diff --git a/aws/policy/application-security.yaml b/aws/policy/application-security.yaml
index e42f56c9..c09055c7 100644
--- a/aws/policy/application-security.yaml
+++ b/aws/policy/application-security.yaml
@@ -34,7 +34,6 @@ Statement:
 - wafv2:DeleteFirewallManagerRuleGroups
 - wafv2:DisassociateFirewallManager
 - wafv2:UpdateIPSet
- - wafv2:TagResource
 Resource:
 - 'arn:aws:wafv2:{{ aws_region }}:{{ aws_account_id }}:*'
@@ -110,6 +109,9 @@ Statement:
 - waf:UpdateSqlInjectionMatchSet
 - waf:UpdateWebACL
 - waf:UpdateXssMatchSet
+ - wafv2:ListTagsForResource
+ - wafv2:TagResource
+ - wafv2:UntagResource
 Resource: "*"
 Condition:
 StringEquals:
diff --git a/aws/policy/compute.yaml b/aws/policy/compute.yaml
index b8caa119..9044640d 100644
--- a/aws/policy/compute.yaml
+++ b/aws/policy/compute.yaml
@@ -114,13 +114,6 @@ Statement:
 - elasticloadbalancing:ModifyTargetGroupAttributes
 - elasticloadbalancing:ModifyRule
 - elasticloadbalancing:SetIpAddressType
- - ecs:Describe*
- - ecs:List*
- - ecs:TagResource
- - ecs:UntagResource
- - ecs:PutAccountSetting
- - ecs:RegisterTaskDefinition
- - ecs:DeregisterTaskDefinition
 Resource:
 - "*"
@@ -131,19 +124,10 @@ Statement:
 - ec2:CreateVolume
 - elasticloadbalancing:CreateLoadBalancer
 - elasticloadbalancing:CreateRule
- - ecs:RunTask
- - ecs:StartTask
- - ecs:StopTask
- - ecs:DeleteCluster
- - ecs:CreateService
- - ecs:DeleteService
- - ecs:UpdateService
- - ecs:UpdateCluster
 Resource:
 - 'arn:aws:ec2:{{ aws_region }}:{{ aws_account_id }}:volume/*'
 - 'arn:aws:elasticloadbalancing:{{ aws_region }}:{{ aws_account_id }}:*'
 - 'arn:aws:autoscaling:{{ aws_region }}:{{ aws_account_id }}:autoScalingGroup*'
- - 'arn:aws:ecs:{{ aws_region }}:{{ aws_account_id }}:*'
 - Sid: AllowGlobalResourceRestrictedActionsWhichIncurNoFees
 Effect: Allow
diff --git a/aws/policy/data-services.yaml b/aws/policy/data-services.yaml
index 639953de..3aef53ee 100644
--- a/aws/policy/data-services.yaml
+++ b/aws/policy/data-services.yaml
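Review bot: `wafv2:TagResource` is dropped from the statement scoped to `arn:aws:wafv2:{{ aws_region }}:{{ aws_account_id }}:*` in the first hunk and re-added, together with `wafv2:ListTagsForResource` and `wafv2:UntagResource`, under `Resource: "*"` in the second, which widens the resources those tag mutations can touch unless the `Condition: StringEquals:` block that continues past the hunk still pins account and region. The wafv2 tag actions accept resource ARNs (web ACLs, rule groups, IP sets, regex pattern sets), so the ARN-scoped statement looked sufficient; if the condition is the reason for the move, a comment above the added lines would save the next reader the question, e.g. `# tag actions live here so the StringEquals condition below applies to them`. Tag writes also matter wherever other statements condition on `aws:ResourceTag`/`aws:TagKeys`, since retagging changes what those conditions evaluate to; the same consideration applies to the `dms:AddTagsToResource`/`dms:RemoveTagsFromResource` lines added in the data-services.yaml hunk.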
@@ -21,11 +21,14 @@ Statement:
 - Sid: AllowGlobalResourceRestrictedActionsWhichIncurNoFees
 Effect: Allow
 Action:
+ - dms:AddTagsToResource
 - dms:CreateReplicationSubnetGroup
 - dms:DeleteEndpoint
- - dms:ModifyEndpoint
 - dms:DeleteReplicationSubnetGroup
+ - dms:ListTagsForResource
+ - dms:ModifyEndpoint
 - dms:ModifyReplicationSubnetGroup
+ - dms:RemoveTagsFromResource
 - dynamodb:CreateTable
 - dynamodb:DeleteItem
 - dynamodb:DeleteTable
@@ -105,7 +108,9 @@ Statement:
 - rds:RestoreDBClusterFromSnapshot
 - rds:RestoreDBClusterFromS3
 - rds:PromoteReadReplicaDBCluster
+ - rds:CopyDBClusterSnapshot
 Resource:
+ - 'arn:aws:dms:{{ aws_region }}:{{ aws_account_id }}:endpoint:*'
 - 'arn:aws:dms:{{ aws_region }}:{{ aws_account_id }}:subgrp:*'
 - 'arn:aws:dynamodb:{{ aws_region }}:{{ aws_account_id }}:table/*'
 - 'arn:aws:elasticache:{{ aws_region }}:{{ aws_account_id }}:cluster:*'
diff --git a/aws/policy/paas.yaml b/aws/policy/paas.yaml
index cf775775..ff68c75b 100644
--- a/aws/policy/paas.yaml
+++ b/aws/policy/paas.yaml
@@ -116,13 +116,13 @@ Statement:
 StringLike:
 lambda:FunctionArn:
 - arn:aws:lambda:{{ aws_region }}:{{ aws_account_id }}:function:*
-
+
 - Sid: AllowGlobalUnrestrictedResourceActionsWhichIncurFees
 Effect: Allow
 Action:
 - ecs:CreateCluster
 Resource: "*"
-
+
 - Sid: AllowGlobalUnrestrictedResourceActionsWhichIncurNoFees
 Effect: Allow
 Action:
@@ -135,7 +135,7 @@ Statement:
 - ecs:DeregisterTaskDefinition
 Resource:
 - "*"
-
+
 - Sid: AllowGlobalRestrictedResourceActionsWhichIncurFees
 Effect: Allow
 Action:
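Review bot: `dms:DeleteEndpoint` and `dms:ModifyEndpoint` only become effective with the new `arn:aws:dms:{{ aws_region }}:{{ aws_account_id }}:endpoint:*` Resource entry in the second data-services hunk — the only dms ARN visible before it is `subgrp:*`, which endpoint calls do not match (unless an endpoint ARN already appears further down the list, which the hunk does not show) — so this is a grant expansion to every DMS endpoint in the account/region rather than a tidy-up, and the commit message should say so. `rds:CopyDBClusterSnapshot` is added under a `...WhichIncurNoFees` Sid, but snapshot copies are billed for the copied storage (plus transfer when cross-region), so it probably belongs with the fee-incurring statement; it also needs `arn:aws:rds:…:cluster-snapshot:*` entries for both the source and the target snapshot, and the Resource list runs past the end of the hunk so I cannot confirm they are present. If it stays here, `# CopyDBClusterSnapshot: requires cluster-snapshot:* for source and target` above the added line would make the dependency explicit.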