From cee74598ad3fa6d1c74a0f105cddd1fb70b13574 Mon Sep 17 00:00:00 2001
From: Miguel Pais
Date: Thu, 2 May 2024 08:09:06 +0200
Subject: [PATCH] [SSPROD-40007] Adding necessary permissions for CFT serverless scanning (#118)
---
 templates_cspm/CloudAgentlessRole.yaml | 3 +++
 templates_cspm/OrgCloudAgentlessRole.yaml | 6 ++++++
 templates_cspm_cloudlogs/FullInstall.yaml | 3 +++
 templates_cspm_cloudlogs/OrgFullInstall.yaml | 6 ++++++
 templates_cspm_eventbridge/FullInstall.yaml | 3 +++
 templates_cspm_eventbridge/OrgFullInstall.yaml | 6 ++++++
 6 files changed, 27 insertions(+)
diff --git a/templates_cspm/CloudAgentlessRole.yaml b/templates_cspm/CloudAgentlessRole.yaml
index 1db8db6..7e68c4c 100644
--- a/templates_cspm/CloudAgentlessRole.yaml
+++ b/templates_cspm/CloudAgentlessRole.yaml
@@ -65,6 +65,9 @@ Resources:
 - Effect: "Allow"
 Action: "macie2:ListClassificationJobs"
 Resource: "*"
+ - Effect: "Allow"
+ Action: "lambda:GetRuntimeManagementConfig"
+ Resource: "*"
 Outputs:
 RoleARN:
diff --git a/templates_cspm/OrgCloudAgentlessRole.yaml b/templates_cspm/OrgCloudAgentlessRole.yaml
index 42767ba..28bc5c8 100644
--- a/templates_cspm/OrgCloudAgentlessRole.yaml
+++ b/templates_cspm/OrgCloudAgentlessRole.yaml
@@ -67,6 +67,9 @@ Resources:
 - Effect: "Allow"
 Action: "macie2:ListClassificationJobs"
 Resource: "*"
+ - Effect: "Allow"
+ Action: "lambda:GetRuntimeManagementConfig"
+ Resource: "*"
 RoleStackSet:
 Type: AWS::CloudFormation::StackSet
 Properties:
@@ -138,3 +141,6 @@ Resources:
 - Effect: "Allow"
 Action: "macie2:ListClassificationJobs"
 Resource: "*"
+ - Effect: "Allow"
+ Action: "lambda:GetRuntimeManagementConfig"
+ Resource: "*"
diff --git a/templates_cspm_cloudlogs/FullInstall.yaml b/templates_cspm_cloudlogs/FullInstall.yaml
index 106e573..c3970a0 100644
--- a/templates_cspm_cloudlogs/FullInstall.yaml
+++ b/templates_cspm_cloudlogs/FullInstall.yaml
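Review bot: The new `lambda:GetRuntimeManagementConfig` statement in CloudAgentlessRole.yaml carries no comment saying why the agentless role needs it, and this policy document is what customers audit before they deploy the template; the commit subject ties the grant to serverless scanning, so a comment above the statement, `# Serverless scanning: read-only lookup of each function's runtime management configuration`, would let an auditor confirm intent without the commit history. `Resource: "*"` matches the neighbouring `macie2:ListClassificationJobs` statement and is reasonable for an account-wide scan, though this action accepts function-ARN scoping should a narrower grant ever be wanted. The same three lines are hand-copied into nine statements across the six templates (both hunks of OrgCloudAgentlessRole.yaml, templates_cspm_cloudlogs/FullInstall.yaml and OrgFullInstall.yaml, templates_cspm_eventbridge/FullInstall.yaml and OrgFullInstall.yaml), and in each Org template the role copy and the StackSet copy must be kept identical, so the comment belongs on every copy. The enclosing PolicyDocument starts outside the hunk, so whether any Lambda list or describe action is already granted elsewhere in it cannot be seen here and is worth confirming.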
@@ -78,6 +78,9 @@ Resources:
 - Effect: "Allow"
 Action: "macie2:ListClassificationJobs"
 Resource: "*"
+ - Effect: "Allow"
+ Action: "lambda:GetRuntimeManagementConfig"
+ Resource: "*"
 CloudLogsRole:
 Type: "AWS::IAM::Role"
 Properties:
diff --git a/templates_cspm_cloudlogs/OrgFullInstall.yaml b/templates_cspm_cloudlogs/OrgFullInstall.yaml
index c39b589..c01e7a1 100644
--- a/templates_cspm_cloudlogs/OrgFullInstall.yaml
+++ b/templates_cspm_cloudlogs/OrgFullInstall.yaml
@@ -83,6 +83,9 @@ Resources:
 - Effect: "Allow"
 Action: "macie2:ListClassificationJobs"
 Resource: "*"
+ - Effect: "Allow"
+ Action: "lambda:GetRuntimeManagementConfig"
+ Resource: "*"
 CloudLogsRole:
 Type: "AWS::IAM::Role"
 Properties:
@@ -192,3 +195,6 @@ Resources:
 - Effect: "Allow"
 Action: "macie2:ListClassificationJobs"
 Resource: "*"
+ - Effect: "Allow"
+ Action: "lambda:GetRuntimeManagementConfig"
+ Resource: "*"
diff --git a/templates_cspm_eventbridge/FullInstall.yaml b/templates_cspm_eventbridge/FullInstall.yaml
index aca0319..a2f709e 100644
--- a/templates_cspm_eventbridge/FullInstall.yaml
+++ b/templates_cspm_eventbridge/FullInstall.yaml
@@ -90,6 +90,9 @@ Resources:
 - Effect: "Allow"
 Action: "macie2:ListClassificationJobs"
 Resource: "*"
+ - Effect: "Allow"
+ Action: "lambda:GetRuntimeManagementConfig"
+ Resource: "*"
 EventBridgeRole:
 Type: AWS::IAM::Role
 Properties:
diff --git a/templates_cspm_eventbridge/OrgFullInstall.yaml b/templates_cspm_eventbridge/OrgFullInstall.yaml
index e459bb4..34e2ce6 100644
--- a/templates_cspm_eventbridge/OrgFullInstall.yaml
+++ b/templates_cspm_eventbridge/OrgFullInstall.yaml
@@ -134,6 +134,9 @@ Resources:
 - Effect: "Allow"
 Action: "macie2:ListClassificationJobs"
 Resource: "*"
+ - Effect: "Allow"
+ Action: "lambda:GetRuntimeManagementConfig"
+ Resource: "*"
 EventBridgeRole:
 Type: AWS::IAM::Role
 Properties:
@@ -247,6 +250,9 @@ Resources:
 - Effect: "Allow"
 Action: "macie2:ListClassificationJobs"
 Resource: "*"
+ - Effect: "Allow"
+ Action: "lambda:GetRuntimeManagementConfig"
+ Resource: "*"
 EventBridgeRole:
 Type: AWS::IAM::Role
 Properties: