Merge branch 'master' of https://github.com/mattclay/aws-terminator i…

…nto ecs_policies
mattclay · Jun 7, 2022 · 4acd9dc · 4acd9dc
2 parents ba35199 + 225917a
commit 4acd9dc
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 21 deletions.
diff --git a/aws/policy/application-security.yaml b/aws/policy/application-security.yaml
@@ -34,7 +34,6 @@ Statement:
       - wafv2:DeleteFirewallManagerRuleGroups
       - wafv2:DisassociateFirewallManager
       - wafv2:UpdateIPSet
-      - wafv2:TagResource
     Resource:
       - 'arn:aws:wafv2:{{ aws_region }}:{{ aws_account_id }}:*'
 
@@ -110,6 +109,9 @@ Statement:
       - waf:UpdateSqlInjectionMatchSet
       - waf:UpdateWebACL
       - waf:UpdateXssMatchSet
+      - wafv2:ListTagsForResource
+      - wafv2:TagResource
+      - wafv2:UntagResource
     Resource: "*"
     Condition:
       StringEquals:

diff --git a/aws/policy/compute.yaml b/aws/policy/compute.yaml
@@ -114,13 +114,6 @@ Statement:
       - elasticloadbalancing:ModifyTargetGroupAttributes
       - elasticloadbalancing:ModifyRule
       - elasticloadbalancing:SetIpAddressType
-      - ecs:Describe*
-      - ecs:List*
-      - ecs:TagResource
-      - ecs:UntagResource
-      - ecs:PutAccountSetting
-      - ecs:RegisterTaskDefinition
-      - ecs:DeregisterTaskDefinition
     Resource:
       - "*"
 
@@ -131,19 +124,10 @@ Statement:
       - ec2:CreateVolume
       - elasticloadbalancing:CreateLoadBalancer
       - elasticloadbalancing:CreateRule
-      - ecs:RunTask
-      - ecs:StartTask
-      - ecs:StopTask
-      - ecs:DeleteCluster
-      - ecs:CreateService
-      - ecs:DeleteService
-      - ecs:UpdateService
-      - ecs:UpdateCluster
     Resource:
       - 'arn:aws:ec2:{{ aws_region }}:{{ aws_account_id }}:volume/*'
       - 'arn:aws:elasticloadbalancing:{{ aws_region }}:{{ aws_account_id }}:*'
       - 'arn:aws:autoscaling:{{ aws_region }}:{{ aws_account_id }}:autoScalingGroup*'
-      - 'arn:aws:ecs:{{ aws_region }}:{{ aws_account_id }}:*'
 
   - Sid: AllowGlobalResourceRestrictedActionsWhichIncurNoFees
     Effect: Allow

diff --git a/aws/policy/data-services.yaml b/aws/policy/data-services.yaml
@@ -21,11 +21,14 @@ Statement:
   - Sid: AllowGlobalResourceRestrictedActionsWhichIncurNoFees
     Effect: Allow
     Action:
+      - dms:AddTagsToResource
       - dms:CreateReplicationSubnetGroup
       - dms:DeleteEndpoint
-      - dms:ModifyEndpoint
       - dms:DeleteReplicationSubnetGroup
+      - dms:ListTagsForResource
+      - dms:ModifyEndpoint
       - dms:ModifyReplicationSubnetGroup
+      - dms:RemoveTagsFromResource
       - dynamodb:CreateTable
       - dynamodb:DeleteItem
       - dynamodb:DeleteTable
@@ -105,7 +108,9 @@ Statement:
       - rds:RestoreDBClusterFromSnapshot
       - rds:RestoreDBClusterFromS3
       - rds:PromoteReadReplicaDBCluster
+      - rds:CopyDBClusterSnapshot
     Resource:
+      - 'arn:aws:dms:{{ aws_region }}:{{ aws_account_id }}:endpoint:*'
       - 'arn:aws:dms:{{ aws_region }}:{{ aws_account_id }}:subgrp:*'
       - 'arn:aws:dynamodb:{{ aws_region }}:{{ aws_account_id }}:table/*'
       - 'arn:aws:elasticache:{{ aws_region }}:{{ aws_account_id }}:cluster:*'

diff --git a/aws/policy/paas.yaml b/aws/policy/paas.yaml
@@ -116,13 +116,13 @@ Statement:
       StringLike:
         lambda:FunctionArn:
           - arn:aws:lambda:{{ aws_region }}:{{ aws_account_id }}:function:*
-  
+
   - Sid: AllowGlobalUnrestrictedResourceActionsWhichIncurFees
     Effect: Allow
     Action:
       - ecs:CreateCluster
     Resource: "*"
-  
+
   - Sid: AllowGlobalUnrestrictedResourceActionsWhichIncurNoFees
     Effect: Allow
     Action:
@@ -135,7 +135,7 @@ Statement:
       - ecs:DeregisterTaskDefinition
     Resource:
       - "*"
-  
+
   - Sid: AllowGlobalRestrictedResourceActionsWhichIncurFees
     Effect: Allow
     Action: