Refactor policies to decrease their length (#290)

* Refactor policies to decrease their length Signed-off-by: Alina Buzachis <[email protected]> * Revision Signed-off-by: Alina Buzachis <[email protected]> * Revision * Yet another revision Signed-off-by: Alina Buzachis <[email protected]> * Apply suggestions Signed-off-by: Alina Buzachis <[email protected]> * Remove duplicate Signed-off-by: Alina Buzachis <[email protected]> --------- Signed-off-by: Alina Buzachis <[email protected]>
mattclay · Aug 10, 2023 · 0f4ce9d · 0f4ce9d
1 parent 3e3591b
commit 0f4ce9d
Show file tree

Hide file tree

Showing 8 changed files with 76 additions and 194 deletions.
diff --git a/aws/policy/application-security.yaml b/aws/policy/application-security.yaml
@@ -4,28 +4,15 @@ Statement:
   - Sid: AllowRegionalRestrictedResourceActionsWhichIncurFees
     Effect: Allow
     Action:
-      - wafv2:ListRuleGroups
-      - wafv2:ListWebACLs
       - wafv2:AssociateWebACL
       - wafv2:DeleteRuleGroup
       - wafv2:CreateRuleGroup
       - wafv2:PutFirewallManagerRuleGroups
-      - wafv2:GetWebACLForResource
-      - wafv2:GetLoggingConfiguration
       - wafv2:DeleteWebACL
-      - wafv2:GetRateBasedStatementManagedKeys
-      - wafv2:ListLoggingConfigurations
-      - wafv2:GetIPSet
       - wafv2:CreateWebACL
-      - wafv2:ListIPSets
-      - wafv2:GetWebACL
-      - wafv2:GetRuleGroup
       - wafv2:CreateIPSet
-      - wafv2:ListAvailableManagedRuleGroups
       - wafv2:DeleteIPSet
-      - wafv2:DescribeManagedRuleGroup
       - wafv2:CheckCapacity
-      - wafv2:ListResourcesForWebACL
       - wafv2:DeleteLoggingConfiguration
       - wafv2:PutLoggingConfiguration
       - wafv2:DisassociateWebACL
@@ -40,22 +27,15 @@ Statement:
   - Sid: AllowRegionalUnrestrictedResourceActionsWhichIncurNoFees
     Effect: Allow
     Action:
-      - inspector:ListAssessmentTargets
+      - inspector:List*
       - inspector:CreateResourceGroup
       - inspector:CreateAssessmentTarget
-      - inspector:DescribeAssessmentTargets
-      - inspector:DescribeResourceGroups
+      - inspector:Describe*
       - inspector:UpdateAssessmentTarget
       - inspector:DeleteAssessmentTarget
-      - inspector:ListAssessmentTemplates
-      - inspector:ListRulesPackages
-      - inspector:DescribeRulesPackages
       - inspector:CreateAssessmentTemplate
       - inspector:DeleteAssessmentTemplate
       - inspector:SetTagsForResource
-      - inspector:DescribeAssessmentTemplates
-      - inspector:ListTagsForResource
-      - inspector:ListEventSubscriptions
       - waf:CreateByteMatchSet
       - waf:CreateGeoMatchSet
       - waf:CreateIPSet
@@ -80,21 +60,7 @@ Statement:
       - waf:DeleteSqlInjectionMatchSet
       - waf:DeleteWebACL
       - waf:DeleteXssMatchSet
-      - waf:GetByteMatchSet
-      - waf:GetChangeToken
-      - waf:GetChangeTokenStatus
-      - waf:GetGeoMatchSet
-      - waf:GetIPSet
-      - waf:GetRateBasedRule
-      - waf:GetRateBasedRuleManagedKeys
-      - waf:GetRegexMatchSet
-      - waf:GetRegexPatternSet
-      - waf:GetRule
-      - waf:GetRuleGroup
-      - waf:GetSizeConstraintSet
-      - waf:GetSqlInjectionMatchSet
-      - waf:GetWebACL
-      - waf:GetXssMatchSet
+      - waf:Get*
       - waf:List*
       - waf:TagResource
       - waf:UntagResource
@@ -109,7 +75,9 @@ Statement:
       - waf:UpdateSqlInjectionMatchSet
       - waf:UpdateWebACL
       - waf:UpdateXssMatchSet
-      - wafv2:ListTagsForResource
+      - wafv2:Describe*
+      - wafv2:Get*
+      - wafv2:List*
       - wafv2:TagResource
       - wafv2:UntagResource
     Resource: "*"

diff --git a/aws/policy/application-services.yaml b/aws/policy/application-services.yaml
@@ -9,47 +9,41 @@ Statement:
       - cloudformation:CancelResourceRequest
       - cloudformation:CreateResource
       - cloudformation:DeleteResource
-      - cloudformation:DescribeStacks
-      - cloudformation:DescribeType
-      - cloudformation:GetResource
-      - cloudformation:GetResourceRequestStatus
+      - cloudformation:Describe*
+      - cloudformation:Get*
       - cloudformation:List*
       - cloudformation:UpdateResource
       ###
+      - cloudwatch:Describe*
       - codebuild:BatchGetProjects
       - codebuild:List*
+      - codecommit:Get*
       - codecommit:List*
-      - codepipeline:GetPipeline
+      - codepipeline:Get*
       - codepipeline:List*
       - ec2messages:AcknowledgeMessage
       - ec2messages:DeleteMessage
       - ec2messages:FailMessage
-      - ec2messages:GetEndpoint
-      - ec2messages:GetMessages
+      - ec2messages:Get*
       - ec2messages:SendReply
       - events:CreateRule
       - events:DeleteRule
-      - events:DescribeRule
+      - events:Describe*
       - events:List*
       - events:PutRule
       - events:PutTargets
       - events:RemoveTargets
-      - glue:GetConnections
-      - glue:GetCrawlers
-      - glue:GetJobs
-      - kinesis:DescribeStream
+      - glue:Get*
+      - kinesis:Describe*
       - kinesis:List*
-      - mq:ListBrokers
+      - mq:Describe*
+      - mq:List*
       - ses:CreateReceiptRuleSet
       - ses:DeleteIdentity
       - ses:DeleteIdentityPolicy
       - ses:DeleteReceiptRuleSet
-      - ses:DescribeActiveReceiptRuleSet
-      - ses:DescribeReceiptRuleSet
-      - ses:GetIdentityDkimAttributes
-      - ses:GetIdentityNotificationAttributes
-      - ses:GetIdentityPolicies
-      - ses:GetIdentityVerificationAttributes
+      - ses:Describe*
+      - ses:Get*
       - ses:List*
       - ses:PutIdentityPolicy
       - ses:SetActiveReceiptRuleSet
@@ -62,35 +56,32 @@ Statement:
       - ses:VerifyEmailIdentity
       - sqs:CreateQueue
       - sqs:DeleteQueue
-      - sqs:GetQueueAttributes
-      - sqs:GetQueueUrl
+      - sqs:Get*
       - sqs:List*
       - sqs:SetQueueAttributes
       - sqs:TagQueue
       - sqs:UntagQueue
       - ssm:AddTagsToResource
-      - ssm:DescribeAssociation
-      - ssm:DescribeDocument
-      - ssm:DescribeParameters
-      - ssm:GetDeployablePatchSnapshotForInstance
-      - ssm:GetDocument
-      - ssm:GetInventory
-      - ssm:GetManifest
+      - ssm:Describe*
+      - ssm:Get*
       - ssm:List*
-      - ssmmessages:CreateControlChannel
-      - ssmmessages:CreateDataChannel
-      - ssmmessages:OpenControlChannel
-      - ssmmessages:OpenDataChannel
       - ssm:PutComplianceItems
       - ssm:PutConfigurePackageResult
       - ssm:PutInventory
       - ssm:RemoveTagsFromResource
       - ssm:StartSession
-      - ssm:DescribeSessions
       - ssm:TerminateSession
       - ssm:UpdateAssociationStatus
       - ssm:UpdateInstanceAssociationStatus
       - ssm:UpdateInstanceInformation
+      - ssmmessages:CreateControlChannel
+      - ssmmessages:CreateDataChannel
+      - ssmmessages:OpenControlChannel
+      - ssmmessages:OpenDataChannel
+      - SNS:Get*
+      - SNS:List*
+      - states:Describe*
+      - states:List*
     Resource: "*"
 
   - Sid: AllowGlobalResourceRestrictedActionsWhichIncurNoFees
@@ -102,65 +93,42 @@ Statement:
       - cloudformation:CreateStack
       - cloudformation:DeleteChangeSet
       - cloudformation:DeleteStack
-      - cloudformation:DescribeChangeSet
-      - cloudformation:DescribeStackEvents
-      - cloudformation:DescribeStacks
-      - cloudformation:GetStackPolicy
-      - cloudformation:GetTemplate
-      - cloudformation:List*
       - cloudformation:SetStackPolicy
       - cloudformation:UpdateStack
       - cloudformation:UpdateTerminationProtection
       - cloudwatch:DeleteAlarms
-      - cloudwatch:DescribeAlarms
       - cloudwatch:PutMetricAlarm
       - codebuild:CreateProject
       - codebuild:DeleteProject
       - codebuild:UpdateProject
       - codecommit:CreateRepository
       - codecommit:DeleteRepository
-      - codecommit:GetRepository
       - codecommit:UpdateRepositoryDescription
       - codepipeline:CreatePipeline
       - codepipeline:DeletePipeline
       - codepipeline:UpdatePipeline
       - glue:DeleteCrawler
       - glue:DeleteJob
-      - glue:GetCrawler
-      - glue:GetJob
-      - glue:GetTags
       - glue:TagResource
       - glue:UntagResource
       - glue:UpdateCrawler
       - glue:UpdateJob
       - kinesis:AddTagsToStream
-      - kinesis:List*
       - kinesis:RemoveTagsFromStream
       - kinesis:StartStreamEncryption
       - kinesis:StopStreamEncryption
-      - mq:DescribeBroker
-      - mq:DescribeBrokerEngineTypes
       - mq:CreateTags
       - SNS:CreateTopic
       - SNS:DeleteTopic
-      - SNS:GetSubscriptionAttributes
-      - SNS:GetTopicAttributes
-      - SNS:List*
       - SNS:TagResource
       - SNS:SetSubscriptionAttributes
       - SNS:SetTopicAttributes
       - SNS:Subscribe
       - SNS:Unsubscribe
       - SNS:UntagResource
       - ssm:DeleteParameter
-      - ssm:GetParameter
-      - ssm:GetParameters
-      - ssm:GetParametersByPath
       - ssm:PutParameter
       - states:DeleteStateMachine
-      - states:DescribeExecution
-      - states:DescribeStateMachine
-      - states:List*
       - states:TagResource
       - states:UntagResource
     Resource:
@@ -175,28 +143,27 @@ Statement:
       - 'arn:aws:kinesis:{{ aws_region }}:{{ aws_account_id }}:stream/*'
       - 'arn:aws:mq:{{ aws_region }}:{{ aws_account_id }}:*'
       - 'arn:aws:sns:{{ aws_region }}:{{ aws_account_id }}:*'
-      - 'arn:aws:sqs:{{ aws_region }}:{{ aws_account_id }}:*'
       - 'arn:aws:ssm:{{ aws_region }}:{{ aws_account_id }}:parameter/*'
       - 'arn:aws:ssm:{{ aws_region }}::parameter/aws/service/*'
       - 'arn:aws:states:{{ aws_region }}:{{ aws_account_id }}:*'
 
   - Sid: AllowGlobalRestrictedResourceActionsWhichIncurFees
     Effect: Allow
     Action:
-      - states:CreateStateMachine
-      - states:StartExecution
-      - states:StopExecution
-      - states:UpdateStateMachine
-      - SNS:Publish
+      - glue:CreateCrawler
+      - glue:CreateJob
       - kinesis:CreateStream
       - kinesis:DecreaseStreamRetentionPeriod
       - kinesis:DeleteStream
       - kinesis:IncreaseStreamRetentionPeriod
       - kinesis:UpdateShardCount
       - mq:CreateBroker
       - mq:DeleteBroker
-      - glue:CreateCrawler
-      - glue:CreateJob
+      - SNS:Publish
+      - states:CreateStateMachine
+      - states:StartExecution
+      - states:StopExecution
+      - states:UpdateStateMachine
     Resource:
       - 'arn:aws:sns:{{ aws_region }}:{{ aws_account_id }}:*'
       - 'arn:aws:states:{{ aws_region }}:{{ aws_account_id }}:*'

diff --git a/aws/policy/compute.yaml b/aws/policy/compute.yaml
@@ -63,11 +63,9 @@ Statement:
       - ec2:DeleteSnapshot
       - ec2:DeleteTags
       - ec2:DeregisterImage
-      - ec2:Describe*
       - ec2:DetachVolume
       - ec2:DisassociateIamInstanceProfile
-      - ec2:GetLaunchTemplateData
-      - ec2:GetInstanceUefiData
+      - ec2:Get*
       - ec2:ImportKeyPair
       - ec2:ModifyImageAttribute
       - ec2:ModifyInstanceAttribute
@@ -108,7 +106,7 @@ Statement:
     Effect: Allow
     Action:
       - autoscaling:Describe*
-      - ec2:DescribeAvailabilityZones
+      - ec2:Describe*
       - elasticloadbalancing:DeleteRule
       - elasticloadbalancing:DeleteListener
       - elasticloadbalancing:Describe*
@@ -184,6 +182,6 @@ Statement:
       - 'arn:aws:autoscaling:{{ aws_region }}:{{ aws_account_id }}:launchConfiguration:*'
       - 'arn:aws:autoscaling:{{ aws_region }}:{{ aws_account_id }}:autoScalingGroup:*'
       - 'arn:aws:ec2:{{ aws_region }}:{{ aws_account_id }}:volume/*'
-      - 'arn:aws:elasticloadbalancing:{{ aws_region }}:{{ aws_account_id }}:*'
       - 'arn:aws:elasticfilesystem:{{ aws_region }}:{{ aws_account_id }}:file-system/*'
       - 'arn:aws:elasticloadbalancing:{{ aws_region }}:{{ aws_account_id }}:targetgroup/*'
+      - 'arn:aws:elasticloadbalancing:{{ aws_region }}:{{ aws_account_id }}:loadbalancer/*'