Add additional action permissions for Glue and Shield Advanced checks @lazize #995
Allows the shield:GetSubscriptionState action
In addition to ./iam/prowler-additions-policy.json, would you mind adding it in those files as well? And if you add glue:GetSecurityConfiguration we can also close #988 :) Thanks!
And
./iam/create_role_to_assume_cfn.yaml
./iam/prowler-additions-policy.json
./util/codebuild/codebuild-prowler-audit-account-cfn.yaml
./util/terraform-kickstarter/main.tf
See below permission actions from all files above.

File ./iam/create_role_to_assume_cfn.yaml

```yaml
Action:
  - 'ds:ListAuthorizedApplications'
  - 'ec2:GetEbsEncryptionByDefault'
  - 'ecr:Describe*'
  - 'support:Describe*'
  - 'tag:GetTagKeys'
  - 'lambda:GetFunction'
  - 'glue:GetConnections'
  - 's3:GetAccountPublicAccessBlock'
  - 'shield:GetSubscriptionState'
```

./iam/prowler-additions-policy.json

```json
"Action": [
  "ds:ListAuthorizedApplications",
  "ec2:GetEbsEncryptionByDefault",
  "ecr:Describe*",
  "support:Describe*",
  "tag:GetTagKeys",
  "lambda:GetFunction",
  "glue:GetConnections",
  "glue:SearchTables",
  "s3:GetAccountPublicAccessBlock",
  "shield:GetSubscriptionState",
  "shield:DescribeProtection"
],
```

./util/codebuild/codebuild-prowler-audit-account-cfn.yaml

```yaml
- Action:
    - s3:GetAccountPublicAccessBlock
    - glue:GetConnections
    - glue:SearchTables
    - ds:ListAuthorizedApplications
    - ec2:GetEbsEncryptionByDefault
    - ecr:Describe*
    - support:Describe*
    - tag:GetTagKeys
    - lambda:GetFunction
    - shield:GetSubscriptionState
    - shield:DescribeProtection
```

./util/terraform-kickstarter/main.tf

```hcl
Action = [
  "s3:GetAccountPublicAccessBlock",
  "glue:GetConnections",
  "glue:SearchTables",
  "ds:ListAuthorizedApplications",
  "ec2:GetEbsEncryptionByDefault",
  "ecr:Describe*",
  "support:Describe*",
  "tag:GetTagKeys",
  "lambda:GetFunction",
  "shield:GetSubscriptionState",
  "shield:DescribeProtection"
]
```
They should all be the same because they are for the same purpose (11 lines).
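The consistency requirement in the comment above can be checked mechanically. The following is an added example, not part of this PR or of Prowler's code: it pulls IAM action names out of YAML, JSON or HCL text with a regex heuristic and reports which file lacks an action that another file grants. The function names and the sample texts (constructed from the lists quoted in the thread) are assumptions.

```python
import re
import sys

# Heuristic: lowercase service prefix, colon, then a capitalised action name
# (optionally ending in *) or a bare *. ARNs such as arn:aws:... do not match.
ACTION_RE = re.compile(r"\b[a-z0-9-]+:(?:[A-Z][A-Za-z0-9]*\*?|\*)")


def extract_actions(text):
    """Return the set of IAM action names found in YAML, JSON or HCL text."""
    return set(ACTION_RE.findall(text))


def drift(files):
    """Map each path to the actions other files grant but this one lacks."""
    found = {path: extract_actions(text) for path, text in files.items()}
    union = set().union(*found.values())
    return {p: sorted(union - s) for p, s in found.items() if union - s}


# Constructed sample input: the action lists as quoted in the thread,
# rendered in each file's own syntax.
BASE = ["ds:ListAuthorizedApplications", "ec2:GetEbsEncryptionByDefault",
        "ecr:Describe*", "support:Describe*", "tag:GetTagKeys",
        "lambda:GetFunction", "glue:GetConnections",
        "s3:GetAccountPublicAccessBlock", "shield:GetSubscriptionState"]
FULL = BASE + ["glue:SearchTables", "shield:DescribeProtection"]
SAMPLE = {
    "./iam/create_role_to_assume_cfn.yaml":
        "Action:\n" + "".join(f"  - '{a}'\n" for a in BASE),
    "./iam/prowler-additions-policy.json":
        '"Action": [' + ", ".join(f'"{a}"' for a in FULL) + "],",
    "./util/codebuild/codebuild-prowler-audit-account-cfn.yaml":
        "- Action:\n" + "".join(f"    - {a}\n" for a in FULL),
    "./util/terraform-kickstarter/main.tf":
        "Action = [" + ", ".join(f'"{a}"' for a in FULL) + "]",
}

if __name__ == "__main__":
    # With file paths as arguments, check those files; otherwise use SAMPLE.
    files = {p: open(p).read() for p in sys.argv[1:]} or SAMPLE
    report = drift(files)
    for path, missing in report.items():
        print(f"{path}: missing {', '.join(missing)}")
    sys.exit(1 if report else 0)
```

The non-zero exit status on drift lets the check run as a CI step, so a policy file that falls behind the others fails the build.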
Make sure all files where permission actions are necessary will have the same actions
Awesome, great job @lazize!
Fix #994
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.