feat(iam): update required permissions for privelege escalation

padok-team · Jan 9, 2023 · 43f44a6 · 43f44a6
1 parent 0140c08
commit 43f44a6
Showing 1 changed file with 5 additions and 3 deletions.
diff --git a/aws/iam/userElevationConst.go b/aws/iam/userElevationConst.go
@@ -18,16 +18,18 @@ var requiredPermissions = [][]string{
 	{"iam:UpdateAssumeRolePolicy", "sts:AssumeRole"},
 	{"iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction"},
 	{"iam:PassRole", "lambda:CreateFunction", "lambda:AddPermission"},
-	{"iam:PassRole", "lambda:CreateFunction", "lambda:CreateEventSource"},
+	{"iam:PassRole", "lambda:CreateFunction", "lambda:CreateEventSourceMapping"},
 	{"lambda:UpdateFunctionCode"},
 	{"iam:PassRole", "glue:CreateDevEndpoint"},
 	{"glue:UpdateDevEndpoint"},
 	{"iam:PassRole", "cloudformation:CreateStack"},
-	{"iam:PassRole", "datapipeline:CreatePipeline", "datapipeline:PutPipeline"},
-	{"codestar:CreateProjectFromTemplate", "iam:PassRole"},
+	{"iam:PassRole", "datapipeline:CreatePipeline", "datapipeline:PutPipelineDefinition", "datapipeline:ActivatePipeline"},
+	{"codestar:CreateProjectFromTemplate"},
 	{"codestar:CreateProject", "iam:PassRole"},
 	{"codestar:CreateProject", "codeStar:AssociateTeamMember"},
 	{"lambda:UpdateFunctionConfiguration"},
 	{"sagemaker:CreateNotebookInstance", "sagemaker:CreatePresignedNotebookInstanceUrl", "iam:PassRole"},
 	{"sagemaker:CreatePresignedNotebookInstanceUrl"},
+	{"iam:PassRole", "glue:CreateJob"},
+	{"iam:PassRole", "glue:UpdateJob"},
 }