From 8c96adb3f0e29bc750e969082dd9fa93b914918e Mon Sep 17 00:00:00 2001
From: Alina Buzachis
Date: Wed, 1 Jun 2022 13:44:08 +0200
Subject: [PATCH 1/3] Add policy for rds_cluster_snapshot copy_rds_cluster_snapshot
Signed-off-by: Alina Buzachis
---
 aws/policy/data-services.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/aws/policy/data-services.yaml b/aws/policy/data-services.yaml
index 639953de..cce8a911 100644
--- a/aws/policy/data-services.yaml
+++ b/aws/policy/data-services.yaml
@@ -105,6 +105,7 @@ Statement:
 - rds:RestoreDBClusterFromSnapshot
 - rds:RestoreDBClusterFromS3
 - rds:PromoteReadReplicaDBCluster
+ - rds:CopyDBClusterSnapshot
 Resource:
 - 'arn:aws:dms:{{ aws_region }}:{{ aws_account_id }}:subgrp:*'
 - 'arn:aws:dynamodb:{{ aws_region }}:{{ aws_account_id }}:table/*'
From bd424fc0763a098f7e86035ef4334297c810184f Mon Sep 17 00:00:00 2001
From: Mark Chappell
Date: Fri, 3 Jun 2022 11:15:54 +0200
Subject: [PATCH 2/3] Add WAFv2 tagging permissions
---
 aws/policy/application-security.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/aws/policy/application-security.yaml b/aws/policy/application-security.yaml
index e42f56c9..c09055c7 100644
--- a/aws/policy/application-security.yaml
+++ b/aws/policy/application-security.yaml
@@ -34,7 +34,6 @@ Statement:
 - wafv2:DeleteFirewallManagerRuleGroups
 - wafv2:DisassociateFirewallManager
 - wafv2:UpdateIPSet
- - wafv2:TagResource
 Resource:
 - 'arn:aws:wafv2:{{ aws_region }}:{{ aws_account_id }}:*'
@@ -110,6 +109,9 @@ Statement:
 - waf:UpdateSqlInjectionMatchSet
 - waf:UpdateWebACL
 - waf:UpdateXssMatchSet
+ - wafv2:ListTagsForResource
+ - wafv2:TagResource
+ - wafv2:UntagResource
 Resource: "*"
 Condition:
 StringEquals:
From 45e34bfc0a5c6424cefb13332dde08e1027af7eb Mon Sep 17 00:00:00 2001
From: Mark Chappell
Date: Mon, 6 Jun 2022 16:11:38 +0200
Subject: [PATCH 3/3] Add support for tagging DMS Endpoints
---
 aws/policy/data-services.yaml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
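Review bot: The new `rds:CopyDBClusterSnapshot` action only takes effect if this statement's Resource list contains an RDS cluster-snapshot ARN; the visible part of the list holds only the dms and dynamodb ARNs and the rest lies outside the hunk, so that pairing is worth confirming. Because every ARN in the list is pinned to `{{ aws_region }}`, a cross-region copy whose target snapshot lives in another region would presumably not match this statement either. A short comment next to the action, such as `# copy_rds_cluster_snapshot: relies on the cluster-snapshot:* ARN in Resource`, would make the dependency explicit for the next edit of this list.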
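Review bot: Moving `wafv2:TagResource` out of the statement scoped to `arn:aws:wafv2:{{ aws_region }}:{{ aws_account_id }}:*` and into the `Resource: "*"` statement widens the resources it applies to, and the new `wafv2:ListTagsForResource` and `wafv2:UntagResource` land in the same wide statement; the WAFv2 tagging actions support resource-level ARNs, so they could stay in the ARN-scoped statement. If the wildcard is needed because some WAFv2 resources (for instance CloudFront-scoped ones) carry ARNs that would not match the region-bound pattern, that reason belongs in a comment beside the three actions, e.g. `# tagging actions use Resource "*" because <reason>`. The `Condition: StringEquals:` key that bounds this statement is outside the hunk, so how far the `*` is constrained cannot be judged from here.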
diff --git a/aws/policy/data-services.yaml b/aws/policy/data-services.yaml
index cce8a911..3aef53ee 100644
--- a/aws/policy/data-services.yaml
+++ b/aws/policy/data-services.yaml
@@ -21,11 +21,14 @@ Statement:
 - Sid: AllowGlobalResourceRestrictedActionsWhichIncurNoFees
 Effect: Allow
 Action:
+ - dms:AddTagsToResource
 - dms:CreateReplicationSubnetGroup
 - dms:DeleteEndpoint
- - dms:ModifyEndpoint
 - dms:DeleteReplicationSubnetGroup
+ - dms:ListTagsForResource
+ - dms:ModifyEndpoint
 - dms:ModifyReplicationSubnetGroup
+ - dms:RemoveTagsFromResource
 - dynamodb:CreateTable
 - dynamodb:DeleteItem
 - dynamodb:DeleteTable
@@ -107,6 +110,7 @@ Statement:
 - rds:PromoteReadReplicaDBCluster
 - rds:CopyDBClusterSnapshot
 Resource:
+ - 'arn:aws:dms:{{ aws_region }}:{{ aws_account_id }}:endpoint:*'
 - 'arn:aws:dms:{{ aws_region }}:{{ aws_account_id }}:subgrp:*'
 - 'arn:aws:dynamodb:{{ aws_region }}:{{ aws_account_id }}:table/*'
 - 'arn:aws:elasticache:{{ aws_region }}:{{ aws_account_id }}:cluster:*'
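Review bot: Adding `arn:aws:dms:{{ aws_region }}:{{ aws_account_id }}:endpoint:*` to this Resource list enables more than the new tagging actions: every action in the same statement that accepts an endpoint ARN, including the existing `dms:DeleteEndpoint` and `dms:ModifyEndpoint` visible in the first hunk, now becomes effective on every DMS endpoint in the account and region. If that widening is intended, a comment on the new ARN line such as `# endpoint:* also scopes dms:DeleteEndpoint / dms:ModifyEndpoint` would make it visible to the next reviewer. DMS endpoint ARNs presumably carry a generated identifier rather than the endpoint name, so narrowing below `endpoint:*` by identifier is unlikely to be practical; a tag-based condition (`aws:ResourceTag`) on this statement is the usual alternative if tighter scoping is wanted.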