expand cspm permissions

Levetty · Aug 21, 2024 · b329426 · b329426
1 parent 9baa816
commit b329426
Show file tree

Hide file tree

Showing 7 changed files with 805 additions and 139 deletions.
diff --git a/main.tf b/main.tf
@@ -29,11 +29,17 @@ resource "aws_iam_role_policy_attachment" "cloudbase_security_audit_policy" {
   policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
 }
 
-resource "aws_iam_role_policy" "cloudbase_cspm_read_policy" {
-  name = "CloudbaseReadPolicy"
-  role = aws_iam_role.cloudbase_role.id
+resource "aws_iam_role_policy_attachment" "cloudbase_cspm_read_policy" {
+  count      = 4
+  role       = aws_iam_role.cloudbase_role.id
+  policy_arn = aws_iam_policy.cloudbase_cspm_read_policy[count.index].arn
+}
+
+resource "aws_iam_policy" "cloudbase_cspm_read_policy" {
+  count = 4
+  name  = "${var.cspm_policy_prefix}${count.index}"
 
-  policy = file("${path.module}/policies/cspm_read.json")
+  policy = file("${path.module}/policies/cspm_read_${count.index}.json")
 }
 
 resource "aws_iam_role_policy" "cloudbase_container_scan_policy" {

diff --git a/policies/cspm_read.json b/policies/cspm_read.json
diff --git a/policies/cspm_read_0.json b/policies/cspm_read_0.json
@@ -0,0 +1,200 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "access-analyzer:GetAccessPreview",
+        "access-analyzer:GetGeneratedPolicy",
+        "access-analyzer:List*",
+        "access-analyzer:ValidatePolicy",
+        "account:GetAlternateContact",
+        "account:GetContactInformation",
+        "account:GetPrimaryEmail",
+        "account:ListRegions",
+        "acm:DescribeCertificate",
+        "acm:GetAccountConfiguration",
+        "acm:List*",
+        "airflow:List*",
+        "amplify:GetApp",
+        "amplify:GetBranch",
+        "amplify:GetDomainAssociation",
+        "amplify:GetJob",
+        "amplify:List*",
+        "apigateway:GET",
+        "appconfig:GetApplication",
+        "appconfig:GetConfiguration",
+        "appconfig:GetConfigurationProfile",
+        "appconfig:GetDeployment",
+        "appconfig:GetDeploymentStrategy",
+        "appconfig:GetEnvironment",
+        "appconfig:GetHostedConfigurationVersion",
+        "appconfig:List*",
+        "appflow:Describe*",
+        "appflow:List*",
+        "apprunner:DescribeWebAclForService",
+        "apprunner:List*",
+        "appstream:Describe*",
+        "appstream:List*",
+        "appsync:GetApiAssociation",
+        "appsync:GetDataSource",
+        "appsync:GetDataSourceIntrospection",
+        "appsync:GetDomainName",
+        "appsync:GetGraphqlApi",
+        "appsync:GetIntrospectionSchema",
+        "appsync:GetResolver",
+        "appsync:GetResourcePolicy",
+        "appsync:GetSchemaCreationStatus",
+        "appsync:GetSourceApiAssociation",
+        "appsync:GetType",
+        "appsync:ListGraphqlApis",
+        "aps:Describe*",
+        "aps:GetAlertManagerSilence",
+        "aps:GetAlertManagerStatus",
+        "aps:GetDefaultScraperConfiguration",
+        "aps:GetLabels",
+        "aps:GetMetricMetadata",
+        "aps:List*",
+        "athena:GetCapacityAssignmentConfiguration",
+        "athena:GetCapacityReservation",
+        "athena:GetExecutionEngine",
+        "athena:GetExecutionEngines",
+        "athena:GetNamedQuery",
+        "athena:GetNamespace",
+        "athena:GetNamespaces",
+        "athena:GetNotebookMetadata",
+        "athena:GetPreparedStatement",
+        "athena:GetQueryExecution",
+        "athena:GetQueryRuntimeStatistics",
+        "athena:GetSessionStatus",
+        "athena:GetWorkGroup",
+        "athena:ListWorkGroups",
+        "auditmanager:GetAssessment",
+        "auditmanager:GetAssessmentFramework",
+        "auditmanager:GetAssessmentReportUrl",
+        "auditmanager:GetChangeLogs",
+        "auditmanager:GetControl",
+        "auditmanager:GetDelegations",
+        "auditmanager:GetEvidence",
+        "auditmanager:GetEvidenceByEvidenceFolder",
+        "auditmanager:GetEvidenceFolder",
+        "auditmanager:GetEvidenceFoldersByAssessment",
+        "auditmanager:GetEvidenceFoldersByAssessmentControl",
+        "auditmanager:GetOrganizationAdminAccount",
+        "auditmanager:GetServicesInScope",
+        "auditmanager:GetSettings",
+        "auditmanager:ListKeywordsForDataSource",
+        "auditmanager:ValidateAssessmentReportIntegrity",
+        "autoscaling:GetPredictiveScalingForecast",
+        "backup:Describe*",
+        "backup:GetBackupPlan",
+        "backup:GetBackupPlanFromJSON",
+        "backup:GetBackupPlanFromTemplate",
+        "backup:GetBackupSelection",
+        "backup:GetBackupVaultSharingPolicy",
+        "backup:GetLegalHold",
+        "backup:GetRecoveryPointRestoreMetadata",
+        "backup:GetRestoreJobMetadata",
+        "backup:GetRestoreTestingInferredMetadata",
+        "backup:GetRestoreTestingPlan",
+        "backup:GetRestoreTestingSelection",
+        "backup:GetSupportedResourceTypes",
+        "backup:List*",
+        "batch:Describe*",
+        "batch:List*",
+        "budgets:Describe*",
+        "cloud9:ListTagsForResource",
+        "cloudformation:Describe*",
+        "cloudformation:DetectStackDrift",
+        "cloudformation:DetectStackResourceDrift",
+        "cloudformation:DetectStackSetDrift",
+        "cloudformation:EstimateTemplateCost",
+        "cloudformation:GetResource",
+        "cloudformation:GetResourceRequestStatus",
+        "cloudformation:GetTemplateSummary",
+        "cloudformation:List*",
+        "cloudfront:Describe*",
+        "cloudfront:GetDistribution",
+        "cloudfront:List*",
+        "cloudtrail:DescribeQuery",
+        "cloudtrail:GetChannel",
+        "cloudtrail:GetEventDataStore",
+        "cloudtrail:GetImport",
+        "cloudtrail:GetResourcePolicy",
+        "cloudtrail:GetServiceLinkedChannel",
+        "cloudtrail:List*",
+        "cloudwatch:GenerateQuery",
+        "cloudwatch:GetInsightRuleReport",
+        "cloudwatch:GetMetricData",
+        "cloudwatch:GetMetricStatistics",
+        "cloudwatch:GetMetricStream",
+        "cloudwatch:GetMetricWidgetImage",
+        "cloudwatch:GetService",
+        "cloudwatch:GetServiceData",
+        "cloudwatch:GetServiceLevelObjective",
+        "cloudwatch:GetTopologyDiscoveryStatus",
+        "cloudwatch:GetTopologyMap",
+        "cloudwatch:List*",
+        "codeartifact:Describe*",
+        "codeartifact:GetRepositoryEndpoint",
+        "codeartifact:List*",
+        "codebuild:BatchGetBuildBatches",
+        "codebuild:BatchGetBuilds",
+        "codebuild:BatchGetFleets",
+        "codebuild:BatchGetReportGroups",
+        "codebuild:Describe*",
+        "codebuild:List*",
+        "codeconnections:ListConnections",
+        "codeguru-profiler:DescribeProfilingGroup",
+        "codeguru-profiler:GetNotificationConfiguration",
+        "codeguru-profiler:GetPolicy",
+        "codeguru-profiler:List*",
+        "codeguru-reviewer:Describe*",
+        "codeguru-reviewer:List*",
+        "codepipeline:GetActionType",
+        "codepipeline:List*",
+        "connect:Describe*",
+        "connect:List*",
+        "databrew:Describe*",
+        "databrew:List*",
+        "dax:DescribeClusters",
+        "detective:BatchGetGraphMemberDatasources",
+        "detective:BatchGetMembershipDatasources",
+        "detective:GetFreeTrialEligibility",
+        "detective:GetInvestigation",
+        "detective:GetMembers",
+        "detective:GetUsageInformation",
+        "detective:List*",
+        "detective:SearchGraph",
+        "devicefarm:GetAccountSettings",
+        "devicefarm:GetDevice",
+        "devicefarm:GetDeviceInstance",
+        "devicefarm:GetDevicePool",
+        "devicefarm:GetDevicePoolCompatibility",
+        "devicefarm:GetInstanceProfile",
+        "devicefarm:GetNetworkProfile",
+        "devicefarm:GetOfferingStatus",
+        "devicefarm:GetProject",
+        "devicefarm:GetRemoteAccessSession",
+        "devicefarm:GetSuite",
+        "devicefarm:GetTestGridProject",
+        "devicefarm:GetTestGridSession",
+        "devicefarm:GetUpload",
+        "devicefarm:GetVPCEConfiguration",
+        "devicefarm:List*",
+        "devops-guru:Describe*",
+        "devops-guru:GetResourceCollection",
+        "devops-guru:List*",
+        "devops-guru:SearchInsights",
+        "dlm:Get*",
+        "dms:Describe*",
+        "dms:List*",
+        "dms:TestConnection",
+        "dynamodb:Describe*",
+        "dynamodb:GetResourcePolicy",
+        "dynamodb:List*"
+      ],
+      "Resource": "*",
+      "Effect": "Allow"
+    }
+  ]
+}