chore: Limit permissions to ECS services for Cloud Connector and Scanning (#34)

Author: hayk99

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,5 +1,5 @@
 > PR template
-> 
+>
 > * for a cleaner PR, **delete whatever is not required**
 > * use pull-request **drafts for visiblity on WIP branches**
 > * unless a revision is desired in order to validate, or gather some feedback, **you are free to merge it as long as**
@@ -14,10 +14,9 @@
       - [ ] Sysdig docs
 - [ ] **input/output** variables have been modified?
   - [ ] terraform-docs has been updated acordingly
-  - [ ] if these inputs are mandatory, they've been changed on 
+  - [ ] if these inputs are mandatory, they've been changed on
       - [ ] examples
       - [ ] testing use-cases
       - [ ] snippets on README's
       - [ ] snippets on Secure Platform onboarding
 - [ ] had any problems developing this PR? add it to the readme **troubleshooting** list! may come handy to someone
-

modules/services/cloud-connector/ecs-service-security.tf

@@ -46,30 +46,27 @@ data "aws_iam_policy_document" "iam_role_task_policy" {
   statement {
     effect = "Allow"
     actions = [
-      "s3:*", # FIXME. refine only for Get and List
+      "s3:GetObject",
+      "s3:ListBucket",
+    ]
+    resources = ["*"]
+  }
+  statement {
+    effect = "Allow"
+    actions = [
       "sts:AssumeRole",
-
-      "logs:DescribeLogStreams",
-      "logs:GetLogEvents",
-      "logs:FilterLogEvents",
-      "logs:PutLogEvents",
-
-      # FIXME. this should be done over the specific resource
-      "sqs:DeleteMessage",
-      "sqs:DeleteMessageBatch",
-      "sqs:ReceiveMessage"
     ]
-    resources = ["*"] # FIXME. make more specific?
+    resources = ["*"]
   }
 
   statement {
-    sid    = "AllowSecurityHub"
     effect = "Allow"
     actions = [
-      "securityhub:GetFindings",
-      "securityhub:BatchImportFindings",
+      "sqs:DeleteMessage",
+      "sqs:DeleteMessageBatch",
+      "sqs:ReceiveMessage"
     ]
-    resources = ["arn:aws:securityhub:${data.aws_region.current.name}::product/sysdig/sysdig-cloud-connector"]
+    resources = [module.cloud_connector_sqs.cloudtrail_sns_subscribed_sqs_arn]
   }
 }
 

modules/services/cloud-scanning/ecs-service-security.tf

@@ -45,16 +45,19 @@ data "aws_iam_policy_document" "iam_role_task_role_policy" {
   statement {
     effect = "Allow"
     actions = [
-      "s3:Get*",
-      "s3:List",
-      "s3:Put*",
-      "s3:Head",
-
+      "s3:GetObject",
+      "s3:ListBucket",
+    ]
+    resources = ["*"]
+  }
+  statement {
+    effect = "Allow"
+    actions = [
       "sqs:DeleteMessage",
       "sqs:DeleteMessageBatch",
       "sqs:ReceiveMessage"
     ]
-    resources = ["*"]
+    resources = [module.cloud_scanning_sqs.cloudtrail_sns_subscribed_sqs_arn]
   }
 }