Merge pull request #45 from cisagov/improvement/add-permissions-for-s…

…plunk Add permissions needed by the Splunk Add-on for AWS
cisagov · Apr 17, 2024 · 42dd9db · 42dd9db
2 parents 3af1b91 + 4b30f1e
commit 42dd9db
Showing 1 changed file with 39 additions and 0 deletions.
diff --git a/cloudwatch_for_cdm.tf b/cloudwatch_for_cdm.tf
@@ -32,6 +32,45 @@ data "aws_iam_policy_document" "allow_access_to_selected_cloudwatch_logs" {
       format("arn:aws:logs:%s:%d:log-group:%s:log-stream:%s", var.aws_region, local.sharedservices_account_id, group_and_stream[0], group_and_stream[1])
     ]
   }
+
+  # The following statements provide permissions needed by the Splunk Add-on
+  # for AWS to access the SQS queue and S3 bucket where the CDM CloudWatch log
+  # data is stored.  For more information, see:
+  # https://docs.splunk.com/Documentation/AddOns/released/AWS/SQS-basedS3
+  statement {
+    actions = [
+      "kms:Decrypt",
+      "sqs:ListQueues",
+    ]
+    effect    = "Allow"
+    resources = ["*"]
+  }
+
+  statement {
+    actions = [
+      "s3:GetObject",
+      "s3:GetObjectVersion",
+    ]
+    effect = "Allow"
+    resources = [
+      "${aws_s3_bucket.cloudwatch.arn}/*",
+    ]
+  }
+
+  statement {
+    actions = [
+      "sqs:ChangeMessageVisibility",
+      "sqs:DeleteMessage",
+      "sqs:GetQueueAttributes",
+      "sqs:GetQueueUrl",
+      "sqs:ReceiveMessage",
+      "sqs:SendMessage",
+    ]
+    effect = "Allow"
+    resources = [
+      aws_sqs_queue.cloudwatch_logs.arn,
+    ]
+  }
 }
 
 # Policy with the necessary permissions to access the CDM CloudWatch