diff --git a/main.tf b/main.tf
index 0262545..33ce5e1 100644
--- a/main.tf
+++ b/main.tf
@@ -29,11 +29,17 @@ resource "aws_iam_role_policy_attachment" "cloudbase_security_audit_policy" {
 policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
 }
-resource "aws_iam_role_policy" "cloudbase_cspm_read_policy" {
- name = "CloudbaseReadPolicy"
- role = aws_iam_role.cloudbase_role.id
+resource "aws_iam_role_policy_attachment" "cloudbase_cspm_read_policy" {
+ count = 4
+ role = aws_iam_role.cloudbase_role.id
+ policy_arn = aws_iam_policy.cloudbase_cspm_read_policy[count.index].arn
+}
+
+resource "aws_iam_policy" "cloudbase_cspm_read_policy" {
+ count = 4
+ name = "${var.cspm_policy_prefix}${count.index}"
- policy = file("${path.module}/policies/cspm_read.json")
+ policy = file("${path.module}/policies/cspm_read_${count.index}.json")
 }
 resource "aws_iam_role_policy" "cloudbase_container_scan_policy" {
diff --git a/policies/cspm_read.json b/policies/cspm_read.json
deleted file mode 100644
index 4d83aee..0000000
--- a/policies/cspm_read.json
+++ /dev/null
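Review bot: Moving from an inline role policy to `aws_iam_policy` makes the policy name account-global, so the default `CloudbaseCSPMPolicy_0..3` will fail with EntityAlreadyExists if this module is instantiated twice in one account, whereas the old inline `CloudbaseReadPolicy` was scoped to its role. Deriving the name from the role, e.g. `name = "${var.cspm_policy_prefix}${aws_iam_role.cloudbase_role.name}_${count.index}"`, or at minimum documenting the per-account uniqueness requirement on `cspm_policy_prefix`, avoids that. The hard-coded `count = 4` on both resources also has to be kept in sync with the files under `policies/` by hand; `count = length(fileset("${path.module}/policies", "cspm_read_*.json"))` removes the silent mismatch when a fifth chunk is added (presumably the split exists because of the 6,144-character managed-policy limit). A `description` on `aws_iam_policy` would make the four otherwise anonymous chunks attributable in the IAM console.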
@@ -1,135 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Action": [
- "account:GetAlternateContact",
- "account:GetContactInformation",
- "airflow:ListEnvironments",
- "apigateway:GET",
- "appflow:DescribeFlow",
- "appflow:ListFlows",
- "apprunner:ListServices",
- "athena:GetNamedQuery",
- "athena:GetQueryExecution",
- "athena:GetWorkGroup",
- "auditmanager:GetSettings",
- "backup:GetBackupPlan",
- "backup:GetBackupSelection",
- "backup:DescribeRegionSettings",
- "backup:ListBackupPlans",
- "backup:ListBackupVaults",
- "backup:ListBackupSelections",
- "backup:ListTags",
- "codeartifact:ListDomains",
- "codebuild:ListSourceCredentials",
- "codeconnections:ListConnections",
- "codepipeline:ListWebhooks",
- "codepipeline:ListTagsForResource",
- "connect:ListInstances",
- "databrew:ListJobs",
- "dax:DescribeClusters",
- "devops-guru:ListNotificationChannels",
- "dlm:GetLifecyclePolicies",
- "ec2:GetEbsDefaultKmsKeyId",
- "ec2:GetEbsEncryptionByDefault",
- "ecs:GetTaskProtection",
- "elasticTranscoder:ListJobsByPipeline",
- "elasticfilesystem:DescribeAccessPoints",
- "elastictranscoder:ListPipelines",
- "es:ListVpcEndpointAccess",
- "finspace:ListEnvironments",
- "forecast:ListDatasets",
- "forecast:ListForecastExportJobs",
- "frauddetector:GetDetectors",
- "frauddetector:GetKMSEncryptionKey",
- "geo:DescribeGeofenceCollection",
- "geo:DescribeTracker",
- "geo:ListGeofenceCollections",
- "geo:ListTrackers",
- "glue:GetSecurityConfigurations",
- "glue:GetTables",
- "glue:ListWorkflows",
- "guardduty:GetFindings",
- "guardduty:ListDetectors",
- "guardduty:ListFindings",
- "healthlake:ListFHIRDatastores",
- "iotsitewise:DescribeDefaultEncryptionConfiguration",
- "kafka:ListClusters",
- "kendra:ListIndices",
- "kinesisvideo:ListStreams",
- "kms:DescribeKey",
- "kms:GetKeyRotationStatus",
- "kms:ListAliases",
- "kms:ListKeys",
- "kms:ListResourceTags",
- "lambda:GetFunctionCodeSigningConfig",
- "lambda:GetRuntimeManagementConfig",
- "lex:DescribeBot",
- "lex:DescribeBotAlias",
- "lex:DescribeBotVersion",
- "lex:GetBot",
- "lex:GetBotVersions",
- "lex:GetBots",
- "lex:ListBotAliases",
- "lex:ListBotVersions",
- "lex:ListBots",
- "lex:ListTagsForResource",
- "lightsail:GetAlarms",
- "lightsail:GetBuckets",
- "lightsail:GetCertificates",
- "lightsail:GetContainerServices",
- "lightsail:GetDisks",
- "lightsail:GetDistributions",
- "lightsail:GetInstanceSnapshots",
- "lightsail:GetRelationalDatabaseSnapshots",
- "lightsail:GetRelationalDatabases",
- "lightsail:GetStaticIps",
- "logs:DescribeLogGroups",
- "logs:DescribeMetricFilters",
- "lookoutMetrics:DescribeAnomalyDetector",
- "lookoutequipment:ListDatasets",
- "lookoutmetrics:ListAnomalyDetectors",
- "lookoutvision:ListProjects",
- "managedblockchain:ListNetworks",
- "memorydb:DescribeClusters",
- "network-firewall:ListFirewallPolicies",
- "network-firewall:ListRuleGroups",
- "profile:ListDomains",
- "proton:ListEnvironmentTemplates",
- "qldb:ListLedgers",
- "securityhub:GetFindings",
- "servicequotas:ListServiceQuotas",
- "ses:ListEmailTemplates",
- "sns:GetSubscriptionAttributes",
- "sqs:GetQueueAttributes",
- "sqs:ListQueues",
- "ssm:GetServiceSetting",
- "ssm:GetInventory",
- "sts:GetCallerIdentity",
- "timestream:DescribeEndpoints",
- "timestream:ListDatabases",
- "voiceid:ListDomains",
- "waf-regional:GetRule",
- "waf-regional:GetLoggingConfiguration",
- "waf-regional:GetRuleGroup",
- "waf-regional:ListRateBasedRules",
- "waf-regional:ListRuleGroups",
- "waf-regional:ListRules",
- "waf:GetLoggingConfiguration",
- "waf:GetRule",
- "waf:GetRuleGroup",
- "waf:ListRuleGroups",
- "waf:ListRules",
- "waf:ListSubscribedRuleGroups",
- "wafv2:DescribeManagedRuleGroup",
- "wafv2:GetLoggingConfiguration",
- "wafv2:GetRuleGroup",
- "wafv2:GetWebACLForResource",
- "wisdom:ListAssistants"
- ],
- "Resource": "*",
- "Effect": "Allow"
- }
- ]
-}
diff --git a/policies/cspm_read_0.json b/policies/cspm_read_0.json
new file mode 100644
index 0000000..979fdd6
--- /dev/null
+++ b/policies/cspm_read_0.json 
@@ -0,0 +1,200 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Action": [
+ "access-analyzer:GetAccessPreview",
+ "access-analyzer:GetGeneratedPolicy",
+ "access-analyzer:List*",
+ "access-analyzer:ValidatePolicy",
+ "account:GetAlternateContact",
+ "account:GetContactInformation",
+ "account:GetPrimaryEmail",
+ "account:ListRegions",
+ "acm:DescribeCertificate",
+ "acm:GetAccountConfiguration",
+ "acm:List*",
+ "airflow:List*",
+ "amplify:GetApp",
+ "amplify:GetBranch",
+ "amplify:GetDomainAssociation",
+ "amplify:GetJob",
+ "amplify:List*",
+ "apigateway:GET",
+ "appconfig:GetApplication",
+ "appconfig:GetConfiguration",
+ "appconfig:GetConfigurationProfile",
+ "appconfig:GetDeployment",
+ "appconfig:GetDeploymentStrategy",
+ "appconfig:GetEnvironment",
+ "appconfig:GetHostedConfigurationVersion",
+ "appconfig:List*",
+ "appflow:Describe*",
+ "appflow:List*",
+ "apprunner:DescribeWebAclForService",
+ "apprunner:List*",
+ "appstream:Describe*",
+ "appstream:List*",
+ "appsync:GetApiAssociation",
+ "appsync:GetDataSource",
+ "appsync:GetDataSourceIntrospection",
+ "appsync:GetDomainName",
+ "appsync:GetGraphqlApi",
+ "appsync:GetIntrospectionSchema",
+ "appsync:GetResolver",
+ "appsync:GetResourcePolicy",
+ "appsync:GetSchemaCreationStatus",
+ "appsync:GetSourceApiAssociation",
+ "appsync:GetType",
+ "appsync:ListGraphqlApis",
+ "aps:Describe*",
+ "aps:GetAlertManagerSilence",
+ "aps:GetAlertManagerStatus",
+ "aps:GetDefaultScraperConfiguration",
+ "aps:GetLabels",
+ "aps:GetMetricMetadata",
+ "aps:List*",
+ "athena:GetCapacityAssignmentConfiguration",
+ "athena:GetCapacityReservation",
+ "athena:GetExecutionEngine",
+ "athena:GetExecutionEngines",
+ "athena:GetNamedQuery",
+ "athena:GetNamespace",
+ "athena:GetNamespaces",
+ "athena:GetNotebookMetadata",
+ "athena:GetPreparedStatement",
+ "athena:GetQueryExecution",
+ "athena:GetQueryRuntimeStatistics",
+ "athena:GetSessionStatus",
+ "athena:GetWorkGroup",
+ "athena:ListWorkGroups",
+ "auditmanager:GetAssessment",
+ "auditmanager:GetAssessmentFramework",
+ "auditmanager:GetAssessmentReportUrl",
+ "auditmanager:GetChangeLogs",
+ "auditmanager:GetControl",
+ "auditmanager:GetDelegations",
+ "auditmanager:GetEvidence",
+ "auditmanager:GetEvidenceByEvidenceFolder",
+ "auditmanager:GetEvidenceFolder",
+ "auditmanager:GetEvidenceFoldersByAssessment",
+ "auditmanager:GetEvidenceFoldersByAssessmentControl",
+ "auditmanager:GetOrganizationAdminAccount",
+ "auditmanager:GetServicesInScope",
+ "auditmanager:GetSettings",
+ "auditmanager:ListKeywordsForDataSource",
+ "auditmanager:ValidateAssessmentReportIntegrity",
+ "autoscaling:GetPredictiveScalingForecast",
+ "backup:Describe*",
+ "backup:GetBackupPlan",
+ "backup:GetBackupPlanFromJSON",
+ "backup:GetBackupPlanFromTemplate",
+ "backup:GetBackupSelection",
+ "backup:GetBackupVaultSharingPolicy",
+ "backup:GetLegalHold",
+ "backup:GetRecoveryPointRestoreMetadata",
+ "backup:GetRestoreJobMetadata",
+ "backup:GetRestoreTestingInferredMetadata",
+ "backup:GetRestoreTestingPlan",
+ "backup:GetRestoreTestingSelection",
+ "backup:GetSupportedResourceTypes",
+ "backup:List*",
+ "batch:Describe*",
+ "batch:List*",
+ "budgets:Describe*",
+ "cloud9:ListTagsForResource",
+ "cloudformation:Describe*",
+ "cloudformation:DetectStackDrift",
+ "cloudformation:DetectStackResourceDrift",
+ "cloudformation:DetectStackSetDrift",
+ "cloudformation:EstimateTemplateCost",
+ "cloudformation:GetResource",
+ "cloudformation:GetResourceRequestStatus",
+ "cloudformation:GetTemplateSummary",
+ "cloudformation:List*",
+ "cloudfront:Describe*",
+ "cloudfront:GetDistribution",
+ "cloudfront:List*",
+ "cloudtrail:DescribeQuery",
+ "cloudtrail:GetChannel",
+ "cloudtrail:GetEventDataStore",
+ "cloudtrail:GetImport",
+ "cloudtrail:GetResourcePolicy",
+ "cloudtrail:GetServiceLinkedChannel",
+ "cloudtrail:List*",
+ "cloudwatch:GenerateQuery",
+ "cloudwatch:GetInsightRuleReport",
+ "cloudwatch:GetMetricData",
+ "cloudwatch:GetMetricStatistics",
+ "cloudwatch:GetMetricStream",
+ "cloudwatch:GetMetricWidgetImage",
+ "cloudwatch:GetService",
+ "cloudwatch:GetServiceData",
+ "cloudwatch:GetServiceLevelObjective",
+ "cloudwatch:GetTopologyDiscoveryStatus",
+ "cloudwatch:GetTopologyMap",
+ "cloudwatch:List*",
+ "codeartifact:Describe*",
+ "codeartifact:GetRepositoryEndpoint",
+ "codeartifact:List*",
+ "codebuild:BatchGetBuildBatches",
+ "codebuild:BatchGetBuilds",
+ "codebuild:BatchGetFleets",
+ "codebuild:BatchGetReportGroups",
+ "codebuild:Describe*",
+ "codebuild:List*",
+ "codeconnections:ListConnections",
+ "codeguru-profiler:DescribeProfilingGroup",
+ "codeguru-profiler:GetNotificationConfiguration",
+ "codeguru-profiler:GetPolicy",
+ "codeguru-profiler:List*",
+ "codeguru-reviewer:Describe*",
+ "codeguru-reviewer:List*",
+ "codepipeline:GetActionType",
+ "codepipeline:List*",
+ "connect:Describe*",
+ "connect:List*",
+ "databrew:Describe*",
+ "databrew:List*",
+ "dax:DescribeClusters",
+ "detective:BatchGetGraphMemberDatasources",
+ "detective:BatchGetMembershipDatasources",
+ "detective:GetFreeTrialEligibility",
+ "detective:GetInvestigation",
+ "detective:GetMembers",
+ "detective:GetUsageInformation",
+ "detective:List*",
+ "detective:SearchGraph",
+ "devicefarm:GetAccountSettings",
+ "devicefarm:GetDevice",
+ "devicefarm:GetDeviceInstance",
+ "devicefarm:GetDevicePool",
+ "devicefarm:GetDevicePoolCompatibility",
+ "devicefarm:GetInstanceProfile",
+ "devicefarm:GetNetworkProfile",
+ "devicefarm:GetOfferingStatus",
+ "devicefarm:GetProject",
+ "devicefarm:GetRemoteAccessSession",
+ "devicefarm:GetSuite",
+ "devicefarm:GetTestGridProject",
+ "devicefarm:GetTestGridSession",
+ "devicefarm:GetUpload",
+ "devicefarm:GetVPCEConfiguration",
+ "devicefarm:List*",
+ "devops-guru:Describe*",
+ "devops-guru:GetResourceCollection",
+ "devops-guru:List*",
+ "devops-guru:SearchInsights",
+ "dlm:Get*",
+ "dms:Describe*",
+ "dms:List*",
+ "dms:TestConnection",
+ "dynamodb:Describe*",
+ "dynamodb:GetResourcePolicy",
+ "dynamodb:List*"
+ ],
+ "Resource": "*",
+ "Effect": "Allow"
+ }
+ ]
+}
diff --git a/policies/cspm_read_1.json b/policies/cspm_read_1.json
new file mode 100644
index 0000000..9b840ad
--- /dev/null
+++ b/policies/cspm_read_1.json
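Review bot: Several entries in this statement exceed the configuration metadata a posture scan needs: `appconfig:GetConfiguration` and `appconfig:GetHostedConfigurationVersion` return the configuration payload itself (which frequently carries secrets), and `cloudformation:DetectStackDrift`/`DetectStackResourceDrift`/`DetectStackSetDrift` and `dms:TestConnection` initiate operations against the account's resources even though AWS files them under the Read access level. Unless Cloudbase documents a need for the AppConfig content, the metadata calls already granted here (`appconfig:GetApplication`, `GetEnvironment`, `GetConfigurationProfile`, `List*`) should suffice, and the drift/connection-test actions can be dropped. The statement also has no `Sid`; since JSON carries no comments, `"Sid": "CloudbaseCspmRead0"` is the only way to label what this chunk is and to tell the four generated policies apart in IAM tooling.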
@@ -0,0 +1,211 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Action": [
+ "ec2:GetAssociatedEnclaveCertificateIamRoles",
+ "ec2:GetAssociatedIpv6PoolCidrs",
+ "ec2:GetAwsNetworkPerformanceData",
+ "ec2:GetCapacityReservationUsage",
+ "ec2:GetCoipPoolUsage",
+ "ec2:GetDefaultCreditSpecification",
+ "ec2:GetEbsDefaultKmsKeyId",
+ "ec2:GetEbsEncryptionByDefault",
+ "ec2:GetFlowLogsIntegrationTemplate",
+ "ec2:GetGroupsForCapacityReservation",
+ "ec2:GetHostReservationPurchasePreview",
+ "ec2:GetInstanceMetadataDefaults",
+ "ec2:GetInstanceTpmEkPub",
+ "ec2:GetInstanceTypesFromInstanceRequirements",
+ "ec2:GetIpamAddressHistory",
+ "ec2:GetIpamDiscoveredAccounts",
+ "ec2:GetIpamDiscoveredPublicAddresses",
+ "ec2:GetIpamDiscoveredResourceCidrs",
+ "ec2:GetIpamPoolAllocations",
+ "ec2:GetIpamPoolCidrs",
+ "ec2:GetIpamResourceCidrs",
+ "ec2:GetLaunchTemplateData",
+ "ec2:GetReservedInstancesExchangeQuote",
+ "ec2:GetResourcePolicy",
+ "ec2:GetSecurityGroupsForVpc",
+ "ec2:GetSerialConsoleAccessStatus",
+ "ec2:GetSnapshotBlockPublicAccessState",
+ "ec2:GetSpotPlacementScores",
+ "ec2:GetSubnetCidrReservations",
+ "ec2:GetTransitGatewayPolicyTableAssociations",
+ "ec2:GetTransitGatewayPolicyTableEntries",
+ "ec2:GetVerifiedAccessEndpointPolicy",
+ "ec2:GetVerifiedAccessGroupPolicy",
+ "ec2:GetVerifiedAccessInstanceWebAcl",
+ "ec2:GetVpnConnectionDeviceSampleConfiguration",
+ "ec2:GetVpnConnectionDeviceTypes",
+ "ec2:GetVpnTunnelReplacementStatus",
+ "ec2:List*",
+ "ec2:SearchLocalGatewayRoutes",
+ "ecr:Describe*",
+ "ecr:GetLifecyclePolicyPreview",
+ "ecs:DescribeTaskDefinition",
+ "ecs:GetTaskProtection",
+ "ecs:ListTaskDefinitions",
+ "eks:Describe*",
+ "eks:List*",
+ "elasticache:Describe*",
+ "elasticache:List*",
+ "elasticbeanstalk:CheckDNSAvailability",
+ "elasticbeanstalk:Describe*",
+ "elasticbeanstalk:List*",
+ "elasticbeanstalk:ValidateConfigurationSettings",
+ "elasticfilesystem:DescribeAccessPoints",
+ "elasticfilesystem:ListTagsForResource",
+ "elastictranscoder:List*",
+ "elastictranscoder:ReadPipeline",
+ "elastictranscoder:ReadPreset",
+ "es:GetCompatibleElasticsearchVersions",
+ "es:GetDataSource",
+ "es:GetDomainMaintenanceStatus",
+ "es:GetPackageVersionHistory",
+ "es:GetUpgradeHistory",
+ "es:GetUpgradeStatus",
+ "es:List*",
+ "events:List*",
+ "evidently:GetExperiment",
+ "evidently:GetFeature",
+ "evidently:GetLaunch",
+ "evidently:GetProject",
+ "evidently:GetSegment",
+ "evidently:List*",
+ "evidently:TestSegmentPattern",
+ "finspace:ListEnvironments",
+ "fis:Get*",
+ "fis:List*",
+ "forecast:Describe*",
+ "forecast:List*",
+ "frauddetector:BatchGetVariable",
+ "frauddetector:Describe*",
+ "frauddetector:GetBatchImportJobs",
+ "frauddetector:GetBatchPredictionJobs",
+ "frauddetector:GetDetectorVersion",
+ "frauddetector:GetDetectors",
+ "frauddetector:GetEntityTypes",
+ "frauddetector:GetEvent",
+ "frauddetector:GetEventTypes",
+ "frauddetector:GetExternalModels",
+ "frauddetector:GetKMSEncryptionKey",
+ "frauddetector:GetLabels",
+ "frauddetector:GetListElements",
+ "frauddetector:GetListsMetadata",
+ "frauddetector:GetModelVersion",
+ "frauddetector:GetModels",
+ "frauddetector:GetVariables",
+ "frauddetector:List*",
+ "geo:Describe*",
+ "geo:List*",
+ "glacier:DescribeJob",
+ "glacier:GetVaultNotifications",
+ "glacier:List*",
+ "glue:BatchGetCrawlers",
+ "glue:BatchGetDevEndpoints",
+ "glue:BatchGetJobs",
+ "glue:BatchGetPartition",
+ "glue:BatchGetTableOptimizer",
+ "glue:BatchGetTriggers",
+ "glue:BatchGetWorkflows",
+ "glue:GetClassifier",
+ "glue:GetClassifiers",
+ "glue:GetCrawler",
+ "glue:GetDatabase",
+ "glue:GetDevEndpoint",
+ "glue:GetJob",
+ "glue:GetJobRun",
+ "glue:GetJobRuns",
+ "glue:GetMLTransform",
+ "glue:GetMLTransforms",
+ "glue:GetPartition",
+ "glue:GetPartitions",
+ "glue:GetRegistry",
+ "glue:GetSchema",
+ "glue:GetSchemaByDefinition",
+ "glue:GetSchemaVersion",
+ "glue:GetSecurityConfigurations",
+ "glue:GetTable",
+ "glue:GetTableOptimizer",
+ "glue:GetTableVersion",
+ "glue:GetTableVersions",
+ "glue:GetTables",
+ "glue:GetTrigger",
+ "glue:GetTriggers",
+ "glue:GetUserDefinedFunction",
+ "glue:GetUserDefinedFunctions",
+ "glue:GetWorkflow",
+ "glue:List*",
+ "glue:QuerySchemaVersionMetadata",
+ "glue:SearchTables",
+ "grafana:Describe*",
+ "grafana:List*",
+ "guardduty:Describe*",
+ "guardduty:GetFindings",
+ "guardduty:List*",
+ "healthlake:ListFHIRDatastores",
+ "iam:GetAccountAuthorizationDetails",
+ "imagebuilder:GetComponent",
+ "imagebuilder:GetComponentPolicy",
+ "imagebuilder:GetContainerRecipe",
+ "imagebuilder:GetContainerRecipePolicy",
+ "imagebuilder:GetDistributionConfiguration",
+ "imagebuilder:GetImage",
+ "imagebuilder:GetImagePipeline",
+ "imagebuilder:GetImagePolicy",
+ "imagebuilder:GetImageRecipe",
+ "imagebuilder:GetImageRecipePolicy",
+ "imagebuilder:GetInfrastructureConfiguration",
+ "imagebuilder:GetLifecyclePolicy",
+ "imagebuilder:GetWorkflow",
+ "imagebuilder:List*",
+ "iotanalytics:Describe*",
+ "iotanalytics:List*",
+ "iotevents:Describe*",
+ "iotevents:List*",
+ "iotsitewise:Describe*",
+ "iotsitewise:List*",
+ "iotwireless:GetDestination",
+ "iotwireless:GetDeviceProfile",
+ "iotwireless:GetEventConfigurationByResourceTypes",
+ "iotwireless:GetFuotaTask",
+ "iotwireless:GetLogLevelsByResourceTypes",
+ "iotwireless:GetMetricConfiguration",
+ "iotwireless:GetMulticastGroup",
+ "iotwireless:GetMulticastGroupSession",
+ "iotwireless:GetNetworkAnalyzerConfiguration",
+ "iotwireless:GetPositionConfiguration",
+ "iotwireless:GetResourceEventConfiguration",
+ "iotwireless:GetServiceProfile",
+ "iotwireless:GetWirelessDevice",
+ "iotwireless:GetWirelessDeviceImportTask",
+ "iotwireless:GetWirelessDeviceStatistics",
+ "iotwireless:GetWirelessGateway",
+ "iotwireless:GetWirelessGatewayFirmwareInformation",
+ "iotwireless:GetWirelessGatewayStatistics",
+ "iotwireless:GetWirelessGatewayTask",
+ "iotwireless:GetWirelessGatewayTaskDefinition",
+ "iotwireless:List*",
+ "ivs:BatchGetChannel",
+ "ivs:GetChannel",
+ "ivs:GetComposition",
+ "ivs:GetEncoderConfiguration",
+ "ivs:GetPlaybackRestrictionPolicy",
+ "ivs:GetRecordingConfiguration",
+ "ivs:GetStage",
+ "ivs:GetStreamSession",
+ "ivs:List*",
+ "kafka:DescribeClusterV2",
+ "kafka:GetClusterPolicy",
+ "kafka:List*",
+ "kendra:Describe*",
+ "kendra:List*",
+ "kinesis:GetResourcePolicy"
+ ],
+ "Resource": "*",
+ "Effect": "Allow"
+ }
+ ]
+}
diff --git a/policies/cspm_read_2.json b/policies/cspm_read_2.json
new file mode 100644
index 0000000..80949ec
--- /dev/null
+++ b/policies/cspm_read_2.json
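Review bot: The Glue grant widens from the removed policy's `GetSecurityConfigurations`/`GetTables`/`ListWorkflows` to the full job and endpoint definitions (`glue:GetJob`, `GetJobRun(s)`, `GetDevEndpoint`, `BatchGetJobs`, `BatchGetDevEndpoints`, `GetMLTransform`), and those objects carry job arguments and endpoint settings where teams routinely put connection strings and credentials. If the posture checks only need the security configuration, catalog encryption and workflow inventory, trimming the list back to the catalog/security calls plus `glue:List*` would keep this a metadata-only role. Separately, the statement enumerates ec2 `Get*` actions one by one but then grants the open-ended `ec2:List*`, `glue:List*`, `guardduty:List*`, etc.; that is reasonable for List, but worth a `"Sid": "CloudbaseCspmRead1"` so the intent ("metadata only") is recorded somewhere in a file that cannot hold comments.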
@@ -0,0 +1,196 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Action": [
+ "kinesisvideo:ListStreams",
+ "kms:DescribeKey",
+ "kms:GetKeyRotationStatus",
+ "kms:List*",
+ "lambda:GetAlias",
+ "lambda:GetEventSourceMapping",
+ "lambda:GetFunctionCodeSigningConfig",
+ "lambda:GetFunctionConcurrency",
+ "lambda:GetFunctionRecursionConfig",
+ "lambda:GetProvisionedConcurrencyConfig",
+ "lambda:GetRuntimeManagementConfig",
+ "lex:Describe*",
+ "lex:GetBot",
+ "lex:GetBotAlias",
+ "lex:GetBotAliases",
+ "lex:GetBotVersions",
+ "lex:GetBots",
+ "lex:GetIntentVersions",
+ "lex:GetSlotTypeVersions",
+ "lex:List*",
+ "lightsail:GetActiveNames",
+ "lightsail:GetAlarms",
+ "lightsail:GetAutoSnapshots",
+ "lightsail:GetBlueprints",
+ "lightsail:GetBucketBundles",
+ "lightsail:GetBucketMetricData",
+ "lightsail:GetBuckets",
+ "lightsail:GetBundles",
+ "lightsail:GetCertificates",
+ "lightsail:GetCloudFormationStackRecords",
+ "lightsail:GetContainerImages",
+ "lightsail:GetContainerServiceDeployments",
+ "lightsail:GetContainerServiceMetricData",
+ "lightsail:GetContainerServicePowers",
+ "lightsail:GetContainerServices",
+ "lightsail:GetDisk",
+ "lightsail:GetDiskSnapshot",
+ "lightsail:GetDisks",
+ "lightsail:GetDistributionBundles",
+ "lightsail:GetDistributionMetricData",
+ "lightsail:GetDistributions",
+ "lightsail:GetDomain",
+ "lightsail:GetDomains",
+ "lightsail:GetExportSnapshotRecords",
+ "lightsail:GetInstance",
+ "lightsail:GetInstanceMetricData",
+ "lightsail:GetInstancePortStates",
+ "lightsail:GetInstanceSnapshot",
+ "lightsail:GetInstanceSnapshots",
+ "lightsail:GetInstanceState",
+ "lightsail:GetKeyPair",
+ "lightsail:GetKeyPairs",
+ "lightsail:GetLoadBalancer",
+ "lightsail:GetLoadBalancerMetricData",
+ "lightsail:GetOperation",
+ "lightsail:GetOperations",
+ "lightsail:GetOperationsForResource",
+ "lightsail:GetRegions",
+ "lightsail:GetRelationalDatabase",
+ "lightsail:GetRelationalDatabaseBlueprints",
+ "lightsail:GetRelationalDatabaseBundles",
+ "lightsail:GetRelationalDatabaseEvents",
+ "lightsail:GetRelationalDatabaseLogEvents",
+ "lightsail:GetRelationalDatabaseLogStreams",
+ "lightsail:GetRelationalDatabaseMetricData",
+ "lightsail:GetRelationalDatabaseParameters",
+ "lightsail:GetRelationalDatabaseSnapshot",
+ "lightsail:GetRelationalDatabaseSnapshots",
+ "lightsail:GetRelationalDatabases",
+ "lightsail:GetStaticIp",
+ "lightsail:GetStaticIps",
+ "lightsail:IsVpcPeered",
+ "logs:Describe*",
+ "logs:FilterLogEvents",
+ "logs:Get*",
+ "logs:List*",
+ "logs:TestMetricFilter",
+ "lookoutequipment:Describe*",
+ "lookoutequipment:List*",
+ "lookoutmetrics:Describe*",
+ "lookoutmetrics:Get*",
+ "lookoutmetrics:List*",
+ "lookoutvision:Describe*",
+ "lookoutvision:List*",
+ "m2:GetApplication",
+ "m2:GetApplicationVersion",
+ "m2:GetBatchJobExecution",
+ "m2:GetDataSetDetails",
+ "m2:GetDataSetImportTask",
+ "m2:GetDeployment",
+ "m2:GetEnvironment",
+ "m2:List*",
+ "managedblockchain:GetMember",
+ "managedblockchain:GetNetwork",
+ "managedblockchain:GetNode",
+ "managedblockchain:GetProposal",
+ "managedblockchain:List*",
+ "mediapackage:Describe*",
+ "mediapackage:List*",
+ "memorydb:Describe*",
+ "memorydb:ListTags",
+ "mq:DescribeBroker",
+ "mq:ListBrokers",
+ "network-firewall:Describe*",
+ "network-firewall:List*",
+ "networkmanager:GetConnectAttachment",
+ "networkmanager:GetConnectPeer",
+ "networkmanager:GetConnectPeerAssociations",
+ "networkmanager:GetConnections",
+ "networkmanager:GetCoreNetwork",
+ "networkmanager:GetCoreNetworkChangeEvents",
+ "networkmanager:GetCoreNetworkChangeSet",
+ "networkmanager:GetCoreNetworkPolicy",
+ "networkmanager:GetCustomerGatewayAssociations",
+ "networkmanager:GetLinkAssociations",
+ "networkmanager:GetLinks",
+ "networkmanager:GetNetworkResourceCounts",
+ "networkmanager:GetNetworkResourceRelationships",
+ "networkmanager:GetNetworkResources",
+ "networkmanager:GetNetworkRoutes",
+ "networkmanager:GetNetworkTelemetry",
+ "networkmanager:GetResourcePolicy",
+ "networkmanager:GetRouteAnalysis",
+ "networkmanager:GetSiteToSiteVpnAttachment",
+ "networkmanager:GetSites",
+ "networkmanager:GetTransitGatewayConnectPeerAssociations",
+ "networkmanager:GetTransitGatewayPeering",
+ "networkmanager:GetTransitGatewayRegistrations",
+ "networkmanager:GetTransitGatewayRouteTableAttachment",
+ "networkmanager:GetVpcAttachment",
+ "networkmanager:List*",
+ "profile:ListDomains",
+ "proton:GetDeployment",
+ "proton:GetEnvironment",
+ "proton:GetEnvironmentTemplate",
+ "proton:GetEnvironmentTemplateVersion",
+ "proton:GetService",
+ "proton:GetServiceInstance",
+ "proton:GetServiceTemplate",
+ "proton:GetServiceTemplateVersion",
+ "proton:List*",
+ "qldb:DescribeJournalKinesisStream",
+ "qldb:Get*",
+ "qldb:List*",
+ "rds:Describe*",
+ "redshift:GetReservedNodeExchangeOfferings",
+ "redshift:ListRecommendations",
+ "resiliencehub:Describe*",
+ "resiliencehub:List*",
+ "resource-explorer-2:BatchGetView",
+ "resource-explorer-2:GetDefaultView",
+ "resource-explorer-2:GetIndex",
+ "resource-explorer-2:GetView",
+ "resource-explorer-2:List*",
+ "resource-explorer-2:Search",
+ "robomaker:BatchDescribeSimulationJob",
+ "robomaker:GetWorldTemplateBody",
+ "route53-recovery-cluster:GetRoutingControlState",
+ "route53-recovery-cluster:ListRoutingControls",
+ "route53-recovery-control-config:Describe*",
+ "route53-recovery-control-config:GetResourcePolicy",
+ "route53-recovery-control-config:List*",
+ "route53-recovery-readiness:Get*",
+ "route53-recovery-readiness:List*",
+ "route53:GetHostedZone",
+ "route53:List*",
+ "route53:TestDNSAnswer",
+ "route53domains:CheckDomainAvailability",
+ "route53domains:CheckDomainTransferability",
+ "route53domains:GetContactReachabilityStatus",
+ "route53domains:GetDomainSuggestions",
+ "route53domains:ListPrices",
+ "route53profiles:GetProfile",
+ "route53profiles:GetProfileAssociation",
+ "route53profiles:GetProfileResourceAssociation",
+ "route53profiles:List*",
+ "rum:GetAppMonitor",
+ "rum:ListAppMonitors",
+ "s3-object-lambda:GetObjectAcl",
+ "s3-object-lambda:GetObjectLegalHold",
+ "s3-object-lambda:GetObjectRetention",
+ "s3-object-lambda:GetObjectTagging",
+ "s3-object-lambda:GetObjectVersionAcl",
+ "s3-object-lambda:GetObjectVersionTagging",
+ "s3-object-lambda:List*"
+ ],
+ "Resource": "*",
+ "Effect": "Allow"
+ }
+ ]
+}
diff --git a/policies/cspm_read_3.json b/policies/cspm_read_3.json
new file mode 100644
index 0000000..005951c
--- /dev/null
+++ b/policies/cspm_read_3.json
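Review bot: `logs:Get*` and `logs:FilterLogEvents` grant the role the contents of every CloudWatch log group (`GetLogEvents`, `GetLogRecord`, `GetQueryResults`), which is application data rather than posture configuration; the removed policy had only `logs:DescribeLogGroups` and `logs:DescribeMetricFilters`, and retention/encryption/metric-filter checks are satisfied by `logs:Describe*` plus `logs:List*`. Unless Cloudbase documents a need to read log events, replace the two with the one content-free Get that is security-relevant, `"logs:GetDataProtectionPolicy"`. The same pattern recurs in this chunk with `lightsail:GetRelationalDatabaseLogEvents` and `qldb:Get*` (ledger blocks/revisions), which are likewise data reads and can presumably be narrowed to the Describe/List forms.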
@@ -0,0 +1,182 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Action": [
+ "s3-outposts:GetAccessPoint",
+ "s3-outposts:GetAccessPointPolicy",
+ "s3-outposts:GetBucket",
+ "s3-outposts:GetBucketPolicy",
+ "s3-outposts:GetBucketTagging",
+ "s3-outposts:GetLifecycleConfiguration",
+ "s3-outposts:List*",
+ "s3:DescribeJob",
+ "s3:GetAccessGrant",
+ "s3:GetAccessGrantsInstance",
+ "s3:GetAccessGrantsInstanceForPrefix",
+ "s3:GetAccessGrantsInstanceResourcePolicy",
+ "s3:GetAccessGrantsLocation",
+ "s3:GetAccessPointConfigurationForObjectLambda",
+ "s3:GetAccessPointForObjectLambda",
+ "s3:GetAccessPointPolicyForObjectLambda",
+ "s3:GetAccessPointPolicyStatusForObjectLambda",
+ "s3:GetBucketLocation",
+ "s3:GetBucketLogging",
+ "s3:GetBucketNotification",
+ "s3:GetBucketOwnershipControls",
+ "s3:GetBucketPolicy",
+ "s3:GetBucketPolicyStatus",
+ "s3:GetBucketPublicAccessBlock",
+ "s3:GetBucketTagging",
+ "s3:GetBucketVersioning",
+ "s3:GetIntelligentTieringConfiguration",
+ "s3:GetJobTagging",
+ "s3:GetMultiRegionAccessPoint",
+ "s3:GetMultiRegionAccessPointPolicyStatus",
+ "s3:GetMultiRegionAccessPointRoutes",
+ "s3:GetObjectLegalHold",
+ "s3:GetObjectRetention",
+ "s3:GetObjectTagging",
+ "s3:GetObjectVersionForReplication",
+ "s3:GetObjectVersionTagging",
+ "s3:GetReplicationConfiguration",
+ "s3:GetStorageLensConfiguration",
+ "s3:GetStorageLensConfigurationTagging",
+ "s3:GetStorageLensDashboard",
+ "s3:GetStorageLensGroup",
+ "s3:List*",
+ "securityhub:BatchGetControlEvaluations",
+ "securityhub:BatchGetSecurityControls",
+ "securityhub:BatchGetStandardsControlAssociations",
+ "securityhub:GetFindings",
+ "servicecatalog:Describe*",
+ "servicecatalog:GetApplication",
+ "servicecatalog:GetAttributeGroup",
+ "servicecatalog:List*",
+ "servicecatalog:ScanProvisionedProducts",
+ "servicecatalog:SearchProducts",
+ "servicecatalog:SearchProductsAsAdmin",
+ "servicecatalog:SearchProvisionedProducts",
+ "servicediscovery:DiscoverInstances",
+ "servicediscovery:DiscoverInstancesRevision",
+ "servicediscovery:Get*",
+ "servicediscovery:List*",
+ "servicequotas:ListServiceQuotas",
+ "ses:BatchGetMetricData",
+ "ses:GetAddonInstance",
+ "ses:GetAddonSubscription",
+ "ses:GetArchive",
+ "ses:GetArchiveExport",
+ "ses:GetArchiveSearch",
+ "ses:GetContactList",
+ "ses:GetDeliverabilityDashboardOptions",
+ "ses:GetEmailIdentityPolicies",
+ "ses:GetExportJob",
+ "ses:GetImportJob",
+ "ses:GetIngressPoint",
+ "ses:GetRelay",
+ "ses:GetRuleSet",
+ "ses:GetSendQuota",
+ "ses:GetSendStatistics",
+ "ses:GetTrafficPolicy",
+ "ses:List*",
+ "signer:DescribeSigningJob",
+ "signer:GetSigningPlatform",
+ "signer:GetSigningProfile",
+ "signer:List*",
+ "sns:CheckIfPhoneNumberIsOptedOut",
+ "sns:GetDataProtectionPolicy",
+ "sns:GetEndpointAttributes",
+ "sns:GetSMSAttributes",
+ "sns:GetSMSSandboxAccountStatus",
+ "sns:GetSubscriptionAttributes",
+ "sns:List*",
+ "sqs:Get*",
+ "sqs:List*",
+ "ssm:GetCalendarState",
+ "ssm:GetCommandInvocation",
+ "ssm:GetConnectionStatus",
+ "ssm:GetDefaultPatchBaseline",
+ "ssm:GetDeployablePatchSnapshotForInstance",
+ "ssm:GetDocument",
+ "ssm:GetInventory",
+ "ssm:GetInventorySchema",
+ "ssm:GetMaintenanceWindow",
+ "ssm:GetMaintenanceWindowExecution",
+ "ssm:GetMaintenanceWindowExecutionTask",
+ "ssm:GetMaintenanceWindowExecutionTaskInvocation",
+ "ssm:GetMaintenanceWindowTask",
+ "ssm:GetManifest",
+ "ssm:GetOpsItem",
+ "ssm:GetOpsMetadata",
+ "ssm:GetOpsSummary",
+ "ssm:GetParameter",
+ "ssm:GetParameterHistory",
+ "ssm:GetParameters",
+ "ssm:GetParametersByPath",
+ "ssm:GetPatchBaseline",
+ "ssm:GetPatchBaselineForPatchGroup",
+ "ssm:GetResourcePolicies",
+ "ssm:GetServiceSetting",
+ "ssm:List*",
+ "states:Describe*",
+ "states:GetExecutionHistory",
+ "states:List*",
+ "sts:GetCallerIdentity",
+ "timestream:Describe*",
+ "timestream:List*",
+ "transfer:TestIdentityProvider",
+ "voiceid:ListDomains",
+ "waf-regional:GetByteMatchSet",
+ "waf-regional:GetChangeToken",
+ "waf-regional:GetChangeTokenStatus",
+ "waf-regional:GetGeoMatchSet",
+ "waf-regional:GetIPSet",
+ "waf-regional:GetLoggingConfiguration",
+ "waf-regional:GetPermissionPolicy",
+ "waf-regional:GetRateBasedRule",
+ "waf-regional:GetRegexMatchSet",
+ "waf-regional:GetRegexPatternSet",
+ "waf-regional:GetRule",
+ "waf-regional:GetRuleGroup",
+ "waf-regional:GetSampledRequests",
+ "waf-regional:GetSizeConstraintSet",
+ "waf-regional:GetSqlInjectionMatchSet",
+ "waf-regional:GetWebACLForResource",
+ "waf-regional:GetXssMatchSet",
+ "waf-regional:List*",
+ "waf:GetByteMatchSet",
+ "waf:GetChangeTokenStatus",
+ "waf:GetGeoMatchSet",
+ "waf:GetIPSet",
+ "waf:GetLoggingConfiguration",
+ "waf:GetPermissionPolicy",
+ "waf:GetRateBasedRule",
+ "waf:GetRegexMatchSet",
+ "waf:GetRegexPatternSet",
+ "waf:GetRule",
+ "waf:GetRuleGroup",
+ "waf:GetSampledRequests",
+ "waf:GetSizeConstraintSet",
+ "waf:GetSqlInjectionMatchSet",
+ "waf:GetXssMatchSet",
+ "waf:List*",
+ "wafv2:CheckCapacity",
+ "wafv2:Describe*",
+ "wafv2:GetIPSet",
+ "wafv2:GetLoggingConfiguration",
+ "wafv2:GetManagedRuleSet",
+ "wafv2:GetMobileSdkRelease",
+ "wafv2:GetPermissionPolicy",
+ "wafv2:GetRegexPatternSet",
+ "wafv2:GetRuleGroup",
+ "wafv2:GetSampledRequests",
+ "wafv2:GetWebACLForResource",
+ "wafv2:List*",
+ "wisdom:ListAssistants"
+ ],
+ "Resource": "*",
+ "Effect": "Allow"
+ }
+ ]
+}
diff --git a/variables.tf b/variables.tf
index fb4551f..f9ec976 100644
--- a/variables.tf
+++ b/variables.tf
@@ -9,6 +9,12 @@ variable "role_name" {
 description = "(optional) Role name to connect Cloudbase"
 }
+variable "cspm_policy_prefix" {
+ type = string
+ default = "CloudbaseCSPMPolicy_"
+ description = "(optional) Policy name prefix to connect Cloudbase"
+}
+
+variable "allow_container_scan_permissions" {
 default = false
 description = "(optional) allow actions needed to scan container images. e.g) ecr:BatchGetImage"
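Review bot: `ssm:GetParameter`, `ssm:GetParameters`, `ssm:GetParametersByPath` and `ssm:GetParameterHistory` return parameter values, not metadata: String/StringList values come back in plaintext, and SecureString values decrypt if any other attachment on this role carries `kms:Decrypt`, so this chunk effectively turns a posture role into a secrets reader. A parameter-encryption/tier check only needs `"ssm:DescribeParameters"` (which reports Type and KeyId), so the four Get actions should be swapped for that one unless Cloudbase documents a need for values. The same data-versus-metadata concern applies to `ssm:GetDocument`/`GetCommandInvocation` (document bodies and command output), `states:GetExecutionHistory` (execution input/output payloads) and the three `*:GetSampledRequests` (sampled request headers); `s3:List*` also covers `ListBucket`, i.e. object-key enumeration, where `s3:ListAllMyBuckets` plus the bucket-level Gets already here may be all the bucket checks require.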
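Review bot: `cspm_policy_prefix` is concatenated straight into `aws_iam_policy.name`, so a value with characters outside the IAM name set or one that pushes the name past 128 characters only fails at apply time, after the old inline policy has already been planned away; a `validation` block catches that at plan time. The description should also say the prefix must be unique per AWS account, since managed-policy names are account-global (unlike the inline role policy this replaces).
```hcl
variable "cspm_policy_prefix" {
  # … unchanged: type / default …
  description = "(optional) Policy name prefix to connect Cloudbase; the resulting names must be unique within the AWS account"

  validation {
    condition     = can(regex("^[\\w+=,.@-]{1,127}$", var.cspm_policy_prefix))
    error_message = "cspm_policy_prefix must use only IAM policy-name characters ([A-Za-z0-9_+=,.@-]) and be at most 127 characters so the chunk index still fits."
  }
}
```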