|
"Sid": "AllowRequestsToAWSOwnedResources", |
|
"Effect": "Allow", |
|
"Principal": "*", |
|
"Action": [ |
|
"s3:GetObject", |
|
"s3:ListBucket" |
|
], |
|
"Resource": [ |
|
"arn:aws:s3:::packages.<region>.amazonaws.com/*", |
|
"arn:aws:s3:::repo.<region>.amazonaws.com/*", |
|
"arn:aws:s3:::amazonlinux.<region>.amazonaws.com/*", |
|
"arn:aws:s3:::amazonlinux-2-repos-<region>/*", |
|
"arn:aws:s3:::al2023-repos-<region>-de612dc2/*", |
|
"arn:aws:s3:::al2023-<region>/*", |
|
"arn:aws:s3:::repo.<region>.emr.amazonaws.com/*", |
|
"arn:aws:s3:::prod.<region>.appinfo.src/*", |
|
"arn:aws:s3:::aws-ssm-<region>/*", |
|
"arn:aws:s3:::aws-windows-downloads-<region>/*", |
|
"arn:aws:s3:::amazon-ssm-<region>/*", |
|
"arn:aws:s3:::amazon-ssm-packages-<region>/*", |
|
"arn:aws:s3:::<region>-birdwatcher-prod/*", |
|
"arn:aws:s3:::aws-ssm-distributor-file-<region>/*", |
|
"arn:aws:s3:::aws-ssm-document-attachments-<region>/*", |
|
"arn:aws:s3:::patch-baseline-snapshot-<region>/*", |
|
"arn:aws:s3:::aws-patchmanager-macos-<region>/*", |
|
"arn:aws:s3:::amazoncloudwatch-agent-<region>/*", |
|
"arn:aws:s3:::amazoncloudwatch-agent/*", |
|
"arn:aws:s3:::aws-codedeploy-<region>/*", |
|
"arn:aws:s3:::ec2imagebuilder-toe-<region>-prod/*", |
|
"arn:aws:s3:::ec2imagebuilder-managed-resources-<region>-prod/components/*", |
|
"arn:aws:s3:::prod-<region>-starport-layer-bucket/*", |
|
"arn:aws:s3:::aws-mgn-clients-<region>/*", |
|
"arn:aws:s3:::aws-mgn-clients-hashes-<region>/*", |
|
"arn:aws:s3:::aws-mgn-internal-<region>/*", |
|
"arn:aws:s3:::aws-mgn-internal-hashes-<region>/*", |
|
"arn:aws:s3:::aws-application-migration-service-<region>/*", |
|
"arn:aws:s3:::aws-application-migration-service-hashes-<region>/*", |
|
"arn:aws:s3:::aws-drs-clients-<region>/*", |
|
"arn:aws:s3:::aws-drs-clients-hashes-<region>/*", |
|
"arn:aws:s3:::aws-drs-internal-<region>/*", |
|
"arn:aws:s3:::aws-drs-internal-hashes-<region>/*", |
|
"arn:aws:s3:::aws-elastic-disaster-recovery-<region>/*", |
|
"arn:aws:s3:::aws-elastic-disaster-recovery-hashes-<region>/*", |
|
"arn:aws:s3:::cloudformation-waitcondition-<region>/*", |
|
"arn:aws:s3:::cloudformation-custom-resource-response-<RegionWithoutDashes>/*", |
|
"arn:aws:s3:::aws-ec2-enclave-certificate-<region>-prod/*", |
|
"arn:aws:s3:::assets-<CodeArtifact-Region-Account>-<region>/*", |
|
"arn:aws:s3:::elasticbeanstalk-samples-<region>/*", |
|
"arn:aws:s3:::elasticbeanstalk-platform-assets-<region>/*", |
|
"arn:aws:s3:::elasticbeanstalk-env-resources-<region>/*", |
|
"arn:aws:s3:::elasticbeanstalk-<region>/*", |
|
"arn:aws:s3:::jumpstart-cache-prod-<region>/*", |
|
"arn:aws:s3:::jumpstart-cache-prod-<region>", |
|
"arn:aws:s3:::static-<region>-prod-static-<string>/content/dependencies/*", |
|
"arn:aws:s3:::aws-neptune-notebook", |
|
"arn:aws:s3:::aws-neptune-notebook/*", |
|
"arn:aws:s3:::aws-neptune-notebook-<region>", |
|
"arn:aws:s3:::aws-neptune-notebook-<region>/*" |
|
] |
|
}, |
I noticed that
session-manager-downloadsS3 bucket is not present indata-perimeter-policy-examples/vpc_endpoint_policies/s3_endpoint_policy.json
Lines 43 to 102 in f8f53c5
In our CloudTrail NetworkActivity log analysis, I noticed that we had
GetObjectcalls to this bucket (which seems to be owned by the596930764642AWS account) which doesn't belong to our org.I found references to this domain in https://docs.aws.amazon.com/systems-manager/latest/userguide/install-plugin-debian-and-ubuntu.html.
Related to #49