fix: Replace custom in line policy with securityAudit policy

PaladinCloud · Mar 14, 2023 · 55b501d · 55b501d
1 parent 1408d10
commit 55b501d
Showing 1 changed file with 4 additions and 106 deletions.
diff --git a/installer/resources/iam/base_role.py b/installer/resources/iam/base_role.py
@@ -43,6 +43,10 @@ class BaseCloudWatchEventFullAcessPolicyAttach(iam.IAMRolePolicyAttachmentResour
     role = BaseRole.get_output_attr('name')
     policy_arn = "arn:aws:iam::aws:policy/CloudWatchEventsFullAccess"
 
+class BaseSecurityAudit(iam.IAMRolePolicyAttachmentResource):
+    role = BaseRole.get_output_attr('name')
+    policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
+
 
 class ECSTaskExecutionRolePolicyDocument(iam.IAMPolicyDocumentData):
     statement = [
@@ -76,112 +80,6 @@ class BaseECSTaskExecPolicyAttach(iam.IAMRolePolicyAttachmentResource):
     role = BaseRole.get_output_attr('name')
     policy_arn = ECSTaskExecutionRolePolicy.get_output_attr('arn')
 
-class PolicySpecificReadOnlyAccessPolicyDocument(iam.IAMPolicyDocumentData):
-    statement = [
-        {
-            "effect": "Allow",
-            "actions": [
-				"access-analyzer:ListAnalyzers",
-                "acm:DescribeCertificate",
-                "acm:ListCertificates",
-                "apigateway:GET",
-                "appflow:ListFlows",
-                "athena:ListQueryExecutions",
-                "autoscaling:DescribeAutoScalingGroups",
-                "autoscaling:DescribeLaunchConfigurations",
-                "autoscaling:DescribePolicies",
-                "backup:ListBackupVaults",
-                "cloudformation:DescribeStacks",
-                "cloudformation:ListStacks",
-                "cloudfront:GetDistributionConfig",
-                "cloudfront:ListDistributions",
-                "cloudtrail:DescribeTrails",
-                "cloudtrail:GetEventSelectors",
-                "cloudtrail:GetTrailStatus",
-                "cloudtrail:LookupEvents",
-                "cloudwatch:DescribeAlarms",
-                "comprehend:ListEntitiesDetectionJobs",
-                "dax:DescribeClusters",
-                "directconnect:Describe*",
-                "dms:DescribeReplicationInstances",
-                "dynamodb:Describe*",
-                "dynamodb:List*",
-                "ec2:Describe*",
-                "ecs:DescribeClusters",
-                "ecs:DescribeTaskDefinition",
-                "ecs:List*",
-                "eks:ListClusters",
-                "elasticache:Describe*",
-                "elasticache:List*",
-                "elasticfilesystem:DescribeFileSystems",
-                "elasticloadbalancing:DescribeListeners",
-                "elasticloadbalancing:DescribeLoadBalancerAttributes",
-                "elasticloadbalancing:DescribeLoadBalancers",
-                "elasticloadbalancing:DescribeRules",
-                "elasticloadbalancing:DescribeTags",
-                "elasticloadbalancing:DescribeTargetGroups",
-                "elasticloadbalancing:DescribeTargetHealth",
-                "elasticmapreduce:ListClusters",
-                "es:DescribeElasticsearchDomains",
-                "es:ListDomainNames",
-                "es:ListTags",
-                "firehose:DescribeDeliveryStream",
-                "firehose:ListDeliveryStreams",
-                "firehose:ListTagsForDeliveryStream",
-                "health:DescribeAffectedEntities",
-                "health:DescribeEventDetails",
-                "health:DescribeEvents",
-                "iam:GetAccessKeyLastUsed",
-                "iam:ListAccessKeys",
-                "iam:ListAttachedGroupPolicies",
-                "iam:ListGroups",
-                "iam:ListGroupsForUser",
-                "iam:ListMFADevices",
-                "iam:ListPolicies",
-                "iam:ListRoles",
-                "iam:ListServerCertificates",
-                "iam:ListUsers",
-                "kinesis:ListStreams",
-                "kinesisvideo:ListStreams",
-                "kms:DescribeKey",
-                "kms:GetKeyRotationStatus",
-                "kms:ListAliases",
-                "kms:ListKeys",
-                "kms:ListResourceTags",
-                "lambda:GetPolicy",
-                "lambda:List*",
-                "rds:Describe*",
-                "rds:List*",
-                "redshift:DescribeClusters",
-                "redshift:DescribeLoggingStatus",
-                "route53:List*",
-                "s3:GetBucketLocation",
-                "s3:GetBucketLogging",
-                "s3:GetBucketNotification",
-                "s3:GetBucketTagging",
-                "s3:ListAllMyBuckets",
-                "s3:PutBucketNotification",
-                "securityhub:DescribeHub",
-                "sns:List*",
-                "SNS:ListTopics",
-                "sqs:ListQueues",
-                "ssm:DescribeInstanceInformation"
-
-			],
-            "resources": ["*"]
-        }
-    ]
-
-
-class PaladinCloudReadOnlyAccessRolePolicy(iam.IAMRolePolicyResource):
-    name = "ReadOnlyAccessForAWSPolicies"
-    path = '/'
-    policy = PolicySpecificReadOnlyAccessPolicyDocument.get_output_attr('json')
-
-
-class PaladinCloudReadOnlyAccessPolicyAttach(iam.IAMRolePolicyAttachmentResource):
-    role = BaseRole.get_output_attr('name')
-    policy_arn = PaladinCloudReadOnlyAccessRolePolicy.get_output_attr('arn')
 
 
 class PaladinCognitoUserPoolFullAccessDocument(iam.IAMPolicyDocumentData):