From e129ca11b7ba80cb7e0345df249334e62ffe256d Mon Sep 17 00:00:00 2001 From: Max Date: Wed, 22 Jan 2025 11:13:52 -0800 Subject: [PATCH 01/10] Adding a new policy to avoid iam policy char limit Adding permission for FIS and codeartifact Adding tag call permissions for ses,backup,amp --- README.md | 20 ++++++++++++++++++ main.tf | 61 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 81 insertions(+) diff --git a/README.md b/README.md index e58f159..0283ac7 100644 --- a/README.md +++ b/README.md @@ -195,3 +195,23 @@ The audit policy is comprised of the following permissions: | PERSONALIZE | personalize:Describe* | | | | personalize:List* | | | | personalize:GetSolutionMetrics | | +| CODEARTIFACT | codeartifact:ListDomains | * | +| | codeartifact:DescribeDomain | | +| | codeartifact:DescribeRepository | | +| | codeartifact:ListPackages | | +| | codeartifact:GetRepositoryEndpoint | | +| | codeartifact:DescribePackage | | +| | codeartifact:ListPackageVersions | | +| | codeartifact:DescribePackageVersion | | +| | codeartifact:GetPackageVersionReadme | | +| | codeartifact:ListPackageVersionDependencies | | +| | codeartifact:ListPackageVersionAssets | | +| | codeartifact:GetPackageVersionAsset | | +| FIS | fis:ListActions | * | +| | fis:GetAction | | +| | fis:ListExperimentTemplates | | +| | fis:GetExperimentTemplate | | +| | fis:ListTargetAccountConfigurations | | +| | fis:ListExperiments | | +| | fis:GetExperiment | | +| | fis:ListExperimentResolvedTargets | | \ No newline at end of file diff --git a/main.tf b/main.tf index 0bd8d0d..120a6d1 100644 --- a/main.tf +++ b/main.tf 
@@ -5,6 +5,7 @@ locals { lacework_audit_policy_name = ( length(var.lacework_audit_policy_name) > 0 ? var.lacework_audit_policy_name : "lwaudit-policy-${random_id.uniq.hex}" ) + lacework_audit_policy_name_b = "${lacework_audit_policy_name}-b" version_file = "${abspath(path.module)}/VERSION" module_name = "terraform-aws-config" module_version = fileexists(local.version_file) ? file(local.version_file) : "" @@ -167,6 +168,7 @@ data "aws_iam_policy_document" "lacework_audit_policy" { "ses:ListRecommendations", "ses:ListSuppressedDestinations", "ses:GetSuppressedDestination", + "ses:ListTagsForResource", ] resources = ["*"] } @@ -197,6 +199,7 @@ data "aws_iam_policy_document" "lacework_audit_policy" { "backup:ListRecoveryPointsByResource", "backup:ListReportPlans", "backup:ListRestoreJobs", + "backup:ListTags", ] resources = ["*"] } @@ -248,6 +251,7 @@ data "aws_iam_policy_document" "lacework_audit_policy" { "aps:DescribeWorkspace", "aps:ListRuleGroupsNamespaces", "aps:DescribeRuleGroupsNamespace", + "aps:ListTagsForResource", ] resources = ["*"] } 
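Review bot: `lacework_audit_policy_name_b = "${…}-b"` appends a suffix to a name that may come straight from `var.lacework_audit_policy_name`, and nothing bounds the result, so a caller whose custom name sits near IAM's 128-character policy-name limit passes `plan` and fails at apply on the second policy only. Unless the variable already carries a length check elsewhere, add one that leaves room for the suffix, e.g. `validation { condition = length(var.lacework_audit_policy_name) <= 126, error_message = "must leave room for the -b suffix" }` on the variable, or state the reduced budget in the variable's description. The enclosing `locals` block starts and ends outside the hunk.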
@@ -270,6 +274,46 @@ data "aws_iam_policy_document" "lacework_audit_policy" { } } + +data "aws_iam_policy_document" "lacework_audit_policy_b" { + count = var.use_existing_iam_role_policy ? 0 : 1 + version = "2012-10-17" + + statement { + sid = "CODEARTIFACT" + actions = ["codeartifact:ListDomains", + "codeartifact:DescribeDomain", + "codeartifact:DescribeRepository", + "codeartifact:ListPackages", + "codeartifact:GetRepositoryEndpoint", + "codeartifact:DescribePackage", + "codeartifact:ListPackageVersions", + "codeartifact:DescribePackageVersion", + "codeartifact:GetPackageVersionReadme", + "codeartifact:ListPackageVersionDependencies", + "codeartifact:ListPackageVersionAssets", + "codeartifact:GetPackageVersionAsset", + "codeartifact:ListTagsForResource", + ] + resources = ["*"] + } + + statement { + sid = "FIS" + actions = ["fis:ListActions", + "fis:GetAction", + "fis:ListExperimentTemplates", + "fis:GetExperimentTemplate", + "fis:ListTargetAccountConfigurations", + "fis:ListExperiments", + "fis:GetExperiment", + "fis:ListExperimentResolvedTargets", + "fis:ListTagsForResource", + ] + resources = ["*"] + } +} + resource "aws_iam_policy" "lacework_audit_policy" { count = var.use_existing_iam_role_policy ? 0 : 1 name = local.lacework_audit_policy_name @@ -278,6 +322,15 @@ resource "aws_iam_policy" "lacework_audit_policy" { tags = var.tags } + +resource "aws_iam_policy" "lacework_audit_policy_b" { + count = var.use_existing_iam_role_policy ? 0 : 1 + name = local.lacework_audit_policy_name_b + description = "An audit policy to allow Lacework to read configs (extends SecurityAudit), this is the second policy" + policy = data.aws_iam_policy_document.lacework_audit_policy_b[0].json + tags = var.tags +} + resource "aws_iam_role_policy_attachment" "lacework_audit_policy_attachment" { count = var.use_existing_iam_role_policy ? 0 : 1 role = local.iam_role_name 
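Review bot: `codeartifact:GetPackageVersionAsset` in the CODEARTIFACT statement grants download of package artifact contents against `resources = ["*"]`, which goes beyond the configuration reads (`List*`, `Describe*`, `GetRepositoryEndpoint`) that the policy description "read configs" promises. If the integration only inventories domains, repositories and package versions, drop that action; if the asset bytes are genuinely needed, add a comment above the statement saying why, so the broader grant is a recorded decision rather than something inherited by the next copy of this list. The README rows added in the same patch also omit `codeartifact:ListTagsForResource` and `fis:ListTagsForResource`, which the document grants, so the table and the statement lists should be brought back in step.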
@@ -285,6 +338,13 @@ resource "aws_iam_role_policy_attachment" "lacework_audit_policy_attachment" { depends_on = [module.lacework_cfg_iam_role] } +resource "aws_iam_role_policy_attachment" "lacework_audit_policy_attachment_b" { + count = var.use_existing_iam_role_policy ? 0 : 1 + role = local.iam_role_name + policy_arn = aws_iam_policy.lacework_audit_policy_b[0].arn + depends_on = [module.lacework_cfg_iam_role] +} + # wait for X seconds for things to settle down in the AWS side # before trying to create the Lacework external integration resource "time_sleep" "wait_time" { @@ -292,6 +352,7 @@ resource "time_sleep" "wait_time" { depends_on = [ aws_iam_role_policy_attachment.security_audit_policy_attachment, aws_iam_role_policy_attachment.lacework_audit_policy_attachment, + aws_iam_role_policy_attachment.lacework_audit_policy_attachment_b, ] } From 97053b52a2d7594bce778bc87d1ad4619db5cecf Mon Sep 17 00:00:00 2001 From: Max Date: Wed, 22 Jan 2025 11:28:13 -0800 Subject: [PATCH 02/10] Fix bug --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 120a6d1..b31c5c7 100644 --- a/main.tf +++ b/main.tf @@ -5,7 +5,7 @@ locals { lacework_audit_policy_name = ( length(var.lacework_audit_policy_name) > 0 ? var.lacework_audit_policy_name : "lwaudit-policy-${random_id.uniq.hex}" ) - lacework_audit_policy_name_b = "${lacework_audit_policy_name}-b" + lacework_audit_policy_name_b = "${local.lacework_audit_policy_name}-b" version_file = "${abspath(path.module)}/VERSION" module_name = "terraform-aws-config" module_version = fileexists(local.version_file) ? file(local.version_file) : "" From 705fcde3faa74925830653106e5c986d3e89e604 Mon Sep 17 00:00:00 2001 From: Max Date: Wed, 22 Jan 2025 11:39:53 -0800 Subject: [PATCH 03/10] remove empty line --- main.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/main.tf b/main.tf index b31c5c7..52b12f1 100644 --- a/main.tf +++ b/main.tf 
@@ -322,7 +322,6 @@ resource "aws_iam_policy" "lacework_audit_policy" { tags = var.tags } - resource "aws_iam_policy" "lacework_audit_policy_b" { count = var.use_existing_iam_role_policy ? 0 : 1 name = local.lacework_audit_policy_name_b From 3578f3d0718d54192af19b53df462587d8331e56 Mon Sep 17 00:00:00 2001 From: Max Date: Wed, 22 Jan 2025 14:36:47 -0800 Subject: [PATCH 04/10] Added comments to the code to explain why we need another policy Added explanation to the README file as well --- README.md | 1 + main.tf | 4 +++- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 0283ac7..4f24ae8 100644 --- a/README.md +++ b/README.md @@ -76,6 +76,7 @@ Terraform module for configuring an integration with Lacework and AWS for cloud ## Lacework Audit Policy The Lacework audit policy extends the SecurityAudit policy to facilitate the reading of additional configuration resources. +As of 1/22/2025, we have exceeded the limit of 6144 characters for a single policy, thus every service starting with codeartifact are in a new policy. The audit policy is comprised of the following permissions: | sid | actions | resources | diff --git a/main.tf b/main.tf index 52b12f1..c82a379 100644 --- a/main.tf +++ b/main.tf @@ -274,7 +274,9 @@ data "aws_iam_policy_document" "lacework_audit_policy" { } } - +# AWS iam allows only 6144 characters in a single policy +# We've come to a point where there are too many actions in a single policy which is causing the policy to exceed the limit +# So we needed a new policy to accommodate the overflow of actions, thus we added this new policy "lacework_audit_policy_b" data "aws_iam_policy_document" "lacework_audit_policy_b" { count = var.use_existing_iam_role_policy ? 0 : 1 version = "2012-10-17" From e2cc25367b6635698960e256177a7fb6b0a4194f Mon Sep 17 00:00:00 2001 From: Max Date: Wed, 22 Jan 2025 14:39:42 -0800 Subject: [PATCH 05/10] Add terraform doc --- README.md | 3 +++ 1 file changed, 3 insertions(+) 
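Review bot: The comment added above `data "aws_iam_policy_document" "lacework_audit_policy_b"` states the 6144-character limit without the two caveats an operator needs: IAM measures managed-policy size with whitespace excluded, and each overflow policy consumes one of the role's managed-policy attachment slots (10 by default), of which SecurityAudit already takes one. Suggest replacing the three lines with `# IAM managed policies are capped at 6,144 characters (whitespace excluded); the audit action list outgrew that limit, so the overflow lives in a second policy.` and `# Each extra policy uses one of the role's managed-policy attachment slots (10 by default).` The README sentence in the same patch ("every service starting with codeartifact") describes the current split point, which will drift as statements move; pointing readers at this comment would age better.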
diff --git a/README.md b/README.md index 4f24ae8..f0191aa 100644 --- a/README.md +++ b/README.md @@ -38,12 +38,15 @@ Terraform module for configuring an integration with Lacework and AWS for cloud | Name | Type | |------|------| | [aws_iam_policy.lacework_audit_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.lacework_audit_policy_b](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_role_policy_attachment.lacework_audit_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_role_policy_attachment.lacework_audit_policy_attachment_b](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.security_audit_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [lacework_integration_aws_cfg.default](https://registry.terraform.io/providers/lacework/lacework/latest/docs/resources/integration_aws_cfg) | resource | | [random_id.uniq](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource | | [time_sleep.wait_time](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | | [aws_iam_policy_document.lacework_audit_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.lacework_audit_policy_b](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [lacework_metric_module.lwmetrics](https://registry.terraform.io/providers/lacework/lacework/latest/docs/data-sources/metric_module) | data source | ## Inputs 
From 46fe02dce0a08a935f7cdb5107bfda55cee1193b Mon Sep 17 00:00:00 2001 From: Max Date: Wed, 22 Jan 2025 15:15:26 -0800 Subject: [PATCH 06/10] Adding permission for kinesis video Adding permission for compute optimizer --- README.md | 6 +++++- main.tf | 14 ++++++++++++-- 2 files changed, 17 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index f0191aa..c668a85 100644 --- a/README.md +++ b/README.md @@ -178,14 +178,18 @@ The audit policy is comprised of the following permissions: | | compute-optimizer:GetEBSVolumeRecommendations | | | | compute-optimizer:GetEC2InstanceRecommendations | | | | compute-optimizer:GetEnrollmentStatus | | -| | compute-optimizer:GetEnrollmentStatusesForOrganization | | | | compute-optimizer:GetLambdaFunctionRecommendations | | | | compute-optimizer:GetRecommendationPreferences | | | | compute-optimizer:GetRecommendationSummaries | | +| | compute-optimizer:GetEcsServiceRecommendations | | +| | compute-optimizer:GetLicenseRecommendations | | | KINESISANALYTICS | kinesisanalytics:ListApplicationSnapshots | | | | kinesisanalytics:ListApplicationVersions | | | | kinesisanalytics:DescribeApplicationVersion | | | | kinesisanalytics:DescribeApplication | | +| KINESISVIDEO | kinesisvideo:GetSignalingChannelEndpoint | * | +| | kinesisvideo:GetDataEndpoint | | +| | kinesisvideo:DescribeImageGenerationConfiguration | | | AMP | aps:ListScrapers | * | | | aps:DescribeScraper | | | | aps:ListWorkspaces | | diff --git a/main.tf b/main.tf index c82a379..589a088 100644 --- a/main.tf +++ b/main.tf 
@@ -223,10 +223,11 @@ data "aws_iam_policy_document" "lacework_audit_policy" { "compute-optimizer:GetEBSVolumeRecommendations", "compute-optimizer:GetEC2InstanceRecommendations", "compute-optimizer:GetEnrollmentStatus", - "compute-optimizer:GetEnrollmentStatusesForOrganization", "compute-optimizer:GetLambdaFunctionRecommendations", "compute-optimizer:GetRecommendationPreferences", - "compute-optimizer:GetRecommendationSummaries" + "compute-optimizer:GetRecommendationSummaries", + "compute-optimizer:GetEcsServiceRecommendations", + "compute-optimizer:GetLicenseRecommendations", ] resources = ["*"] } @@ -241,6 +242,15 @@ data "aws_iam_policy_document" "lacework_audit_policy" { resources = ["*"] } + statement { + sid = "KINESISVIDEO" + actions = ["kinesisvideo:GetSignalingChannelEndpoint", + "kinesisvideo:GetDataEndpoint", + "kinesisvideo:DescribeImageGenerationConfiguration", + ] + resources = ["*"] + } + statement { sid = "AMP" actions = ["aps:ListScrapers", From f83cec961dd54e2c279c984e3abbf41ac709590e Mon Sep 17 00:00:00 2001 From: Max Date: Thu, 23 Jan 2025 13:04:33 -0800 Subject: [PATCH 07/10] Revise the name for the policy to be more verbose --- main.tf | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/main.tf b/main.tf index 589a088..0bfbfb7 100644 --- a/main.tf +++ b/main.tf @@ -5,7 +5,7 @@ locals { lacework_audit_policy_name = ( length(var.lacework_audit_policy_name) > 0 ? var.lacework_audit_policy_name : "lwaudit-policy-${random_id.uniq.hex}" ) - lacework_audit_policy_name_b = "${local.lacework_audit_policy_name}-b" + lacework_audit_policy_name_2025_1 = "${local.lacework_audit_policy_name}-2025-1" version_file = "${abspath(path.module)}/VERSION" module_name = "terraform-aws-config" module_version = fileexists(local.version_file) ? file(local.version_file) : "" 
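Review bot: The compute-optimizer hunk silently drops `compute-optimizer:GetEnrollmentStatusesForOrganization` while the subject line only mentions additions; a removed permission is a behaviour change for operators who mirror this list into their own policy under `use_existing_iam_role_policy`, so the commit message or the comment block above the policy should state the removal and the reason. Style: the two new actions are appended after `GetRecommendationSummaries`, breaking the alphabetical order the visible part of the statement keeps; place `"compute-optimizer:GetEcsServiceRecommendations",` after `GetEC2InstanceRecommendations` and `"compute-optimizer:GetLicenseRecommendations",` after `GetLambdaFunctionRecommendations`. The enclosing `data "aws_iam_policy_document" "lacework_audit_policy"` block starts and ends outside both hunks.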
@@ -140,8 +140,7 @@ data "aws_iam_policy_document" "lacework_audit_policy" { ] resources = ["*"] } - - statement { +` statement { sid = "STATES" actions = ["states:ListTagsForResource"] resources = ["*"] @@ -286,8 +285,9 @@ data "aws_iam_policy_document" "lacework_audit_policy" { # AWS iam allows only 6144 characters in a single policy # We've come to a point where there are too many actions in a single policy which is causing the policy to exceed the limit -# So we needed a new policy to accommodate the overflow of actions, thus we added this new policy "lacework_audit_policy_b" -data "aws_iam_policy_document" "lacework_audit_policy_b" { +# So we needed a new policy to accommodate the overflow of actions, thus we added this new policy "lacework_audit_policy_2025_1" +# Which representing the first new policy in 2025 +data "aws_iam_policy_document" "lacework_audit_policy_2025_1" { count = var.use_existing_iam_role_policy ? 0 : 1 version = "2012-10-17" @@ -334,11 +334,11 @@ resource "aws_iam_policy" "lacework_audit_policy" { tags = var.tags } -resource "aws_iam_policy" "lacework_audit_policy_b" { +resource "aws_iam_policy" "lacework_audit_policy_2025_1" { count = var.use_existing_iam_role_policy ? 0 : 1 - name = local.lacework_audit_policy_name_b + name = local.lacework_audit_policy_name_2025_1 description = "An audit policy to allow Lacework to read configs (extends SecurityAudit), this is the second policy" - policy = data.aws_iam_policy_document.lacework_audit_policy_b[0].json + policy = data.aws_iam_policy_document.lacework_audit_policy_2025_1[0].json tags = var.tags } 
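Review bot: After the rename, the `description` of `aws_iam_policy.lacework_audit_policy_2025_1` still reads "this is the second policy", which no longer explains the `2025_1` scheme to someone looking at the policy in the console where the `.tf` comment is not visible; `description = "Overflow audit policy for Lacework (extends SecurityAudit); first additional policy of 2025, created because the primary audit policy reached the IAM size limit"` carries the reason with the resource. The added comment line `# Which representing the first new policy in 2025` should read `# which represents the first additional policy added in 2025`. Because both the resource address and `name` change, anyone who applied the earlier revision will see this policy destroyed and recreated; if that revision shipped, a `moved { from = aws_iam_policy.lacework_audit_policy_b, to = aws_iam_policy.lacework_audit_policy_2025_1 }` block keeps state continuity (the `name` change still forces replacement), and the brief window in which the role lacks these permissions is worth noting in the commit message.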
@@ -352,7 +352,7 @@ resource "aws_iam_role_policy_attachment" "lacework_audit_policy_attachment" { resource "aws_iam_role_policy_attachment" "lacework_audit_policy_attachment_b" { count = var.use_existing_iam_role_policy ? 0 : 1 role = local.iam_role_name - policy_arn = aws_iam_policy.lacework_audit_policy_b[0].arn + policy_arn = aws_iam_policy.lacework_audit_policy_2025_1[0].arn depends_on = [module.lacework_cfg_iam_role] } From a56a278a9075a92af082ead89f233c0efd1a755b Mon Sep 17 00:00:00 2001 From: Max Date: Thu, 23 Jan 2025 13:14:43 -0800 Subject: [PATCH 08/10] Fix typo --- main.tf | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/main.tf b/main.tf index 0bfbfb7..5fcabc2 100644 --- a/main.tf +++ b/main.tf @@ -140,7 +140,8 @@ data "aws_iam_policy_document" "lacework_audit_policy" { ] resources = ["*"] } -` statement { + + statement { sid = "STATES" actions = ["states:ListTagsForResource"] resources = ["*"] @@ -241,7 +242,7 @@ data "aws_iam_policy_document" "lacework_audit_policy" { resources = ["*"] } - statement { + statement { sid = "KINESISVIDEO" actions = ["kinesisvideo:GetSignalingChannelEndpoint", "kinesisvideo:GetDataEndpoint", From 66996df2ec05f25b13e74005629073cb1bd0505a Mon Sep 17 00:00:00 2001 From: Max Date: Thu, 23 Jan 2025 13:21:00 -0800 Subject: [PATCH 09/10] Updated the doc --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index c668a85..887950e 100644 --- a/README.md +++ b/README.md 
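Review bot: `aws_iam_role_policy_attachment.lacework_audit_policy_attachment_b` keeps the `_b` suffix that this patch removes from the policy it attaches (`aws_iam_policy.lacework_audit_policy_2025_1[0].arn`), so two resources that belong together now follow different naming schemes. Rename it to `lacework_audit_policy_attachment_2025_1` here, together with the `time_sleep` `depends_on` entry and the README resource table (both outside this hunk), so a future `2025_2` overflow policy has an obvious pattern to copy. Renaming an attachment only recreates the attachment itself, so the cost is a brief re-attach rather than a policy replacement.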
@@ -38,7 +38,7 @@ Terraform module for configuring an integration with Lacework and AWS for cloud | Name | Type | |------|------| | [aws_iam_policy.lacework_audit_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy.lacework_audit_policy_b](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.lacework_audit_policy_2025_1](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_role_policy_attachment.lacework_audit_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.lacework_audit_policy_attachment_b](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.security_audit_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | 
@@ -46,7 +46,7 @@ Terraform module for configuring an integration with Lacework and AWS for cloud | [random_id.uniq](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource | | [time_sleep.wait_time](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | | [aws_iam_policy_document.lacework_audit_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.lacework_audit_policy_b](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.lacework_audit_policy_2025_1](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [lacework_metric_module.lwmetrics](https://registry.terraform.io/providers/lacework/lacework/latest/docs/data-sources/metric_module) | data source | ## Inputs From 251372aeb87641d03fbc333d2fe3c5a41547fcad Mon Sep 17 00:00:00 2001 From: Max Date: Thu, 23 Jan 2025 13:22:47 -0800 Subject: [PATCH 10/10] Move new permissions all into the new policy Updated readme --- README.md | 2 +- main.tf | 82 +++++++++++++++++++++++++++---------------------------- 2 files changed, 42 insertions(+), 42 deletions(-) diff --git a/README.md b/README.md index 887950e..d7d5a98 100644 --- a/README.md +++ b/README.md 
@@ -79,7 +79,7 @@ Terraform module for configuring an integration with Lacework and AWS for cloud ## Lacework Audit Policy The Lacework audit policy extends the SecurityAudit policy to facilitate the reading of additional configuration resources. -As of 1/22/2025, we have exceeded the limit of 6144 characters for a single policy, thus every service starting with codeartifact are in a new policy. +As of 1/22/2025, we have exceeded the limit of 6144 characters for a single policy, thus every service starting with KINESISVIDEO are in a new policy: lwaudit-policy-${random_id.uniq.hex}-2025-1 The audit policy is comprised of the following permissions: | sid | actions | resources | diff --git a/main.tf b/main.tf index 5fcabc2..c45f05f 100644 --- a/main.tf +++ b/main.tf @@ -241,47 +241,6 @@ data "aws_iam_policy_document" "lacework_audit_policy" { ] resources = ["*"] } - - statement { - sid = "KINESISVIDEO" - actions = ["kinesisvideo:GetSignalingChannelEndpoint", - "kinesisvideo:GetDataEndpoint", - "kinesisvideo:DescribeImageGenerationConfiguration", - ] - resources = ["*"] - } - - statement { - sid = "AMP" - actions = ["aps:ListScrapers", - "aps:DescribeScraper", - "aps:ListWorkspaces", - "aps:DescribeAlertManagerDefinition", - "aps:DescribeLoggingConfiguration", - "aps:DescribeWorkspace", - "aps:ListRuleGroupsNamespaces", - "aps:DescribeRuleGroupsNamespace", - "aps:ListTagsForResource", - ] - resources = ["*"] - } - - statement { - sid = "APPSTREAM" - actions = ["appstream:Describe*", - "appstream:List*", - ] - resources = ["*"] - } - - statement { - sid = "PERSONALIZE" - actions = ["personalize:Describe*", - "personalize:List*", - "personalize:GetSolutionMetrics", - ] - resources = ["*"] - } } # AWS iam allows only 6144 characters in a single policy 
@@ -325,6 +284,47 @@ data "aws_iam_policy_document" "lacework_audit_policy_2025_1" { ] resources = ["*"] } + + statement { + sid = "KINESISVIDEO" + actions = ["kinesisvideo:GetSignalingChannelEndpoint", + "kinesisvideo:GetDataEndpoint", + "kinesisvideo:DescribeImageGenerationConfiguration", + ] + resources = ["*"] + } + + statement { + sid = "AMP" + actions = ["aps:ListScrapers", + "aps:DescribeScraper", + "aps:ListWorkspaces", + "aps:DescribeAlertManagerDefinition", + "aps:DescribeLoggingConfiguration", + "aps:DescribeWorkspace", + "aps:ListRuleGroupsNamespaces", + "aps:DescribeRuleGroupsNamespace", + "aps:ListTagsForResource", + ] + resources = ["*"] + } + + statement { + sid = "APPSTREAM" + actions = ["appstream:Describe*", + "appstream:List*", + ] + resources = ["*"] + } + + statement { + sid = "PERSONALIZE" + actions = ["personalize:Describe*", + "personalize:List*", + "personalize:GetSolutionMetrics", + ] + resources = ["*"] + } } resource "aws_iam_policy" "lacework_audit_policy" {
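Review bot: Statements are moved into the overflow policy by hand, with nothing in the configuration encoding the 6,144-character (whitespace-excluded) limit that motivated the move, so the next action appended to `lacework_audit_policy` will again pass `terraform plan` and fail at apply. If the module's `required_version` permits Terraform 1.2+, add a `lifecycle` precondition to `resource "aws_iam_policy" "lacework_audit_policy"`, whose header is the hunk's last line and whose body lies outside the hunk, and mirror it on `lacework_audit_policy_2025_1`; this assumes the resource's `policy` argument references its data source the same way the `_2025_1` resource does. Separately, the README sentence changed in this patch hard-codes `lwaudit-policy-${random_id.uniq.hex}-2025-1`, which is wrong whenever `var.lacework_audit_policy_name` is set; describe it as the audit policy name with a `-2025-1` suffix instead.
```terraform
resource "aws_iam_policy" "lacework_audit_policy" {
  # … unchanged: count, name, description, policy, tags …
  lifecycle {
    precondition {
      # IAM sizes managed policies with whitespace stripped; fail at plan rather than at apply.
      condition     = length(replace(data.aws_iam_policy_document.lacework_audit_policy[0].json, "/\\s+/", "")) <= 6144
      error_message = "lacework_audit_policy exceeds the 6144-character IAM managed policy limit; move statements to lacework_audit_policy_2025_1."
    }
  }
  # … unchanged: remainder of the resource …
```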