From e2154095631eb8c0aa0b27bd4056a0d9fcb59069 Mon Sep 17 00:00:00 2001
From: Max
Date: Thu, 30 Jan 2025 16:56:44 -0800
Subject: [PATCH 1/4] Add permissions for services: memoryDB qbusiness resourcegroups servicecatalogappregistry oam clouddirectory optimizationhub budgets billingconsole

---
 README.md | 98 +++++++++++++++++++++++++++-
 main.tf | 188 ++++++++++++++++++++++++++++++++++++++++++++++++------
 2 files changed, 264 insertions(+), 22 deletions(-)

diff --git a/README.md b/README.md
index d7d5a98..9ded790 100644
--- a/README.md
+++ b/README.md
@@ -144,6 +144,7 @@ The audit policy is comprised of the following permissions:
 | | ses:ListRecommendations | |
 | | ses:ListSuppressedDestinations | |
 | | ses:GetSuppressedDestination | |
+| | ses:ListTagsForResource | |
 | BACKUP | backup:ListBackupJobs | * |
 | | backup:DescribeBackupJob | |
 | | backup:ListBackupPlanTemplates | |
@@ -168,6 +169,7 @@ The audit policy is comprised of the following permissions:
 | | backup:ListRecoveryPointsByResource | |
 | | backup:ListReportPlans | |
 | | backup:ListRestoreJobs | |
+| | backup:ListTags | |
 | COGNITO-IDP | cognito-idp:GetSigningCertificate | |
 | | cognito-idp:GetCSVHeader | |
 | | cognito-idp:GetUserPoolMfaConfig | |
@@ -198,6 +200,7 @@ The audit policy is comprised of the following permissions:
 | | aps:DescribeWorkspace | |
 | | aps:ListRuleGroupsNamespaces | |
 | | aps:DescribeRuleGroupsNamespace | |
+| | aps:ListTagsForResource | |
 | APPSTREAM | appstream:Describe* | |
 | | appstream:List* | |
 | PERSONALIZE | personalize:Describe* | |
@@ -215,6 +218,7 @@ The audit policy is comprised of the following permissions:
 | | codeartifact:ListPackageVersionDependencies | |
 | | codeartifact:ListPackageVersionAssets | |
 | | codeartifact:GetPackageVersionAsset | |
+| | codeartifact:ListTagsForResource | |
 | FIS | fis:ListActions | * |
 | | fis:GetAction | |
 | | fis:ListExperimentTemplates | |
@@ -222,4 +226,96 @@ The audit policy is comprised of the following permissions:
 | | fis:ListTargetAccountConfigurations | |
 | | fis:ListExperiments | |
 | | fis:GetExperiment | |
-| | fis:ListExperimentResolvedTargets | |
\ No newline at end of file
+| | fis:ListExperimentResolvedTargets | |
+| MEMORYDB | memorydb:DescribeMultiRegionClusters | * |
+| | memorydb:DescribeSnapshots | |
+| | memorydb:DescribeSubnetGroups | |
+| | memorydb:DescribeParameterGroups | |
+| | memorydb:DescribeParameters | |
+| | memorydb:DescribeUsers | |
+| | memorydb:DescribeACLs | |
+| | memorydb:DescribeServiceUpdates | |
+| | memorydb:DescribeEngineVersions | |
+| | memorydb:DescribeReservedNodes | |
+| | memorydb:DescribeReservedNodesOfferings | |
+| | memorydb:ListTags | |
+| | memorydb:ListAllowedNodeTypeUpdates | |
+| | memorydb:ListAllowedMultiRegionClusterUpdates | |
+| QBUSINESS | qbusiness:GetApplication | * |
+| | qbusiness:GetChatControlsConfiguration | |
+| | qbusiness:GetPolicy | |
+| | qbusiness:ListAttachments | |
+| | qbusiness:ListConversations | |
+| | qbusiness:ListMessages | |
+| | qbusiness:ListDataAccessors | |
+| | qbusiness:GetDataAccessor | |
+| | qbusiness:GetIndex | |
+| | qbusiness:GetDataSource | |
+| | qbusiness:GetPlugin | |
+| | qbusiness:ListPluginActions | |
+| | qbusiness:GetRetriever | |
+| | qbusiness:GetWebExperience | |
+| | qbusiness:ListPluginTypeMetadata | |
+| | qbusiness:ListPluginTypeActions | |
+| RESOURCEGROUPS | resource-groups:ListGroups | * |
+| | resource-groups:GetGroupQuery | |
+| | resource-groups:GetGroupConfiguration | |
+| SERVICECATALOGAPPREGISTRY | servicecatalog:GetApplication | * |
+| | servicecatalog:ListApplications | |
+| | servicecatalog:GetAssociatedResource | |
+| | servicecatalog:ListAssociatedResources | |
+| | servicecatalog:ListAssociatedAttributeGroups | |
+| | servicecatalog:GetAttributeGroup | |
+| | servicecatalog:ListAttributeGroups | |
+| | servicecatalog:ListTagsForResource | |
+| | servicecatalog:ListAttributeGroupsForApplication | |
+| | servicecatalog:GetConfiguration | |
+| OAM | oam:GetLink | * |
+| | oam:GetSink | |
+| | oam:GetSinkPolicy | |
+| | oam:ListAttachedLinks | |
+| | oam:ListLinks | |
+| | oam:ListSinks | |
+| CLOUDDIRECTORY | clouddirectory:GetAppliedSchemaVersion | * |
+| | clouddirectory:GetDirectory | |
+| | clouddirectory:GetFacet | |
+| | clouddirectory:GetLinkAttributes | |
+| | clouddirectory:GetObjectAttributes | |
+| | clouddirectory:GetObjectInformation | |
+| | clouddirectory:GetSchemaAsJson | |
+| | clouddirectory:GetTypedLinkFacetInformation | |
+| | clouddirectory:ListAppliedSchemaArns | |
+| | clouddirectory:ListAttachedIndices | |
+| | clouddirectory:ListDevelopmentSchemaArns | |
+| | clouddirectory:ListFacetAttributes | |
+| | clouddirectory:ListFacetNames | |
+| | clouddirectory:ListIncomingTypedLinks | |
+| | clouddirectory:ListIndex | |
+| | clouddirectory:ListManagedSchemaArns | |
+| | clouddirectory:ListObjectAttributes | |
+| | clouddirectory:ListObjectChildren | |
+| | clouddirectory:ListObjectParentPaths | |
+| | clouddirectory:ListObjectParents | |
+| | clouddirectory:ListObjectPolicies | |
+| | clouddirectory:ListOutgoingTypedLinks | |
+| | clouddirectory:ListPolicyAttachments | |
+| | clouddirectory:ListPublishedSchemaArns | |
+| | clouddirectory:ListTagsForResource | |
+| | clouddirectory:ListTypedLinkFacetAttributes | |
+| | clouddirectory:ListTypedLinkFacetNames | |
+| COSTOPTIMIZATIONHUB | cost-optimization-hub:GetPreferences | * |
+| | cost-optimization-hub:GetRecommendation | |
+| | cost-optimization-hub:ListEnrollmentStatuses | |
+| | cost-optimization-hub:ListRecommendationSummaries | |
+| | cost-optimization-hub:ListRecommendations | |
+| BUDGETS | budgets:DescribeBudgetAction | * |
+| | budgets:DescribeBudgetActionHistories | |
+| | budgets:DescribeBudgetActionsForAccount | |
+| | budgets:DescribeBudgetActionsForBudget | |
+| | budgets:ListTagsForResource | |
+| | budgets:ViewBudget | |
+| BILLINGCONSOLE | aws-portal:GetConsoleActionSetEnforced | * |
+| | aws-portal :ViewAccount | |
+| | aws-portal :ViewBilling | |
+| | aws-portal :ViewPaymentMethods | |
+| | aws-portal :ViewUsage | |
\ No newline at end of file
diff --git a/main.tf b/main.tf
index c45f05f..6eb659e 100644
--- a/main.tf
+++ b/main.tf
@@ -251,6 +251,47 @@ data "aws_iam_policy_document" "lacework_audit_policy_2025_1" {
 count = var.use_existing_iam_role_policy ? 0 : 1
 version = "2012-10-17"
 
+ statement {
+ sid = "KINESISVIDEO"
+ actions = ["kinesisvideo:GetSignalingChannelEndpoint",
+ "kinesisvideo:GetDataEndpoint",
+ "kinesisvideo:DescribeImageGenerationConfiguration",
+ ]
+ resources = ["*"]
+ }
+
+ statement {
+ sid = "AMP"
+ actions = ["aps:ListScrapers",
+ "aps:DescribeScraper",
+ "aps:ListWorkspaces",
+ "aps:DescribeAlertManagerDefinition",
+ "aps:DescribeLoggingConfiguration",
+ "aps:DescribeWorkspace",
+ "aps:ListRuleGroupsNamespaces",
+ "aps:DescribeRuleGroupsNamespace",
+ "aps:ListTagsForResource",
+ ]
+ resources = ["*"]
+ }
+
+ statement {
+ sid = "APPSTREAM"
+ actions = ["appstream:Describe*",
+ "appstream:List*",
+ ]
+ resources = ["*"]
+ }
+
+ statement {
+ sid = "PERSONALIZE"
+ actions = ["personalize:Describe*",
+ "personalize:List*",
+ "personalize:GetSolutionMetrics",
+ ]
+ resources = ["*"]
+ }
+
 statement {
 sid = "CODEARTIFACT"
 actions = ["codeartifact:ListDomains",
@@ -286,42 +327,147 @@ data "aws_iam_policy_document" "lacework_audit_policy_2025_1" {
 }
 
 statement {
- sid = "KINESISVIDEO"
- actions = ["kinesisvideo:GetSignalingChannelEndpoint",
- "kinesisvideo:GetDataEndpoint",
- "kinesisvideo:DescribeImageGenerationConfiguration",
+ sid = "MEMORYDB"
+ actions = ["memorydb:DescribeMultiRegionClusters",
+ "memorydb:DescribeSnapshots",
+ "memorydb:DescribeSubnetGroups",
+ "memorydb:DescribeParameterGroups",
+ "memorydb:DescribeParameters",
+ "memorydb:DescribeUsers",
+ "memorydb:DescribeACLs",
+ "memorydb:DescribeServiceUpdates",
+ "memorydb:DescribeEngineVersions",
+ "memorydb:DescribeReservedNodes",
+ "memorydb:DescribeReservedNodesOfferings",
+ "memorydb:ListTags",
+ "memorydb:ListAllowedNodeTypeUpdates",
+ "memorydb:ListAllowedMultiRegionClusterUpdates",
 ]
 resources = ["*"]
 }
 
 statement {
- sid = "AMP"
- actions = ["aps:ListScrapers",
- "aps:DescribeScraper",
- "aps:ListWorkspaces",
- "aps:DescribeAlertManagerDefinition",
- "aps:DescribeLoggingConfiguration",
- "aps:DescribeWorkspace",
- "aps:ListRuleGroupsNamespaces",
- "aps:DescribeRuleGroupsNamespace",
- "aps:ListTagsForResource",
+ sid = "QBUSINESS"
+ actions = ["qbusiness:GetApplication",
+ "qbusiness:GetChatControlsConfiguration",
+ "qbusiness:GetPolicy",
+ "qbusiness:ListAttachments",
+ "qbusiness:ListConversations",
+ "qbusiness:ListMessages",
+ "qbusiness:ListDataAccessors",
+ "qbusiness:GetDataAccessor",
+ "qbusiness:GetIndex",
+ "qbusiness:GetDataSource",
+ "qbusiness:GetPlugin",
+ "qbusiness:ListPluginActions",
+ "qbusiness:GetRetriever",
+ "qbusiness:GetWebExperience",
+ "qbusiness:ListPluginTypeMetadata",
+ "qbusiness:ListPluginTypeActions",
 ]
 resources = ["*"]
 }
 
 statement {
- sid = "APPSTREAM"
- actions = ["appstream:Describe*",
- "appstream:List*",
+ sid = "RESOURCEGROUPS"
+ actions = ["resource-groups:ListGroups",
+ "resource-groups:GetGroupQuery",
+ "resource-groups:GetGroupConfiguration",
 ]
 resources = ["*"]
 }
 
 statement {
- sid = "PERSONALIZE"
- actions = ["personalize:Describe*",
- "personalize:List*",
- "personalize:GetSolutionMetrics",
+ sid = "SERVICECATALOGAPPREGISTRY"
+ actions = ["servicecatalog:GetApplication",
+ "servicecatalog:ListApplications",
+ "servicecatalog:GetAssociatedResource",
+ "servicecatalog:ListAssociatedResources",
+ "servicecatalog:ListAssociatedAttributeGroups",
+ "servicecatalog:GetAttributeGroup",
+ "servicecatalog:ListAttributeGroups",
+ "servicecatalog:ListTagsForResource",
+ "servicecatalog:ListAttributeGroupsForApplication",
+ "servicecatalog:GetConfiguration"
+ ]
+ resources = ["*"]
+ }
+
+ statement {
+ sid = "OAM"
+ actions = ["oam:GetLink",
+ "oam:GetSink",
+ "oam:GetSinkPolicy",
+ "oam:ListAttachedLinks",
+ "oam:ListLinks",
+ "oam:ListSinks",
+ ]
+ resources = ["*"]
+ }
+
+ statement {
+ sid = "CLOUDDIRECTORY"
+ actions = ["clouddirectory:GetAppliedSchemaVersion",
+ "clouddirectory:GetDirectory",
+ "clouddirectory:GetFacet",
+ "clouddirectory:GetLinkAttributes",
+ "clouddirectory:GetObjectAttributes",
+ "clouddirectory:GetObjectInformation",
+ "clouddirectory:GetSchemaAsJson",
+ "clouddirectory:GetTypedLinkFacetInformation",
+ "clouddirectory:ListAppliedSchemaArns",
+ "clouddirectory:ListAttachedIndices",
+ "clouddirectory:ListDevelopmentSchemaArns",
+ "clouddirectory:ListFacetAttributes",
+ "clouddirectory:ListFacetNames",
+ "clouddirectory:ListIncomingTypedLinks",
+ "clouddirectory:ListIndex",
+ "clouddirectory:ListManagedSchemaArns",
+ "clouddirectory:ListObjectAttributes",
+ "clouddirectory:ListObjectChildren",
+ "clouddirectory:ListObjectParentPaths",
+ "clouddirectory:ListObjectParents",
+ "clouddirectory:ListObjectPolicies",
+ "clouddirectory:ListOutgoingTypedLinks",
+ "clouddirectory:ListPolicyAttachments",
+ "clouddirectory:ListPublishedSchemaArns",
+ "clouddirectory:ListTagsForResource",
+ "clouddirectory:ListTypedLinkFacetAttributes",
+ "clouddirectory:ListTypedLinkFacetNames",
+ ]
+ resources = ["*"]
+ }
+
+ statement {
+ sid = "COSTOPTIMIZATIONHUB"
+ actions = ["cost-optimization-hub:GetPreferences",
+ "cost-optimization-hub:GetRecommendation",
+ "cost-optimization-hub:ListEnrollmentStatuses",
+ "cost-optimization-hub:ListRecommendationSummaries",
+ "cost-optimization-hub:ListRecommendations",
+ ]
+ resources = ["*"]
+ }
+
+ statement {
+ sid = "BUDGETS"
+ actions = ["budgets:DescribeBudgetAction",
+ "budgets:DescribeBudgetActionHistories",
+ "budgets:DescribeBudgetActionsForAccount",
+ "budgets:DescribeBudgetActionsForBudget",
+ "budgets:ListTagsForResource",
+ "budgets:ViewBudget",
+ ]
+ resources = ["*"]
+ }
+
+ statement {
+ sid = "BILLINGCONSOLE"
+ actions = ["aws-portal:GetConsoleActionSetEnforced",
+ "aws-portal:ViewAccount",
+ "aws-portal:ViewBilling",
+ "aws-portal:ViewPaymentMethods",
+ "aws-portal:ViewUsage",
 ]
 resources = ["*"]
 }

From ff081cfb7746fbedd3a8d10cd2a453e6fe4f8158 Mon Sep 17 00:00:00 2001
From: Max
Date: Thu, 30 Jan 2025 17:21:15 -0800
Subject: [PATCH 2/4] Update the version info

---
 README.md | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 9ded790..d7ef991 100644
--- a/README.md
+++ b/README.md
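Review bot: Several of the new actions read end-user content rather than resource configuration: `qbusiness:ListConversations` and `qbusiness:ListMessages` in the QBUSINESS statement return chat messages, and the QAPPS/QCONNECT statement added later in this series (`qapps:ListQAppSessionData`, `wisdom:GetContent`, `wisdom:GetMessageTemplate`) has the same shape, so unless the audit integration actually consumes that data, drop them or put a comment on the statement stating why they are required. The BILLINGCONSOLE statement depends on the `aws-portal` prefix, which as far as I know AWS is retiring in favor of fine-grained `billing:`/`payments:`/`account:` actions that newer accounts already use exclusively, and `aws-portal:ViewPaymentMethods` exposes payment-instrument details that a configuration audit is unlikely to need. On style, `"servicecatalog:GetConfiguration"` is the only list element in this hunk without a trailing comma, unlike every other action list. The README rows for the same statement spell four actions as `aws-portal :ViewAccount` with a stray space, so the table no longer matches this code. The enclosing `data "aws_iam_policy_document" "lacework_audit_policy_2025_1"` block starts outside the hunk.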
@@ -77,9 +77,11 @@ Terraform module for configuring an integration with Lacework and AWS for cloud
 
 
 ## Lacework Audit Policy
+Release for 0.19.0(Feb 2025):
+Terraform changes to add a second policy and its attachment under the same role.(This changes is to bypass the 6144 chars limit for one policy)
+Add permissions for kinesisvideo, amp, appstream, personalize, codeartifact, fis; Add missing permission for services ses, backup,
+Add permissions for future services to come: memoryDB, resource groups, qbusiness, servicecatalogappregistry, oam, clouddirectory, optimizationhub, budgets,billingconsole
-The Lacework audit policy extends the SecurityAudit policy to facilitate the reading of additional configuration resources.
-As of 1/22/2025, we have exceeded the limit of 6144 characters for a single policy, thus every service starting with KINESISVIDEO are in a new policy: lwaudit-policy-${random_id.uniq.hex}-2025-1
 
 The audit policy is comprised of the following permissions:
 
 | sid | actions | resources |

From 242677967f31ce9200ba2db81b2990d3d5b01b33 Mon Sep 17 00:00:00 2001
From: Max
Date: Thu, 30 Jan 2025 17:36:15 -0800
Subject: [PATCH 3/4] Add permissions for qconnect and qapps

---
 README.md | 38 ++++++++++++++++++++++++++++++++++++--
 main.tf | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 82 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index d7ef991..8af194a 100644
--- a/README.md
+++ b/README.md
@@ -79,8 +79,8 @@ Terraform module for configuring an integration with Lacework and AWS for cloud
 ## Lacework Audit Policy
 Release for 0.19.0(Feb 2025):
 Terraform changes to add a second policy and its attachment under the same role.(This changes is to bypass the 6144 chars limit for one policy)
-Add permissions for kinesisvideo, amp, appstream, personalize, codeartifact, fis; Add missing permission for services ses, backup,
-Add permissions for future services to come: memoryDB, resource groups, qbusiness, servicecatalogappregistry, oam, clouddirectory, optimizationhub, budgets,billingconsole
+Add permissions for kinesisvideo, amp, appstream, personalize, codeartifact, fis; Add missing permission for services ses, backup
+Add permissions for future services to come: memoryDB, resource groups, qbusiness, qapps, qconnect, servicecatalogappregistry, oam, clouddirectory, optimizationhub, budgets,billingconsole
 
 The audit policy is comprised of the following permissions:
 
@@ -259,6 +259,40 @@ The audit policy is comprised of the following permissions:
 | | qbusiness:GetWebExperience | |
 | | qbusiness:ListPluginTypeMetadata | |
 | | qbusiness:ListPluginTypeActions | |
+| QAPPS | qapps:DescribeQAppPermissions | * |
+| | qapps:GetLibraryItem | |
+| | qapps:GetQApp | |
+| | qapps:GetQAppSession | |
+| | qapps:GetQAppSessionMetadata | |
+| | qapps:ListCategories | |
+| | qapps:ListLibraryItems | |
+| | qapps:ListQAppSessionData | |
+| | qapps:ListQApps | |
+| | qapps:ListTagsForResource | |
+| QCONNECT | wisdom:GetAIAgent | * |
+| | wisdom:GetAIGuardrail | |
+| | wisdom:GetAIPrompt | |
+| | wisdom:GetContent | |
+| | wisdom:GetImportJob | |
+| | wisdom:GetKnowledgeBase | |
+| | wisdom:GetMessageTemplate | |
+| | wisdom:GetQuickResponse | |
+| | wisdom:ListAIAgentVersions | |
+| | wisdom:ListAIAgents | |
+| | wisdom:ListAIGuardrailVersions | |
+| | wisdom:ListAIGuardrails | |
+| | wisdom:ListAIPromptVersions | |
+| | wisdom:ListAIPrompts | |
+| | wisdom:ListAssistantAssociations | |
+| | wisdom:ListAssistants | |
+| | wisdom:ListContentAssociations | |
+| | wisdom:ListContents | |
+| | wisdom:ListImportJobs | |
+| | wisdom:ListKnowledgeBases | |
+| | wisdom:ListMessageTemplateVersions | |
+| | wisdom:ListMessageTemplates | |
+| | wisdom:ListQuickResponses | |
+| | wisdom:ListTagsForResource | |
 | RESOURCEGROUPS | resource-groups:ListGroups | * |
 | | resource-groups:GetGroupQuery | |
 | | resource-groups:GetGroupConfiguration | |
diff --git a/main.tf b/main.tf
index 6eb659e..5ff3038 100644
--- a/main.tf
+++ b/main.tf
@@ -368,6 +368,52 @@ data "aws_iam_policy_document" "lacework_audit_policy_2025_1" {
 resources = ["*"]
 }
 
+ statement {
+ sid = "QAPPS"
+ actions = ["qapps:DescribeQAppPermissions",
+ "qapps:GetLibraryItem",
+ "qapps:GetQApp",
+ "qapps:GetQAppSession",
+ "qapps:GetQAppSessionMetadata",
+ "qapps:ListCategories",
+ "qapps:ListLibraryItems",
+ "qapps:ListQAppSessionData",
+ "qapps:ListQApps",
+ "qapps:ListTagsForResource",
+ ]
+ resources = ["*"]
+ }
+
+ statement {
+ sid = "QCONNECT"
+ actions = ["wisdom:GetAIAgent",
+ "wisdom:GetAIGuardrail",
+ "wisdom:GetAIPrompt",
+ "wisdom:GetContent",
+ "wisdom:GetImportJob",
+ "wisdom:GetKnowledgeBase",
+ "wisdom:GetMessageTemplate",
+ "wisdom:GetQuickResponse",
+ "wisdom:ListAIAgentVersions",
+ "wisdom:ListAIAgents",
+ "wisdom:ListAIGuardrailVersions",
+ "wisdom:ListAIGuardrails",
+ "wisdom:ListAIPromptVersions",
+ "wisdom:ListAIPrompts",
+ "wisdom:ListAssistantAssociations",
+ "wisdom:ListAssistants",
+ "wisdom:ListContentAssociations",
+ "wisdom:ListContents",
+ "wisdom:ListImportJobs",
+ "wisdom:ListKnowledgeBases",
+ "wisdom:ListMessageTemplateVersions",
+ "wisdom:ListMessageTemplates",
+ "wisdom:ListQuickResponses",
+ "wisdom:ListTagsForResource"
+ ]
+ resources = ["*"]
+ }
+
 statement {
 sid = "RESOURCEGROUPS"
 actions = ["resource-groups:ListGroups",

From 69fff434b10c2072081b7d82bfbde37ace8f3437 Mon Sep 17 00:00:00 2001
From: Max
Date: Thu, 30 Jan 2025 17:44:24 -0800
Subject: [PATCH 4/4] Move two service into the old policy

---
 main.tf | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/main.tf b/main.tf
index 5ff3038..3e7d04d 100644
--- a/main.tf
+++ b/main.tf
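Review bot: The QCONNECT statement authorizes actions under the `wisdom:` service prefix while its sid and the matching README section say QCONNECT, and nothing in the code explains the mismatch; add `# Amazon Q in Connect (formerly Amazon Connect Wisdom) is still authorized under the "wisdom" IAM service prefix` above `sid = "QCONNECT"` so the next reader does not "correct" the prefix. `"wisdom:ListTagsForResource"` is the one element without a trailing comma, unlike the QAPPS list just above it. The enclosing `data "aws_iam_policy_document" "lacework_audit_policy_2025_1"` block starts and ends outside the hunk.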
@@ -241,15 +241,6 @@ data "aws_iam_policy_document" "lacework_audit_policy" {
 ]
 resources = ["*"]
 }
-}
-
-# AWS iam allows only 6144 characters in a single policy
-# We've come to a point where there are too many actions in a single policy which is causing the policy to exceed the limit
-# So we needed a new policy to accommodate the overflow of actions, thus we added this new policy "lacework_audit_policy_2025_1"
-# Which representing the first new policy in 2025
-data "aws_iam_policy_document" "lacework_audit_policy_2025_1" {
- count = var.use_existing_iam_role_policy ? 0 : 1
- version = "2012-10-17"
 
 statement {
 sid = "KINESISVIDEO"
@@ -274,6 +265,15 @@ data "aws_iam_policy_document" "lacework_audit_policy_2025_1" {
 ]
 resources = ["*"]
 }
+}
+
+# AWS iam allows only 6144 characters in a single policy
+# We've come to a point where there are too many actions in a single policy which is causing the policy to exceed the limit
+# So we needed a new policy to accommodate the overflow of actions, thus we added this new policy "lacework_audit_policy_2025_1"
+# Which representing the first new policy in 2025
+data "aws_iam_policy_document" "lacework_audit_policy_2025_1" {
+ count = var.use_existing_iam_role_policy ? 0 : 1
+ version = "2012-10-17"
 
 statement {
 sid = "APPSTREAM"
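Review bot: Moving KINESISVIDEO and AMP back into `lacework_audit_policy` re-grows the document that, per the comment this hunk relocates, already hit the 6144-character managed-policy limit, and nothing in the module checks the size before `terraform apply` fails on it; the second hunk (`@@ -274`) is the other half of the same move and has the same concern. The first hunk opens mid-statement at `]`, so the statement being closed starts outside the hunk. If the module already targets Terraform 1.5 or later, a `check` block on the rendered JSON turns the limit into a plan-time assertion (AWS counts characters excluding whitespace, which the `replace` below approximates); the same block can be repeated for `lacework_audit_policy_2025_1`.
```hcl
# IAM measures a managed policy without whitespace; assert it at plan time rather than failing at apply time.
check "lacework_audit_policy_size" {
  assert {
    condition     = length(replace(join("", data.aws_iam_policy_document.lacework_audit_policy[*].json), "/\\s/", "")) <= 6144
    error_message = "lacework_audit_policy exceeds the 6144 non-whitespace character limit for an IAM managed policy."
  }
}
```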