From a5cd972c29e185e81d50e4eb5733fc8212003f0b Mon Sep 17 00:00:00 2001
From: Agasthi Kothurkar
Date: Mon, 29 Jul 2024 22:55:29 +0000
Subject: [PATCH] IAM permissions required for the Prowler v4 scans

---
 1-sat2-member-roles.yaml | 5 +++++
 2-sat2-codebuild-prowler.yaml | 5 +++++
 2 files changed, 10 insertions(+)

diff --git a/1-sat2-member-roles.yaml b/1-sat2-member-roles.yaml
index 22e0807..c3ac9a0 100644
--- a/1-sat2-member-roles.yaml
+++ b/1-sat2-member-roles.yaml
@@ -54,11 +54,15 @@ Resources:
 - cloudtrail:GetInsightSelectors
 - codeartifact:List*
 - codebuild:BatchGet*
+ - cognito-idp:GetUserPoolMfaConfig
+ - dlm:Get*
 - drs:Describe*
 - ds:Get*
 - ds:Describe*
 - ds:List*
+ - dynamodb:GetResourcePolicy
 - ec2:GetEbsEncryptionByDefault
+ - ec2:GetInstanceMetadataDefaults
 - ecr:Describe*
 - ecr:GetRegistryScanningConfiguration
 - elasticfilesystem:DescribeBackupPolicy
@@ -66,6 +70,7 @@ Resources:
 - glue:GetSecurityConfiguration*
 - glue:SearchTables
 - lambda:GetFunction*
+ - lightsail:GetRelationalDatabases
 - logs:FilterLogEvents
 - macie2:GetMacieSession
 - s3:GetAccountPublicAccessBlock
diff --git a/2-sat2-codebuild-prowler.yaml b/2-sat2-codebuild-prowler.yaml
index b602c7f..22b646b 100644
--- a/2-sat2-codebuild-prowler.yaml
+++ b/2-sat2-codebuild-prowler.yaml
@@ -122,11 +122,15 @@ Resources:
 - cloudtrail:GetInsightSelectors
 - codeartifact:List*
 - codebuild:BatchGet*
+ - cognito-idp:GetUserPoolMfaConfig
+ - dlm:Get*
 - drs:Describe*
 - ds:Get*
 - ds:Describe*
 - ds:List*
+ - dynamodb:GetResourcePolicy
 - ec2:GetEbsEncryptionByDefault
+ - ec2:GetInstanceMetadataDefaults
 - ecr:Describe*
 - ecr:GetRegistryScanningConfiguration
 - elasticfilesystem:DescribeBackupPolicy
@@ -134,6 +138,7 @@ Resources:
 - glue:GetSecurityConfiguration*
 - glue:SearchTables
 - lambda:GetFunction*
+ - lightsail:GetRelationalDatabases
 - logs:FilterLogEvents
 - macie2:GetMacieSession
 - s3:GetAccountPublicAccessBlock
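Review bot: `dlm:Get*` is the one new entry in the first hunk of 1-sat2-member-roles.yaml granted as a wildcard, while the other four additions (`cognito-idp:GetUserPoolMfaConfig`, `dynamodb:GetResourcePolicy`, `ec2:GetInstanceMetadataDefaults`, `lightsail:GetRelationalDatabases`) each name a single action. If the Prowler v4 DLM check only needs to enumerate lifecycle policies, the least-privilege form is `- dlm:GetLifecyclePolicies` and `- dlm:GetLifecyclePolicy`; I have not verified which DLM calls Prowler makes, so confirm against the check source before narrowing. All five additions are read-only and keep the action list in alphabetical order, consistent with the surrounding entries. The IAM statement these actions belong to begins and ends outside the hunk, so its Resource and Condition scoping is not visible here.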
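Review bot: The first hunk of 2-sat2-codebuild-prowler.yaml is byte-identical to the one added to 1-sat2-member-roles.yaml in this commit, so the two templates now carry the same hand-maintained action list with nothing in either file tying them together; a future Prowler bump that touches only one file would leave the other role short of the permissions the new checks need. A comment above the list such as `# Keep in sync with the Prowler read-only actions in 1-sat2-member-roles.yaml (Prowler v4)` would make the coupling visible to the next editor. Factoring the list into a single shared managed policy would remove the drift risk entirely, but that is a larger change than this diff. The enclosing IAM statement starts and ends outside the hunk.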