From 34dea77ea806e52f0a535e0d9cf1a9a83f38b7fb Mon Sep 17 00:00:00 2001
From: Francesco Rossi <90578034+rossifrancesco@users.noreply.github.com>
Date: Tue, 23 Sep 2025 08:26:15 +0200
Subject: [PATCH] fix(cloudwatch-metrics-stream): add S3 permissions back to cloud_monitoring_policy

---
 README.md                                      | 10 +++++++++-
 modules/cloud-watch-metrics-stream/iam_data.tf | 10 ++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 89d866d..0c9c967 100644
--- a/README.md
+++ b/README.md
@@ -36,12 +36,20 @@ Sysdig requires AWS IAM permissions to display the correct status and metadata f
       "Action": "ec2:DescribeInstances",
       "Effect": "Allow",
       "Resource": "*"
+    },
+    {
+      "Action": [
+        "s3:ListBucket",
+        "s3:ListAllMyBuckets"
+      ],
+      "Effect": "Allow",
+      "Resource": "*"
     }
   ]
 }
 ```
 
-## IAM Permissions for Sysdig Cross-Account Role - Cloudwatch Metrics Stream
+## IAM Permissions for Sysdig Cross-Account Role - Cost Advisor private billing integration
 
 Sysdig requires AWS IAM permissions to fetch billing data and metadata for the Private Billing integration. If `create_new_role` is set to `true`, the following IAM permissions are granted to an IAM Role..
 ```
diff --git a/modules/cloud-watch-metrics-stream/iam_data.tf b/modules/cloud-watch-metrics-stream/iam_data.tf
index 43ca633..8e9ef83 100644
--- a/modules/cloud-watch-metrics-stream/iam_data.tf
+++ b/modules/cloud-watch-metrics-stream/iam_data.tf
@@ -101,4 +101,14 @@ data "aws_iam_policy_document" "iam_role_task_policy_cloud_monitoring_policy" {
     ]
   }
 
+  statement {
+    effect = "Allow"
+    actions = [
+      "s3:ListAllMyBuckets",
+      "s3:ListBucket"
+    ]
+    resources = [
+      "*"
+    ]
+  }
 }
\ No newline at end of file
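Review bot: The new `statement` grants `s3:ListBucket` on `resources = ["*"]`, which lets the cross-account role enumerate the object keys of every bucket in the account rather than only discover bucket names; `s3:ListAllMyBuckets` genuinely requires `*`, but `s3:ListBucket` is bucket-scoped and belongs in its own statement whose `resources` list the bucket ARNs the metrics stream actually reads (for example a `var.<bucket_arns_placeholder>` input), keeping the rest of the account out of the role's reach. Because the commit title says these permissions were removed once already, a short comment above the statement stating what the listing is used for, e.g. `# Bucket listing is required for <reason placeholder>; ListAllMyBuckets only supports "*"`, would keep the next cleanup from dropping it again. The file still ends without a trailing newline (`\ No newline at end of file`), which the added lines did not fix. The enclosing `data "aws_iam_policy_document"` block starts before the hunk.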