From be35d45461dca105e2fed86b9c1913c3a5e9c0dd Mon Sep 17 00:00:00 2001
From: lmax
Date: Thu, 3 Apr 2025 13:16:25 -0700
Subject: [PATCH 1/6] Added 10 services: Free Tier ACM-PCA Lambda(partial) Schemas(partial) Scheduler Lakeformation DynamoDB(Partial) describe_contributor_insights get_resource_policy Appconfig AppFlow EBS
---
 README.md | 63 +++++++++++++++++++++++-
 main.tf | 136 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 195 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index 8af194a..2b72a81 100644
--- a/README.md
+++ b/README.md
@@ -351,7 +351,62 @@ The audit policy is comprised of the following permissions:
 | | budgets:ListTagsForResource | |
 | | budgets:ViewBudget | |
 | BILLINGCONSOLE | aws-portal:GetConsoleActionSetEnforced | * |
-| | aws-portal :ViewAccount | |
-| | aws-portal :ViewBilling | |
-| | aws-portal :ViewPaymentMethods | |
-| | aws-portal :ViewUsage | |
\ No newline at end of file
+| | aws-portal:ViewAccount | |
+| | aws-portal:ViewBilling | |
+| | aws-portal:ViewPaymentMethods | |
+| | aws-portal:ViewUsage | |
+| ACM-PCA | acm-pca:GetCertificateAuthorityCertificate | * |
+| | acm-pca:GetCertificateAuthorityCertificate | * |
+| | acm-pca:GetCertificateAuthorityCsr | |
+| APPCONFIG | appconfig:GetConfigurationProfile | * |
+| | appconfig:GetDeploymentStrategy | |
+| | appconfig:GetExtension | |
+| | appconfig:GetExtensionAssociation | |
+| | appconfig:GetHostedConfigurationVersion | |
+| | appconfig:ListApplications | |
+| | appconfig:ListConfigurationProfiles | |
+| | appconfig:ListDeployments | |
+| | appconfig:ListDeploymentStrategies | |
+| | appconfig:ListEnvironments | |
+| | appconfig:ListExtensionAssociations | |
+| | appconfig:ListExtensions | |
+| | appconfig:ListHostedConfigurationVersions | |
+| | appconfig:ListTagsForResource | |
+| APPFLOW | appflow:DescribeConnector | * |
+| | appflow:DescribeConnectorEntity | |
+| | appflow:DescribeConnectorFields | |
+| | appflow:DescribeConnectorProfiles | |
+| | appflow:DescribeConnectors | |
+| | appflow:DescribeFlow | |
+| | appflow:DescribeFlowExecution | |
+| | appflow:DescribeFlowExecutionRecords | |
+| | appflow:DescribeFlows | |
+| | appflow:ListConnectorEntities | |
+| | appflow:ListConnectorFields | |
+| | appflow:ListConnectors | |
+| | appflow:ListFlows | |
+| | appflow:ListTagsForResource | |
+| DYNAMODB | dynamodb:DescribeContributorInsights | * |
+| | dynamodb:GetResourcePolicy | |
+| EBS | ebs:GetSnapshotBlock | * |
+| | ebs:ListChangedBlocks | |
+| | ebs:ListSnapshotBlocks | |
+| FREETIER |
freetier:GetFreeTierUsage | * |
+| LAKEFORMATION | lakeformation:DescribeLakeFormationIdentityCenterConfiguration | * |
+| | lakeformation:GetDataLakePrincipal | |
+| | lakeformation:GetDataLakeSettings | |
+| | lakeformation:GetEffectivePermissionsForPath | |
+| | lakeformation:GetTableObjects | |
+| | lakeformation:ListDataCellsFilter | |
+| | lakeformation:ListPermissions | |
+| | lakeformation:ListResources | |
+| | lakeformation:ListTableStorageOptimizers | |
+| | lakeformation:ListTransactions | |
+| LAMBDA | lambda:GetFunction | * |
+| | lambda:GetFunctionCodeSigningConfig | |
+| SCHEDULER | scheduler:GetSchedule | * |
+| | scheduler:GetScheduleGroup | |
+| | scheduler:ListScheduleGroups | |
+| | scheduler:ListSchedules | |
+| | scheduler:ListTagsForResource | |
+| SCHEMAS | schemas:GetCodeBindingSource | * |
diff --git a/main.tf b/main.tf
index d1971bc..d544007 100644
--- a/main.tf
+++ b/main.tf
@@ -6,6 +6,7 @@ locals {
 length(var.lacework_audit_policy_name) > 0 ? var.lacework_audit_policy_name : "lwaudit-policy-${random_id.uniq.hex}"
 )
 lacework_audit_policy_name_2025_1 = "${local.lacework_audit_policy_name}-2025-1"
+ lacework_audit_policy_name_2025_2 = "${local.lacework_audit_policy_name}-2025-2"
 version_file = "${abspath(path.module)}/VERSION"
 module_name = "terraform-aws-config"
 module_version = fileexists(local.version_file) ? file(local.version_file) : ""
@@ -512,6 +513,126 @@ data "aws_iam_policy_document" "lacework_audit_policy_2025_1" {
 }
 }
+
+# New permission incoming for 20.0.0 release:
+# https://lacework.atlassian.net/browse/RAIN-94565
+data "aws_iam_policy_document" "lacework_audit_policy_2025_2" {
+ count = var.use_existing_iam_role_policy ? 0 : 1
+ version = "2012-10-17"
+
+ statement {
+ sid = "FREETIER"
+ actions = ["freetier:GetFreeTierUsage"]
+ resources = ["*"]
+ }
+
+ statement {
+ sid = "ACM-PCA"
+ actions = ["acm-pca:GetCertificateAuthorityCertificate",
+ "acm-pca:GetCertificateAuthorityCsr",
+ ]
+ resources = ["*"]
+ }
+
+ statement {
+ sid = "APPCONFIG"
+ actions = ["appconfig:GetConfigurationProfile",
+ "appconfig:GetDeploymentStrategy",
+ "appconfig:GetExtension",
+ "appconfig:GetExtensionAssociation",
+ "appconfig:GetHostedConfigurationVersion",
+ "appconfig:ListApplications",
+ "appconfig:ListConfigurationProfiles",
+ "appconfig:ListDeployments",
+ "appconfig:ListDeploymentStrategies",
+ "appconfig:ListEnvironments",
+ "appconfig:ListExtensionAssociations",
+ "appconfig:ListExtensions",
+ "appconfig:ListHostedConfigurationVersions",
+ "appconfig:ListTagsForResource",
+ ]
+ resources = ["*"]
+ }
+
+ statement {
+ sid = "APPFLOW"
+ actions = ["appflow:DescribeConnector",
+ "appflow:DescribeConnectorEntity",
+ "appflow:DescribeConnectorFields",
+ "appflow:DescribeConnectorProfiles",
+ "appflow:DescribeConnectors",
+ "appflow:DescribeFlow",
+ "appflow:DescribeFlowExecution",
+ "appflow:DescribeFlowExecutionRecords",
+ "appflow:DescribeFlows",
+ "appflow:ListConnectorEntities",
+ "appflow:ListConnectorFields",
+ "appflow:ListConnectors",
+ "appflow:ListFlows",
+ "appflow:ListTagsForResource",
+ ]
+ resources = ["*"]
+ }
+
+ statement {
+ sid = "DYNAMODB"
+ actions = ["dynamodb:GetResourcePolicy",
+ "dynamodb:DescribeContributorInsights",
+ ]
+ resources = ["*"]
+ }
+
+ statement {
+ sid = "EBS"
+ actions = ["ebs:GetSnapshotBlock",
+ "ebs:ListChangedBlocks",
+ "ebs:ListSnapshotBlocks",
+ ]
+
resources = ["*"]
+ }
+
+ statement {
+ sid = "LAKEFORMATION"
+ actions = ["lakeformation:DescribeLakeFormationIdentityCenterConfiguration",
+ "lakeformation:GetDataLakePrincipal",
+ "lakeformation:GetDataLakeSettings",
+ "lakeformation:GetEffectivePermissionsForPath",
+ "lakeformation:GetTableObjects",
+ "lakeformation:ListDataCellsFilter",
+ "lakeformation:ListPermissions",
+ "lakeformation:ListResources",
+ "lakeformation:ListTableStorageOptimizers",
+ "lakeformation:ListTransactions",
+ ]
+ resources = ["*"]
+ }
+
+ statement {
+ sid = "LAMBDA"
+ actions = ["lambda:GetFunction",
+ "lambda:GetFunctionCodeSigningConfig",
+ ]
+ resources = ["*"]
+ }
+
+ statement {
+ sid = "SCHEDULER"
+ actions = ["scheduler:GetSchedule",
+ "scheduler:GetScheduleGroup",
+ "scheduler:ListScheduleGroups",
+ "scheduler:ListSchedules",
+ "scheduler:ListTagsForResource",
+ ]
+ resources = ["*"]
+ }
+
+ statement {
+ sid = "SCHEMAS"
+ actions = ["schemas:GetCodeBindingSource"]
+ resources = ["*"]
+ }
+}
+
 resource "aws_iam_policy" "lacework_audit_policy" {
 count = var.use_existing_iam_role_policy ? 0 : 1
 name = local.lacework_audit_policy_name
@@ -528,6 +649,14 @@ resource "aws_iam_policy" "lacework_audit_policy_2025_1" {
 tags = var.tags
 }
+resource "aws_iam_policy" "lacework_audit_policy_2025_2" {
+ count = var.use_existing_iam_role_policy ? 0 : 1
+ name = local.lacework_audit_policy_name_2025_2
+ description = "An audit policy to allow Lacework to read configs (extends SecurityAudit), this is the third policy"
+ policy = data.aws_iam_policy_document.lacework_audit_policy_2025_2[0].json
+ tags = var.tags
+}
+
 resource "aws_iam_role_policy_attachment" "lacework_audit_policy_attachment" {
 count = var.use_existing_iam_role_policy ? 0 : 1
 role = local.iam_role_name
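Review bot: `ebs:GetSnapshotBlock` and `lambda:GetFunction` in the new `lacework_audit_policy_2025_2` document reach workload content rather than configuration: `GetSnapshotBlock` returns the raw data of a snapshot block, and the `GetFunction` response carries a presigned URL to download the function's deployment package, neither of which the policy description (`read configs`) suggests, and both are granted on `resources = ["*"]`. If only inventory and metadata are needed, `ebs:ListSnapshotBlocks` together with `lambda:GetFunctionConfiguration` is the narrower grant; otherwise the `EBS` and `LAMBDA` statements should carry a comment stating why block-level and code read access is required. The `# New permission incoming for 20.0.0 release:` comment points at an internal tracker that consumers of the module cannot open, so a self-contained rationale such as `# Coverage added for the 20.0.0 release: Free Tier, ACM-PCA, AppConfig, AppFlow, DynamoDB, EBS, Lake Formation, Lambda, Scheduler, Schemas` would serve readers better. The same `EBS` statement survives the trimming in the `@@ -585,7 +578,6 @@` hunk of PATCH 6/6, which drops `ebs:ListChangedBlocks` but keeps `ebs:GetSnapshotBlock`, so the point applies there as well.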
@@ -542,6 +671,13 @@ resource "aws_iam_role_policy_attachment" "lacework_audit_policy_attachment_b" {
 depends_on = [module.lacework_cfg_iam_role]
 }
+resource "aws_iam_role_policy_attachment" "lacework_audit_policy_attachment_c" {
+ count = var.use_existing_iam_role_policy ? 0 : 1
+ role = local.iam_role_name
+ policy_arn = aws_iam_policy.lacework_audit_policy_2025_2[0].arn
+ depends_on = [module.lacework_cfg_iam_role]
+}
+
 # wait for X seconds for things to settle down in the AWS side
 # before trying to create the Lacework external integration
 resource "time_sleep" "wait_time" {
From fb1decc7d4d3a47f6e2f2a3a14c74c7ae0e7f4b9 Mon Sep 17 00:00:00 2001
From: lmax
Date: Thu, 3 Apr 2025 13:19:01 -0700
Subject: [PATCH 2/6] Run terraform docs
---
 README.md | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/README.md b/README.md
index 2b72a81..7755c46 100644
--- a/README.md
+++ b/README.md
@@ -39,14 +39,17 @@ Terraform module for configuring an integration with Lacework and AWS for cloud
 |------|------|
 | [aws_iam_policy.lacework_audit_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.lacework_audit_policy_2025_1](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.lacework_audit_policy_2025_2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role_policy_attachment.lacework_audit_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.lacework_audit_policy_attachment_b](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.lacework_audit_policy_attachment_c](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.security_audit_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [lacework_integration_aws_cfg.default](https://registry.terraform.io/providers/lacework/lacework/latest/docs/resources/integration_aws_cfg) | resource |
 | [random_id.uniq](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
 | [time_sleep.wait_time](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
 | [aws_iam_policy_document.lacework_audit_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 |
[aws_iam_policy_document.lacework_audit_policy_2025_1](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.lacework_audit_policy_2025_2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [lacework_metric_module.lwmetrics](https://registry.terraform.io/providers/lacework/lacework/latest/docs/data-sources/metric_module) | data source |
 ## Inputs
From 70442be19d733f175770e1f38f047c3ba6c3c13a Mon Sep 17 00:00:00 2001
From: lmax
Date: Thu, 3 Apr 2025 14:44:56 -0700
Subject: [PATCH 3/6] Add datasync
---
 README.md | 21 +++++++++++++++++++++
 main.tf | 27 +++++++++++++++++++++++++++
 2 files changed, 48 insertions(+)
diff --git a/README.md b/README.md
index 7755c46..fca727b 100644
--- a/README.md
+++ b/README.md
@@ -413,3 +413,24 @@ The audit policy is comprised of the following permissions:
 | | scheduler:ListSchedules | |
 | | scheduler:ListTagsForResource | |
 | SCHEMAS | schemas:GetCodeBindingSource | * |
+| DATASYNC | datasync:DescribeTaskExecution | * |
+| | datasync:DescribeLocationEfs | |
+| | datasync:ListAgents | |
+| | datasync:ListLocations | |
+| | datasync:ListTaskExecutions | |
+| | datasync:ListStorageSystems | |
+| | datasync:DescribeLocationSmb | |
+| | datasync:DescribeAgent | |
+| | datasync:DescribeLocationFsxWindows | |
+| | datasync:DescribeTask | |
+| | datasync:DescribeLocationS3 | |
+| | datasync:DescribeDiscoveryJob | |
+| | datasync:DescribeLocationObjectStorage | |
+| | datasync:DescribeStorageSystem | |
+| | datasync:DescribeLocationAzureBlob | |
+| | datasync:ListTagsForResource | |
+| | datasync:ListTasks | |
+| | datasync:DescribeLocationHdfs | |
+| | datasync:DescribeLocationFsxLustre | |
+| | datasync:ListDiscoveryJobs | |
+| | datasync:DescribeLocationNfs | |
diff --git a/main.tf b/main.tf
index d544007..fcf25ac 100644
--- a/main.tf
+++ b/main.tf
@@ -631,6 +631,33 @@ data "aws_iam_policy_document" "lacework_audit_policy_2025_2" {
 actions = ["schemas:GetCodeBindingSource"]
 resources = ["*"]
 }
+
+ statement {
+ sid = "DATASYNC"
+ actions = ["datasync:DescribeTaskExecution",
+ "datasync:DescribeLocationEfs",
+ "datasync:ListAgents",
+ "datasync:ListLocations",
+ "datasync:ListTaskExecutions",
+ "datasync:ListStorageSystems",
+ "datasync:DescribeLocationSmb",
+ "datasync:DescribeAgent",
+ "datasync:DescribeLocationFsxWindows",
+ "datasync:DescribeTask",
+ "datasync:DescribeLocationS3",
+ "datasync:DescribeDiscoveryJob",
+ "datasync:DescribeLocationObjectStorage",
+ "datasync:DescribeStorageSystem",
+ "datasync:DescribeLocationAzureBlob",
+ "datasync:ListTagsForResource",
+ "datasync:ListTasks",
+ "datasync:DescribeLocationHdfs",
+ "datasync:DescribeLocationFsxLustre",
+ "datasync:ListDiscoveryJobs",
+ "datasync:DescribeLocationNfs"
+ ]
+ resources = ["*"]
+ }
 }
 resource "aws_iam_policy" "lacework_audit_policy" {
From fc6b9a00ef87c0997c8dd8b5b0e4daa5a84d727c Mon Sep 17 00:00:00 2001
From: lmax
Date: Thu, 3 Apr 2025 14:47:16 -0700
Subject: [PATCH 4/6] Fix lint
---
 main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/main.tf b/main.tf
index fcf25ac..325452a 100644
--- a/main.tf
+++ b/main.tf
@@ -632,7 +632,7 @@ data "aws_iam_policy_document" "lacework_audit_policy_2025_2" {
 resources = ["*"]
 }
- statement {
+ statement {
 sid = "DATASYNC"
 actions = ["datasync:DescribeTaskExecution",
 "datasync:DescribeLocationEfs",
From 2b1824b80f1038d9cc330f93aa5ce17ed7802bbe Mon Sep 17 00:00:00 2001
From: lmax
Date: Thu, 3 Apr 2025 15:27:10 -0700
Subject: [PATCH 5/6] Fix SID
---
 main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/main.tf b/main.tf
index 325452a..c118eb3 100644
--- a/main.tf
+++ b/main.tf
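Review bot: The `DATASYNC` action list is in no discernible order (`"datasync:DescribeTaskExecution"`, `"datasync:DescribeLocationEfs"`, `"datasync:ListAgents"`, …) and its final element `"datasync:DescribeLocationNfs"` has no trailing comma, whereas the other multi-action statements in this document (`APPCONFIG`, `APPFLOW`, `LAKEFORMATION`, `SCHEDULER`) list actions alphabetically and end each element with a comma before `]`. Sorting the 21 actions and adding the trailing comma keeps future additions to one-line diffs and makes it straightforward to check the list against the README table for duplicates or omissions. The enclosing `data "aws_iam_policy_document" "lacework_audit_policy_2025_2"` block starts before this hunk.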
@@ -527,7 +527,7 @@ data "aws_iam_policy_document" "lacework_audit_policy_2025_2" {
 }
 statement {
- sid = "ACM-PCA"
+ sid = "ACMPCA"
 actions = ["acm-pca:GetCertificateAuthorityCertificate",
 "acm-pca:GetCertificateAuthorityCsr",
 ]
From 9e6f7eb427a433d2614b9c49057d69861ca6a3ba Mon Sep 17 00:00:00 2001
From: lmax
Date: Thu, 3 Apr 2025 15:39:30 -0700
Subject: [PATCH 6/6] Fix the overlap and not needed permissions
---
 README.md | 10 +--------
 main.tf | 10 +--------
 2 files changed, 2 insertions(+), 18 deletions(-)
diff --git a/README.md b/README.md
index fca727b..3b7d0e3 100644
--- a/README.md
+++ b/README.md
@@ -375,24 +375,16 @@ The audit policy is comprised of the following permissions:
 | | appconfig:ListExtensions | |
 | | appconfig:ListHostedConfigurationVersions | |
 | | appconfig:ListTagsForResource | |
-| APPFLOW | appflow:DescribeConnector | * |
-| | appflow:DescribeConnectorEntity | |
-| | appflow:DescribeConnectorFields | |
+| APPFLOW | appflow:DescribeConnectorEntity | * |
 | | appflow:DescribeConnectorProfiles | |
 | | appflow:DescribeConnectors | |
 | | appflow:DescribeFlow | |
-| | appflow:DescribeFlowExecution | |
 | | appflow:DescribeFlowExecutionRecords | |
-| | appflow:DescribeFlows | |
 | | appflow:ListConnectorEntities | |
-| | appflow:ListConnectorFields | |
 | | appflow:ListConnectors | |
-| | appflow:ListFlows | |
-| | appflow:ListTagsForResource | |
 | DYNAMODB | dynamodb:DescribeContributorInsights | * |
 | | dynamodb:GetResourcePolicy | |
 | EBS | ebs:GetSnapshotBlock | * |
-| | ebs:ListChangedBlocks | |
 | | ebs:ListSnapshotBlocks | |
 | FREETIER | freetier:GetFreeTierUsage | * |
 | LAKEFORMATION | lakeformation:DescribeLakeFormationIdentityCenterConfiguration | * |
diff --git a/main.tf b/main.tf
index c118eb3..5d38c81 100644
--- a/main.tf
+++ b/main.tf
@@ -556,20 +556,13 @@ data "aws_iam_policy_document" "lacework_audit_policy_2025_2" {
 statement {
 sid = "APPFLOW"
- actions = ["appflow:DescribeConnector",
- "appflow:DescribeConnectorEntity",
- "appflow:DescribeConnectorFields",
+ actions = ["appflow:DescribeConnectorEntity",
 "appflow:DescribeConnectorProfiles",
 "appflow:DescribeConnectors",
 "appflow:DescribeFlow",
- "appflow:DescribeFlowExecution",
 "appflow:DescribeFlowExecutionRecords",
- "appflow:DescribeFlows",
 "appflow:ListConnectorEntities",
- "appflow:ListConnectorFields",
 "appflow:ListConnectors",
- "appflow:ListFlows",
- "appflow:ListTagsForResource",
 ]
 resources = ["*"]
 }
@@ -585,7 +578,6 @@ data "aws_iam_policy_document" "lacework_audit_policy_2025_2" {
 statement {
 sid = "EBS"
 actions = ["ebs:GetSnapshotBlock",
- "ebs:ListChangedBlocks",
 "ebs:ListSnapshotBlocks",
 ]
 resources = ["*"]