diff --git a/README.md b/README.md
index 8af194a..3b7d0e3 100644
--- a/README.md
+++ b/README.md
@@ -39,14 +39,17 @@ Terraform module for configuring an integration with Lacework and AWS for cloud
 |------|------|
 | [aws_iam_policy.lacework_audit_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.lacework_audit_policy_2025_1](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.lacework_audit_policy_2025_2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role_policy_attachment.lacework_audit_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.lacework_audit_policy_attachment_b](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.lacework_audit_policy_attachment_c](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.security_audit_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [lacework_integration_aws_cfg.default](https://registry.terraform.io/providers/lacework/lacework/latest/docs/resources/integration_aws_cfg) | resource |
 | [random_id.uniq](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
 | [time_sleep.wait_time](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
 | [aws_iam_policy_document.lacework_audit_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.lacework_audit_policy_2025_1](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.lacework_audit_policy_2025_2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [lacework_metric_module.lwmetrics](https://registry.terraform.io/providers/lacework/lacework/latest/docs/data-sources/metric_module) | data source |
 
 ## Inputs
@@ -351,7 +354,75 @@ The audit policy is comprised of the following permissions:
 | | budgets:ListTagsForResource | |
 | | budgets:ViewBudget | |
 | BILLINGCONSOLE | aws-portal:GetConsoleActionSetEnforced | * |
-| | aws-portal :ViewAccount | |
-| | aws-portal :ViewBilling | |
-| | aws-portal :ViewPaymentMethods | |
-| | aws-portal :ViewUsage | |
\ No newline at end of file
+| | aws-portal:ViewAccount | |
+| | aws-portal:ViewBilling | |
+| | aws-portal:ViewPaymentMethods | |
+| | aws-portal:ViewUsage | |
+| ACM-PCA | acm-pca:GetCertificateAuthorityCertificate | * |
+| | acm-pca:GetCertificateAuthorityCertificate | * |
+| | acm-pca:GetCertificateAuthorityCsr | |
+| APPCONFIG | appconfig:GetConfigurationProfile | * |
+| | appconfig:GetDeploymentStrategy | |
+| | appconfig:GetExtension | |
+| | appconfig:GetExtensionAssociation | |
+| | appconfig:GetHostedConfigurationVersion | |
+| | appconfig:ListApplications | |
+| | appconfig:ListConfigurationProfiles | |
+| | appconfig:ListDeployments | |
+| | appconfig:ListDeploymentStrategies | |
+| | appconfig:ListEnvironments | |
+| | appconfig:ListExtensionAssociations | |
+| | appconfig:ListExtensions | |
+| | appconfig:ListHostedConfigurationVersions | |
+| | appconfig:ListTagsForResource | |
+| APPFLOW | appflow:DescribeConnectorEntity | * |
+| | appflow:DescribeConnectorProfiles | |
+| | appflow:DescribeConnectors | |
+| | appflow:DescribeFlow | |
+| | appflow:DescribeFlowExecutionRecords | |
+| | appflow:ListConnectorEntities | |
+| | appflow:ListConnectors | |
+| DYNAMODB | dynamodb:DescribeContributorInsights | * |
+| | dynamodb:GetResourcePolicy | |
+| EBS | ebs:GetSnapshotBlock | * |
+| | ebs:ListSnapshotBlocks | |
+| FREETIER | freetier:GetFreeTierUsage | * |
+| LAKEFORMATION | lakeformation:DescribeLakeFormationIdentityCenterConfiguration | * |
+| | lakeformation:GetDataLakePrincipal | |
+| | lakeformation:GetDataLakeSettings | |
+| | lakeformation:GetEffectivePermissionsForPath | |
+| | lakeformation:GetTableObjects | |
+| | lakeformation:ListDataCellsFilter | |
+| | lakeformation:ListPermissions | |
+| | lakeformation:ListResources | |
+| | lakeformation:ListTableStorageOptimizers | |
+| | lakeformation:ListTransactions | |
+| LAMBDA | lambda:GetFunction | * |
+| | lambda:GetFunctionCodeSigningConfig | |
+| SCHEDULER | scheduler:GetSchedule | * |
+| | scheduler:GetScheduleGroup | |
+| | scheduler:ListScheduleGroups | |
+| | scheduler:ListSchedules | |
+| | scheduler:ListTagsForResource | |
+| SCHEMAS | schemas:GetCodeBindingSource | * |
+| DATASYNC | datasync:DescribeTaskExecution | * |
+| | datasync:DescribeLocationEfs | |
+| | datasync:ListAgents | |
+| | datasync:ListLocations | |
+| | datasync:ListTaskExecutions | |
+| | datasync:ListStorageSystems | |
+| | datasync:DescribeLocationSmb | |
+| | datasync:DescribeAgent | |
+| | datasync:DescribeLocationFsxWindows | |
+| | datasync:DescribeTask | |
+| | datasync:DescribeLocationS3 | |
+| | datasync:DescribeDiscoveryJob | |
+| | datasync:DescribeLocationObjectStorage | |
+| | datasync:DescribeStorageSystem | |
+| | datasync:DescribeLocationAzureBlob | |
+| | datasync:ListTagsForResource | |
+| | datasync:ListTasks | |
+| | datasync:DescribeLocationHdfs | |
+| | datasync:DescribeLocationFsxLustre | |
+| | datasync:ListDiscoveryJobs | |
+| | datasync:DescribeLocationNfs | |
diff --git a/main.tf b/main.tf
index d1971bc..5d38c81 100644
--- a/main.tf
+++ b/main.tf
@@ -6,6 +6,7 @@ locals {
     length(var.lacework_audit_policy_name) > 0 ? var.lacework_audit_policy_name : "lwaudit-policy-${random_id.uniq.hex}"
   )
   lacework_audit_policy_name_2025_1 = "${local.lacework_audit_policy_name}-2025-1"
+  lacework_audit_policy_name_2025_2 = "${local.lacework_audit_policy_name}-2025-2"
   version_file = "${abspath(path.module)}/VERSION"
   module_name = "terraform-aws-config"
   module_version = fileexists(local.version_file) ? file(local.version_file) : ""
@@ -512,6 +513,145 @@ data "aws_iam_policy_document" "lacework_audit_policy_2025_1" {
   }
 }
 
+
+# New permission incoming for 20.0.0 release:
+# https://lacework.atlassian.net/browse/RAIN-94565
+data "aws_iam_policy_document" "lacework_audit_policy_2025_2" {
+  count = var.use_existing_iam_role_policy ? 0 : 1
+  version = "2012-10-17"
+
+  statement {
+    sid = "FREETIER"
+    actions = ["freetier:GetFreeTierUsage"]
+    resources = ["*"]
+  }
+
+  statement {
+    sid = "ACMPCA"
+    actions = ["acm-pca:GetCertificateAuthorityCertificate",
+      "acm-pca:GetCertificateAuthorityCsr",
+    ]
+    resources = ["*"]
+  }
+
+  statement {
+    sid = "APPCONFIG"
+    actions = ["appconfig:GetConfigurationProfile",
+      "appconfig:GetDeploymentStrategy",
+      "appconfig:GetExtension",
+      "appconfig:GetExtensionAssociation",
+      "appconfig:GetHostedConfigurationVersion",
+      "appconfig:ListApplications",
+      "appconfig:ListConfigurationProfiles",
+      "appconfig:ListDeployments",
+      "appconfig:ListDeploymentStrategies",
+      "appconfig:ListEnvironments",
+      "appconfig:ListExtensionAssociations",
+      "appconfig:ListExtensions",
+      "appconfig:ListHostedConfigurationVersions",
+      "appconfig:ListTagsForResource",
+    ]
+    resources = ["*"]
+  }
+
+  statement {
+    sid = "APPFLOW"
+    actions = ["appflow:DescribeConnectorEntity",
+      "appflow:DescribeConnectorProfiles",
+      "appflow:DescribeConnectors",
+      "appflow:DescribeFlow",
+      "appflow:DescribeFlowExecutionRecords",
+      "appflow:ListConnectorEntities",
+      "appflow:ListConnectors",
+    ]
+    resources = ["*"]
+  }
+
+  statement {
+    sid = "DYNAMODB"
+    actions = ["dynamodb:GetResourcePolicy",
+      "dynamodb:DescribeContributorInsights",
+    ]
+    resources = ["*"]
+  }
+
+  statement {
+    sid = "EBS"
+    actions = ["ebs:GetSnapshotBlock",
+      "ebs:ListSnapshotBlocks",
+    ]
+    resources = ["*"]
+  }
+
+  statement {
+    sid = "LAKEFORMATION"
+    actions = ["lakeformation:DescribeLakeFormationIdentityCenterConfiguration",
+      "lakeformation:GetDataLakePrincipal",
+      "lakeformation:GetDataLakeSettings",
+      "lakeformation:GetEffectivePermissionsForPath",
+      "lakeformation:GetTableObjects",
+      "lakeformation:ListDataCellsFilter",
+      "lakeformation:ListPermissions",
+      "lakeformation:ListResources",
+      "lakeformation:ListTableStorageOptimizers",
+      "lakeformation:ListTransactions",
+    ]
+    resources = ["*"]
+  }
+
+  statement {
+    sid = "LAMBDA"
+    actions = ["lambda:GetFunction",
+      "lambda:GetFunctionCodeSigningConfig",
+    ]
+    resources = ["*"]
+  }
+
+  statement {
+    sid = "SCHEDULER"
+    actions = ["scheduler:GetSchedule",
+      "scheduler:GetScheduleGroup",
+      "scheduler:ListScheduleGroups",
+      "scheduler:ListSchedules",
+      "scheduler:ListTagsForResource",
+    ]
+    resources = ["*"]
+  }
+
+  statement {
+    sid = "SCHEMAS"
+    actions = ["schemas:GetCodeBindingSource"]
+    resources = ["*"]
+  }
+
+  statement {
+    sid = "DATASYNC"
+    actions = ["datasync:DescribeTaskExecution",
+      "datasync:DescribeLocationEfs",
+      "datasync:ListAgents",
+      "datasync:ListLocations",
+      "datasync:ListTaskExecutions",
+      "datasync:ListStorageSystems",
+      "datasync:DescribeLocationSmb",
+      "datasync:DescribeAgent",
+      "datasync:DescribeLocationFsxWindows",
+      "datasync:DescribeTask",
+      "datasync:DescribeLocationS3",
+      "datasync:DescribeDiscoveryJob",
+      "datasync:DescribeLocationObjectStorage",
+      "datasync:DescribeStorageSystem",
+      "datasync:DescribeLocationAzureBlob",
+      "datasync:ListTagsForResource",
+      "datasync:ListTasks",
+      "datasync:DescribeLocationHdfs",
+      "datasync:DescribeLocationFsxLustre",
+      "datasync:ListDiscoveryJobs",
+      "datasync:DescribeLocationNfs"
+    ]
+    resources = ["*"]
+  }
+}
+
 resource "aws_iam_policy" "lacework_audit_policy" {
   count = var.use_existing_iam_role_policy ? 0 : 1
   name = local.lacework_audit_policy_name
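Review bot: Several of the new statements grant reads of resource content rather than of configuration, and all of them on `resources = ["*"]`: `ebs:GetSnapshotBlock`/`ebs:ListSnapshotBlocks` return snapshot block data, `lambda:GetFunction` returns a download location for the deployment package, and `appconfig:GetHostedConfigurationVersion` returns the hosted configuration payload itself. The header comment is the place to record why the integration needs each of these so the scope can be judged at review time, e.g. `# New permissions for the 20.0.0 release (RAIN-94565). Note: the EBS, Lambda and AppConfig statements read resource content, not only configuration metadata.`, and a follow-up could narrow the EBS statement if the integration only needs snapshot metadata. The README table added in this commit lists `acm-pca:GetCertificateAuthorityCertificate` twice; it should appear once, matching the `ACMPCA` statement here. The hunk also leaves the action lists unordered (the `DATASYNC` list in particular), which makes later diffs against the README table harder to check by eye; sorting each list would help.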
@@ -528,6 +668,14 @@ resource "aws_iam_policy" "lacework_audit_policy_2025_1" {
   tags = var.tags
 }
 
+resource "aws_iam_policy" "lacework_audit_policy_2025_2" {
+  count = var.use_existing_iam_role_policy ? 0 : 1
+  name = local.lacework_audit_policy_name_2025_2
+  description = "An audit policy to allow Lacework to read configs (extends SecurityAudit), this is the third policy"
+  policy = data.aws_iam_policy_document.lacework_audit_policy_2025_2[0].json
+  tags = var.tags
+}
+
 resource "aws_iam_role_policy_attachment" "lacework_audit_policy_attachment" {
   count = var.use_existing_iam_role_policy ? 0 : 1
   role = local.iam_role_name
@@ -542,6 +690,13 @@ resource "aws_iam_role_policy_attachment" "lacework_audit_policy_attachment_b" {
   depends_on = [module.lacework_cfg_iam_role]
 }
 
+resource "aws_iam_role_policy_attachment" "lacework_audit_policy_attachment_c" {
+  count = var.use_existing_iam_role_policy ? 0 : 1
+  role = local.iam_role_name
+  policy_arn = aws_iam_policy.lacework_audit_policy_2025_2[0].arn
+  depends_on = [module.lacework_cfg_iam_role]
+}
+
 # wait for X seconds for things to settle down in the AWS side
 # before trying to create the Lacework external integration
 resource "time_sleep" "wait_time" {
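Review bot: With `count = var.use_existing_iam_role_policy ? 0 : 1` on `aws_iam_policy.lacework_audit_policy_2025_2` and, in the next hunk, on `aws_iam_role_policy_attachment.lacework_audit_policy_attachment_c`, deployments that bring their own policy receive none of the 2025-2 actions, and nothing in this change tells those users to extend their policy; the README or changelog should say so. The `description` string identifies the policy only as "the third policy"; naming the release it belongs to makes the attached policies traceable in the console, e.g. `description = "Audit policy 2025-2 to allow Lacework to read configs (extends SecurityAudit); permissions added in release 20.0.0"`. Presumably the split into a third policy is forced by the managed-policy document size limit; a one-line comment above the resource stating that would spare the next maintainer the guess.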