Merge pull request #711 from udondan/update-aws-managed-policies

udondan · May 18, 2024 · 571c0c6 · 571c0c6
2 parents f0d7929 + fe36fdf
commit 571c0c6
Show file tree

Hide file tree

Showing 6 changed files with 61 additions and 0 deletions.
diff --git a/docs/source/_static/managed-policies/AWSAuditManagerServiceRolePolicy.json b/docs/source/_static/managed-policies/AWSAuditManagerServiceRolePolicy.json
@@ -100,7 +100,10 @@
         "iam:GetUserPolicy",
         "iam:GetAccountPasswordPolicy",
         "iam:GetAccountSummary",
+        "iam:ListAttachedGroupPolicies",
+        "iam:ListAttachedUserPolicies",
         "iam:ListEntitiesForPolicy",
+        "iam:ListGroupsForUser",
         "iam:ListGroupPolicies",
         "iam:ListGroups",
         "iam:ListOpenIdConnectProviders",
@@ -139,6 +142,7 @@
         "es:DescribeDomains",
         "es:DescribeDomain",
         "es:DescribeDomainConfig",
+        "es:ListDomainNames",
         "organizations:DescribeOrganization",
         "organizations:DescribePolicy",
         "rds:DescribeCertificates",
@@ -209,6 +213,7 @@
         "apigateway:GET"
       ],
       "Resource": [
+        "arn:aws:apigateway:*::/restapis",
         "arn:aws:apigateway:*::/restapis/*/stages/*",
         "arn:aws:apigateway:*::/restapis/*/stages"
       ],

diff --git a/docs/source/_static/managed-policies/AWSBackupServiceLinkedRolePolicyForBackup.json b/docs/source/_static/managed-policies/AWSBackupServiceLinkedRolePolicyForBackup.json
@@ -326,6 +326,19 @@
       "Resource": [
         "arn:aws:cloudformation:*:*:stack/*"
       ]
+    },
+    {
+      "Sid": "RecoveryPointTaggingPermissions",
+      "Effect": "Allow",
+      "Action": [
+        "backup:TagResource"
+      ],
+      "Resource": "arn:aws:backup:*:*:recovery-point:*",
+      "Condition": {
+        "StringEquals": {
+          "aws:PrincipalAccount": "${aws:ResourceAccount}"
+        }
+      }
     }
   ]
 }
diff --git a/docs/source/_static/managed-policies/AWSBackupServiceRolePolicyForBackup.json b/docs/source/_static/managed-policies/AWSBackupServiceRolePolicyForBackup.json
@@ -458,6 +458,19 @@
         "ssm-sap:ListTagsForResource"
       ],
       "Resource": "arn:aws:ssm-sap:*:*:*"
+    },
+    {
+      "Sid": "RecoveryPointTaggingPermissions",
+      "Effect": "Allow",
+      "Action": [
+        "backup:TagResource"
+      ],
+      "Resource": "arn:aws:backup:*:*:recovery-point:*",
+      "Condition": {
+        "StringEquals": {
+          "aws:PrincipalAccount": "${aws:ResourceAccount}"
+        }
+      }
     }
   ]
 }
diff --git a/docs/source/_static/managed-policies/AWSBackupServiceRolePolicyForS3Backup.json b/docs/source/_static/managed-policies/AWSBackupServiceRolePolicyForS3Backup.json
@@ -2,11 +2,13 @@
   "Version": "2012-10-17",
   "Statement": [
     {
+      "Sid": "CloudWatchGetMetricDataPermissions",
       "Effect": "Allow",
       "Action": "cloudwatch:GetMetricData",
       "Resource": "*"
     },
     {
+      "Sid": "EventBridgePermissionsForAwsBackupManagedRule",
       "Effect": "Allow",
       "Action": [
         "events:DeleteRule",
@@ -23,11 +25,13 @@
       ]
     },
     {
+      "Sid": "EventBridgeListRulesPermissions",
       "Effect": "Allow",
       "Action": "events:ListRules",
       "Resource": "*"
     },
     {
+      "Sid": "KmsPermissions",
       "Effect": "Allow",
       "Action": [
         "kms:Decrypt",
@@ -41,6 +45,7 @@
       }
     },
     {
+      "Sid": "S3BucketPermissions",
       "Effect": "Allow",
       "Action": [
         "s3:GetBucketTagging",
@@ -57,6 +62,7 @@
       "Resource": "arn:aws:s3:::*"
     },
     {
+      "Sid": "S3ObjectPermissions",
       "Effect": "Allow",
       "Action": [
         "s3:GetObjectAcl",
@@ -69,9 +75,23 @@
       "Resource": "arn:aws:s3:::*/*"
     },
     {
+      "Sid": "S3ListBucketPermissions",
       "Effect": "Allow",
       "Action": "s3:ListAllMyBuckets",
       "Resource": "*"
+    },
+    {
+      "Sid": "RecoveryPointTaggingPermissions",
+      "Effect": "Allow",
+      "Action": [
+        "backup:TagResource"
+      ],
+      "Resource": "arn:aws:backup:*:*:recovery-point:*",
+      "Condition": {
+        "StringEquals": {
+          "aws:PrincipalAccount": "${aws:ResourceAccount}"
+        }
+      }
     }
   ]
 }
diff --git a/docs/source/_static/managed-policies/CloudWatchFullAccessV2.json b/docs/source/_static/managed-policies/CloudWatchFullAccessV2.json
@@ -6,6 +6,7 @@
       "Effect": "Allow",
       "Action": [
         "application-autoscaling:DescribeScalingPolicies",
+        "application-signals:*",
         "autoscaling:DescribeAutoScalingGroups",
         "autoscaling:DescribePolicies",
         "cloudwatch:*",

diff --git a/docs/source/_static/managed-policies/CloudWatchReadOnlyAccess.json b/docs/source/_static/managed-policies/CloudWatchReadOnlyAccess.json
@@ -6,6 +6,9 @@
       "Effect": "Allow",
       "Action": [
         "application-autoscaling:DescribeScalingPolicies",
+        "application-signals:BatchGet*",
+        "application-signals:Get*",
+        "application-signals:List*",
         "autoscaling:Describe*",
         "cloudwatch:BatchGet*",
         "cloudwatch:Describe*",
@@ -42,6 +45,12 @@
         "oam:ListAttachedLinks"
       ],
       "Resource": "arn:aws:oam:*:*:sink/*"
+    },
+    {
+      "Sid": "CloudWatchReadOnlyGetRolePermissions",
+      "Effect": "Allow",
+      "Action": "iam:GetRole",
+      "Resource": "arn:aws:iam::*:role/aws-service-role/application-signals.cloudwatch.amazonaws.com/AWSServiceRoleForCloudWatchApplicationSignals"
     }
   ]
 }