diff --git a/aws/policy/application-security.yaml b/aws/policy/application-security.yaml
index e42f56c9..c09055c7 100644
--- a/aws/policy/application-security.yaml
+++ b/aws/policy/application-security.yaml
@@ -34,7 +34,6 @@ Statement:
 - wafv2:DeleteFirewallManagerRuleGroups
 - wafv2:DisassociateFirewallManager
 - wafv2:UpdateIPSet
- - wafv2:TagResource
 Resource:
 - 'arn:aws:wafv2:{{ aws_region }}:{{ aws_account_id }}:*'
@@ -110,6 +109,9 @@ Statement:
 - waf:UpdateSqlInjectionMatchSet
 - waf:UpdateWebACL
 - waf:UpdateXssMatchSet
+ - wafv2:ListTagsForResource
+ - wafv2:TagResource
+ - wafv2:UntagResource
 Resource: "*"
 Condition:
 StringEquals:
diff --git a/aws/policy/data-services.yaml b/aws/policy/data-services.yaml
index 639953de..3aef53ee 100644
--- a/aws/policy/data-services.yaml
+++ b/aws/policy/data-services.yaml
@@ -21,11 +21,14 @@ Statement:
 - Sid: AllowGlobalResourceRestrictedActionsWhichIncurNoFees
 Effect: Allow
 Action:
+ - dms:AddTagsToResource
 - dms:CreateReplicationSubnetGroup
 - dms:DeleteEndpoint
- - dms:ModifyEndpoint
 - dms:DeleteReplicationSubnetGroup
+ - dms:ListTagsForResource
+ - dms:ModifyEndpoint
 - dms:ModifyReplicationSubnetGroup
+ - dms:RemoveTagsFromResource
 - dynamodb:CreateTable
 - dynamodb:DeleteItem
 - dynamodb:DeleteTable
@@ -105,7 +108,9 @@ Statement:
 - rds:RestoreDBClusterFromSnapshot
 - rds:RestoreDBClusterFromS3
 - rds:PromoteReadReplicaDBCluster
+ - rds:CopyDBClusterSnapshot
 Resource:
+ - 'arn:aws:dms:{{ aws_region }}:{{ aws_account_id }}:endpoint:*'
 - 'arn:aws:dms:{{ aws_region }}:{{ aws_account_id }}:subgrp:*'
 - 'arn:aws:dynamodb:{{ aws_region }}:{{ aws_account_id }}:table/*'
 - 'arn:aws:elasticache:{{ aws_region }}:{{ aws_account_id }}:cluster:*'
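Review bot: wafv2:TagResource is moved out of the statement scoped to `arn:aws:wafv2:{{ aws_region }}:{{ aws_account_id }}:*` (first hunk of application-security.yaml) into the `Resource: "*"` statement in the second hunk, together with the new wafv2:ListTagsForResource and wafv2:UntagResource, so the tag-mutating actions lose their resource restriction; the StringEquals condition key is outside the hunk, so whether it still narrows them cannot be checked from here. To my knowledge the wafv2 tag actions accept resource-level ARNs, so they could stay next to the other wafv2 actions in the scoped statement. If the move is deliberate, a condition such as `aws:TagKeys` (and `aws:RequestTag/<key>` for any tag keys that other statements evaluate through aws:ResourceTag) bounds what a holder of this policy can change by tagging, and the same consideration applies to dms:AddTagsToResource / dms:RemoveTagsFromResource added in the first hunk of data-services.yaml. A one-line comment above the three new entries stating why they live in the wildcard statement rather than the scoped one would help the next reviewer.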
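Review bot: The new `- 'arn:aws:dms:{{ aws_region }}:{{ aws_account_id }}:endpoint:*'` line in the last hunk does more than enable the dms tag actions: dms:DeleteEndpoint and dms:ModifyEndpoint already appear in what looks like the same statement (first hunk of data-services.yaml) but had no matching endpoint ARN, so this line newly makes them effective for every DMS endpoint in the account and region. That is probably intended, but it deserves a line in the commit message or a comment beside the ARN, e.g. `# endpoint ARN also unlocks dms:DeleteEndpoint / dms:ModifyEndpoint listed above`. rds:CopyDBClusterSnapshot is added under a Sid that promises actions "WhichIncurNoFees", yet snapshot copies can incur snapshot-storage and cross-region transfer charges, and the action needs `cluster-snapshot` ARNs for source and target; the rest of the Resource list is outside the hunk, so please confirm such an ARN exists or the entry is inert. The enclosing statement and its Resource list continue beyond the hunk.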