackConfigurations",
"mediatailor:ListSourceLocations",
"mediapackage:ListHarvestJobs",
"dataexchange:ListTagsForResource",
"dataexchange:ListEventActions",
"dataexchange:ListJobs",
"elastictranscoder:ListPresets",
"medialive:ListInputs",
"medialive:ListMultiplexes",
"medialive:ListReservations",
"medialive:ListInputSecurityGroups",
"drs:DescribeJobs",
"drs:DescribeJobLogItems",
"drs:DescribeSourceServers",
"drs:DescribeRecoverySnapshots",
"drs:DescribeSourceNetworks",
"drs:DescribeRecoveryInstances",
"drs:GetFailbackReplicationConfiguration",
"drs:DescribeReplicationConfigurationTemplates",
"drs:DescribeLaunchConfigurationTemplates",
"timestream:ListBatchLoadTasks",
"timestream:ListDatabases",
"timestream:ListTables",
"timestream:ListTagsForResource",
"timestream:DescribeEndpoints",
"timestream:ListScheduledQueries",
"signer:ListTagsForResource",
"signer:ListSigningJobs",
"signer:ListSigningPlatforms",
"signer:ListSigningProfiles",
"storagegateway:DescribeSMBFileShares",
"ds:ListTagsForResource",
"support:DescribeCases",
"support:DescribeSeverityLevels",
"outposts:ListOutposts",
"waf-regional:ListLoggingConfigurations",
"wafv2:GetIPSet",
"finspace:ListTagsForResource",
"lakeformation:GetDataLakeSettings",
"sagemaker:DescribeTrainingJob",
"sagemaker:DescribeNotebookInstance",
"sagemaker:ListTrainingJobs",
"sagemaker:ListNotebookInstances",
"cognito-idp:ListResourcesForWebACL",
"apprunner:ListAssociatedServicesForWebAcl",
"account:GetContactInformation"
],
"Resource": "*"
},
{
"Sid": "CloudGuardDeny",
"Effect": "Deny",
"Action": [
"glacier:GetJobOutput",
"s3:GetObjectTorrent",
"dynamodb:BatchGet*",
"dynamodb:PartiQLSelect",
"dynamodb:Query",
"dynamodb:Scan",
"dynamodb:Get*",
"qldb:GetBlock",
"qldb:GetDigest",
"qldb:GetRevision",
"sdb:Select*"
],
"Resource": "*"
}
]
}

EOF
}
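Review bot: The rewritten CloudGuardReadOnly statement still grants, on `"Resource": "*"`, several actions that return data rather than configuration metadata — `logs:Get*` and `logs:FilterLogEvents` (log event contents), `cassandra:Select` (Keyspaces table rows) and `codebuild:BatchGetBuilds` (which, as far as I know, returns build environment variable definitions) — which sits uneasily beside the new CloudGuardDeny statement whose evident purpose is to keep the role off data-plane reads. If the vendor requires those grants, the reason should be recorded in the resource rather than left for the next "latest permissions" refresh to widen or trim blindly; the resource's empty `description = ""` context line is the natural place, e.g. `description = "CloudGuard read-only scanning; CloudGuardDeny blocks data-plane reads that attached managed policies may grant"`. Whether the Deny list is complete cannot be judged from this hunk, since which managed policies the role also attaches is outside it (and the Allow side grants `logs:Get*` while the Deny side names no logs action, so the intended boundary is presumably "everything except logs"). The `aws_iam_policy` resource header begins above the hunk.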
