From ed00ca3d59d21bf559feeeae62aa9ab6142ceccf Mon Sep 17 00:00:00 2001
From: j1-internal-automation
Date: Wed, 24 Jul 2024 15:34:40 +0000
Subject: [PATCH] update CloudFormation documentation
---
 .../cloudformation-template.json | 18 +++++++++++-------
 .../managed-policy.md | 18 +++++++++++-------
 .../iam-cloudformation-detailed/terraform.tf | 18 +++++++++++-------
 .../cloudformation-template.json | 2 ++
 .../iam-cloudformation/managed-policy.md | 2 ++
 cloudformation/iam-cloudformation/terraform.tf | 2 ++
 6 files changed, 39 insertions(+), 21 deletions(-)
diff --git a/cloudformation/iam-cloudformation-detailed/cloudformation-template.json b/cloudformation/iam-cloudformation-detailed/cloudformation-template.json
index 3aa93c3..f09ec80 100644
--- a/cloudformation/iam-cloudformation-detailed/cloudformation-template.json
+++ b/cloudformation/iam-cloudformation-detailed/cloudformation-template.json
@@ -79,6 +79,7 @@
 "autoscaling:DescribePolicies",
 "backup:GetBackupVaultAccessPolicy",
 "backup:ListBackupVaults",
+ "backup:ListRecoveryPointsByBackupVault",
 "batch:DescribeComputeEnvironments",
 "batch:DescribeJobDefinitions",
 "batch:DescribeJobQueues",
@@ -148,6 +149,8 @@
 "ec2:DescribeTransitGatewayVpcAttachments",
 "ec2:DescribeVolumes",
 "ec2:DescribeVpcEndpoints",
+ "ec2:DescribeVpcEndpointServiceConfigurations",
+ "ec2:DescribeVpcEndpointServiceConnections",
 "ec2:DescribeVpcEndpointServicePermissions",
 "ec2:DescribeVpcEndpointServices",
 "ec2:DescribeVpcPeeringConnections",
@@ -239,13 +242,7 @@
 "iam:GetOpenIDConnectProvider",
 "iam:GetPolicyVersion",
 "iam:GetRole",
- "iam:GetRolePolicy",
- "iam:GetSAMLProvider",
- "iam:GetServerCertificate",
- "iam:GetUser",
- "iam:GetUserPolicy",
- "iam:ListAccessKeys",
- "iam:ListAccountAliases"
+ "iam:GetRolePolicy"
 ]
 }
 ]
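Review bot: Dropping the six `iam:Get*`/`iam:List*` actions from this statement keeps the effective permissions intact only for principals that have both managed policies attached, because the same six actions reappear in the next hunk (`@@ -265,6 +262,12 @@`), which the terraform.tf hunk headers place in a second policy, `jupiterone_security_audit_policy_2`. Confirm that the role the template attaches these policies to (outside this hunk) carries both, since a consumer who attaches only the first policy silently loses `iam:GetUser`, `iam:ListAccessKeys` and `iam:ListAccountAliases`. The commit does not say why the actions move; if it is the managed-policy size limit, state that in the description so a later cleanup does not merge the two statements back. The same relocation appears in the managed-policy.md (`@@ -202,13 +205,7 @@`) and terraform.tf (`@@ -228,13 +231,7 @@`) hunks of the detailed variant.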
@@ -265,6 +262,12 @@
 "Effect": "Allow",
 "Resource": "*",
 "Action": [
+ "iam:GetSAMLProvider",
+ "iam:GetServerCertificate",
+ "iam:GetUser",
+ "iam:GetUserPolicy",
+ "iam:ListAccessKeys",
+ "iam:ListAccountAliases",
 "iam:ListEntitiesForPolicy",
 "iam:ListGroupPolicies",
 "iam:ListGroups",
@@ -304,6 +307,7 @@
 "kms:ListAliases",
 "kms:ListKeys",
 "lambda:GetFunction",
+ "lambda:GetFunctionUrlConfig",
 "lambda:GetPolicy",
 "lambda:ListFunctions",
 "lambda:ListTags",
diff --git a/cloudformation/iam-cloudformation-detailed/managed-policy.md b/cloudformation/iam-cloudformation-detailed/managed-policy.md
index 53f2c09..7f520c4 100644
--- a/cloudformation/iam-cloudformation-detailed/managed-policy.md
+++ b/cloudformation/iam-cloudformation-detailed/managed-policy.md
@@ -42,6 +42,7 @@
 "autoscaling:DescribePolicies",
 "backup:GetBackupVaultAccessPolicy",
 "backup:ListBackupVaults",
+ "backup:ListRecoveryPointsByBackupVault",
 "batch:DescribeComputeEnvironments",
 "batch:DescribeJobDefinitions",
 "batch:DescribeJobQueues",
@@ -111,6 +112,8 @@
 "ec2:DescribeTransitGatewayVpcAttachments",
 "ec2:DescribeVolumes",
 "ec2:DescribeVpcEndpoints",
+ "ec2:DescribeVpcEndpointServiceConfigurations",
+ "ec2:DescribeVpcEndpointServiceConnections",
 "ec2:DescribeVpcEndpointServicePermissions",
 "ec2:DescribeVpcEndpointServices",
 "ec2:DescribeVpcPeeringConnections",
@@ -202,13 +205,7 @@
 "iam:GetOpenIDConnectProvider",
 "iam:GetPolicyVersion",
 "iam:GetRole",
- "iam:GetRolePolicy",
- "iam:GetSAMLProvider",
- "iam:GetServerCertificate",
- "iam:GetUser",
- "iam:GetUserPolicy",
- "iam:ListAccessKeys",
- "iam:ListAccountAliases"
+ "iam:GetRolePolicy"
 ]
 }
 ]
@@ -225,6 +222,12 @@
 "Effect": "Allow",
 "Resource": "*",
 "Action": [
+ "iam:GetSAMLProvider",
+ "iam:GetServerCertificate",
+ "iam:GetUser",
+ "iam:GetUserPolicy",
+ "iam:ListAccessKeys",
+ "iam:ListAccountAliases",
 "iam:ListEntitiesForPolicy",
 "iam:ListGroupPolicies",
 "iam:ListGroups",
@@ -264,6 +267,7 @@
 "kms:ListAliases",
 "kms:ListKeys",
 "lambda:GetFunction",
+ "lambda:GetFunctionUrlConfig",
 "lambda:GetPolicy",
 "lambda:ListFunctions",
 "lambda:ListTags",
diff --git a/cloudformation/iam-cloudformation-detailed/terraform.tf b/cloudformation/iam-cloudformation-detailed/terraform.tf
index b657ce6..e5ac7d4 100644
--- a/cloudformation/iam-cloudformation-detailed/terraform.tf
+++ b/cloudformation/iam-cloudformation-detailed/terraform.tf
@@ -68,6 +68,7 @@ resource "aws_iam_policy" "jupiterone_security_audit_policy" {
 "autoscaling:DescribePolicies",
 "backup:GetBackupVaultAccessPolicy",
 "backup:ListBackupVaults",
+ "backup:ListRecoveryPointsByBackupVault",
 "batch:DescribeComputeEnvironments",
 "batch:DescribeJobDefinitions",
 "batch:DescribeJobQueues",
@@ -137,6 +138,8 @@ resource "aws_iam_policy" "jupiterone_security_audit_policy" {
 "ec2:DescribeTransitGatewayVpcAttachments",
 "ec2:DescribeVolumes",
 "ec2:DescribeVpcEndpoints",
+ "ec2:DescribeVpcEndpointServiceConfigurations",
+ "ec2:DescribeVpcEndpointServiceConnections",
 "ec2:DescribeVpcEndpointServicePermissions",
 "ec2:DescribeVpcEndpointServices",
 "ec2:DescribeVpcPeeringConnections",
@@ -228,13 +231,7 @@ resource "aws_iam_policy" "jupiterone_security_audit_policy" {
 "iam:GetOpenIDConnectProvider",
 "iam:GetPolicyVersion",
 "iam:GetRole",
- "iam:GetRolePolicy",
- "iam:GetSAMLProvider",
- "iam:GetServerCertificate",
- "iam:GetUser",
- "iam:GetUserPolicy",
- "iam:ListAccessKeys",
- "iam:ListAccountAliases"
+ "iam:GetRolePolicy"
 ]
 }
 ]
@@ -256,6 +253,12 @@ resource "aws_iam_policy" "jupiterone_security_audit_policy_2" {
 "Effect": "Allow",
 "Resource": "*",
 "Action": [
+ "iam:GetSAMLProvider",
+ "iam:GetServerCertificate",
+ "iam:GetUser",
+ "iam:GetUserPolicy",
+ "iam:ListAccessKeys",
+ "iam:ListAccountAliases",
 "iam:ListEntitiesForPolicy",
 "iam:ListGroupPolicies",
 "iam:ListGroups",
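Review bot: The six IAM actions added to `jupiterone_security_audit_policy_2` here arrive with no explanation of why they live in a second `aws_iam_policy` rather than alongside `iam:GetRolePolicy` in the first, and of the three files changed only this one can carry a comment, since the CloudFormation JSON and the markdown policy listing cannot. I would add, on the `resource "aws_iam_policy" "jupiterone_security_audit_policy_2"` header (which starts outside the hunk), a line such as `# Continuation of jupiterone_security_audit_policy: the two policies form one permission set and must be attached together.` Keep the comment on the resource block rather than inside the policy document, because if that document is a JSON heredoc a `#` line inside it would break the policy.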
@@ -295,6 +298,7 @@ resource "aws_iam_policy" "jupiterone_security_audit_policy_2" {
 "kms:ListAliases",
 "kms:ListKeys",
 "lambda:GetFunction",
+ "lambda:GetFunctionUrlConfig",
 "lambda:GetPolicy",
 "lambda:ListFunctions",
 "lambda:ListTags",
diff --git a/cloudformation/iam-cloudformation/cloudformation-template.json b/cloudformation/iam-cloudformation/cloudformation-template.json
index 6e53842..97c4e63 100644
--- a/cloudformation/iam-cloudformation/cloudformation-template.json
+++ b/cloudformation/iam-cloudformation/cloudformation-template.json
@@ -47,6 +47,7 @@
 "Effect": "Allow",
 "Resource": "*",
 "Action": [
+ "backup:List*",
 "batch:Describe*",
 "batch:List*",
 "cloudhsm:Describe*",
@@ -62,6 +63,7 @@
 "glue:GetJob",
 "glue:List*",
 "lambda:GetFunction",
+ "lambda:GetFunctionUrlConfig",
 "lex:List*",
 "macie2:GetFindings",
 "redshift-serverless:List*",
diff --git a/cloudformation/iam-cloudformation/managed-policy.md b/cloudformation/iam-cloudformation/managed-policy.md
index a4d8779..6b73014 100644
--- a/cloudformation/iam-cloudformation/managed-policy.md
+++ b/cloudformation/iam-cloudformation/managed-policy.md
@@ -8,6 +8,7 @@
 "Effect": "Allow",
 "Resource": "*",
 "Action": [
+ "backup:List*",
 "batch:Describe*",
 "batch:List*",
 "cloudhsm:Describe*",
@@ -23,6 +24,7 @@
 "glue:GetJob",
 "glue:List*",
 "lambda:GetFunction",
+ "lambda:GetFunctionUrlConfig",
 "lex:List*",
 "macie2:GetFindings",
 "redshift-serverless:List*",
diff --git a/cloudformation/iam-cloudformation/terraform.tf b/cloudformation/iam-cloudformation/terraform.tf
index f205ef4..602c07e 100644
--- a/cloudformation/iam-cloudformation/terraform.tf
+++ b/cloudformation/iam-cloudformation/terraform.tf
@@ -36,6 +36,7 @@ resource "aws_iam_policy" "jupiterone_security_audit_policy" {
 "Effect": "Allow",
 "Resource": "*",
 "Action": [
+ "backup:List*",
 "batch:Describe*",
 "batch:List*",
 "cloudhsm:Describe*",
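Review bot: `backup:List*` in the simplified template (`@@ -47,6 +47,7 @@`) is broader than what the detailed variant adds in the same commit, which is the single action `backup:ListRecoveryPointsByBackupVault` next to the `backup:ListBackupVaults` it already had; the wildcard also covers every future `backup:List…` action AWS introduces. The surrounding context (`batch:Describe*`, `batch:List*`) shows this file already uses service-wide wildcards, so it follows the file's convention, but the two variants now document different needs for the same integration. If equivalence of intent matters, list `backup:ListBackupVaults` and `backup:ListRecoveryPointsByBackupVault` explicitly, or note in the simplified managed-policy.md that the wildcard is a deliberate trade of precision for a shorter policy. Nothing else in the hunk grants backup actions, so this looks like the variant's first backup permission, which is worth confirming against the rest of the file. The same `backup:List*` line is added to the simplified terraform.tf (`@@ -36,6 +36,7 @@`).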
@@ -51,6 +52,7 @@ resource "aws_iam_policy" "jupiterone_security_audit_policy" {
 "glue:GetJob",
 "glue:List*",
 "lambda:GetFunction",
+ "lambda:GetFunctionUrlConfig",
 "lex:List*",
 "macie2:GetFindings",
 "redshift-serverless:List*",