Add additional action permissions for Glue and Shield Advanced checks @lazize

[lazize]

Allows the shield:GetSubscriptionState action

Fix #994

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[toniblyx]

In addition to iam/create_role_to_assume_cfn.yaml there are other files that require that change:

./iam/prowler-additions-policy.json
./util/codebuild/codebuild-prowler-audit-account-cfn.yaml
./util/terraform-kickstarter/main.tf

Would you mind to add it in those files as well? and if you add glue:GetSecurityConfiguration we can also close #988 :)

Thanks!

[toniblyx]

And shield:DescribeProtection is also required.

[lazize]

shield:Describe* is already covered by managed policy SecurityAudit, so it should not be necessary to add it explicit.

./iam/create_role_to_assume_cfn.yaml

• Missing glue:GetSecurityConfiguration, will add it
• Added shield:GetSubscriptionState on previews commit

./iam/prowler-additions-policy.json

• Missing glue:GetSecurityConfiguration, will add it
• Already has shield:GetSubscriptionState

./util/codebuild/codebuild-prowler-audit-account-cfn.yaml

• Missing glue:GetSecurityConfiguration, will add it
• Already has shield:GetSubscriptionState

./util/terraform-kickstarter/main.tf

• Missing glue:GetSecurityConfiguration, will add it
• Already has shield:GetSubscriptionState

---

See below permission actions from all files above.
As you can see they don't match exactly, should they?

File ./iam/prowler-additions-policy.json has action glue:SearchTables which doesn't exist on others.

./iam/create_role_to_assume_cfn.yaml

              Action:
                - 'ds:ListAuthorizedApplications'
                - 'ec2:GetEbsEncryptionByDefault'
                - 'ecr:Describe*'
                - 'support:Describe*'
                - 'tag:GetTagKeys'
                - 'lambda:GetFunction'
                - 'glue:GetConnections'
                - 's3:GetAccountPublicAccessBlock'
                - 'shield:GetSubscriptionState'

./iam/prowler-additions-policy.json

            "Action": [
                "ds:ListAuthorizedApplications",
                "ec2:GetEbsEncryptionByDefault",
                "ecr:Describe*",
                "support:Describe*",
                "tag:GetTagKeys",
                "lambda:GetFunction",
                "glue:GetConnections",
                "glue:SearchTables",
                "s3:GetAccountPublicAccessBlock",
                "shield:GetSubscriptionState",
                "shield:DescribeProtection"
            ],

./util/codebuild/codebuild-prowler-audit-account-cfn.yaml

              - Action:
                  - s3:GetAccountPublicAccessBlock
                  - glue:GetConnections
                  - glue:SearchTables
                  - ds:ListAuthorizedApplications
                  - ec2:GetEbsEncryptionByDefault
                  - ecr:Describe*
                  - support:Describe*
                  - tag:GetTagKeys
                  - lambda:GetFunction
                  - shield:GetSubscriptionState
                  - shield:DescribeProtection

./util/terraform-kickstarter/main.tf

        Action =  [
                  "s3:GetAccountPublicAccessBlock",
                  "glue:GetConnections",
                  "glue:SearchTables",
                  "ds:ListAuthorizedApplications",
                  "ec2:GetEbsEncryptionByDefault",
                  "ecr:Describe*",
                  "support:Describe*",
                  "tag:GetTagKeys",
                  "lambda:GetFunction",
                  "shield:GetSubscriptionState",
                  "shield:DescribeProtection"
                  ]

[toniblyx]

They all should be the same because are for the same purpose (11 lines).

[toniblyx]

Awesome, great job @lazize!