Update detected

zoph-io · Aug 6, 2024 · 631093f · 631093f
1 parent 6e68dde
commit 631093f
Show file tree

Hide file tree

Showing 4 changed files with 174 additions and 12 deletions.
diff --git a/policies/AWSSSMForSAPServiceLinkedRolePolicy b/policies/AWSSSMForSAPServiceLinkedRolePolicy
@@ -119,7 +119,7 @@
                     "Sid": "CreateServiceLinkedRole",
                     "Effect": "Allow",
                     "Action": "iam:CreateServiceLinkedRole",
-                    "Resource": "arn:*:iam::*:role/aws-service-role/servicecatalog-appregistry.amazonaws.com/AWSServiceRoleForAWSServiceCatalogAppRegistry",
+                    "Resource": "arn:aws:iam::*:role/aws-service-role/servicecatalog-appregistry.amazonaws.com/AWSServiceRoleForAWSServiceCatalogAppRegistry",
                     "Condition": {
                         "StringEquals": {
                             "iam:AWSServiceName": "servicecatalog-appregistry.amazonaws.com"
@@ -273,11 +273,69 @@
                             "ec2:resourceTag/SSMForSAPManaged": "True"
                         }
                     }
+                },
+                {
+                    "Sid": "SsmSapResourceGroup",
+                    "Effect": "Allow",
+                    "Action": [
+                        "resource-groups:Tag",
+                        "resource-groups:CreateGroup"
+                    ],
+                    "Resource": "arn:aws:resource-groups:*:*:group/SystemsManagerForSAP-*",
+                    "Condition": {
+                        "StringEquals": {
+                            "aws:RequestTag/SSMForSAPCreated": "True"
+                        },
+                        "ArnLike": {
+                            "aws:RequestTag/awsApplication": "arn:aws:resource-groups:*:*:group/*/*"
+                        },
+                        "ForAllValues:StringEquals": {
+                            "aws:TagKeys": [
+                                "SSMForSAPCreated",
+                                "awsApplication"
+                            ]
+                        }
+                    }
+                },
+                {
+                    "Sid": "ManageSsmSapTagsOnEc2Instances",
+                    "Effect": "Allow",
+                    "Action": [
+                        "ec2:CreateTags",
+                        "ec2:DeleteTags"
+                    ],
+                    "Resource": "arn:aws:ec2:*:*:instance/*",
+                    "Condition": {
+                        "StringEquals": {
+                            "aws:ResourceTag/SSMForSAPManaged": "True"
+                        },
+                        "ForAllValues:StringLike": {
+                            "aws:TagKeys": [
+                                "SystemsManagerForSAP-*"
+                            ]
+                        }
+                    }
+                },
+                {
+                    "Sid": "ManageSsmSapTagsOnEbsVolumes",
+                    "Effect": "Allow",
+                    "Action": [
+                        "ec2:CreateTags",
+                        "ec2:DeleteTags"
+                    ],
+                    "Resource": "arn:aws:ec2:*:*:volume/*",
+                    "Condition": {
+                        "ForAllValues:StringLike": {
+                            "aws:TagKeys": [
+                                "SystemsManagerForSAP-*"
+                            ]
+                        }
+                    }
                 }
             ]
         },
-        "VersionId": "v7",
+        "VersionId": "v8",
         "IsDefaultVersion": true,
-        "CreateDate": "2024-04-11T18:31:07+00:00"
+        "CreateDate": "2024-08-05T22:40:26+00:00"
     }
 }
diff --git a/policies/AWSSupportServiceRolePolicy b/policies/AWSSupportServiceRolePolicy
@@ -86,6 +86,8 @@
                         "access-analyzer:listArchiveRules",
                         "access-analyzer:listFindings",
                         "access-analyzer:listPolicyGenerations",
+                        "account:getRegionOptStatus",
+                        "account:listRegions",
                         "acm-pca:describeCertificateAuthority",
                         "acm-pca:describeCertificateAuthorityAuditReport",
                         "acm-pca:getCertificate",
@@ -261,6 +263,7 @@
                         "autoscaling:describeScalingActivities",
                         "autoscaling:describeScalingProcessTypes",
                         "autoscaling:describeScheduledActions",
+                        "autoscaling:describeTrafficSources",
                         "autoscaling:describeTags",
                         "autoscaling:describeTerminationPolicyTypes",
                         "autoscaling:describeWarmPool",
@@ -320,6 +323,28 @@
                         "batch:describeJobQueues",
                         "batch:describeJobs",
                         "batch:listJobs",
+                        "bedrock:getAgent",
+                        "bedrock:getAgentActionGroup",
+                        "bedrock:getAgentAlias",
+                        "bedrock:getAgentKnowledgeBase",
+                        "bedrock:getAgentVersion",
+                        "bedrock:getCustomModel",
+                        "bedrock:getDataSource",
+                        "bedrock:getIngestionJob",
+                        "bedrock:getKnowledgeBase",
+                        "bedrock:getModelCustomizationJob",
+                        "bedrock:getModelInvocationLoggingConfiguration",
+                        "bedrock:listAgentActionGroups",
+                        "bedrock:listAgentAliases",
+                        "bedrock:listAgentKnowledgeBases",
+                        "bedrock:listAgents",
+                        "bedrock:listAgentVersions",
+                        "bedrock:listCustomModels",
+                        "bedrock:listDataSources",
+                        "bedrock:listIngestionJobs",
+                        "bedrock:listKnowledgeBases",
+                        "bedrock:listModelCustomizationJobs",
+                        "bedrock:listProvisionedModelThroughputs",
                         "braket:getDevice",
                         "braket:getQuantumTask",
                         "braket:searchDevices",
@@ -521,6 +546,18 @@
                         "codecommit:getRepositoryTriggers",
                         "codecommit:listBranches",
                         "codecommit:listRepositories",
+                        "codeconnections:getConnection",
+                        "codeconnections:getHost",
+                        "codeconnections:getRepositoryLink",
+                        "codeconnections:getRepositorySyncStatus",
+                        "codeconnections:getResourceSyncStatus",
+                        "codeconnections:getSyncBlockerSummary",
+                        "codeconnections:getSyncConfiguration",
+                        "codeconnections:listConnections",
+                        "codeconnections:listHosts",
+                        "codeconnections:listRepositoryLinks",
+                        "codeconnections:listRepositorySyncDefinitions",
+                        "codeconnections:listSyncConfigurations",
                         "codedeploy:batchGetApplicationRevisions",
                         "codedeploy:batchGetApplications",
                         "codedeploy:batchGetDeploymentGroups",
@@ -748,6 +785,23 @@
                         "dax:describeParameterGroups",
                         "dax:describeParameters",
                         "dax:describeSubnetGroups",
+                        "deadline:listAvailableMeteredProducts",
+                        "deadline:listBudgets",
+                        "deadline:listFarmMembers",
+                        "deadline:listFarms",
+                        "deadline:listFleetMembers",
+                        "deadline:listFleets",
+                        "deadline:listJobMembers",
+                        "deadline:listJobs",
+                        "deadline:listLicenseEndpoints",
+                        "deadline:listMeteredProducts",
+                        "deadline:listMonitors",
+                        "deadline:listQueueEnvironments",
+                        "deadline:listQueueFleetAssociations",
+                        "deadline:listQueueMembers",
+                        "deadline:listQueues",
+                        "deadline:listStorageProfiles",
+                        "deadline:listWorkers",
                         "detective:getMembers",
                         "detective:listGraphs",
                         "detective:listInvitations",
@@ -963,6 +1017,7 @@
                         "ec2:describeSecurityGroups",
                         "ec2:describeSnapshotAttribute",
                         "ec2:describeSnapshots",
+                        "ec2:describeSnapshotTierStatus",
                         "ec2:describeSpotDatafeedSubscription",
                         "ec2:describeSpotFleetInstances",
                         "ec2:describeSpotFleetRequestHistory",
@@ -1008,6 +1063,7 @@
                         "ec2:describeVpnGateways",
                         "ec2:getAssociatedIpv6PoolCidrs",
                         "ec2:getCapacityReservationUsage",
+                        "ec2:getSubnetCidrReservations",
                         "ec2:getCoipPoolUsage",
                         "ec2:getConsoleOutput",
                         "ec2:getConsoleScreenshot",
@@ -1086,6 +1142,8 @@
                         "eks:describeFargateProfile",
                         "eks:describeIdentityProviderConfig",
                         "eks:describeNodegroup",
+                        "eks:describePodIdentityAssociation",
+                        "eks:listPodIdentityAssociations",
                         "eks:describeUpdate",
                         "eks:listAccessEntries",
                         "eks:listAccessPolicies",
@@ -1151,6 +1209,9 @@
                         "elasticloadbalancing:describeLoadBalancerPolicies",
                         "elasticloadbalancing:describeLoadBalancerPolicyTypes",
                         "elasticloadbalancing:describeLoadBalancers",
+                        "elasticloadbalancing:describeTrustStores",
+                        "elasticloadbalancing:describeTrustStoreAssociations",
+                        "elasticloadbalancing:describeTrustStoreRevocations",
                         "elasticloadbalancing:describeRules",
                         "elasticloadbalancing:describeSSLPolicies",
                         "elasticloadbalancing:describeTags",
@@ -1281,6 +1342,7 @@
                         "forecast:listForecastExportJobs",
                         "forecast:listForecasts",
                         "forecast:listPredictors",
+                        "freetier:getFreeTierUsage",
                         "fsx:describeBackups",
                         "fsx:describeDataRepositoryAssociations",
                         "fsx:describeDataRepositoryTasks",
@@ -1574,6 +1636,8 @@
                         "inspector2:batchGetAccountStatus",
                         "inspector2:batchGetFreeTrialInfo",
                         "inspector2:describeOrganizationConfiguration",
+                        "inspector2:getConfiguration",
+                        "inspector2:getEc2DeepInspectionConfiguration",
                         "inspector2:getDelegatedAdminAccount",
                         "inspector2:getMember",
                         "inspector2:getSbomExport",
@@ -2230,6 +2294,12 @@
                         "opsworks:getHostnameSuggestion",
                         "organizations:listAccounts",
                         "organizations:listTagsForResource",
+                        "osis:getPipeline",
+                        "osis:getPipelineBlueprint",
+                        "osis:getPipelineChangeProgress",
+                        "osis:listPipelineBlueprints",
+                        "osis:listPipelines",
+                        "osis:validatePipeline",
                         "outposts:getCatalogItem",
                         "outposts:getConnection",
                         "outposts:getOrder",
@@ -3284,6 +3354,8 @@
                         "workspaces-web:listUserSettings",
                         "workspaces:describeAccount",
                         "workspaces:describeAccountModifications",
+                        "workspaces:describeApplicationAssociations",
+                        "workspaces:describeWorkspaceAssociations",
                         "workspaces:describeIpGroups",
                         "workspaces:describeTags",
                         "workspaces:describeWorkspaceBundles",
@@ -3295,7 +3367,13 @@
                         "xray:getGroup",
                         "xray:getGroups",
                         "xray:getSamplingRules",
-                        "xray:listResourcePolicies"
+                        "xray:listResourcePolicies",
+                        "xray:getInsightImpactGraph",
+                        "xray:getSamplingStatisticSummaries",
+                        "xray:getSamplingTargets",
+                        "xray:getServiceGraph",
+                        "xray:getTimeSeriesServiceStatistics",
+                        "xray:getTraceGraph"
                     ],
                     "Effect": "Allow",
                     "Resource": [
@@ -3305,8 +3383,8 @@
             ],
             "Version": "2012-10-17"
         },
-        "VersionId": "v36",
+        "VersionId": "v37",
         "IsDefaultVersion": true,
-        "CreateDate": "2024-05-02T02:47:48+00:00"
+        "CreateDate": "2024-08-05T23:34:50+00:00"
     }
 }
diff --git a/policies/AwsGlueSessionUserRestrictedPolicy b/policies/AwsGlueSessionUserRestrictedPolicy
@@ -23,6 +23,20 @@
                         }
                     }
                 },
+                {
+                    "Sid": "AllowGlueTaggingAction",
+                    "Effect": "Allow",
+                    "Action": [
+                        "glue:TagResource"
+                    ],
+                    "Resource": "arn:aws:glue:*:*:session/*",
+                    "Condition": {
+                        "StringEquals": {
+                            "aws:ResourceTag/owner": "${aws:userid}",
+                            "aws:RequestTag/owner": "${aws:userid}"
+                        }
+                    }
+                },
                 {
                     "Sid": "AllowCompletionActions",
                     "Effect": "Allow",
@@ -69,7 +83,6 @@
                     "Sid": "DenyTagActions",
                     "Effect": "Deny",
                     "Action": [
-                        "glue:TagResource",
                         "glue:UntagResource",
                         "tag:TagResources",
                         "tag:UntagResources"
@@ -104,8 +117,8 @@
                 }
             ]
         },
-        "VersionId": "v2",
+        "VersionId": "v3",
         "IsDefaultVersion": true,
-        "CreateDate": "2024-04-29T22:45:28+00:00"
+        "CreateDate": "2024-08-05T23:06:45+00:00"
     }
 }
diff --git a/policies/AwsGlueSessionUserRestrictedServiceRole b/policies/AwsGlueSessionUserRestrictedServiceRole
@@ -55,6 +55,20 @@
                         }
                     }
                 },
+                {
+                    "Sid": "AllowGlueTaggingAction",
+                    "Effect": "Allow",
+                    "Action": [
+                        "glue:TagResource"
+                    ],
+                    "Resource": "arn:aws:glue:*:*:session/*",
+                    "Condition": {
+                        "StringEquals": {
+                            "aws:ResourceTag/owner": "${aws:userid}",
+                            "aws:RequestTag/owner": "${aws:userid}"
+                        }
+                    }
+                },
                 {
                     "Sid": "AllowStatementActions",
                     "Effect": "Allow",
@@ -90,7 +104,6 @@
                     "Sid": "DenyTagActions",
                     "Effect": "Deny",
                     "Action": [
-                        "glue:TagResource",
                         "glue:UntagResource",
                         "tag:TagResources",
                         "tag:UntagResources"
@@ -173,8 +186,8 @@
                 }
             ]
         },
-        "VersionId": "v2",
+        "VersionId": "v3",
         "IsDefaultVersion": true,
-        "CreateDate": "2024-04-29T22:51:39+00:00"
+        "CreateDate": "2024-08-05T23:14:07+00:00"
     }
 }