From 4a119aedb042d861161f118b33ac9a1520540970 Mon Sep 17 00:00:00 2001 
From: "Ian Mckay [bot]" Date: Sun, 8 Sep 2024 14:08:11 +0000 Subject: [PATCH] Update SAR data --- aws/historic_counts.json | 8 + aws/managed_policies.json | 54 ++--- .../AWSAuditManagerAdministratorAccess.json | 6 +- aws/managedpolicies/AWSBackupAdminPolicy.json | 6 +- aws/managedpolicies/AWSBackupFullAccess.json | 6 +- .../AWSBackupOperatorPolicy.json | 6 +- ...ackupServiceLinkedRolePolicyForBackup.json | 8 +- .../AWSBackupServiceRolePolicyForBackup.json | 6 +- ...AWSBackupServiceRolePolicyForRestores.json | 6 +- .../AWSFaultInjectionSimulatorEC2Access.json | 8 +- aws/managedpolicies/AWSProtonFullAccess.json | 6 +- .../AWSRefactoringToolkitFullAccess.json | 4 +- .../AWSServiceRoleForImageBuilder.json | 6 +- .../AWSSupplyChainFederationAdminAccess.json | 6 +- aws/managedpolicies/AdministratorAccess.json | 4 +- .../AmazonAppFlowFullAccess.json | 8 +- .../AmazonConnectFullAccess.json | 4 +- ...taZoneSageMakerManageAccessRolePolicy.json | 6 +- .../AmazonDocDBElasticFullAccess.json | 6 +- ...utyMalwareProtectionServiceRolePolicy.json | 8 +- .../AmazonLookoutEquipmentFullAccess.json | 6 +- aws/managedpolicies/AmazonMSKFullAccess.json | 6 +- .../AmazonMonitronFullAccess.json | 4 +- ...mazonSageMakerModelRegistryFullAccess.json | 4 +- .../AmazonSecurityLakeAdministrator.json | 4 +- .../AmazonTimestreamConsoleFullAccess.json | 8 +- .../AmazonTimestreamFullAccess.json | 8 +- aws/managedpolicies/PowerUserAccess.json | 4 +- aws/managedpolicies/ROSAInstallerPolicy.json | 6 +- .../ROSANodePoolManagementPolicy.json | 6 +- aws/tags.json | 16 +- azure/built-in-roles.json | 42 ++++ azure/provider-operations.json | 30 ++- gcp/map.json | 28 +-- gcp/predefined_roles.json | 5 + gcp/role_permissions.json | 120 +++++++++++ gcp/roles/aiplatform.tuningServiceAgent.json | 6 + .../compute.loadBalancerServiceUser.json | 5 + .../edgecontainer.clusterServiceAgent.json | 1 + gcp/roles/run.serviceAgent.json | 2 + gcp/roles/seclm.serviceAgent.json | 2 + gcp/roles/serverless.serviceAgent.json | 2 + 
gcp/roles/viewer.json | 6 + gcp/tags.json | 198 +++++++++--------- 44 files changed, 456 insertions(+), 235 deletions(-) diff --git a/aws/historic_counts.json b/aws/historic_counts.json index a884d5e3f..40bf58b97 100644 --- a/aws/historic_counts.json +++ b/aws/historic_counts.json @@ -6235,6 +6235,10 @@ { "count": 15536, "date": "2024-09-07T13:49:29" + }, + { + "count": 15536, + "date": "2024-09-08T14:08:07" } ], "iam": [ @@ -11065,6 +11069,10 @@ { "count": 17159, "date": "2024-09-07T13:49:29" + }, + { + "count": 17159, + "date": "2024-09-08T14:08:07" } ] } \ No newline at end of file diff --git a/aws/managed_policies.json b/aws/managed_policies.json index 150f2bdd3..e472cc197 100644 --- a/aws/managed_policies.json +++ b/aws/managed_policies.json @@ -19741,7 +19741,7 @@ "arn": "arn:aws:iam::aws:policy/AmazonDocDBElasticFullAccess", "createdate": "2023-06-21T18:05:47+00:00", "credentials_exposure": false, - "data_access": false, + "data_access": true, "deprecated": false, "effective_action_names": [ "docdb-elastic:CreateCluster", @@ -24225,7 +24225,7 @@ "arn": "arn:aws:iam::aws:policy/AmazonTimestreamFullAccess", "createdate": "2021-11-26T23:42:00+00:00", "credentials_exposure": false, - "data_access": false, + "data_access": true, "deprecated": false, "effective_action_names": [ "timestream:CancelQuery", @@ -24271,7 +24271,7 @@ ], "malformed": false, "name": "AmazonTimestreamFullAccess", - "privesc": false, + "privesc": true, "resource_exposure": true, "undocumented_actions": false, "unknown_actions": false, @@ -34680,7 +34680,7 @@ ], "malformed": false, "name": "AWSBackupServiceRolePolicyForRestores", - "privesc": false, + "privesc": true, "resource_exposure": true, "undocumented_actions": false, "unknown_actions": false, 
@@ -39844,7 +39844,7 @@ "arn": "arn:aws:iam::aws:policy/AmazonMSKFullAccess", "createdate": "2023-10-18T11:33:13+00:00", "credentials_exposure": false, - "data_access": false, + "data_access": true, "deprecated": false, "effective_action_names": [ "kafka:BatchAssociateScramSecret", @@ -53944,7 +53944,7 @@ ], "malformed": false, "name": "AWSBackupServiceRolePolicyForBackup", - "privesc": false, + "privesc": true, "resource_exposure": true, "undocumented_actions": false, "unknown_actions": false, @@ -59137,7 +59137,7 @@ "arn": "arn:aws:iam::aws:policy/AWSAuditManagerAdministratorAccess", "createdate": "2024-05-15T23:46:15+00:00", "credentials_exposure": false, - "data_access": false, + "data_access": true, "deprecated": false, "effective_action_names": [ "auditmanager:AssociateAssessmentReportEvidenceFolder", @@ -59335,7 +59335,7 @@ ], "malformed": false, "name": "AWSSupplyChainFederationAdminAccess", - "privesc": false, + "privesc": true, "resource_exposure": true, "undocumented_actions": false, "unknown_actions": false, @@ -61350,7 +61350,7 @@ "arn": "arn:aws:iam::aws:policy/AWSProtonFullAccess", "createdate": "2024-06-06T18:29:00+00:00", "credentials_exposure": false, - "data_access": false, + "data_access": true, "deprecated": false, "effective_action_names": [ "proton:AcceptEnvironmentAccountConnection", @@ -82399,7 +82399,7 @@ "arn": "arn:aws:iam::aws:policy/AmazonLookoutEquipmentFullAccess", "createdate": "2021-11-24T21:00:13+00:00", "credentials_exposure": false, - "data_access": false, + "data_access": true, "deprecated": false, "effective_action_names": [ "lookoutequipment:CreateDataset", @@ -83440,7 +83440,7 @@ "arn": "arn:aws:iam::aws:policy/aws-service-role/AWSBackupServiceLinkedRolePolicyForBackup", "createdate": "2024-05-17T17:12:59+00:00", "credentials_exposure": false, - "data_access": false, + "data_access": true, "deprecated": false, "effective_action_names": [ "elasticfilesystem:Backup", 
@@ -83521,7 +83521,7 @@ ], "malformed": false, "name": "AWSBackupServiceLinkedRolePolicyForBackup", - "privesc": false, + "privesc": true, "resource_exposure": true, "undocumented_actions": false, "unknown_actions": false, @@ -83882,7 +83882,7 @@ "arn": "arn:aws:iam::aws:policy/service-role/ROSAInstallerPolicy", "createdate": "2024-04-24T19:49:55+00:00", "credentials_exposure": false, - "data_access": false, + "data_access": true, "deprecated": false, "effective_action_names": [ "ec2:DescribeAvailabilityZones", @@ -95944,7 +95944,7 @@ "arn": "arn:aws:iam::aws:policy/service-role/AWSFaultInjectionSimulatorEC2Access", "createdate": "2023-11-27T15:08:12+00:00", "credentials_exposure": false, - "data_access": false, + "data_access": true, "deprecated": false, "effective_action_names": [ "ec2:RebootInstances", @@ -95960,7 +95960,7 @@ ], "malformed": false, "name": "AWSFaultInjectionSimulatorEC2Access", - "privesc": false, + "privesc": true, "resource_exposure": true, "undocumented_actions": false, "unknown_actions": false, @@ -96524,7 +96524,7 @@ "arn": "arn:aws:iam::aws:policy/AWSBackupFullAccess", "createdate": "2023-11-27T17:33:10+00:00", "credentials_exposure": false, - "data_access": false, + "data_access": true, "deprecated": false, "effective_action_names": [ "backup:CancelLegalHold", @@ -97242,7 +97242,7 @@ "arn": "arn:aws:iam::aws:policy/aws-service-role/AWSServiceRoleForImageBuilder", "createdate": "2023-10-19T21:30:10+00:00", "credentials_exposure": true, - "data_access": false, + "data_access": true, "deprecated": false, "effective_action_names": [ "ec2:RunInstances", @@ -123692,7 +123692,7 @@ "arn": null, "createdate": "2019-03-11T22:18:12Z", "credentials_exposure": false, - "data_access": false, + "data_access": true, "deprecated": true, "effective_action_names": [ "backup:GetBackupPlan", 
@@ -125262,7 +125262,7 @@ ], "malformed": false, "name": "AmazonDataZoneSageMakerManageAccessRolePolicy", - "privesc": false, + "privesc": true, "resource_exposure": true, "undocumented_actions": false, "unknown_actions": false, @@ -136542,7 +136542,7 @@ "arn": "arn:aws:iam::aws:policy/service-role/ROSANodePoolManagementPolicy", "createdate": "2024-05-02T14:01:47+00:00", "credentials_exposure": false, - "data_access": false, + "data_access": true, "deprecated": false, "effective_action_names": [ "ec2:DescribeDhcpOptions", @@ -142666,7 +142666,7 @@ "arn": "arn:aws:iam::aws:policy/aws-service-role/AmazonGuardDutyMalwareProtectionServiceRolePolicy", "createdate": "2024-01-25T22:24:00+00:00", "credentials_exposure": false, - "data_access": false, + "data_access": true, "deprecated": false, "effective_action_names": [ "ec2:DescribeInstances", @@ -142698,7 +142698,7 @@ ], "malformed": false, "name": "AmazonGuardDutyMalwareProtectionServiceRolePolicy", - "privesc": false, + "privesc": true, "resource_exposure": true, "undocumented_actions": false, "unknown_actions": false, @@ -143095,7 +143095,7 @@ "arn": "arn:aws:iam::aws:policy/AmazonAppFlowFullAccess", "createdate": "2022-02-28T23:11:23+00:00", "credentials_exposure": false, - "data_access": false, + "data_access": true, "deprecated": false, "effective_action_names": [ "appflow:CancelFlowExecutions", @@ -143146,7 +143146,7 @@ ], "malformed": false, "name": "AmazonAppFlowFullAccess", - "privesc": false, + "privesc": true, "resource_exposure": true, "undocumented_actions": false, "unknown_actions": false, @@ -144109,7 +144109,7 @@ "arn": "arn:aws:iam::aws:policy/AmazonTimestreamConsoleFullAccess", "createdate": "2022-02-01T21:37:31+00:00", "credentials_exposure": false, - "data_access": false, + "data_access": true, "deprecated": false, "effective_action_names": [ "timestream:CancelQuery", 
@@ -144168,7 +144168,7 @@ ], "malformed": false, "name": "AmazonTimestreamConsoleFullAccess", - "privesc": false, + "privesc": true, "resource_exposure": true, "undocumented_actions": false, "unknown_actions": false, @@ -148622,7 +148622,7 @@ "arn": null, "createdate": "2019-03-11T22:14:30Z", "credentials_exposure": false, - "data_access": false, + "data_access": true, "deprecated": true, "effective_action_names": [ "backup:CancelLegalHold", diff --git a/aws/managedpolicies/AWSAuditManagerAdministratorAccess.json b/aws/managedpolicies/AWSAuditManagerAdministratorAccess.json index 26ec70195..91ea83a1a 100644 --- a/aws/managedpolicies/AWSAuditManagerAdministratorAccess.json +++ b/aws/managedpolicies/AWSAuditManagerAdministratorAccess.json @@ -9,7 +9,7 @@ "arn": "arn:aws:iam::aws:policy/AWSAuditManagerAdministratorAccess", "createdate": "2024-05-15T23:46:15+00:00", "credentials_exposure": false, - "data_access": false, + "data_access": true, "deprecated": false, "document": { "Statement": [ @@ -1045,9 +1045,9 @@ } }, "credentials_exposure": false, - "data_access": false, + "data_access": true, "effective_action": "kms:CreateGrant", - "privesc": false, + "privesc": true, "resource_exposure": true }, { diff --git a/aws/managedpolicies/AWSBackupAdminPolicy.json b/aws/managedpolicies/AWSBackupAdminPolicy.json index fae95a760..65775b6fa 100644 --- a/aws/managedpolicies/AWSBackupAdminPolicy.json +++ b/aws/managedpolicies/AWSBackupAdminPolicy.json @@ -9,7 +9,7 @@ "arn": null, "createdate": "2019-03-11T22:14:30Z", "credentials_exposure": false, - "data_access": false, + "data_access": true, "deprecated": true, "document": { "Statement": [ @@ -1568,9 +1568,9 @@ "action": "kms:CreateGrant", "condition": null, "credentials_exposure": false, - "data_access": false, + "data_access": true, "effective_action": "kms:CreateGrant", - "privesc": false, + "privesc": true, "resource_exposure": true }, { 
diff --git a/aws/managedpolicies/AWSBackupFullAccess.json b/aws/managedpolicies/AWSBackupFullAccess.json index f5e1b1093..a48791e1f 100644 --- a/aws/managedpolicies/AWSBackupFullAccess.json +++ b/aws/managedpolicies/AWSBackupFullAccess.json @@ -9,7 +9,7 @@ "arn": "arn:aws:iam::aws:policy/AWSBackupFullAccess", "createdate": "2023-11-27T17:33:10+00:00", "credentials_exposure": false, - "data_access": false, + "data_access": true, "deprecated": false, "document": { "Statement": [ @@ -2125,9 +2125,9 @@ } }, "credentials_exposure": false, - "data_access": false, + "data_access": true, "effective_action": "kms:CreateGrant", - "privesc": false, + "privesc": true, "resource_exposure": true }, { diff --git a/aws/managedpolicies/AWSBackupOperatorPolicy.json b/aws/managedpolicies/AWSBackupOperatorPolicy.json index 5bb6c16b2..1cf54da65 100644 --- a/aws/managedpolicies/AWSBackupOperatorPolicy.json +++ b/aws/managedpolicies/AWSBackupOperatorPolicy.json @@ -8,7 +8,7 @@ "arn": null, "createdate": "2019-03-11T22:18:12Z", "credentials_exposure": false, - "data_access": false, + "data_access": true, "deprecated": true, "document": { "Statement": [ @@ -997,9 +997,9 @@ "action": "kms:CreateGrant", "condition": null, "credentials_exposure": false, - "data_access": false, + "data_access": true, "effective_action": "kms:CreateGrant", - "privesc": false, + "privesc": true, "resource_exposure": true }, { diff --git a/aws/managedpolicies/AWSBackupServiceLinkedRolePolicyForBackup.json b/aws/managedpolicies/AWSBackupServiceLinkedRolePolicyForBackup.json index 759c4d11a..125e1ab4c 100644 --- a/aws/managedpolicies/AWSBackupServiceLinkedRolePolicyForBackup.json +++ b/aws/managedpolicies/AWSBackupServiceLinkedRolePolicyForBackup.json 
@@ -9,7 +9,7 @@ "arn": "arn:aws:iam::aws:policy/aws-service-role/AWSBackupServiceLinkedRolePolicyForBackup", "createdate": "2024-05-17T17:12:59+00:00", "credentials_exposure": false, - "data_access": false, + "data_access": true, "deprecated": false, "document": { "Statement": [ @@ -828,9 +828,9 @@ } }, "credentials_exposure": false, - "data_access": false, + "data_access": true, "effective_action": "kms:CreateGrant", - "privesc": false, + "privesc": true, "resource_exposure": true }, { @@ -1200,7 +1200,7 @@ ], "malformed": false, "name": "AWSBackupServiceLinkedRolePolicyForBackup", - "privesc": false, + "privesc": true, "resource_exposure": true, "undocumented_actions": false, "unknown_actions": [], diff --git a/aws/managedpolicies/AWSBackupServiceRolePolicyForBackup.json b/aws/managedpolicies/AWSBackupServiceRolePolicyForBackup.json index 5f5c9e3a8..54cb2f5da 100644 --- a/aws/managedpolicies/AWSBackupServiceRolePolicyForBackup.json +++ b/aws/managedpolicies/AWSBackupServiceRolePolicyForBackup.json @@ -1099,9 +1099,9 @@ } }, "credentials_exposure": false, - "data_access": false, + "data_access": true, "effective_action": "kms:CreateGrant", - "privesc": false, + "privesc": true, "resource_exposure": true }, { @@ -1557,7 +1557,7 @@ ], "malformed": false, "name": "AWSBackupServiceRolePolicyForBackup", - "privesc": false, + "privesc": true, "resource_exposure": true, "undocumented_actions": false, "unknown_actions": [], diff --git a/aws/managedpolicies/AWSBackupServiceRolePolicyForRestores.json b/aws/managedpolicies/AWSBackupServiceRolePolicyForRestores.json index 201246d0d..fa4f69d01 100644 --- a/aws/managedpolicies/AWSBackupServiceRolePolicyForRestores.json +++ b/aws/managedpolicies/AWSBackupServiceRolePolicyForRestores.json @@ -1066,9 +1066,9 @@ } }, "credentials_exposure": false, - "data_access": false, + "data_access": true, "effective_action": "kms:CreateGrant", - "privesc": false, + "privesc": true, "resource_exposure": true }, { 
@@ -1547,7 +1547,7 @@ ], "malformed": false, "name": "AWSBackupServiceRolePolicyForRestores", - "privesc": false, + "privesc": true, "resource_exposure": true, "undocumented_actions": false, "unknown_actions": [], diff --git a/aws/managedpolicies/AWSFaultInjectionSimulatorEC2Access.json b/aws/managedpolicies/AWSFaultInjectionSimulatorEC2Access.json index 3d932c101..04b0c3e87 100644 --- a/aws/managedpolicies/AWSFaultInjectionSimulatorEC2Access.json +++ b/aws/managedpolicies/AWSFaultInjectionSimulatorEC2Access.json @@ -7,7 +7,7 @@ "arn": "arn:aws:iam::aws:policy/service-role/AWSFaultInjectionSimulatorEC2Access", "createdate": "2023-11-27T15:08:12+00:00", "credentials_exposure": false, - "data_access": false, + "data_access": true, "deprecated": false, "document": { "Statement": [ @@ -135,9 +135,9 @@ } }, "credentials_exposure": false, - "data_access": false, + "data_access": true, "effective_action": "kms:CreateGrant", - "privesc": false, + "privesc": true, "resource_exposure": true }, { @@ -183,7 +183,7 @@ ], "malformed": false, "name": "AWSFaultInjectionSimulatorEC2Access", - "privesc": false, + "privesc": true, "resource_exposure": true, "undocumented_actions": false, "unknown_actions": [], diff --git a/aws/managedpolicies/AWSProtonFullAccess.json b/aws/managedpolicies/AWSProtonFullAccess.json index a266e193a..f880c1f4b 100644 --- a/aws/managedpolicies/AWSProtonFullAccess.json +++ b/aws/managedpolicies/AWSProtonFullAccess.json @@ -9,7 +9,7 @@ "arn": "arn:aws:iam::aws:policy/AWSProtonFullAccess", "createdate": "2024-06-06T18:29:00+00:00", "credentials_exposure": false, - "data_access": false, + "data_access": true, "deprecated": false, "document": { "Statement": [ @@ -1248,9 +1248,9 @@ } }, "credentials_exposure": false, - "data_access": false, + "data_access": true, "effective_action": "kms:CreateGrant", - "privesc": false, + "privesc": true, "resource_exposure": true }, { 
diff --git a/aws/managedpolicies/AWSRefactoringToolkitFullAccess.json b/aws/managedpolicies/AWSRefactoringToolkitFullAccess.json index b764e11f5..08cc4c2eb 100644 --- a/aws/managedpolicies/AWSRefactoringToolkitFullAccess.json +++ b/aws/managedpolicies/AWSRefactoringToolkitFullAccess.json @@ -2561,9 +2561,9 @@ } }, "credentials_exposure": false, - "data_access": false, + "data_access": true, "effective_action": "kms:CreateGrant", - "privesc": false, + "privesc": true, "resource_exposure": true } ], diff --git a/aws/managedpolicies/AWSServiceRoleForImageBuilder.json b/aws/managedpolicies/AWSServiceRoleForImageBuilder.json index fbef244c6..c4a9cd5bf 100644 --- a/aws/managedpolicies/AWSServiceRoleForImageBuilder.json +++ b/aws/managedpolicies/AWSServiceRoleForImageBuilder.json @@ -9,7 +9,7 @@ "arn": "arn:aws:iam::aws:policy/aws-service-role/AWSServiceRoleForImageBuilder", "createdate": "2023-10-19T21:30:10+00:00", "credentials_exposure": true, - "data_access": false, + "data_access": true, "deprecated": false, "document": { "Statement": [ @@ -1079,9 +1079,9 @@ } }, "credentials_exposure": false, - "data_access": false, + "data_access": true, "effective_action": "kms:CreateGrant", - "privesc": false, + "privesc": true, "resource_exposure": true }, { diff --git a/aws/managedpolicies/AWSSupplyChainFederationAdminAccess.json b/aws/managedpolicies/AWSSupplyChainFederationAdminAccess.json index b9d0bebb8..a322f3afc 100644 --- a/aws/managedpolicies/AWSSupplyChainFederationAdminAccess.json +++ b/aws/managedpolicies/AWSSupplyChainFederationAdminAccess.json @@ -1072,15 +1072,15 @@ } }, "credentials_exposure": false, - "data_access": false, + "data_access": true, "effective_action": "kms:CreateGrant", - "privesc": false, + "privesc": true, "resource_exposure": true } ], "malformed": false, "name": "AWSSupplyChainFederationAdminAccess", - "privesc": false, + "privesc": true, "resource_exposure": true, "undocumented_actions": false, "unknown_actions": [], 
diff --git a/aws/managedpolicies/AdministratorAccess.json b/aws/managedpolicies/AdministratorAccess.json index 168c49104..8ef923cfa 100644 --- a/aws/managedpolicies/AdministratorAccess.json +++ b/aws/managedpolicies/AdministratorAccess.json @@ -94190,9 +94190,9 @@ "action": "*", "condition": null, "credentials_exposure": false, - "data_access": false, + "data_access": true, "effective_action": "kms:CreateGrant", - "privesc": false, + "privesc": true, "resource_exposure": true }, { diff --git a/aws/managedpolicies/AmazonAppFlowFullAccess.json b/aws/managedpolicies/AmazonAppFlowFullAccess.json index 77155fb5f..7bb81407a 100644 --- a/aws/managedpolicies/AmazonAppFlowFullAccess.json +++ b/aws/managedpolicies/AmazonAppFlowFullAccess.json @@ -9,7 +9,7 @@ "arn": "arn:aws:iam::aws:policy/AmazonAppFlowFullAccess", "createdate": "2022-02-28T23:11:23+00:00", "credentials_exposure": false, - "data_access": false, + "data_access": true, "deprecated": false, "document": { "Statement": [ @@ -496,9 +496,9 @@ } }, "credentials_exposure": false, - "data_access": false, + "data_access": true, "effective_action": "kms:CreateGrant", - "privesc": false, + "privesc": true, "resource_exposure": true }, { @@ -616,7 +616,7 @@ ], "malformed": false, "name": "AmazonAppFlowFullAccess", - "privesc": false, + "privesc": true, "resource_exposure": true, "undocumented_actions": false, "unknown_actions": [], diff --git a/aws/managedpolicies/AmazonConnectFullAccess.json b/aws/managedpolicies/AmazonConnectFullAccess.json index b8dd5b064..2e6e5f472 100644 --- a/aws/managedpolicies/AmazonConnectFullAccess.json +++ b/aws/managedpolicies/AmazonConnectFullAccess.json @@ -2808,9 +2808,9 @@ "action": "kms:CreateGrant", "condition": null, "credentials_exposure": false, - "data_access": false, + "data_access": true, "effective_action": "kms:CreateGrant", - "privesc": false, + "privesc": true, "resource_exposure": true }, { 
diff --git a/aws/managedpolicies/AmazonDataZoneSageMakerManageAccessRolePolicy.json b/aws/managedpolicies/AmazonDataZoneSageMakerManageAccessRolePolicy.json index 64e79a403..5bd494a86 100644 --- a/aws/managedpolicies/AmazonDataZoneSageMakerManageAccessRolePolicy.json +++ b/aws/managedpolicies/AmazonDataZoneSageMakerManageAccessRolePolicy.json @@ -580,15 +580,15 @@ } }, "credentials_exposure": false, - "data_access": false, + "data_access": true, "effective_action": "kms:CreateGrant", - "privesc": false, + "privesc": true, "resource_exposure": true } ], "malformed": false, "name": "AmazonDataZoneSageMakerManageAccessRolePolicy", - "privesc": false, + "privesc": true, "resource_exposure": true, "undocumented_actions": false, "unknown_actions": [], diff --git a/aws/managedpolicies/AmazonDocDBElasticFullAccess.json b/aws/managedpolicies/AmazonDocDBElasticFullAccess.json index d981c1281..f1b1da13f 100644 --- a/aws/managedpolicies/AmazonDocDBElasticFullAccess.json +++ b/aws/managedpolicies/AmazonDocDBElasticFullAccess.json @@ -9,7 +9,7 @@ "arn": "arn:aws:iam::aws:policy/AmazonDocDBElasticFullAccess", "createdate": "2023-06-21T18:05:47+00:00", "credentials_exposure": false, - "data_access": false, + "data_access": true, "deprecated": false, "document": { "Statement": [ @@ -473,9 +473,9 @@ } }, "credentials_exposure": false, - "data_access": false, + "data_access": true, "effective_action": "kms:CreateGrant", - "privesc": false, + "privesc": true, "resource_exposure": true }, { diff --git a/aws/managedpolicies/AmazonGuardDutyMalwareProtectionServiceRolePolicy.json b/aws/managedpolicies/AmazonGuardDutyMalwareProtectionServiceRolePolicy.json index 9b120eb3c..9bea211b2 100644 --- a/aws/managedpolicies/AmazonGuardDutyMalwareProtectionServiceRolePolicy.json +++ b/aws/managedpolicies/AmazonGuardDutyMalwareProtectionServiceRolePolicy.json 
@@ -9,7 +9,7 @@ "arn": "arn:aws:iam::aws:policy/aws-service-role/AmazonGuardDutyMalwareProtectionServiceRolePolicy", "createdate": "2024-01-25T22:24:00+00:00", "credentials_exposure": false, - "data_access": false, + "data_access": true, "deprecated": false, "document": { "Statement": [ @@ -414,9 +414,9 @@ } }, "credentials_exposure": false, - "data_access": false, + "data_access": true, "effective_action": "kms:CreateGrant", - "privesc": false, + "privesc": true, "resource_exposure": true }, { @@ -560,7 +560,7 @@ ], "malformed": false, "name": "AmazonGuardDutyMalwareProtectionServiceRolePolicy", - "privesc": false, + "privesc": true, "resource_exposure": true, "undocumented_actions": false, "unknown_actions": [], diff --git a/aws/managedpolicies/AmazonLookoutEquipmentFullAccess.json b/aws/managedpolicies/AmazonLookoutEquipmentFullAccess.json index 713ffa2a8..d9b77edbb 100644 --- a/aws/managedpolicies/AmazonLookoutEquipmentFullAccess.json +++ b/aws/managedpolicies/AmazonLookoutEquipmentFullAccess.json @@ -9,7 +9,7 @@ "arn": "arn:aws:iam::aws:policy/AmazonLookoutEquipmentFullAccess", "createdate": "2021-11-24T21:00:13+00:00", "credentials_exposure": false, - "data_access": false, + "data_access": true, "deprecated": false, "document": { "Statement": [ @@ -573,9 +573,9 @@ } }, "credentials_exposure": false, - "data_access": false, + "data_access": true, "effective_action": "kms:CreateGrant", - "privesc": false, + "privesc": true, "resource_exposure": true }, { diff --git a/aws/managedpolicies/AmazonMSKFullAccess.json b/aws/managedpolicies/AmazonMSKFullAccess.json index f6fb400fb..c1baa3268 100644 --- a/aws/managedpolicies/AmazonMSKFullAccess.json +++ b/aws/managedpolicies/AmazonMSKFullAccess.json @@ -9,7 +9,7 @@ "arn": "arn:aws:iam::aws:policy/AmazonMSKFullAccess", "createdate": "2023-10-18T11:33:13+00:00", "credentials_exposure": false, - "data_access": false, + "data_access": true, "deprecated": false, "document": { "Statement": [ 
@@ -728,9 +728,9 @@ "action": "kms:CreateGrant", "condition": null, "credentials_exposure": false, - "data_access": false, + "data_access": true, "effective_action": "kms:CreateGrant", - "privesc": false, + "privesc": true, "resource_exposure": true }, { diff --git a/aws/managedpolicies/AmazonMonitronFullAccess.json b/aws/managedpolicies/AmazonMonitronFullAccess.json index a67723dfb..7e86f3f70 100644 --- a/aws/managedpolicies/AmazonMonitronFullAccess.json +++ b/aws/managedpolicies/AmazonMonitronFullAccess.json @@ -329,9 +329,9 @@ } }, "credentials_exposure": false, - "data_access": false, + "data_access": true, "effective_action": "kms:CreateGrant", - "privesc": false, + "privesc": true, "resource_exposure": true }, { diff --git a/aws/managedpolicies/AmazonSageMakerModelRegistryFullAccess.json b/aws/managedpolicies/AmazonSageMakerModelRegistryFullAccess.json index 700e192d6..b24e3a05e 100644 --- a/aws/managedpolicies/AmazonSageMakerModelRegistryFullAccess.json +++ b/aws/managedpolicies/AmazonSageMakerModelRegistryFullAccess.json @@ -545,9 +545,9 @@ } }, "credentials_exposure": false, - "data_access": false, + "data_access": true, "effective_action": "kms:CreateGrant", - "privesc": false, + "privesc": true, "resource_exposure": true }, { diff --git a/aws/managedpolicies/AmazonSecurityLakeAdministrator.json b/aws/managedpolicies/AmazonSecurityLakeAdministrator.json index 7065f0414..6ed1f89fa 100644 --- a/aws/managedpolicies/AmazonSecurityLakeAdministrator.json +++ b/aws/managedpolicies/AmazonSecurityLakeAdministrator.json @@ -1571,9 +1571,9 @@ } }, "credentials_exposure": false, - "data_access": false, + "data_access": true, "effective_action": "kms:CreateGrant", - "privesc": false, + "privesc": true, "resource_exposure": true }, { diff --git a/aws/managedpolicies/AmazonTimestreamConsoleFullAccess.json b/aws/managedpolicies/AmazonTimestreamConsoleFullAccess.json index b20de7f8c..762684404 100644 --- a/aws/managedpolicies/AmazonTimestreamConsoleFullAccess.json 
+++ b/aws/managedpolicies/AmazonTimestreamConsoleFullAccess.json @@ -9,7 +9,7 @@ "arn": "arn:aws:iam::aws:policy/AmazonTimestreamConsoleFullAccess", "createdate": "2022-02-01T21:37:31+00:00", "credentials_exposure": false, - "data_access": false, + "data_access": true, "deprecated": false, "document": { "Statement": [ @@ -496,9 +496,9 @@ } }, "credentials_exposure": false, - "data_access": false, + "data_access": true, "effective_action": "kms:CreateGrant", - "privesc": false, + "privesc": true, "resource_exposure": true }, { @@ -624,7 +624,7 @@ ], "malformed": false, "name": "AmazonTimestreamConsoleFullAccess", - "privesc": false, + "privesc": true, "resource_exposure": true, "undocumented_actions": false, "unknown_actions": [], diff --git a/aws/managedpolicies/AmazonTimestreamFullAccess.json b/aws/managedpolicies/AmazonTimestreamFullAccess.json index 19d5bbca3..4e58939eb 100644 --- a/aws/managedpolicies/AmazonTimestreamFullAccess.json +++ b/aws/managedpolicies/AmazonTimestreamFullAccess.json @@ -9,7 +9,7 @@ "arn": "arn:aws:iam::aws:policy/AmazonTimestreamFullAccess", "createdate": "2021-11-26T23:42:00+00:00", "credentials_exposure": false, - "data_access": false, + "data_access": true, "deprecated": false, "document": { "Statement": [ @@ -451,9 +451,9 @@ } }, "credentials_exposure": false, - "data_access": false, + "data_access": true, "effective_action": "kms:CreateGrant", - "privesc": false, + "privesc": true, "resource_exposure": true }, { @@ -469,7 +469,7 @@ ], "malformed": false, "name": "AmazonTimestreamFullAccess", - "privesc": false, + "privesc": true, "resource_exposure": true, "undocumented_actions": false, "unknown_actions": [], diff --git a/aws/managedpolicies/PowerUserAccess.json b/aws/managedpolicies/PowerUserAccess.json index 8010e49bd..b30ee7ca1 100644 --- a/aws/managedpolicies/PowerUserAccess.json +++ b/aws/managedpolicies/PowerUserAccess.json 
@@ -92335,9 +92335,9 @@ "action": "NotAction", "condition": null, "credentials_exposure": false, - "data_access": false, + "data_access": true, "effective_action": "kms:CreateGrant", - "privesc": false, + "privesc": true, "resource_exposure": true }, { diff --git a/aws/managedpolicies/ROSAInstallerPolicy.json b/aws/managedpolicies/ROSAInstallerPolicy.json index 79dc334fa..6ca4606f8 100644 --- a/aws/managedpolicies/ROSAInstallerPolicy.json +++ b/aws/managedpolicies/ROSAInstallerPolicy.json @@ -9,7 +9,7 @@ "arn": "arn:aws:iam::aws:policy/service-role/ROSAInstallerPolicy", "createdate": "2024-04-24T19:49:55+00:00", "credentials_exposure": false, - "data_access": false, + "data_access": true, "deprecated": false, "document": { "Statement": [ @@ -835,9 +835,9 @@ } }, "credentials_exposure": false, - "data_access": false, + "data_access": true, "effective_action": "kms:CreateGrant", - "privesc": false, + "privesc": true, "resource_exposure": true }, { diff --git a/aws/managedpolicies/ROSANodePoolManagementPolicy.json b/aws/managedpolicies/ROSANodePoolManagementPolicy.json index 9a26724b0..89ff33332 100644 --- a/aws/managedpolicies/ROSANodePoolManagementPolicy.json +++ b/aws/managedpolicies/ROSANodePoolManagementPolicy.json @@ -9,7 +9,7 @@ "arn": "arn:aws:iam::aws:policy/service-role/ROSANodePoolManagementPolicy", "createdate": "2024-05-02T14:01:47+00:00", "credentials_exposure": false, - "data_access": false, + "data_access": true, "deprecated": false, "document": { "Statement": [ @@ -563,9 +563,9 @@ } }, "credentials_exposure": false, - "data_access": false, + "data_access": true, "effective_action": "kms:CreateGrant", - "privesc": false, + "privesc": true, "resource_exposure": true } ], diff --git a/aws/tags.json b/aws/tags.json index facec3909..a63960883 100644 --- a/aws/tags.json +++ b/aws/tags.json 
@@ -121,6 +121,7 @@ "kinesis:GetRecords", "kinesisvideo:GetImages", "kinesisvideo:GetMedia", + "kms:CreateGrant", "lambda:GetFunction", "lambda:GetLayerVersion", "lightsail:GetContainerImages", @@ -180,7 +181,8 @@ "iam:ResyncMFADevice", "iam:SetDefaultPolicyVersion", "iam:UpdateAssumeRolePolicy", - "iam:UpdateLoginProfile" + "iam:UpdateLoginProfile", + "kms:CreateGrant" ], "ResourceExposure": [ "acm-pca:CreatePermission", @@ -548,6 +550,7 @@ "kinesis:getrecords", "kinesisvideo:getimages", "kinesisvideo:getmedia", + "kms:creategrant", "lambda:getfunction", "lambda:getlayerversion", "lightsail:getcontainerimages", @@ -607,7 +610,8 @@ "iam:resyncmfadevice", "iam:setdefaultpolicyversion", "iam:updateassumerolepolicy", - "iam:updateloginprofile" + "iam:updateloginprofile", + "kms:creategrant" ], "ResourceExposure": [ "acm-pca:createpermission", @@ -1012,6 +1016,7 @@ "kinesis:GetRecords", "kinesisvideo:GetImages", "kinesisvideo:GetMedia", + "kms:CreateGrant", "lambda:GetFunction", "lambda:GetLayerVersion", "lightsail:GetContainerImages", @@ -1082,7 +1087,8 @@ "iam:ResyncMFADevice", "iam:SetDefaultPolicyVersion", "iam:UpdateAssumeRolePolicy", - "iam:UpdateLoginProfile" + "iam:UpdateLoginProfile", + "kms:CreateGrant" ], "ResourceExposure": [ "acm-pca:CreatePermission", @@ -1541,6 +1547,7 @@ "kinesis:getrecords", "kinesisvideo:getimages", "kinesisvideo:getmedia", + "kms:creategrant", "lambda:getfunction", "lambda:getlayerversion", "lightsail:getcontainerimages", @@ -1611,7 +1618,8 @@ "iam:resyncmfadevice", "iam:setdefaultpolicyversion", "iam:updateassumerolepolicy", - "iam:updateloginprofile" + "iam:updateloginprofile", + "kms:creategrant" ], "ResourceExposure": [ "acm-pca:createpermission", diff --git a/azure/built-in-roles.json b/azure/built-in-roles.json index cf56fc87a..448b18baf 100644 --- a/azure/built-in-roles.json +++ b/azure/built-in-roles.json 
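Review bot: The eight additions of `kms:CreateGrant` / `kms:creategrant` in aws/tags.json are a classification change rather than a data refresh: the action now sits in what appear to be the data-access and privilege-escalation lists (the list keys are outside these hunks), which is presumably what flips `data_access` and `privesc` to `true` across the managed-policy files earlier in this patch. The tag is keyed on the action name alone, so the flipped entries include ones with `"condition": null` (AdministratorAccess, AWSBackupAdminPolicy, AmazonMSKFullAccess) as well as ones whose hunk context closes a nested object just before `credentials_exposure`, presumably a condition block; the flag does not separate a condition-scoped grant from an unrestricted one. Anything that alerts or gates on `privesc` will see these AWS managed policies change state in a single run, so the commit subject should name the change, for example `Tag kms:CreateGrant as DataAccess and PrivEsc`, and consumers should read `condition` alongside the flag before treating a policy as escalation-capable. Several policies in aws/managed_policies.json (for example AWSAuditManagerAdministratorAccess and AWSProtonFullAccess) show only the `data_access` flip at policy level; their `privesc` value is not visible in the hunks and is worth spot-checking against the per-action entries.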
@@ -86080,6 +86080,13 @@ "providerDisplayName": "Azure Log Analytics", "providerName": "Microsoft.OperationalInsights" }, + { + "description": "Initiates workspace failback.", + "displayName": "Failback Workspace", + "name": "Microsoft.OperationalInsights/workspaces/failback/action", + "providerDisplayName": "Azure Log Analytics", + "providerName": "Microsoft.OperationalInsights" + }, { "description": "Retrieves the shared keys for the workspace. These keys are used to connect Microsoft Operational Insights agents to the workspace.", "displayName": "List Workspace Shared Keys", @@ -91743,6 +91750,13 @@ "providerDisplayName": "Azure Log Analytics", "providerName": "Microsoft.OperationalInsights" }, + { + "description": "Initiates workspace failover to replication location.", + "displayName": "Failover Workspace", + "name": "Microsoft.OperationalInsights/locations/workspaces/failover/action", + "providerDisplayName": "Azure Log Analytics", + "providerName": "Microsoft.OperationalInsights" + }, { "description": "Register a subscription to a resource provider.", "displayName": "Register Subscription", @@ -269512,6 +269526,13 @@ "providerDisplayName": "Azure Log Analytics", "providerName": "Microsoft.OperationalInsights" }, + { + "description": "Initiates workspace failback.", + "displayName": "Failback Workspace", + "name": "Microsoft.OperationalInsights/workspaces/failback/action", + "providerDisplayName": "Azure Log Analytics", + "providerName": "Microsoft.OperationalInsights" + }, { "description": "Retrieves the shared keys for the workspace. These keys are used to connect Microsoft Operational Insights agents to the workspace.", "displayName": "List Workspace Shared Keys", 
@@ -275175,6 +275196,13 @@ "providerDisplayName": "Azure Log Analytics", "providerName": "Microsoft.OperationalInsights" }, + { + "description": "Initiates workspace failover to replication location.", + "displayName": "Failover Workspace", + "name": "Microsoft.OperationalInsights/locations/workspaces/failover/action", + "providerDisplayName": "Azure Log Analytics", + "providerName": "Microsoft.OperationalInsights" + }, { "description": "Register a subscription to a resource provider.", "displayName": "Register Subscription", @@ -480394,6 +480422,13 @@ "providerDisplayName": "Azure Log Analytics", "providerName": "Microsoft.OperationalInsights" }, + { + "description": "Initiates workspace failback.", + "displayName": "Failback Workspace", + "name": "Microsoft.OperationalInsights/workspaces/failback/action", + "providerDisplayName": "Azure Log Analytics", + "providerName": "Microsoft.OperationalInsights" + }, { "description": "Retrieves the shared keys for the workspace. These keys are used to connect Microsoft Operational Insights agents to the workspace.", "displayName": "List Workspace Shared Keys", @@ -486057,6 +486092,13 @@ "providerDisplayName": "Azure Log Analytics", "providerName": "Microsoft.OperationalInsights" }, + { + "description": "Initiates workspace failover to replication location.", + "displayName": "Failover Workspace", + "name": "Microsoft.OperationalInsights/locations/workspaces/failover/action", + "providerDisplayName": "Azure Log Analytics", + "providerName": "Microsoft.OperationalInsights" + }, { "description": "Register a subscription to a resource provider.", "displayName": "Register Subscription", diff --git a/azure/provider-operations.json b/azure/provider-operations.json index 95c4b76b4..8bc5369e2 100644 --- a/azure/provider-operations.json +++ b/azure/provider-operations.json 
@@ -134981,6 +134981,14 @@ "origin": null, "properties": null }, + { + "description": "Initiates workspace failback.", + "displayName": "Failback Workspace", + "isDataAction": false, + "name": "Microsoft.OperationalInsights/workspaces/failback/action", + "origin": null, + "properties": null + }, { "description": "Retrieves the shared keys for the workspace. These keys are used to connect Microsoft Operational Insights agents to the workspace.", "displayName": "List Workspace Shared Keys", @@ -147847,6 +147855,20 @@ "properties": null } ] + }, + { + "displayName": "Workspace", + "name": "locations/workspaces", + "operations": [ + { + "description": "Initiates workspace failover to replication location.", + "displayName": "Failover Workspace", + "isDataAction": false, + "name": "Microsoft.OperationalInsights/locations/workspaces/failover/action", + "origin": null, + "properties": null + } + ] } ], "type": "Microsoft.Authorization/providerOperations" @@ -274541,14 +274563,6 @@ "resourceTypes": [], "type": "Microsoft.Authorization/providerOperations" }, - { - "displayName": null, - "id": "/providers/Microsoft.Authorization/providerOperations/Microsoft.CloudDevicePlatform", - "name": "Microsoft.CloudDevicePlatform", - "operations": [], - "resourceTypes": [], - "type": "Microsoft.Authorization/providerOperations" - }, { "displayName": null, "id": "/providers/Microsoft.Authorization/providerOperations/Microsoft.SustainabilityServices", diff --git a/gcp/map.json b/gcp/map.json index 349545e73..eefc1fd7b 100644 --- a/gcp/map.json +++ b/gcp/map.json @@ -60598,8 +60598,8 @@ "permissions": [ { "discoveryMethodologies": [ - "restcrawlv1", - "fuzzv1" + "fuzzv1", + "restcrawlv1" ], "lowConfidence": true, "name": "serviceusage.services.enable", @@ -60781,8 +60781,8 @@ "permissions": [ { "discoveryMethodologies": [ - "restcrawlv1", - "fuzzv1" + "fuzzv1", + "restcrawlv1" ], "name": "serviceusage.quotas.get", "parameterName": "name", 
@@ -60795,8 +60795,8 @@ "permissions": [ { "discoveryMethodologies": [ - "restcrawlv1", - "fuzzv1" + "fuzzv1", + "restcrawlv1" ], "lowConfidence": true, "name": "serviceusage.quotas.get", @@ -60810,8 +60810,8 @@ "permissions": [ { "discoveryMethodologies": [ - "restcrawlv1", - "fuzzv1" + "fuzzv1", + "restcrawlv1" ], "lowConfidence": true, "name": "serviceusage.services.disable", @@ -60825,8 +60825,8 @@ "permissions": [ { "discoveryMethodologies": [ - "restcrawlv1", - "fuzzv1" + "fuzzv1", + "restcrawlv1" ], "lowConfidence": true, "name": "serviceusage.services.enable", @@ -60841,8 +60841,8 @@ "permissions": [ { "discoveryMethodologies": [ - "restcrawlv1", - "fuzzv1" + "fuzzv1", + "restcrawlv1" ], "lowConfidence": true, "name": "serviceusage.services.get", @@ -60856,8 +60856,8 @@ "permissions": [ { "discoveryMethodologies": [ - "restcrawlv1", - "fuzzv1" + "fuzzv1", + "restcrawlv1" ], "lowConfidence": true, "name": "serviceusage.services.list", diff --git a/gcp/predefined_roles.json b/gcp/predefined_roles.json index 35b0b857c..6944d951b 100644 --- a/gcp/predefined_roles.json +++ b/gcp/predefined_roles.json @@ -290,6 +290,7 @@ "description": "Vertex AI Service Agent used for tuning in user project.", "etag": "AA==", "has_dataaccess": true, + "has_undocumented": true, "name": "roles/aiplatform.tuningServiceAgent", "stage": "GA", "title": "Vertex AI Tuning Service Agent" @@ -3345,6 +3346,7 @@ { "description": "Permissions to use services from a load balancer in other projects.", "etag": "AA==", + "has_undocumented": true, "name": "roles/compute.loadBalancerServiceUser", "stage": "GA", "title": "Compute Load Balancer Services User" @@ -10117,6 +10119,7 @@ "etag": "AA==", "has_dataaccess": true, "has_privesc": true, + "has_undocumented": true, "name": "roles/run.serviceAgent", "stage": "GA", "title": "Cloud Run Service Agent" 
@@ -10186,6 +10189,7 @@ "description": "Service agent used by SecLM to access resources used by SecLM Workbenches.", "etag": "AA==", "has_dataaccess": true, + "has_undocumented": true, "name": "roles/seclm.serviceAgent", "stage": "GA", "title": "SecLM Service Agent" @@ -10790,6 +10794,7 @@ "etag": "AA==", "has_dataaccess": true, "has_privesc": true, + "has_undocumented": true, "name": "roles/serverless.serviceAgent", "stage": "GA", "title": "Cloud Run Service Agent" diff --git a/gcp/role_permissions.json b/gcp/role_permissions.json index 9d21f1299..dffc5314e 100644 --- a/gcp/role_permissions.json +++ b/gcp/role_permissions.json @@ -10790,6 +10790,11 @@ "name": "Owner", "undocumented": false }, + { + "id": "roles/seclm.serviceAgent", + "name": "SecLM Service Agent", + "undocumented": true + }, { "id": "roles/viewer", "name": "Viewer", @@ -17762,6 +17767,11 @@ "name": "Vertex AI Service Agent", "undocumented": false }, + { + "id": "roles/aiplatform.tuningServiceAgent", + "name": "Vertex AI Tuning Service Agent", + "undocumented": true + }, { "id": "roles/aiplatform.user", "name": "Vertex AI User", @@ -17799,6 +17809,11 @@ "name": "Vertex AI Service Agent", "undocumented": false }, + { + "id": "roles/aiplatform.tuningServiceAgent", + "name": "Vertex AI Tuning Service Agent", + "undocumented": true + }, { "id": "roles/aiplatform.user", "name": "Vertex AI User", @@ -17836,6 +17851,11 @@ "name": "Vertex AI Service Agent", "undocumented": false }, + { + "id": "roles/aiplatform.tuningServiceAgent", + "name": "Vertex AI Tuning Service Agent", + "undocumented": true + }, { "id": "roles/aiplatform.user", "name": "Vertex AI User", @@ -17873,6 +17893,11 @@ "name": "Vertex AI Service Agent", "undocumented": false }, + { + "id": "roles/aiplatform.tuningServiceAgent", + "name": "Vertex AI Tuning Service Agent", + "undocumented": true + }, { "id": "roles/aiplatform.user", "name": "Vertex AI User", 
@@ -17920,6 +17945,11 @@ "name": "Vertex AI Service Agent", "undocumented": false }, + { + "id": "roles/aiplatform.tuningServiceAgent", + "name": "Vertex AI Tuning Service Agent", + "undocumented": true + }, { "id": "roles/aiplatform.user", "name": "Vertex AI User", @@ -17977,6 +18007,11 @@ "name": "Vertex AI Service Agent", "undocumented": false }, + { + "id": "roles/aiplatform.tuningServiceAgent", + "name": "Vertex AI Tuning Service Agent", + "undocumented": true + }, { "id": "roles/aiplatform.user", "name": "Vertex AI User", @@ -78525,6 +78560,11 @@ "id": "roles/owner", "name": "Owner", "undocumented": false + }, + { + "id": "roles/viewer", + "name": "Viewer", + "undocumented": true } ], "cloudaicompanion.companions.generateCode": [ @@ -78542,6 +78582,11 @@ "id": "roles/owner", "name": "Owner", "undocumented": false + }, + { + "id": "roles/viewer", + "name": "Viewer", + "undocumented": true } ], "cloudaicompanion.entitlements.get": [ @@ -78621,6 +78666,11 @@ "id": "roles/owner", "name": "Owner", "undocumented": false + }, + { + "id": "roles/viewer", + "name": "Viewer", + "undocumented": true } ], "cloudaicompanion.instances.completeTask": [ @@ -78638,6 +78688,11 @@ "id": "roles/owner", "name": "Owner", "undocumented": false + }, + { + "id": "roles/viewer", + "name": "Viewer", + "undocumented": true } ], "cloudaicompanion.instances.generateCode": [ @@ -78655,6 +78710,11 @@ "id": "roles/owner", "name": "Owner", "undocumented": false + }, + { + "id": "roles/viewer", + "name": "Viewer", + "undocumented": true } ], "cloudaicompanion.instances.generateText": [ @@ -78672,6 +78732,11 @@ "id": "roles/owner", "name": "Owner", "undocumented": false + }, + { + "id": "roles/viewer", + "name": "Viewer", + "undocumented": true } ], "cloudaicompanion.operations.cancel": [ 
@@ -132594,6 +132659,11 @@ "name": "Compute Load Balancer Admin", "undocumented": false }, + { + "id": "roles/compute.loadBalancerServiceUser", + "name": "Compute Load Balancer Services User", + "undocumented": true + }, { "id": "roles/compute.networkAdmin", "name": "Compute Network Admin", @@ -132818,6 +132888,11 @@ "name": "Compute Load Balancer Admin", "undocumented": false }, + { + "id": "roles/compute.loadBalancerServiceUser", + "name": "Compute Load Balancer Services User", + "undocumented": true + }, { "id": "roles/compute.networkAdmin", "name": "Compute Network Admin", @@ -132955,6 +133030,11 @@ "name": "Compute Load Balancer Admin", "undocumented": false }, + { + "id": "roles/compute.loadBalancerServiceUser", + "name": "Compute Load Balancer Services User", + "undocumented": true + }, { "id": "roles/compute.networkAdmin", "name": "Compute Network Admin", @@ -133097,6 +133177,11 @@ "name": "Compute Load Balancer Admin", "undocumented": false }, + { + "id": "roles/compute.loadBalancerServiceUser", + "name": "Compute Load Balancer Services User", + "undocumented": true + }, { "id": "roles/compute.networkAdmin", "name": "Compute Network Admin", @@ -133395,6 +133480,11 @@ "name": "Compute Load Balancer Admin", "undocumented": false }, + { + "id": "roles/compute.loadBalancerServiceUser", + "name": "Compute Load Balancer Services User", + "undocumented": true + }, { "id": "roles/compute.networkAdmin", "name": "Compute Network Admin", @@ -181384,6 +181474,16 @@ "name": "Owner", "undocumented": false }, + { + "id": "roles/run.serviceAgent", + "name": "Cloud Run Service Agent", + "undocumented": true + }, + { + "id": "roles/serverless.serviceAgent", + "name": "Cloud Run Service Agent", + "undocumented": true + }, { "id": "roles/servicenetworking.serviceAgent", "name": "Service Networking Service Agent", 
@@ -210379,6 +210479,16 @@ "name": "Owner", "undocumented": false }, + { + "id": "roles/run.serviceAgent", + "name": "Cloud Run Service Agent", + "undocumented": true + }, + { + "id": "roles/serverless.serviceAgent", + "name": "Cloud Run Service Agent", + "undocumented": true + }, { "id": "roles/tpu.xpnAgent", "name": "TPU Shared VPC Agent", @@ -290152,6 +290262,11 @@ "name": "Owner", "undocumented": false }, + { + "id": "roles/seclm.serviceAgent", + "name": "SecLM Service Agent", + "undocumented": true + }, { "id": "roles/viewer", "name": "Viewer", @@ -437798,6 +437913,11 @@ "name": "Consumer Procurement Administrator", "undocumented": false }, + { + "id": "roles/edgecontainer.clusterServiceAgent", + "name": "Edge Container Cluster Service Agent", + "undocumented": true + }, { "id": "roles/editor", "name": "Editor", diff --git a/gcp/roles/aiplatform.tuningServiceAgent.json b/gcp/roles/aiplatform.tuningServiceAgent.json index b401f07cb..1c6b2d7be 100644 --- a/gcp/roles/aiplatform.tuningServiceAgent.json +++ b/gcp/roles/aiplatform.tuningServiceAgent.json @@ -62,6 +62,12 @@ "aiplatform.tensorboards.get", "aiplatform.tensorboards.list", "aiplatform.tensorboards.update", + "aiplatform.tuningJobs.cancel", + "aiplatform.tuningJobs.create", + "aiplatform.tuningJobs.delete", + "aiplatform.tuningJobs.get", + "aiplatform.tuningJobs.list", + "aiplatform.tuningJobs.vertexTune", "resourcemanager.projects.get", "storage.buckets.create", "storage.buckets.get", diff --git a/gcp/roles/compute.loadBalancerServiceUser.json b/gcp/roles/compute.loadBalancerServiceUser.json index 7c492cb04..f8e36699c 100644 --- a/gcp/roles/compute.loadBalancerServiceUser.json +++ b/gcp/roles/compute.loadBalancerServiceUser.json 
@@ -2,6 +2,11 @@ "description": "Permissions to use services from a load balancer in other projects.", "etag": "AA==", "includedPermissions": [ + "compute.backendBuckets.get", + "compute.backendBuckets.list", + "compute.backendBuckets.listEffectiveTags", + "compute.backendBuckets.listTagBindings", + "compute.backendBuckets.use", "compute.backendServices.get", "compute.backendServices.list", "compute.backendServices.listEffectiveTags", diff --git a/gcp/roles/edgecontainer.clusterServiceAgent.json b/gcp/roles/edgecontainer.clusterServiceAgent.json index b67617182..f2042eba0 100644 --- a/gcp/roles/edgecontainer.clusterServiceAgent.json +++ b/gcp/roles/edgecontainer.clusterServiceAgent.json @@ -62,6 +62,7 @@ "resourcemanager.projects.get", "resourcemanager.projects.list", "serviceusage.quotas.get", + "serviceusage.services.enable", "serviceusage.services.get", "serviceusage.services.list", "stackdriver.projects.get", diff --git a/gcp/roles/run.serviceAgent.json b/gcp/roles/run.serviceAgent.json index 003cdd8a5..a02d791d9 100644 --- a/gcp/roles/run.serviceAgent.json +++ b/gcp/roles/run.serviceAgent.json @@ -41,8 +41,10 @@ "compute.globalOperations.get", "compute.networks.access", "compute.networks.get", + "compute.regionOperations.get", "compute.subnetworks.get", "compute.subnetworks.use", + "compute.zoneOperations.get", "iam.serviceAccounts.actAs", "iam.serviceAccounts.getAccessToken", "iam.serviceAccounts.getOpenIdToken", diff --git a/gcp/roles/seclm.serviceAgent.json b/gcp/roles/seclm.serviceAgent.json index 1cb34252e..01c0b3d0c 100644 --- a/gcp/roles/seclm.serviceAgent.json +++ b/gcp/roles/seclm.serviceAgent.json 
@@ -2,9 +2,11 @@ "description": "Service agent used by SecLM to access resources used by SecLM Workbenches.", "etag": "AA==", "includedPermissions": [ + "aiplatform.locations.get", "discoveryengine.dataStores.completeQuery", "discoveryengine.dataStores.get", "discoveryengine.dataStores.list", + "discoveryengine.servingConfigs.search", "storage.buckets.get", "storage.buckets.list", "storage.objects.get", diff --git a/gcp/roles/serverless.serviceAgent.json b/gcp/roles/serverless.serviceAgent.json index 5e798ea03..34b8d0eb3 100644 --- a/gcp/roles/serverless.serviceAgent.json +++ b/gcp/roles/serverless.serviceAgent.json @@ -40,8 +40,10 @@ "compute.globalOperations.get", "compute.networks.access", "compute.networks.get", + "compute.regionOperations.get", "compute.subnetworks.get", "compute.subnetworks.use", + "compute.zoneOperations.get", "iam.serviceAccounts.actAs", "iam.serviceAccounts.getAccessToken", "iam.serviceAccounts.getOpenIdToken", diff --git a/gcp/roles/viewer.json b/gcp/roles/viewer.json index 798c71f49..0c99a18f7 100644 --- a/gcp/roles/viewer.json +++ b/gcp/roles/viewer.json @@ -927,7 +927,13 @@ "cloud.locations.list", "cloudaicompanion.codeRepositoryIndexes.get", "cloudaicompanion.codeRepositoryIndexes.list", + "cloudaicompanion.companions.generateChat", + "cloudaicompanion.companions.generateCode", "cloudaicompanion.entitlements.get", + "cloudaicompanion.instances.completeCode", + "cloudaicompanion.instances.completeTask", + "cloudaicompanion.instances.generateCode", + "cloudaicompanion.instances.generateText", "cloudaicompanion.operations.get", "cloudaicompanion.operations.list", "cloudaicompanion.repositoryGroups.get", diff --git a/gcp/tags.json b/gcp/tags.json index b306bf753..e9ada9d3b 100644 --- a/gcp/tags.json +++ b/gcp/tags.json 
@@ -1,137 +1,137 @@ { "iam": { "CredentialExposure": [ + "cloudfunctions.functions.sourceCodeSet", + "iam.serviceAccountKeys.create", + "cloudfunctions.functions.create", + "compute.instances.osAdminLogin", "bigquery.connections.get", "cloudfunctions.functions.update", - "compute.instances.osAdminLogin", - "compute.instances.create", - "cloudfunctions.functions.create", - "cloudfunctions.functions.sourceCodeSet", - "iam.serviceAccountKeys.create" + "compute.instances.create" ], "DataAccess": [ - "container.deployments.update", + "container.deployments.create", + "container.services.proxy", + "storage.objects.get", + "bigquery.tables.export", + "compute.instances.getScreenshot", + "container.jobs.update", "compute.instances.getGuestAttributes", "compute.instances.osAdminLogin", - "compute.instances.getSerialPortOutput", - "cloudfunctions.functions.call", - "appengine.memcache.list", - "container.statefulSets.create", - "bigquery.tables.export", - "bigquery.tables.getData", - "container.statefulSets.update", "container.replicaSets.create", + "container.statefulSets.update", "cloudfunctions.functions.invoke", - "datastore.entities.get", - "compute.instances.osLogin", - "pubsub.snapshots.seek", - "container.jobs.update", - "bigquery.connections.use", - "bigquery.models.export", - "storage.objects.get", - "container.services.proxy", - "appengine.memcache.getKey", "cloudfunctions.functions.sourceCodeSet", + "container.statefulSets.create", + "bigquery.tables.getData", + "cloudfunctions.functions.call", + "appengine.memcache.list", + "datastore.entities.get", + "bigquery.rowAccessPolicies.getFilteredData", + "compute.instances.getSerialPortOutput", + "bigquery.models.getData", + "cloudfunctions.functions.create", + "pubsub.topics.attachSubscription", "pubsub.subscriptions.consume", "compute.images.create", - "cloudfunctions.functions.update", "appengine.memcache.get", - "container.pods.create", - "pubsub.topics.attachSubscription", - 
"bigquery.rowAccessPolicies.overrideTimeTravelRestrictions", "appengine.instances.enableDebug", - "bigquery.rowAccessPolicies.getFilteredData", - "cloudfunctions.functions.create", - "container.jobs.create", + "pubsub.snapshots.seek", + "bigquery.models.export", "container.replicaSets.update", - "bigquery.models.getData", - "compute.instances.getScreenshot", - "container.deployments.create" + "bigquery.rowAccessPolicies.overrideTimeTravelRestrictions", + "container.deployments.update", + "compute.instances.osLogin", + "container.jobs.create", + "cloudfunctions.functions.update", + "appengine.memcache.getKey", + "container.pods.create", + "bigquery.connections.use" ], "PrivEsc": [ - "container.clusterRoles.bind", - "compute.backendServices.setIamPolicy", - "storage.objects.setIamPolicy", - "iam.serviceAccounts.getAccessToken", - "compute.instances.updateNetworkInterface", - "bigquery.tables.updateTag", - "compute.instances.useReadOnly", - "pubsub.topics.updateTag", - "container.clusters.deleteTagBinding", - "compute.disks.setIamPolicy", + "container.nodes.proxy", + "storage.buckets.deleteTagBinding", "container.roleBindings.update", - "bigquery.dataPolicies.setIamPolicy", - "container.roles.escalate", - "bigquery.datasets.createTagBinding", - "resourcemanager.tagkeys.setIamPolicy", - "cloudbuild.connections.setIamPolicy", - "container.clusterRoles.escalate", - "compute.instances.deleteTagBinding", - "bigquery.tables.setIamPolicy", + "bigquery.datasets.deleteTagBinding", + "compute.disks.setIamPolicy", + "container.roles.bind", "iam.serviceAccounts.signJwt", - "compute.globalNetworkEndpointGroups.setIamPolicy", - "bigquery.connections.setIamPolicy", - "pubsub.topics.setIamPolicy", - "domains.registrations.deleteTagBinding", - "container.nodes.proxy", - "dns.policies.setIamPolicy", - "bigquery.datasets.updateTag", - "compute.backendBuckets.setSecurityPolicy", + "compute.backendServices.setSecurityPolicy", + "compute.backendServices.addSignedUrlKey", 
"container.serviceAccounts.createToken", + "container.clusters.deleteTagBinding", + "compute.backendBuckets.setIamPolicy", + "bigquery.datasets.setIamPolicy", + "container.clusterRoles.escalate", + "iam.serviceAccounts.implicitDelegation", + "domains.registrations.setIamPolicy", + "compute.globalNetworkEndpointGroups.setIamPolicy", + "iam.serviceAccounts.signBlob", "compute.instances.use", - "billing.accounts.setIamPolicy", - "compute.instances.addAccessConfig", - "compute.images.createTagBinding", - "cloudfunctions.functions.setIamPolicy", + "compute.backendBuckets.update", + "container.secrets.get", + "cloudbuild.builds.create", + "compute.instances.createTagBinding", "container.pods.exec", - "iam.serviceAccounts.implicitDelegation", + "compute.backendServices.update", + "bigquery.datasets.createTagBinding", + "bigquery.connections.setIamPolicy", + "compute.instances.useReadOnly", + "bigquery.dataPolicies.setIamPolicy", + "compute.backendServices.setIamPolicy", "container.clusters.createTagBinding", - "cloudbuild.builds.create", - "domains.registrations.createTagBinding", - "container.secrets.get", - "compute.disks.createTagBinding", - "container.roles.bind", - "storage.buckets.setIamPolicy", + "container.clusterRoleBindings.create", + "cloudbuild.connections.setIamPolicy", + "resourcemanager.projects.setIamPolicy", + "bigquery.tables.setIamPolicy", "compute.disks.deleteTagBinding", - "compute.backendBuckets.addSignedUrlKey", - "iam.serviceAccounts.getOpenIdToken", - "compute.backendServices.setSecurityPolicy", - "compute.images.setIamPolicy", - "compute.images.deleteTagBinding", + "secretmanager.secrets.setIamPolicy", "container.secrets.list", - "dns.managedZones.setIamPolicy", - "iam.serviceAccountKeys.enable", - "resourcemanager.tagvalues.setIamPolicy", - "container.roleBindings.create", - "pubsub.snapshots.setIamPolicy", - "container.clusterRoleBindings.create", + "compute.instances.deleteTagBinding", "bigquery.tables.setCategory", - 
"storage.buckets.deleteTagBinding", + "compute.instances.updateAccessConfig", + "compute.disks.createTagBinding", + "compute.instances.updateNetworkInterface", + "domains.registrations.createTagBinding", + "dns.policies.setIamPolicy", + "compute.images.setIamPolicy", + "resourcemanager.tagvalues.setIamPolicy", + "iam.serviceAccounts.getAccessToken", + "bigquery.tables.updateTag", + "container.roles.escalate", + "compute.images.deleteTagBinding", + "container.clusterRoles.bind", "storage.buckets.createTagBinding", - "compute.firewallPolicies.setIamPolicy", - "compute.instances.createTagBinding", - "compute.instances.setIamPolicy", + "resourcemanager.tagkeys.setIamPolicy", + "iam.serviceAccountKeys.enable", "compute.networkEndpointGroups.setIamPolicy", "bigquery.rowAccessPolicies.setIamPolicy", + "compute.firewallPolicies.setIamPolicy", + "bigquery.datasets.updateTag", + "dns.managedZones.setIamPolicy", + "pubsub.schemas.setIamPolicy", + "compute.backendBuckets.addSignedUrlKey", + "storage.buckets.setIamPolicy", + "cloudfunctions.functions.setIamPolicy", "container.clusterRoleBindings.update", - "compute.backendBuckets.setIamPolicy", - "domains.registrations.setIamPolicy", - "bigquery.datasets.setIamPolicy", - "compute.backendServices.addSignedUrlKey", - "compute.instances.updateAccessConfig", - "pubsub.subscriptions.setIamPolicy", - "resourcemanager.projects.setIamPolicy", + "pubsub.snapshots.setIamPolicy", + "domains.registrations.deleteTagBinding", "iam.serviceAccounts.actAs", + "compute.backendBuckets.setSecurityPolicy", + "billing.accounts.setIamPolicy", + "compute.instances.addAccessConfig", + "compute.images.createTagBinding", + "container.roleBindings.create", + "iam.serviceAccounts.setIamPolicy", + "pubsub.subscriptions.setIamPolicy", "container.clusterRoles.update", + "pubsub.topics.setIamPolicy", + "compute.instances.setIamPolicy", + "pubsub.topics.updateTag", + "storage.objects.setIamPolicy", + "iam.serviceAccounts.getOpenIdToken", "iam.roles.update", - 
"secretmanager.secrets.setIamPolicy", - "bigquery.datasets.deleteTagBinding", - "compute.backendBuckets.update", - "container.roles.update", - "iam.serviceAccounts.setIamPolicy", - "pubsub.schemas.setIamPolicy", - "iam.serviceAccounts.signBlob", - "compute.backendServices.update" + "container.roles.update" ] } } \ No newline at end of file
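Review bot: The arrays in `gcp/tags.json` are written in an arbitrary order, so this hunk rewrites the whole file (`@@ -1,137 +1,137 @@`) even though membership appears unchanged. `CredentialExposure` holds the same seven names on both sides, and the `DataAccess` and `PrivEsc` edits also look like pure reordering, though I have not confirmed that name by name. For a list that classifies permissions as privilege escalation, data access or credential exposure, this churn makes a real addition or removal easy to miss in review. Emitting each array sorted would keep future diffs down to actual membership changes, e.g. for `CredentialExposure`: `"bigquery.connections.get", "cloudfunctions.functions.create", "cloudfunctions.functions.sourceCodeSet", …`. The file also still ends without a trailing newline.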