feat: add RDS/Lambda/EBS/S3 permissions for infrastructure explorer

n3ziniuka5 · n3ziniuka5 · commit d48d4d8ee6a8 · 2025-11-11T18:07:01.000+02:00
diff --git a/coralogix-policies/coralogix-infrastructure-explorer/CHANGELOG.md b/coralogix-policies/coralogix-infrastructure-explorer/CHANGELOG.md
@@ -2,6 +2,13 @@
 
 ## infrastructure explorer
 
+### 0.0.6 / 5.11.2025 Add RDS permissions
+
+- [update] Scanning for RDS instances
+- [update] Scanning for Lambda functions
+- [update] Scanning for EBS volumes
+- [update] Scanning for S3 buckets
+
 ### 0.0.5 /4.9.2025 Add output to the role that the module will create
 
 - [update] Add output `ExternalId` to the role that the module will create
@@ -14,7 +21,7 @@
 
 ### 0.0.3 / 30.9.2024
 * [update] Add ec2:DescribeNetworkInterfaces
-* 
+*
 ### 0.0.2 / 2.9.2024
 * [update] Add option to run module in AP3 region
 
diff --git a/coralogix-policies/coralogix-infrastructure-explorer/template.yaml b/coralogix-policies/coralogix-infrastructure-explorer/template.yaml
@@ -1,5 +1,5 @@
 AWSTemplateFormatVersion: 2010-09-09
-Description: The module will create a role to allow Coralogix scrape AWS infrastructure metadata
+Description: The module will create a role to allow Coralogix to scrape AWS infrastructure metadata
 Parameters:
   ExternalIdSecret:
     Description: "ExternalIdSecret for sts:AssumeRole"
@@ -83,7 +83,11 @@ Resources:
                 - aws_account_id: !If
                     - IsCustomAWSAccountId
                     - !Ref CustomAWSAccountId
-                    - !FindInMap [CoralogixEnvironment, !Ref CoralogixRegion, "ID"]
+                    - !FindInMap [
+                        CoralogixEnvironment,
+                        !Ref CoralogixRegion,
+                        "ID",
+                      ]
                   role_suffix:
                     !FindInMap [
                       CoralogixEnvironment,
@@ -110,6 +114,33 @@ Resources:
                   - "ec2:DescribeRegions"
                   - "ec2:DescribeTransitGateway*"
                   - "ec2:DescribeNetworkInterfaces"
+                  - "ec2:DescribeVolumes"
+                Resource: "*"
+        - PolicyName: CoralogixDescribeRdsPolicy
+          PolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+              - Effect: Allow
+                Action:
+                  - "rds:DescribeDBInstances"
+                  - "rds:DescribeReservedDBInstances"
+                Resource: "*"
+        - PolicyName: CoralogixListLambdaPolicy
+          PolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+              - Effect: Allow
+                Action:
+                  - "lambda:ListFunctions"
+                Resource: "*"
+        - PolicyName: CoralogixListS3Policy
+          PolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+              - Effect: Allow
+                Action:
+                  - "s3:ListAllMyBuckets"
+                  - "s3express:ListAllMyDirectoryBuckets"
                 Resource: "*"
 
 Outputs:
