diff --git a/data/policy_permissions_list/master_policy_permissions_list.json b/data/policy_permissions_list/master_policy_permissions_list.json index c9e954ca62..c2c418481f 100644 --- a/data/policy_permissions_list/master_policy_permissions_list.json +++ b/data/policy_permissions_list/master_policy_permissions_list.json @@ -66,6 +66,55 @@ } ] }, + { + "id": "./compliance/aws/disallowed_regions/aws_disallowed_regions.pt", + "name": "AWS Disallowed Regions", + "version": "5.0", + "providers": [ + { + "name": "aws", + "permissions": [ + { + "name": "sts:GetCallerIdentity", + "read_only": true, + "required": true + }, + { + "name": "ec2:DescribeRegions", + "read_only": true, + "required": true + }, + { + "name": "ec2:DescribeInstances", + "read_only": true, + "required": true + }, + { + "name": "ec2:StopInstances", + "read_only": false, + "required": false, + "description": "Only required for taking action; the policy will still function in a read-only capacity without these permissions." + }, + { + "name": "ec2:TerminateInstances", + "read_only": false, + "required": false, + "description": "Only required for taking action; the policy will still function in a read-only capacity without these permissions." + } + ] + }, + { + "name": "flexera", + "permissions": [ + { + "name": "billing_center_viewer", + "read_only": true, + "required": true + } + ] + } + ] + }, { "id": "./compliance/aws/long_stopped_instances/aws_long_stopped_instances.pt", "name": "AWS Long Stopped EC2 Instances", 
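Review bot: The two action permissions in the new AWS Disallowed Regions entry, `ec2:StopInstances` and `ec2:TerminateInstances`, carry the generic "Only required for taking action" text, whereas the other AWS entries in this file name the action in parentheses; since one of these is irreversible, the description should say so, e.g. `"description": "Only required for taking action (stopping or terminating instances in disallowed regions); the policy will still function in a read-only capacity without these permissions."`. Anyone granting the optional set from this list should be able to see that it includes instance termination without opening the template. The required set is otherwise read-only and consistent with the sibling entries.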
@@ -190,6 +239,39 @@
 }
 ]
 },
+ {
+ "id": "./compliance/azure/azure_disallowed_regions/azure_disallowed_regions.pt",
+ "name": "Azure Disallowed Regions",
+ "version": "4.1",
+ "providers": [
+ {
+ "name": "azure_rm",
+ "permissions": [
+ {
+ "name": "Microsoft.Compute/virtualMachines/read",
+ "read_only": true,
+ "required": true
+ },
+ {
+ "name": "Microsoft.Compute/virtualMachines/write",
+ "read_only": false,
+ "required": false,
+ "description": "Only required for taking action; the policy will still function in a read-only capacity without these permissions."
+ }
+ ]
+ },
+ {
+ "name": "flexera",
+ "permissions": [
+ {
+ "name": "billing_center_viewer",
+ "read_only": true,
+ "required": true
+ }
+ ]
+ }
+ ]
+ },
 {
 "id": "./compliance/azure/azure_long_stopped_instances/long_stopped_instances_azure.pt",
 "name": "Azure Long Stopped Compute Instances",
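Review bot: The only action permission listed for Azure Disallowed Regions is `Microsoft.Compute/virtualMachines/write`, which in Azure RBAC covers creating and updating a VM but not deleting it; if the policy's remediation for a VM in a disallowed region is deletion (I cannot see the .pt template from here), the permission actually exercised is `Microsoft.Compute/virtualMachines/delete`, and `write` would be both insufficient for the action and broader than needed. Whichever action the template performs, the description should name it the way the other Azure entries do, e.g. `"description": "Only required for taking action (deleting VMs in disallowed regions); the policy will still function in a read-only capacity without these permissions."`. Please confirm against the template's action block before this list is used to build roles.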
@@ -441,79 +523,77 @@ ] }, { - "id": "./cost/aws/old_snapshots/aws_delete_old_snapshots.pt", - "name": "AWS Old Snapshots", - "version": "7.5", + "id": "./cost/aws/gp3_volume_upgrade/aws_upgrade_to_gp3_volume.pt", + "name": "AWS GP3 Upgradeable Volumes", + "version": "4.4", "providers": [ { "name": "aws", "permissions": [ { - "name": "ec2:DescribeRegions", + "name": "ec2:DescribeVolumes", "read_only": true, "required": true }, { - "name": "ec2:DescribeImages", + "name": "ec2:DescribeRegions", "read_only": true, "required": true }, { - "name": "ec2:DescribeSnapshots", + "name": "pricing:GetProducts", "read_only": true, "required": true - }, - { - "name": "ec2:DeregisterImage", - "read_only": false, - "required": false, - "description": "Only required for taking action (deletion); the policy will still function in a read-only capacity without these permissions." - }, - { - "name": "ec2:DeleteSnapshot", - "read_only": false, - "required": false, - "description": "Only required for taking action (deletion); the policy will still function in a read-only capacity without these permissions." 
- }, + } + ] + }, + { + "name": "flexera", + "permissions": [ { - "name": "rds:DescribeDBInstances", + "name": "billing_center_viewer", "read_only": true, "required": true - }, + } + ] + } + ] + }, + { + "id": "./cost/aws/idle_compute_instances/idle_compute_instances.pt", + "name": "AWS Idle Compute Instances", + "version": "5.5", + "providers": [ + { + "name": "aws", + "permissions": [ { - "name": "rds:DescribeDBSnapshots", + "name": "ec2:DescribeRegions", "read_only": true, "required": true }, { - "name": "rds:DescribeDBClusters", + "name": "ec2:DescribeInstances", "read_only": true, "required": true }, { - "name": "rds:DescribeDBClusterSnapshots", + "name": "ec2:DescribeTags", "read_only": true, "required": true }, { - "name": "rds:DeleteDBClusterSnapshot", - "read_only": false, - "required": false, - "description": "Only required for taking action (deletion); the policy will still function in a read-only capacity without these permissions." - }, - { - "name": "rds:DeleteDBSnapshot", - "read_only": false, - "required": false, - "description": "Only required for taking action (deletion); the policy will still function in a read-only capacity without these permissions." + "name": "cloudwatch:GetMetricStatistics", + "read_only": true, + "required": true }, { - "name": "sts:GetCallerIdentity", + "name": "cloudwatch:GetMetricData", "read_only": true, "required": true }, { - "name": "cloudtrail:LookupEvents", + "name": "cloudwatch:ListMetrics", "read_only": true, "required": true } 
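Review bot: The new AWS GP3 Upgradeable Volumes entry lists only `ec2:DescribeVolumes`, `ec2:DescribeRegions` and `pricing:GetProducts` with no optional `ec2:ModifyVolume`, yet the AWS Rightsize EBS Volumes entry later in this diff carries `ec2:ModifyVolume` described as "Only required for taking action (upgrading to GP3)". One of the two looks copied from the other: either the GP3 entry is missing its optional write permission, or the rightsizing entry's description names the wrong action; both should be reconciled against their .pt templates rather than each other. Note that the AWS Idle Compute Instances entry's aws provider block continues past the end of this hunk, so whatever action permissions it declares are not visible here.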
@@ -532,60 +612,54 @@ ] }, { - "id": "./cost/aws/reserved_instances/recommendations/aws_reserved_instance_recommendations.pt", - "name": "AWS Reserved Instances Recommendations", - "version": "3.4", + "id": "./cost/aws/object_storage_optimization/aws_object_storage_optimization.pt", + "name": "AWS Object Storage Optimization", + "version": "4.0", "providers": [ { "name": "aws", "permissions": [ { - "name": "ce:GetReservationPurchaseRecommendation", + "name": "sts:GetCallerIdentity", "read_only": true, "required": true - } - ] - }, - { - "name": "flexera", - "permissions": [ + }, { - "name": "billing_center_viewer", + "name": "s3:ListAllMyBuckets", "read_only": true, "required": true - } - ] - } - ] - }, - { - "id": "./cost/aws/rightsize_ebs_volumes/aws_volumes_rightsizing.pt", - "name": "AWS Rightsize EBS Volumes", - "version": "4.4", - "providers": [ - { - "name": "aws", - "permissions": [ + }, { - "name": "ec2:DescribeRegions", + "name": "s3:GetBucketLocation", "read_only": true, "required": true }, { - "name": "ec2:DescribeVolumes", + "name": "s3:ListBucket", "read_only": true, "required": true }, { - "name": "ec2:ModifyVolume", - "read_only": false, - "required": false, - "description": "Only required for taking action (upgrading to GP3); the policy will still function in a read-only capacity without these permissions." + "name": "s3:GetObject", + "read_only": true, + "required": true }, { - "name": "pricing:GetProducts", + "name": "s3:GetObjectTagging", "read_only": true, "required": true + }, + { + "name": "s3:PutObject", + "read_only": false, + "required": false, + "description": "Only required for taking action; the policy will still function in a read-only capacity without these permissions." + }, + { + "name": "s3:DeleteObject", + "read_only": false, + "required": false, + "description": "Only required for taking action; the policy will still function in a read-only capacity without these permissions." } ] }, 
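Review bot: `s3:GetObject` is listed as required for AWS Object Storage Optimization, and when such lists are turned into an IAM policy on `*` that grants reading the contents of every object in every bucket to what is otherwise a metadata-driven cost policy; if the template only needs object metadata and tags, `s3:ListBucket` plus `s3:GetObjectTagging` should suffice, and if `GetObject` is genuinely needed (for example because the action copies objects into a new storage class) the entry should say so in a description. The destructive `s3:PutObject` and `s3:DeleteObject` also carry the generic action text; name the action as the other entries do, e.g. `"description": "Only required for taking action (changing storage class or deleting objects); the policy will still function in a read-only capacity without these permissions."`. The entry's flexera provider block lies past the end of this hunk.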
@@ -602,9 +676,9 @@
 ]
 },
 {
- "id": "./cost/aws/rightsize_ec2_instances/aws_rightsize_ec2_instances.pt",
- "name": "AWS Rightsize EC2 Instances",
- "version": "4.5",
+ "id": "./cost/aws/old_snapshots/aws_delete_old_snapshots.pt",
+ "name": "AWS Old Snapshots",
+ "version": "7.5",
 "providers": [
 {
 "name": "aws",
@@ -615,62 +689,66 @@ "required": true }, { - "name": "ec2:DescribeInstances", + "name": "ec2:DescribeImages", "read_only": true, "required": true }, { - "name": "ec2:DescribeInstanceStatus", - "read_only": false, - "required": false, - "description": "Only required for taking action (terminating or downsizing); the policy will still function in a read-only capacity without these permissions." - }, - { - "name": "ec2:DescribeTags", + "name": "ec2:DescribeSnapshots", "read_only": true, "required": true }, { - "name": "ec2:ModifyInstanceAttribute", + "name": "ec2:DeregisterImage", "read_only": false, "required": false, - "description": "Only required for taking action (terminating or downsizing); the policy will still function in a read-only capacity without these permissions." + "description": "Only required for taking action (deletion); the policy will still function in a read-only capacity without these permissions." }, { - "name": "ec2:StartInstances", + "name": "ec2:DeleteSnapshot", "read_only": false, "required": false, - "description": "Only required for taking action (terminating or downsizing); the policy will still function in a read-only capacity without these permissions." + "description": "Only required for taking action (deletion); the policy will still function in a read-only capacity without these permissions." }, { - "name": "ec2:StopInstances", - "read_only": false, - "required": false, - "description": "Only required for taking action (terminating or downsizing); the policy will still function in a read-only capacity without these permissions." + "name": "rds:DescribeDBInstances", + "read_only": true, + "required": true }, { - "name": "ec2:TerminateInstances", - "read_only": false, - "required": false, - "description": "Only required for taking action (terminating or downsizing); the policy will still function in a read-only capacity without these permissions." 
+ "name": "rds:DescribeDBSnapshots", + "read_only": true, + "required": true }, { - "name": "cloudwatch:GetMetricStatistics", + "name": "rds:DescribeDBClusters", "read_only": true, "required": true }, { - "name": "cloudwatch:GetMetricData", + "name": "rds:DescribeDBClusterSnapshots", "read_only": true, "required": true }, { - "name": "cloudwatch:ListMetrics", + "name": "rds:DeleteDBClusterSnapshot", + "read_only": false, + "required": false, + "description": "Only required for taking action (deletion); the policy will still function in a read-only capacity without these permissions." + }, + { + "name": "rds:DeleteDBSnapshot", + "read_only": false, + "required": false, + "description": "Only required for taking action (deletion); the policy will still function in a read-only capacity without these permissions." + }, + { + "name": "sts:GetCallerIdentity", "read_only": true, "required": true }, { - "name": "sts:GetCallerIdentity", + "name": "cloudtrail:LookupEvents", "read_only": true, "required": true } 
@@ -689,59 +767,201 @@ ] }, { - "id": "./cost/aws/rightsize_rds_instances/aws_rightsize_rds_instances.pt", - "name": "AWS Rightsize RDS Instances", - "version": "4.2", + "id": "./cost/aws/rds_instance_license_info/rds_instance_license_info.pt", + "name": "AWS RDS Instances", + "version": "4.1", "providers": [ { "name": "aws", "permissions": [ { - "name": "sts:GetCallerIdentity", + "name": "ec2:DescribeRegions", "read_only": true, "required": true }, { - "name": "cloudwatch:GetMetricStatistics", + "name": "rds:DescribeDBInstances", "read_only": true, "required": true }, { - "name": "cloudwatch:GetMetricData", + "name": "sts:GetCallerIdentity", "read_only": true, "required": true - }, + } + ] + }, + { + "name": "flexera", + "permissions": [ + { + "name": "billing_center_viewer", + "read_only": true, + "required": true + } + ] + } + ] + }, + { + "id": "./cost/aws/reserved_instances/recommendations/aws_reserved_instance_recommendations.pt", + "name": "AWS Reserved Instances Recommendations", + "version": "3.4", + "providers": [ + { + "name": "aws", + "permissions": [ + { + "name": "ce:GetReservationPurchaseRecommendation", + "read_only": true, + "required": true + } + ] + }, + { + "name": "flexera", + "permissions": [ + { + "name": "billing_center_viewer", + "read_only": true, + "required": true + } + ] + } + ] + }, + { + "id": "./cost/aws/reserved_instances/utilization/utilization_ris.pt", + "name": "AWS Reserved Instances Utilization", + "version": "2.1", + "providers": [ + { + "name": "flexera", + "permissions": [ + { + "name": "billing_center_viewer", + "read_only": true, + "required": true + } + ] + } + ] + }, + { + "id": "./cost/aws/rightsize_ebs_volumes/aws_volumes_rightsizing.pt", + "name": "AWS Rightsize EBS Volumes", + "version": "4.4", + "providers": [ + { + "name": "aws", + "permissions": [ { "name": "ec2:DescribeRegions", "read_only": true, "required": true }, { - "name": "rds:DescribeDBInstances", + "name": "ec2:DescribeVolumes", "read_only": true, 
"required": true }, { - "name": "rds:ListTagsForResource", + "name": "ec2:ModifyVolume", + "read_only": false, + "required": false, + "description": "Only required for taking action (upgrading to GP3); the policy will still function in a read-only capacity without these permissions." + }, + { + "name": "pricing:GetProducts", + "read_only": true, + "required": true + } + ] + }, + { + "name": "flexera", + "permissions": [ + { + "name": "billing_center_viewer", + "read_only": true, + "required": true + } + ] + } + ] + }, + { + "id": "./cost/aws/rightsize_ec2_instances/aws_rightsize_ec2_instances.pt", + "name": "AWS Rightsize EC2 Instances", + "version": "4.5", + "providers": [ + { + "name": "aws", + "permissions": [ + { + "name": "ec2:DescribeRegions", "read_only": true, "required": true }, { - "name": "rds:DescribeOrderableDBInstanceOptions", + "name": "ec2:DescribeInstances", "read_only": true, "required": true }, { - "name": "rds:ModifyDBInstance", + "name": "ec2:DescribeInstanceStatus", "read_only": false, "required": false, "description": "Only required for taking action (terminating or downsizing); the policy will still function in a read-only capacity without these permissions." }, { - "name": "rds:DeleteDBInstance", + "name": "ec2:DescribeTags", + "read_only": true, + "required": true + }, + { + "name": "ec2:ModifyInstanceAttribute", + "read_only": false, + "required": false, + "description": "Only required for taking action (terminating or downsizing); the policy will still function in a read-only capacity without these permissions." + }, + { + "name": "ec2:StartInstances", + "read_only": false, + "required": false, + "description": "Only required for taking action (terminating or downsizing); the policy will still function in a read-only capacity without these permissions." 
+ }, + { + "name": "ec2:StopInstances", "read_only": false, "required": false, "description": "Only required for taking action (terminating or downsizing); the policy will still function in a read-only capacity without these permissions." + }, + { + "name": "ec2:TerminateInstances", + "read_only": false, + "required": false, + "description": "Only required for taking action (terminating or downsizing); the policy will still function in a read-only capacity without these permissions." + }, + { + "name": "cloudwatch:GetMetricStatistics", + "read_only": true, + "required": true + }, + { + "name": "cloudwatch:GetMetricData", + "read_only": true, + "required": true + }, + { + "name": "cloudwatch:ListMetrics", + "read_only": true, + "required": true + }, + { + "name": "sts:GetCallerIdentity", + "read_only": true, + "required": true } ] }, @@ -826,6 +1046,48 @@ } ] }, + { + "id": "./cost/aws/s3_storage_policy/aws_s3_bucket_policy_check.pt", + "name": "AWS S3 Bucket Intelligent Tiering Check", + "version": "3.1", + "providers": [ + { + "name": "aws", + "permissions": [ + { + "name": "s3:ListAllMyBuckets", + "read_only": true, + "required": true + }, + { + "name": "s3:GetBucketlocation", + "read_only": true, + "required": true + }, + { + "name": "s3:GetIntelligentTieringConfiguration", + "read_only": true, + "required": true + }, + { + "name": "s3:GetBucketTagging", + "read_only": true, + "required": true + } + ] + }, + { + "name": "flexera", + "permissions": [ + { + "name": "billing_center_viewer", + "read_only": true, + "required": true + } + ] + } + ] + }, { "id": "./cost/aws/savings_plan/recommendations/aws_savings_plan_recommendations.pt", "name": "AWS Savings Plan Recommendations", 
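Review bot: In the AWS Rightsize EC2 Instances entry, `ec2:DescribeInstanceStatus` is marked `"read_only": false`, but it is a Describe call that changes nothing, so a consumer building a read-only role from this list would now classify it as a write permission. The flag should be `"read_only": true` (keeping `"required": false` and the description if the template only consults it on the action path). The same mislabel is present on the AWS Superseded EC2 Instances entry added further down in this diff.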
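Review bot: The AWS S3 Bucket Intelligent Tiering Check entry spells the action `s3:GetBucketlocation` (lower-case l), while the AWS Object Storage Optimization entry in this same diff uses the canonical `s3:GetBucketLocation`. IAM action matching may tolerate the case difference, but any tooling that deduplicates or compares permission names by exact string will treat these as two different permissions. Change it to `"name": "s3:GetBucketLocation",`.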
@@ -853,6 +1115,55 @@ } ] }, + { + "id": "./cost/aws/savings_plan/utilization/aws_savings_plan_utilization.pt", + "name": "AWS Savings Plan Utilization", + "version": "3.1", + "providers": [ + { + "name": "aws", + "permissions": [ + { + "name": "ce:GetSavingsPlansUtilization", + "read_only": true, + "required": true + }, + { + "name": "savingsplans:DescribeSavingsPlans", + "read_only": true, + "required": true + } + ] + }, + { + "name": "flexera", + "permissions": [ + { + "name": "billing_center_viewer", + "read_only": true, + "required": true + } + ] + } + ] + }, + { + "id": "./cost/aws/savings_realized/aws_savings_realized.pt", + "name": "AWS Savings Realized from Reservations", + "version": "3.4", + "providers": [ + { + "name": "flexera", + "permissions": [ + { + "name": "billing_center_viewer", + "read_only": true, + "required": true + } + ] + } + ] + }, { "id": "./cost/aws/schedule_instance/aws_schedule_instance.pt", "name": "AWS Schedule Instance", 
@@ -903,10 +1214,408 @@ "description": "Only required if using Customer Managed KMS Key on Volumes mounted by EC2 Instance(s)" }, { - "name": "kms:Decrypt", + "name": "kms:Decrypt", + "read_only": true, + "required": false, + "description": "Only required if using Customer Managed KMS Key on Volumes mounted by EC2 Instance(s)" + } + ] + }, + { + "name": "flexera", + "permissions": [ + { + "name": "billing_center_viewer", + "read_only": true, + "required": true + } + ] + } + ] + }, + { + "id": "./cost/aws/superseded_instances/aws_superseded_instances.pt", + "name": "AWS Superseded EC2 Instances", + "version": "1.3", + "providers": [ + { + "name": "aws", + "permissions": [ + { + "name": "ec2:DescribeRegions", + "read_only": true, + "required": true + }, + { + "name": "ec2:DescribeInstances", + "read_only": true, + "required": true + }, + { + "name": "ec2:DescribeInstanceStatus", + "read_only": false, + "required": false, + "description": "Only required for taking action (changing instance type); the policy will still function in a read-only capacity without these permissions." + }, + { + "name": "ec2:DescribeTags", + "read_only": true, + "required": true + }, + { + "name": "ec2:ModifyInstanceAttribute", + "read_only": false, + "required": false, + "description": "Only required for taking action (changing instance type); the policy will still function in a read-only capacity without these permissions." + }, + { + "name": "ec2:StartInstances", + "read_only": false, + "required": false, + "description": "Only required for taking action (changing instance type); the policy will still function in a read-only capacity without these permissions." + }, + { + "name": "ec2:StopInstances", + "read_only": false, + "required": false, + "description": "Only required for taking action (changing instance type); the policy will still function in a read-only capacity without these permissions." 
+ }, + { + "name": "sts:GetCallerIdentity", + "read_only": true, + "required": true + } + ] + }, + { + "name": "flexera", + "permissions": [ + { + "name": "billing_center_viewer", + "read_only": true, + "required": true + } + ] + } + ] + }, + { + "id": "./cost/aws/unused_clbs/aws_unused_clbs.pt", + "name": "AWS Unused Classic Load Balancers", + "version": "5.0", + "providers": [ + { + "name": "aws", + "permissions": [ + { + "name": "sts:GetCallerIdentity", + "read_only": true, + "required": true + }, + { + "name": "ec2:DescribeRegions", + "read_only": true, + "required": true + }, + { + "name": "elasticloadbalancing:DescribeLoadBalancers", + "read_only": true, + "required": true + }, + { + "name": "elasticloadbalancing:DescribeInstanceHealth", + "read_only": true, + "required": true + }, + { + "name": "elasticloadbalancing:DescribeTags", + "read_only": true, + "required": true + }, + { + "name": "elasticloadbalancing:DeleteLoadBalancer", + "read_only": false, + "required": false, + "description": "Only required for taking action; the policy will still function in a read-only capacity without these permissions." + } + ] + }, + { + "name": "flexera", + "permissions": [ + { + "name": "billing_center_viewer", + "read_only": true, + "required": true + } + ] + } + ] + }, + { + "id": "./cost/aws/unused_ip_addresses/aws_unused_ip_addresses.pt", + "name": "AWS Unused IP Addresses", + "version": "6.8", + "providers": [ + { + "name": "aws", + "permissions": [ + { + "name": "ec2:DescribeRegions", + "read_only": true, + "required": true + }, + { + "name": "ec2:DescribeAddresses", + "read_only": true, + "required": true + }, + { + "name": "ec2:ReleaseAddress", + "read_only": false, + "required": false, + "description": "Only required for taking action (releasing an IP address); the policy will still function in a read-only capacity without these permissions." 
+ }, + { + "name": "pricing:GetProducts", + "read_only": true, + "required": true + }, + { + "name": "sts:GetCallerIdentity", + "read_only": true, + "required": true + }, + { + "name": "cloudtrail:LookupEvents", + "read_only": true, + "required": true + } + ] + }, + { + "name": "flexera", + "permissions": [ + { + "name": "billing_center_viewer", + "read_only": true, + "required": true + } + ] + } + ] + }, + { + "id": "./cost/aws/unused_volumes/aws_delete_unused_volumes.pt", + "name": "AWS Unused Volumes", + "version": "7.4", + "providers": [ + { + "name": "aws", + "permissions": [ + { + "name": "ec2:DescribeRegions", + "read_only": true, + "required": true + }, + { + "name": "ec2:DescribeVolumes", + "read_only": true, + "required": true + }, + { + "name": "ec2:DescribeSnapshots", + "read_only": true, + "required": true + }, + { + "name": "cloudwatch:GetMetricStatistics", + "read_only": true, + "required": true + }, + { + "name": "cloudwatch:GetMetricData", + "read_only": true, + "required": true + }, + { + "name": "ec2:CreateTags", + "read_only": false, + "required": false, + "description": "Only required for taking action; the policy will still function in a read-only capacity without these permissions." + }, + { + "name": "ec2:CreateSnapshot", + "read_only": false, + "required": false, + "description": "Only required for taking action; the policy will still function in a read-only capacity without these permissions." + }, + { + "name": "ec2:DetachVolume", + "read_only": false, + "required": false, + "description": "Only required for taking action; the policy will still function in a read-only capacity without these permissions." + }, + { + "name": "ec2:DeleteVolume", + "read_only": false, + "required": false, + "description": "Only required for taking action; the policy will still function in a read-only capacity without these permissions." 
+ } + ] + }, + { + "name": "flexera", + "permissions": [ + { + "name": "billing_center_viewer", + "read_only": true, + "required": true + } + ] + } + ] + }, + { + "id": "./cost/azure/blob_storage_optimization/azure_blob_storage_optimization.pt", + "name": "Azure Blob Storage Optimization", + "version": "3.1", + "providers": [ + { + "name": "azure_rm", + "permissions": [ + { + "name": "Microsoft.Storage/storageAccounts/read", + "read_only": true, + "required": true + } + ] + }, + { + "name": "azure_storage", + "permissions": [ + { + "name": "Storage Blob Data Owner", + "read_only": true, + "required": true + } + ] + }, + { + "name": "flexera", + "permissions": [ + { + "name": "billing_center_viewer", + "read_only": true, + "required": true + } + ] + } + ] + }, + { + "id": "./cost/azure/hybrid_use_benefit/azure_hybrid_use_benefit.pt", + "name": "Azure Hybrid Use Benefit for Windows Server", + "version": "4.2", + "providers": [ + { + "name": "azure_rm", + "permissions": [ + { + "name": "Microsoft.Compute/virtualMachines/read", + "read_only": true, + "required": true + }, + { + "name": "Microsoft.Compute/virtualMachines/write", + "read_only": false, + "required": false, + "description": "Only required for taking action (applying AHUB to VMs); the policy will still function in a read-only capacity without these permissions." 
+ } + ] + }, + { + "name": "flexera", + "permissions": [ + { + "name": "billing_center_viewer", + "read_only": true, + "required": true + } + ] + } + ] + }, + { + "id": "./cost/azure/hybrid_use_benefit_linux/ahub_linux.pt", + "name": "Azure Hybrid Use Benefit for Linux Server", + "version": "4.3", + "providers": [ + { + "name": "azure_rm", + "permissions": [ + { + "name": "Microsoft.Compute/virtualMachines/read", + "read_only": true, + "required": true + }, + { + "name": "Microsoft.Compute/virtualMachines/write", + "read_only": false, + "required": false, + "description": "Only required for taking action (applying AHUB to VMs); the policy will still function in a read-only capacity without these permissions." + } + ] + }, + { + "name": "flexera", + "permissions": [ + { + "name": "billing_center_viewer", + "read_only": true, + "required": true + } + ] + } + ] + }, + { + "id": "./cost/azure/hybrid_use_benefit_sql/ahub_sql.pt", + "name": "Azure Hybrid Use Benefit for SQL", + "version": "3.1", + "providers": [ + { + "name": "azure_rm", + "permissions": [ + { + "name": "Microsoft.SqlVirtualMachine/sqlVirtualMachines/read", + "read_only": true, + "required": true + }, + { + "name": "Microsoft.SqlVirtualMachine/sqlVirtualMachines/write", + "read_only": true, + "required": true + }, + { + "name": "Microsoft.Sql/servers/read", + "read_only": true, + "required": true + }, + { + "name": "Microsoft.Sql/servers/write", + "read_only": true, + "required": true + }, + { + "name": "Microsoft.Sql/managedInstances/read", + "read_only": true, + "required": true + }, + { + "name": "Microsoft.Sql/managedInstances/write", "read_only": true, - "required": false, - "description": "Only required if using Customer Managed KMS Key on Volumes mounted by EC2 Instance(s)" + "required": true } ] }, 
@@ -923,41 +1632,26 @@ ] }, { - "id": "./cost/aws/unused_ip_addresses/aws_unused_ip_addresses.pt", - "name": "AWS Unused IP Addresses", - "version": "6.8", + "id": "./cost/azure/idle_compute_instances/azure_idle_compute_instances.pt", + "name": "Azure Idle Compute Instances", + "version": "5.4", "providers": [ { - "name": "aws", + "name": "azure_rm", "permissions": [ { - "name": "ec2:DescribeRegions", - "read_only": true, - "required": true - }, - { - "name": "ec2:DescribeAddresses", + "name": "Microsoft.Compute/virtualMachines/read", "read_only": true, "required": true }, { - "name": "ec2:ReleaseAddress", + "name": "Microsoft.Compute/virtualMachines/write", "read_only": false, "required": false, - "description": "Only required for taking action (releasing an IP address); the policy will still function in a read-only capacity without these permissions." - }, - { - "name": "pricing:GetProducts", - "read_only": true, - "required": true - }, - { - "name": "sts:GetCallerIdentity", - "read_only": true, - "required": true + "description": "Only required for taking action; the policy will still function in a read-only capacity without these permissions." }, { - "name": "cloudtrail:LookupEvents", + "name": "Microsoft.Insights/metrics/read", "read_only": true, "required": true } @@ -1232,6 +1926,23 @@ } ] }, + { + "id": "./cost/azure/savings_realized/azure_savings_realized.pt", + "name": "Azure Savings Realized from Reservations", + "version": "3.6", + "providers": [ + { + "name": "flexera", + "permissions": [ + { + "name": "billing_center_viewer", + "read_only": true, + "required": true + } + ] + } + ] + }, { "id": "./cost/azure/schedule_instance/azure_schedule_instance.pt", "name": "Azure Schedule Instance", 
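Review bot: In the Azure Hybrid Use Benefit for SQL entry, `Microsoft.SqlVirtualMachine/sqlVirtualMachines/write`, `Microsoft.Sql/servers/write` and `Microsoft.Sql/managedInstances/write` are all marked `"read_only": true, "required": true`, so a read-only role generated from this list would be granted write access to SQL VMs, servers and managed instances; the sibling Windows and Linux AHUB entries in this hunk mark their `virtualMachines/write` as optional and non-read-only with an action description, and these three should follow that pattern. Likewise, Azure Blob Storage Optimization lists the `Storage Blob Data Owner` role as `"read_only": true`; that role includes write, delete and ACL control on blob data, so it either belongs in the non-read-only optional set or, if the policy only reads blobs, `Storage Blob Data Reader` is the right read-only role — I cannot tell which from the list alone. The rewritten SQL entries below assume the write actions are only exercised when applying AHUB, as in the sibling entries; confirm against the template.
```json
{
  "name": "Microsoft.SqlVirtualMachine/sqlVirtualMachines/write",
  "read_only": false,
  "required": false,
  "description": "Only required for taking action (applying AHUB to SQL VMs); the policy will still function in a read-only capacity without these permissions."
},
{
  "name": "Microsoft.Sql/servers/write",
  "read_only": false,
  "required": false,
  "description": "Only required for taking action (applying AHUB to SQL servers); the policy will still function in a read-only capacity without these permissions."
},
{
  "name": "Microsoft.Sql/managedInstances/write",
  "read_only": false,
  "required": false,
  "description": "Only required for taking action (applying AHUB to SQL managed instances); the policy will still function in a read-only capacity without these permissions."
}
```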
@@ -1279,6 +1990,66 @@ } ] }, + { + "id": "./cost/azure/storage_account_lifecycle_management/storage_account_lifecycle_management.pt", + "name": "Azure Storage Accounts without Lifecycle Management Policies", + "version": "3.1", + "providers": [ + { + "name": "azure_rm", + "permissions": [ + { + "name": "Microsoft.Storage/storageAccounts/read", + "read_only": true, + "required": true + } + ] + }, + { + "name": "flexera", + "permissions": [ + { + "name": "billing_center_viewer", + "read_only": true, + "required": true + } + ] + } + ] + }, + { + "id": "./cost/azure/superseded_instances/azure_superseded_instances.pt", + "name": "Azure Superseded Compute Instances", + "version": "1.2", + "providers": [ + { + "name": "azure_rm", + "permissions": [ + { + "name": "Microsoft.Compute/virtualMachines/read", + "read_only": true, + "required": true + }, + { + "name": "Microsoft.Compute/virtualMachines/write", + "read_only": false, + "required": false, + "description": "Only required for taking action (changing instance type); the policy will still function in a read-only capacity without these permissions." + } + ] + }, + { + "name": "flexera", + "permissions": [ + { + "name": "billing_center_viewer", + "read_only": true, + "required": true + } + ] + } + ] + }, { "id": "./cost/azure/unused_ip_addresses/azure_unused_ip_addresses.pt", "name": "Azure Unused IP Addresses", 
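Review bot: The Azure Storage Accounts without Lifecycle Management Policies entry lists only `Microsoft.Storage/storageAccounts/read`; the lifecycle management policy is a separate ARM sub-resource whose read operation is `Microsoft.Storage/storageAccounts/managementPolicies/read`, so if the template queries each account's management policy (its name suggests it does, though I cannot see the datasource) a role built from this list would fail on that call. Please confirm against the template and, if it applies, add a required read-only entry with `"name": "Microsoft.Storage/storageAccounts/managementPolicies/read"`.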
@@ -1846,6 +2617,53 @@ } ] }, + { + "id": "./operational/aws/lambda_functions_with_high_error_rate/lambda_functions_with_high_error_rate.pt", + "name": "AWS Lambda Functions with high error rate", + "version": "4.2", + "providers": [ + { + "name": "aws", + "permissions": [ + { + "name": "ec2:DescribeRegions", + "read_only": true, + "required": true + }, + { + "name": "lambda:ListFunctions", + "read_only": true, + "required": true + }, + { + "name": "lambda:ListTags", + "read_only": true, + "required": true + }, + { + "name": "cloudwatch:GetMetricStatistics", + "read_only": true, + "required": true + }, + { + "name": "cloudwatch:ListMetrics", + "read_only": true, + "required": true + } + ] + }, + { + "name": "flexera", + "permissions": [ + { + "name": "billing_center_viewer", + "read_only": true, + "required": true + } + ] + } + ] + }, { "id": "./operational/aws/long_running_instances/long_running_instances.pt", "name": "AWS Long Running Instances", @@ -1901,6 +2719,23 @@ } ] }, + { + "id": "./operational/aws/marketplace_new_products/aws_marketplace_new_products.pt", + "name": "AWS New Marketplace Products", + "version": "0.1", + "providers": [ + { + "name": "flexera", + "permissions": [ + { + "name": "billing_center_viewer", + "read_only": true, + "required": true + } + ] + } + ] + }, { "id": "./operational/aws/tag_cardinality/aws_tag_cardinality.pt", "name": "AWS Tag Cardinality Report", 
@@ -1933,6 +2768,74 @@ } ] }, + { + "id": "./operational/aws/total_instance_hours/number_of_hours_per_instance_family.pt", + "name": "AWS Usage Report - Number of Instance Hours Used", + "version": "3.1", + "providers": [ + { + "name": "flexera", + "permissions": [ + { + "name": "billing_center_viewer", + "read_only": true, + "required": true + } + ] + } + ] + }, + { + "id": "./operational/aws/total_instance_hours_forecast/aws_total_instance_hrs_forecast.pt", + "name": "AWS Usage Forecast - Number of Instance Hours Used", + "version": "3.2", + "providers": [ + { + "name": "flexera", + "permissions": [ + { + "name": "billing_center_viewer", + "read_only": true, + "required": true + } + ] + } + ] + }, + { + "id": "./operational/aws/total_instance_vcpus/number_of_vcpus_per_instance_family.pt", + "name": "AWS Usage Report - Number of Instance vCPUs Used", + "version": "3.1", + "providers": [ + { + "name": "flexera", + "permissions": [ + { + "name": "billing_center_viewer", + "read_only": true, + "required": true + } + ] + } + ] + }, + { + "id": "./operational/aws/total_instance_vcpus_forecast/aws_total_instance_vcpus_forecast.pt", + "name": "AWS Usage Forecast - Number of Instance vCPUs Used", + "version": "3.2", + "providers": [ + { + "name": "flexera", + "permissions": [ + { + "name": "billing_center_viewer", + "read_only": true, + "required": true + } + ] + } + ] + }, { "id": "./operational/azure/azure_long_running_instances/azure_long_running_instances.pt", "name": "Azure Long Running Instances", @@ -1966,6 +2869,23 @@ } ] }, + { + "id": "./operational/azure/marketplace_new_products/azure_marketplace_new_products.pt", + "name": "Azure New Marketplace Products", + "version": "0.2", + "providers": [ + { + "name": "flexera", + "permissions": [ + { + "name": "billing_center_viewer", + "read_only": true, + "required": true + } + ] + } + ] + }, { "id": "./operational/azure/tag_cardinality/azure_tag_cardinality.pt", "name": "Azure Tag Cardinality Report", 
@@ -2012,6 +2932,33 @@ ] } ] + }, + { + "id": "./operational/azure/vms_without_managed_disks/azure_vms_without_managed_disks.pt", + "name": "Azure VMs Not Using Managed Disks", + "version": "3.1", + "providers": [ + { + "name": "azure_rm", + "permissions": [ + { + "name": "Microsoft.Compute/virtualMachines/read", + "read_only": true, + "required": true + } + ] + }, + { + "name": "flexera", + "permissions": [ + { + "name": "billing_center_viewer", + "read_only": true, + "required": true + } + ] + } + ] } ] -} \ No newline at end of file +} diff --git a/data/policy_permissions_list/master_policy_permissions_list.yaml b/data/policy_permissions_list/master_policy_permissions_list.yaml index 9237991ad2..2f6f552805 100644 --- a/data/policy_permissions_list/master_policy_permissions_list.yaml +++ b/data/policy_permissions_list/master_policy_permissions_list.yaml 
@@ -44,6 +44,36 @@ required: false description: Only required for taking action (updating applied policies); the policy will still function in a read-only capacity without these permissions. +- id: "./compliance/aws/disallowed_regions/aws_disallowed_regions.pt" + name: AWS Disallowed Regions + version: '5.0' + :providers: + - :name: aws + :permissions: + - name: sts:GetCallerIdentity + read_only: true + required: true + - name: ec2:DescribeRegions + read_only: true + required: true + - name: ec2:DescribeInstances + read_only: true + required: true + - name: ec2:StopInstances + read_only: false + required: false + description: Only required for taking action; the policy will still function + in a read-only capacity without these permissions. + - name: ec2:TerminateInstances + read_only: false + required: false + description: Only required for taking action; the policy will still function + in a read-only capacity without these permissions. + - :name: flexera + :permissions: + - name: billing_center_viewer + read_only: true + required: true - id: "./compliance/aws/long_stopped_instances/aws_long_stopped_instances.pt" name: AWS Long Stopped EC2 Instances version: '5.0' @@ -121,6 +151,25 @@ - name: billing_center_viewer read_only: true required: true +- id: "./compliance/azure/azure_disallowed_regions/azure_disallowed_regions.pt" + name: Azure Disallowed Regions + version: '4.1' + :providers: + - :name: azure_rm + :permissions: + - name: Microsoft.Compute/virtualMachines/read + read_only: true + required: true + - name: Microsoft.Compute/virtualMachines/write + read_only: false + required: false + description: Only required for taking action; the policy will still function + in a read-only capacity without these permissions. + - :name: flexera + :permissions: + - name: billing_center_viewer + read_only: true + required: true - id: "./compliance/azure/azure_long_stopped_instances/long_stopped_instances_azure.pt" name: Azure Long Stopped Compute Instances version: '4.1' 
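Review bot: The Azure Disallowed Regions entry in the second hunk lists only `Microsoft.Compute/virtualMachines/read` and `Microsoft.Compute/virtualMachines/write`, while its AWS sibling in the first hunk grants both `ec2:StopInstances` and `ec2:TerminateInstances` for the action. If the Azure template's action also deletes VMs found in disallowed regions, `virtualMachines/write` does not cover `Microsoft.Compute/virtualMachines/delete` and a role generated from this list would fail at action time; if the action only deallocates, the entry is adequate but the description should say so, e.g. `description: Only required for taking action (deallocating VMs); the policy will still function in a read-only capacity without these permissions.`. I cannot tell from the diff which of the two the template does, so this is worth confirming against the README the generator parsed.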
@@ -268,6 +317,94 @@ - name: storage.buckets.update read_only: true required: true +- id: "./cost/aws/gp3_volume_upgrade/aws_upgrade_to_gp3_volume.pt" + name: AWS GP3 Upgradeable Volumes + version: '4.4' + :providers: + - :name: aws + :permissions: + - name: ec2:DescribeVolumes + read_only: true + required: true + - name: ec2:DescribeRegions + read_only: true + required: true + - name: pricing:GetProducts + read_only: true + required: true + - :name: flexera + :permissions: + - name: billing_center_viewer + read_only: true + required: true +- id: "./cost/aws/idle_compute_instances/idle_compute_instances.pt" + name: AWS Idle Compute Instances + version: '5.5' + :providers: + - :name: aws + :permissions: + - name: ec2:DescribeRegions + read_only: true + required: true + - name: ec2:DescribeInstances + read_only: true + required: true + - name: ec2:DescribeTags + read_only: true + required: true + - name: cloudwatch:GetMetricStatistics + read_only: true + required: true + - name: cloudwatch:GetMetricData + read_only: true + required: true + - name: cloudwatch:ListMetrics + read_only: true + required: true + - :name: flexera + :permissions: + - name: billing_center_viewer + read_only: true + required: true +- id: "./cost/aws/object_storage_optimization/aws_object_storage_optimization.pt" + name: AWS Object Storage Optimization + version: '4.0' + :providers: + - :name: aws + :permissions: + - name: sts:GetCallerIdentity + read_only: true + required: true + - name: s3:ListAllMyBuckets + read_only: true + required: true + - name: s3:GetBucketLocation + read_only: true + required: true + - name: s3:ListBucket + read_only: true + required: true + - name: s3:GetObject + read_only: true + required: true + - name: s3:GetObjectTagging + read_only: true + required: true + - name: s3:PutObject + read_only: false + required: false + description: Only required for taking action; the policy will still function + in a read-only capacity without these permissions. 
+ - name: s3:DeleteObject + read_only: false + required: false + description: Only required for taking action; the policy will still function + in a read-only capacity without these permissions. + - :name: flexera + :permissions: + - name: billing_center_viewer + read_only: true + required: true - id: "./cost/aws/old_snapshots/aws_delete_old_snapshots.pt" name: AWS Old Snapshots version: '7.5' @@ -326,6 +463,26 @@ - name: billing_center_viewer read_only: true required: true +- id: "./cost/aws/rds_instance_license_info/rds_instance_license_info.pt" + name: AWS RDS Instances + version: '4.1' + :providers: + - :name: aws + :permissions: + - name: ec2:DescribeRegions + read_only: true + required: true + - name: rds:DescribeDBInstances + read_only: true + required: true + - name: sts:GetCallerIdentity + read_only: true + required: true + - :name: flexera + :permissions: + - name: billing_center_viewer + read_only: true + required: true - id: "./cost/aws/reserved_instances/recommendations/aws_reserved_instance_recommendations.pt" name: AWS Reserved Instances Recommendations version: '3.4' @@ -340,6 +497,15 @@ - name: billing_center_viewer read_only: true required: true +- id: "./cost/aws/reserved_instances/utilization/utilization_ris.pt" + name: AWS Reserved Instances Utilization + version: '2.1' + :providers: + - :name: flexera + :permissions: + - name: billing_center_viewer + read_only: true + required: true - id: "./cost/aws/rightsize_ebs_volumes/aws_volumes_rightsizing.pt" name: AWS Rightsize EBS Volumes version: '4.4' 
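Review bot: In the AWS Object Storage Optimization entry, `s3:GetObject` is recorded as `read_only: true, required: true`, so a read-only deployment of this policy is granted read access to the contents of every object in every bucket it enumerates. Bucket and tag inspection are already covered by `s3:ListBucket` and `s3:GetObjectTagging`; `s3:GetObject` is normally needed only as the source-side permission of the copy that changes an object's storage class, i.e. the same action path that `s3:PutObject` and `s3:DeleteObject` are scoped to with `required: false`. If that is the case here, it should carry `required: false` and the same action-only description; if the template really reads object bodies in report mode, a description explaining why would save the next reader the question. I cannot see the template's API calls from this diff, so please check the README annotation rather than this file directly.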
@@ -464,57 +630,64 @@ - name: billing_center_viewer read_only: true required: true -- id: "./cost/aws/rightsize_rds_instances/aws_rightsize_rds_instances.pt" - name: AWS Rightsize RDS Instances - version: '4.2' +- id: "./cost/aws/s3_storage_policy/aws_s3_bucket_policy_check.pt" + name: AWS S3 Bucket Intelligent Tiering Check + version: '3.1' :providers: - :name: aws :permissions: - - name: sts:GetCallerIdentity - read_only: true - required: true - - name: cloudwatch:GetMetricStatistics + - name: s3:ListAllMyBuckets read_only: true required: true - - name: cloudwatch:GetMetricData + - name: s3:GetBucketlocation read_only: true required: true - - name: ec2:DescribeRegions + - name: s3:GetIntelligentTieringConfiguration read_only: true required: true - - name: rds:DescribeDBInstances + - name: s3:GetBucketTagging read_only: true required: true - - name: rds:ListTagsForResource + - :name: flexera + :permissions: + - name: billing_center_viewer read_only: true required: true - - name: rds:DescribeOrderableDBInstanceOptions +- id: "./cost/aws/savings_plan/recommendations/aws_savings_plan_recommendations.pt" + name: AWS Savings Plan Recommendations + version: '3.1' + :providers: + - :name: aws + :permissions: + - name: ce:GetSavingsPlansPurchaseRecommendation read_only: true required: true - - name: rds:ModifyDBInstance - read_only: false - required: false - description: Only required for taking action (terminating or downsizing); the - policy will still function in a read-only capacity without these permissions. - - name: rds:DeleteDBInstance - read_only: false - required: false - description: Only required for taking action (terminating or downsizing); the - policy will still function in a read-only capacity without these permissions. 
- :name: flexera :permissions: - name: billing_center_viewer read_only: true required: true -- id: "./cost/aws/savings_plan/recommendations/aws_savings_plan_recommendations.pt" - name: AWS Savings Plan Recommendations +- id: "./cost/aws/savings_plan/utilization/aws_savings_plan_utilization.pt" + name: AWS Savings Plan Utilization version: '3.1' :providers: - :name: aws :permissions: - - name: ce:GetSavingsPlansPurchaseRecommendation + - name: ce:GetSavingsPlansUtilization + read_only: true + required: true + - name: savingsplans:DescribeSavingsPlans + read_only: true + required: true + - :name: flexera + :permissions: + - name: billing_center_viewer read_only: true required: true +- id: "./cost/aws/savings_realized/aws_savings_realized.pt" + name: AWS Savings Realized from Reservations + version: '3.4' + :providers: - :name: flexera :permissions: - name: billing_center_viewer 
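Review bot: The new AWS S3 Bucket Intelligent Tiering Check entry spells its second permission `s3:GetBucketlocation`, while the Object Storage Optimization entry earlier in this file uses `s3:GetBucketLocation`; the IAM action is `GetBucketLocation`, and even if IAM matching tolerates the case difference, anything that consumes this dataset as a canonical permission list (deduplication, diffing, role generation) will treat the two as distinct, so the README it was parsed from should read `- name: s3:GetBucketLocation`. This hunk also removes the whole `./cost/aws/rightsize_rds_instances/aws_rightsize_rds_instances.pt` entry, including its `rds:ModifyDBInstance` and `rds:DeleteDBInstance` action permissions, and no hunk in view re-adds it, yet that template remains in validated_policy_templates.yaml further down this diff. Unless it is re-added outside this view, the master list and the validated list now disagree; it may simply be the generator failing to parse that README rather than an intentional drop, which is worth confirming before merging.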
@@ -562,6 +735,80 @@ - name: billing_center_viewer read_only: true required: true +- id: "./cost/aws/superseded_instances/aws_superseded_instances.pt" + name: AWS Superseded EC2 Instances + version: '1.3' + :providers: + - :name: aws + :permissions: + - name: ec2:DescribeRegions + read_only: true + required: true + - name: ec2:DescribeInstances + read_only: true + required: true + - name: ec2:DescribeInstanceStatus + read_only: false + required: false + description: Only required for taking action (changing instance type); the policy + will still function in a read-only capacity without these permissions. + - name: ec2:DescribeTags + read_only: true + required: true + - name: ec2:ModifyInstanceAttribute + read_only: false + required: false + description: Only required for taking action (changing instance type); the policy + will still function in a read-only capacity without these permissions. + - name: ec2:StartInstances + read_only: false + required: false + description: Only required for taking action (changing instance type); the policy + will still function in a read-only capacity without these permissions. + - name: ec2:StopInstances + read_only: false + required: false + description: Only required for taking action (changing instance type); the policy + will still function in a read-only capacity without these permissions. 
+ - name: sts:GetCallerIdentity + read_only: true + required: true + - :name: flexera + :permissions: + - name: billing_center_viewer + read_only: true + required: true +- id: "./cost/aws/unused_clbs/aws_unused_clbs.pt" + name: AWS Unused Classic Load Balancers + version: '5.0' + :providers: + - :name: aws + :permissions: + - name: sts:GetCallerIdentity + read_only: true + required: true + - name: ec2:DescribeRegions + read_only: true + required: true + - name: elasticloadbalancing:DescribeLoadBalancers + read_only: true + required: true + - name: elasticloadbalancing:DescribeInstanceHealth + read_only: true + required: true + - name: elasticloadbalancing:DescribeTags + read_only: true + required: true + - name: elasticloadbalancing:DeleteLoadBalancer + read_only: false + required: false + description: Only required for taking action; the policy will still function + in a read-only capacity without these permissions. + - :name: flexera + :permissions: + - name: billing_center_viewer + read_only: true + required: true - id: "./cost/aws/unused_ip_addresses/aws_unused_ip_addresses.pt" name: AWS Unused IP Addresses version: '6.8' 
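Review bot: In the AWS Superseded EC2 Instances entry, `ec2:DescribeInstanceStatus` is flagged `read_only: false` with the action-only description, but it is a Describe call that changes nothing, and every other `ec2:Describe*` permission in view is `read_only: true`. Keeping `required: false` is reasonable if the template only polls instance status while it resizes, but the flag should be `read_only: true` so that a consumer building a read-only role from this list does not drop it while a consumer building a least-privilege action role does not over-count write permissions. The `ec2:ModifyInstanceAttribute`, `ec2:StartInstances` and `ec2:StopInstances` lines in the same entry are correctly non-read-only; this looks like a README annotation issue, where the permission carries the write marker along with the description marker, whichever symbols the generator uses for those.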
@@ -593,6 +840,160 @@ - name: billing_center_viewer read_only: true required: true +- id: "./cost/aws/unused_volumes/aws_delete_unused_volumes.pt" + name: AWS Unused Volumes + version: '7.4' + :providers: + - :name: aws + :permissions: + - name: ec2:DescribeRegions + read_only: true + required: true + - name: ec2:DescribeVolumes + read_only: true + required: true + - name: ec2:DescribeSnapshots + read_only: true + required: true + - name: cloudwatch:GetMetricStatistics + read_only: true + required: true + - name: cloudwatch:GetMetricData + read_only: true + required: true + - name: ec2:CreateTags + read_only: false + required: false + description: Only required for taking action; the policy will still function + in a read-only capacity without these permissions. + - name: ec2:CreateSnapshot + read_only: false + required: false + description: Only required for taking action; the policy will still function + in a read-only capacity without these permissions. + - name: ec2:DetachVolume + read_only: false + required: false + description: Only required for taking action; the policy will still function + in a read-only capacity without these permissions. + - name: ec2:DeleteVolume + read_only: false + required: false + description: Only required for taking action; the policy will still function + in a read-only capacity without these permissions. 
+ - :name: flexera + :permissions: + - name: billing_center_viewer + read_only: true + required: true +- id: "./cost/azure/blob_storage_optimization/azure_blob_storage_optimization.pt" + name: Azure Blob Storage Optimization + version: '3.1' + :providers: + - :name: azure_rm + :permissions: + - name: Microsoft.Storage/storageAccounts/read + read_only: true + required: true + - :name: azure_storage + :permissions: + - name: Storage Blob Data Owner + read_only: true + required: true + - :name: flexera + :permissions: + - name: billing_center_viewer + read_only: true + required: true +- id: "./cost/azure/hybrid_use_benefit/azure_hybrid_use_benefit.pt" + name: Azure Hybrid Use Benefit for Windows Server + version: '4.2' + :providers: + - :name: azure_rm + :permissions: + - name: Microsoft.Compute/virtualMachines/read + read_only: true + required: true + - name: Microsoft.Compute/virtualMachines/write + read_only: false + required: false + description: Only required for taking action (applying AHUB to VMs); the policy + will still function in a read-only capacity without these permissions. + - :name: flexera + :permissions: + - name: billing_center_viewer + read_only: true + required: true +- id: "./cost/azure/hybrid_use_benefit_linux/ahub_linux.pt" + name: Azure Hybrid Use Benefit for Linux Server + version: '4.3' + :providers: + - :name: azure_rm + :permissions: + - name: Microsoft.Compute/virtualMachines/read + read_only: true + required: true + - name: Microsoft.Compute/virtualMachines/write + read_only: false + required: false + description: Only required for taking action (applying AHUB to VMs); the policy + will still function in a read-only capacity without these permissions. 
+ - :name: flexera + :permissions: + - name: billing_center_viewer + read_only: true + required: true +- id: "./cost/azure/hybrid_use_benefit_sql/ahub_sql.pt" + name: Azure Hybrid Use Benefit for SQL + version: '3.1' + :providers: + - :name: azure_rm + :permissions: + - name: Microsoft.SqlVirtualMachine/sqlVirtualMachines/read + read_only: true + required: true + - name: Microsoft.SqlVirtualMachine/sqlVirtualMachines/write + read_only: true + required: true + - name: Microsoft.Sql/servers/read + read_only: true + required: true + - name: Microsoft.Sql/servers/write + read_only: true + required: true + - name: Microsoft.Sql/managedInstances/read + read_only: true + required: true + - name: Microsoft.Sql/managedInstances/write + read_only: true + required: true + - :name: flexera + :permissions: + - name: billing_center_viewer + read_only: true + required: true +- id: "./cost/azure/idle_compute_instances/azure_idle_compute_instances.pt" + name: Azure Idle Compute Instances + version: '5.4' + :providers: + - :name: azure_rm + :permissions: + - name: Microsoft.Compute/virtualMachines/read + read_only: true + required: true + - name: Microsoft.Compute/virtualMachines/write + read_only: false + required: false + description: Only required for taking action; the policy will still function + in a read-only capacity without these permissions. + - name: Microsoft.Insights/metrics/read + read_only: true + required: true + - :name: flexera + :permissions: + - name: billing_center_viewer + read_only: true + required: true - id: "./cost/azure/old_snapshots/azure_delete_old_snapshots.pt" name: Azure Old Snapshots version: '6.2' 
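Review bot: The Azure Hybrid Use Benefit for SQL entry marks `Microsoft.SqlVirtualMachine/sqlVirtualMachines/write`, `Microsoft.Sql/servers/write` and `Microsoft.Sql/managedInstances/write` as `read_only: true, required: true`, which contradicts both the `/write` suffix and the two sibling AHUB entries in this same hunk, where `Microsoft.Compute/virtualMachines/write` is `read_only: false, required: false` with the action-only description. As written, a role generated in read-only mode from this list would grant write on SQL servers and managed instances; those three lines should become `read_only: false`, `required: false` with a `description: Only required for taking action (applying AHUB); ...` matching the siblings. In the Azure Blob Storage Optimization entry, the `azure_storage` value `Storage Blob Data Owner` is likewise `read_only: true`, yet that built-in role grants full read, write and delete on blob data plus ACL control; if the template only reads blob properties the README should name a narrower role such as `Storage Blob Data Reader`, and if it changes tiers the flag should be `read_only: false` with a description. Both look like the generator's read-only default being applied to README lines that lack the write marker.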
@@ -746,6 +1147,15 @@ - name: billing_center_viewer read_only: true required: true +- id: "./cost/azure/savings_realized/azure_savings_realized.pt" + name: Azure Savings Realized from Reservations + version: '3.6' + :providers: + - :name: flexera + :permissions: + - name: billing_center_viewer + read_only: true + required: true - id: "./cost/azure/schedule_instance/azure_schedule_instance.pt" name: Azure Schedule Instance version: '4.0' @@ -772,6 +1182,39 @@ - name: billing_center_viewer read_only: true required: true +- id: "./cost/azure/storage_account_lifecycle_management/storage_account_lifecycle_management.pt" + name: Azure Storage Accounts without Lifecycle Management Policies + version: '3.1' + :providers: + - :name: azure_rm + :permissions: + - name: Microsoft.Storage/storageAccounts/read + read_only: true + required: true + - :name: flexera + :permissions: + - name: billing_center_viewer + read_only: true + required: true +- id: "./cost/azure/superseded_instances/azure_superseded_instances.pt" + name: Azure Superseded Compute Instances + version: '1.2' + :providers: + - :name: azure_rm + :permissions: + - name: Microsoft.Compute/virtualMachines/read + read_only: true + required: true + - name: Microsoft.Compute/virtualMachines/write + read_only: false + required: false + description: Only required for taking action (changing instance type); the policy + will still function in a read-only capacity without these permissions. + - :name: flexera + :permissions: + - name: billing_center_viewer + read_only: true + required: true - id: "./cost/azure/unused_ip_addresses/azure_unused_ip_addresses.pt" name: Azure Unused IP Addresses version: '6.3' 
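Review bot: The Azure Storage Accounts without Lifecycle Management Policies entry in the second hunk lists only `Microsoft.Storage/storageAccounts/read`. Lifecycle policies are a sub-resource under `Microsoft.Storage/storageAccounts/managementPolicies`, and reading them through the management API needs `Microsoft.Storage/storageAccounts/managementPolicies/read`, which the built-in Reader role includes but a custom role built from exactly this list would not. If the template fetches the policy rather than only listing accounts, add `- name: Microsoft.Storage/storageAccounts/managementPolicies/read` as a required read-only permission; I cannot see the template's API calls from this diff, so this should be checked against the README the entry was generated from.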
@@ -1132,6 +1575,32 @@ - name: billing_center_viewer read_only: true required: true +- id: "./operational/aws/lambda_functions_with_high_error_rate/lambda_functions_with_high_error_rate.pt" + name: AWS Lambda Functions with high error rate + version: '4.2' + :providers: + - :name: aws + :permissions: + - name: ec2:DescribeRegions + read_only: true + required: true + - name: lambda:ListFunctions + read_only: true + required: true + - name: lambda:ListTags + read_only: true + required: true + - name: cloudwatch:GetMetricStatistics + read_only: true + required: true + - name: cloudwatch:ListMetrics + read_only: true + required: true + - :name: flexera + :permissions: + - name: billing_center_viewer + read_only: true + required: true - id: "./operational/aws/long_running_instances/long_running_instances.pt" name: AWS Long Running Instances version: '4.3' @@ -1167,6 +1636,15 @@ - name: billing_center_viewer read_only: true required: true +- id: "./operational/aws/marketplace_new_products/aws_marketplace_new_products.pt" + name: AWS New Marketplace Products + version: '0.1' + :providers: + - :name: flexera + :permissions: + - name: billing_center_viewer + read_only: true + required: true - id: "./operational/aws/tag_cardinality/aws_tag_cardinality.pt" name: AWS Tag Cardinality Report version: '3.0' 
@@ -1185,6 +1663,42 @@ - name: organizations:ListTagsForResource read_only: true required: true +- id: "./operational/aws/total_instance_hours/number_of_hours_per_instance_family.pt" + name: AWS Usage Report - Number of Instance Hours Used + version: '3.1' + :providers: + - :name: flexera + :permissions: + - name: billing_center_viewer + read_only: true + required: true +- id: "./operational/aws/total_instance_hours_forecast/aws_total_instance_hrs_forecast.pt" + name: AWS Usage Forecast - Number of Instance Hours Used + version: '3.2' + :providers: + - :name: flexera + :permissions: + - name: billing_center_viewer + read_only: true + required: true +- id: "./operational/aws/total_instance_vcpus/number_of_vcpus_per_instance_family.pt" + name: AWS Usage Report - Number of Instance vCPUs Used + version: '3.1' + :providers: + - :name: flexera + :permissions: + - name: billing_center_viewer + read_only: true + required: true +- id: "./operational/aws/total_instance_vcpus_forecast/aws_total_instance_vcpus_forecast.pt" + name: AWS Usage Forecast - Number of Instance vCPUs Used + version: '3.2' + :providers: + - :name: flexera + :permissions: + - name: billing_center_viewer + read_only: true + required: true - id: "./operational/azure/azure_long_running_instances/azure_long_running_instances.pt" name: Azure Long Running Instances version: '5.1' @@ -1204,6 +1718,15 @@ - name: billing_center_viewer read_only: true required: true +- id: "./operational/azure/marketplace_new_products/azure_marketplace_new_products.pt" + name: Azure New Marketplace Products + version: '0.2' + :providers: + - :name: flexera + :permissions: + - name: billing_center_viewer + read_only: true + required: true - id: "./operational/azure/tag_cardinality/azure_tag_cardinality.pt" name: Azure Tag Cardinality Report version: '3.1' 
@@ -1230,3 +1753,17 @@ - name: billing_center_viewer read_only: true required: true +- id: "./operational/azure/vms_without_managed_disks/azure_vms_without_managed_disks.pt" + name: Azure VMs Not Using Managed Disks + version: '3.1' + :providers: + - :name: azure_rm + :permissions: + - name: Microsoft.Compute/virtualMachines/read + read_only: true + required: true + - :name: flexera + :permissions: + - name: billing_center_viewer + read_only: true + required: true diff --git a/tools/policy_master_permission_generation/generate_policy_master_permissions.rb b/tools/policy_master_permission_generation/generate_policy_master_permissions.rb index f4a2f86b4c..b828001ddd 100644 --- a/tools/policy_master_permission_generation/generate_policy_master_permissions.rb +++ b/tools/policy_master_permission_generation/generate_policy_master_permissions.rb @@ -57,6 +57,7 @@ def extract_permissions_from_readme(readme_content) "[**AWS Credentials**]", "[**AWS Credential**]", "[**Azure Resource Manager Credential**]", + "[**Azure Storage Credential**]", "[**Google Cloud Credential**]", "[**Flexera Credential**]" ] @@ -67,6 +68,8 @@ def extract_permissions_from_readme(readme_content) provider = "aws" when "[**Azure Resource Manager Credential**]" provider = "azure_rm" + when "[**Azure Storage Credential**]" + provider = "azure_storage" when "[**Google Cloud Credential**]" provider = "gce" when "[**Flexera Credential**]" @@ -109,7 +112,7 @@ def extract_permissions_from_readme(readme_content) # Set whether permission is read-only, required, and/or has a description (and depending on the symbol) read_only_permission = true required = true - + # Checks for a symbol (which would denote that the permission has an accompanying description) symbol_if_exists = list_of_notes.find { |note| permission.end_with?(note[:symbol]) == true || line.include?(note[:symbol]) == true } 
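Review bot: The new `azure_storage` provider branch maps the `[**Azure Storage Credential**]` README section onto the same permission model as the IAM/RBAC action lists, but the values that section carries appear to be role names (the generated YAML records `Storage Blob Data Owner`), and the `read_only_permission = true` / `required = true` defaults visible in the last hunk seem to apply to them unchanged. A role name cannot be inferred to be read-only from its text the way `ec2:Describe*` or `/read` can, so unless the README explicitly annotates such a role with the write marker it will be recorded as read-only. Either document in the script that `azure_storage` entries are role assignments whose `read_only` flag must be set explicitly in the README, or add a guard after the symbol lookup, e.g. `warn "azure_storage role #{permission} has no read/write annotation" if provider == "azure_storage" && symbol_if_exists.nil?`. The enclosing `extract_permissions_from_readme` starts and ends outside these hunks.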
diff --git a/tools/policy_master_permission_generation/validated_policy_templates.yaml b/tools/policy_master_permission_generation/validated_policy_templates.yaml index 38a0131471..7f9f146c48 100644 --- a/tools/policy_master_permission_generation/validated_policy_templates.yaml +++ b/tools/policy_master_permission_generation/validated_policy_templates.yaml 
@@ -4,44 +4,72 @@ # - The `data/policy_permissions_list/master_policy_permissions_list` datasets contains all permissions from the README.md -- this confirms generate_policy_master_permissions.rb script parses README as expected validated_policy_templates: # AWS +- "./compliance/aws/disallowed_regions/aws_disallowed_regions.pt" - "./compliance/aws/long_stopped_instances/aws_long_stopped_instances.pt" - "./compliance/aws/untagged_resources/aws_untagged_resources.pt" +- "./cost/aws/gp3_volume_upgrade/aws_upgrade_to_gp3_volume.pt" +- "./cost/aws/idle_compute_instances/idle_compute_instances.pt" +- "./cost/aws/object_storage_optimization/aws_object_storage_optimization.pt" +- "./cost/aws/old_snapshots/aws_delete_old_snapshots.pt" +- "./cost/aws/rds_instance_license_info/rds_instance_license_info.pt" +- "./cost/aws/rightsize_ebs_volumes/aws_volumes_rightsizing.pt" - "./cost/aws/rightsize_ec2_instances/aws_rightsize_ec2_instances.pt" - "./cost/aws/rightsize_rds_instances/aws_rightsize_rds_instances.pt" -- "./cost/aws/old_snapshots/aws_delete_old_snapshots.pt" - "./cost/aws/reserved_instances/recommendations/aws_reserved_instance_recommendations.pt" -- "./cost/aws/unused_ip_addresses/aws_unused_ip_addresses.pt" +- "./cost/aws/reserved_instances/utilization/utilization_ris.pt" +- "./cost/aws/s3_storage_policy/aws_s3_bucket_policy_check.pt" - "./cost/aws/savings_plan/recommendations/aws_savings_plan_recommendations.pt" -- "./cost/aws/rightsize_rds_instances/aws_rightsize_rds_instances.pt" -- "./cost/aws/rightsize_ebs_volumes/aws_volumes_rightsizing.pt" +- "./cost/aws/savings_plan/utilization/aws_savings_plan_utilization.pt" +- "./cost/aws/savings_realized/aws_savings_realized.pt" - "./cost/aws/schedule_instance/aws_schedule_instance.pt" -- "./operational/aws/tag_cardinality/aws_tag_cardinality.pt" +- "./cost/aws/superseded_instances/aws_superseded_instances.pt" +- "./cost/aws/unused_clbs/aws_unused_clbs.pt" +- "./cost/aws/unused_ip_addresses/aws_unused_ip_addresses.pt" +- 
"./cost/aws/unused_volumes/aws_delete_unused_volumes.pt" +- "./operational/aws/lambda_functions_with_high_error_rate/lambda_functions_with_high_error_rate.pt" - "./operational/aws/long_running_instances/long_running_instances.pt" +- "./operational/aws/marketplace_new_products/aws_marketplace_new_products.pt" +- "./operational/aws/total_instance_hours/number_of_hours_per_instance_family.pt" +- "./operational/aws/total_instance_hours_forecast/aws_total_instance_hrs_forecast.pt" +- "./operational/aws/total_instance_vcpus/number_of_vcpus_per_instance_family.pt" +- "./operational/aws/total_instance_vcpus_forecast/aws_total_instance_vcpus_forecast.pt" +- "./operational/aws/tag_cardinality/aws_tag_cardinality.pt" # Azure +- "./compliance/azure/azure_disallowed_regions/azure_disallowed_regions.pt" - "./compliance/azure/azure_long_stopped_instances/long_stopped_instances_azure.pt" - "./compliance/azure/azure_untagged_resources/untagged_resources.pt" - "./compliance/azure/azure_untagged_vms/untagged_vms.pt" -- "./cost/azure/unused_sql_databases/azure_unused_sql_databases.pt" -- "./cost/azure/rightsize_compute_instances/azure_compute_rightsizing.pt" -- "./cost/azure/unused_volumes/azure_unused_volumes.pt" +- "./cost/azure/blob_storage_optimization/azure_blob_storage_optimization.pt" +- "./cost/azure/hybrid_use_benefit/azure_hybrid_use_benefit.pt" +- "./cost/azure/hybrid_use_benefit_linux/ahub_linux.pt" +- "./cost/azure/hybrid_use_benefit_sql/ahub_sql.pt" +- "./cost/azure/idle_compute_instances/azure_idle_compute_instances.pt" - "./cost/azure/old_snapshots/azure_delete_old_snapshots.pt" -- "./cost/azure/unused_ip_addresses/azure_unused_ip_addresses.pt" -- "./cost/azure/savings_plan/recommendations/azure_savings_plan_recommendations.pt" - "./cost/azure/reserved_instances/recommendations/azure_reserved_instance_recommendations.pt" - "./cost/azure/reserved_instances/utilization/azure_reserved_instance_utilization.pt" -- 
"./cost/azure/rightsize_sql_instances/azure_rightsize_sql_instances.pt" +- "./cost/azure/rightsize_compute_instances/azure_compute_rightsizing.pt" - "./cost/azure/rightsize_managed_disks/azure_rightsize_managed_disks.pt" +- "./cost/azure/rightsize_sql_instances/azure_rightsize_sql_instances.pt" +- "./cost/azure/savings_plan/recommendations/azure_savings_plan_recommendations.pt" +- "./cost/azure/savings_realized/azure_savings_realized.pt" - "./cost/azure/schedule_instance/azure_schedule_instance.pt" -- "./operational/azure/tag_cardinality/azure_tag_cardinality.pt" +- "./cost/azure/storage_account_lifecycle_management/storage_account_lifecycle_management.pt" +- "./cost/azure/superseded_instances/azure_superseded_instances.pt" +- "./cost/azure/unused_ip_addresses/azure_unused_ip_addresses.pt" +- "./cost/azure/unused_sql_databases/azure_unused_sql_databases.pt" +- "./cost/azure/unused_volumes/azure_unused_volumes.pt" - "./operational/azure/azure_long_running_instances/azure_long_running_instances.pt" +- "./operational/azure/marketplace_new_products/azure_marketplace_new_products.pt" +- "./operational/azure/tag_cardinality/azure_tag_cardinality.pt" +- "./operational/azure/vms_without_managed_disks/azure_vms_without_managed_disks.pt" # Google - "./compliance/google/long_stopped_instances/google_long_stopped_instances.pt" - "./compliance/google/unlabeled_resources/unlabeled_resources.pt" -- "./cost/google/rightsize_vm_recommendations/google_rightsize_vm_recommendations.pt" -- "./cost/google/idle_persistent_disk_recommendations/google_idle_persistent_disk_recommendations.pt" - "./cost/google/cloud_sql_idle_instance_recommendations/google_sql_idle_instance_recommendations.pt" -- "./cost/google/idle_ip_address_recommendations/google_idle_ip_address_recommendations.pt" - "./cost/google/cud_recommendations/google_committed_use_discount_recommendations.pt" +- "./cost/google/idle_ip_address_recommendations/google_idle_ip_address_recommendations.pt" +- 
"./cost/google/idle_persistent_disk_recommendations/google_idle_persistent_disk_recommendations.pt" +- "./cost/google/rightsize_vm_recommendations/google_rightsize_vm_recommendations.pt" - "./cost/google/schedule_instance/google_schedule_instance.pt" # Flexera - "./automation/flexera/outdated_applied_policies/outdated_applied_policies.pt"
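Review bot: `./cost/aws/rightsize_rds_instances/aws_rightsize_rds_instances.pt` stays in the AWS list (only its duplicate line is removed) even though the master_policy_permissions_list.yaml hunk earlier in this diff deletes that template's entry, with its `rds:ModifyDBInstance` and `rds:DeleteDBInstance` action permissions, and nothing in view re-adds it. The comment at the top of this file states that listing a template here asserts the dataset contains all permissions from its README, which cannot hold for an entry that is no longer in the dataset. Unless the entry is restored elsewhere in the commit, either regenerate the master list with that README parsing again or drop the template from this list until it does.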