Merge pull request #11 from lacework-alliances/9-update-custom-policy-for-aws-config

fixes (#9)

Author: jbonner7

templates/lacework-aws-cfg-member.template.yml

@@ -61,37 +61,386 @@ Resources:
                   - ""
                   - - 'arn:aws:iam::'
                     - "434813966438"
-                    - :root
+                    - :role/lacework-platform
             Condition:
               StringEquals:
                 sts:ExternalId: !Join [':',[!Sub "lweid:aws:v2:${LaceworkAccount}:${AWS::AccountId}", !Join ['',["LW",!Select [ 0, !Split [ '-', !Select [ 2, !Split [ '/', !Ref AWS::StackId ] ] ] ]]]]]
       ManagedPolicyArns:
         - arn:aws:iam::aws:policy/SecurityAudit
-
   LaceworkCWSPolicy:
-    Type: AWS::IAM::Policy
+    Type: 'AWS::IAM::Policy'
     Properties:
       PolicyName: LaceworkCWSPolicy
       PolicyDocument:
-        Version: "2012-10-17"
+        Version: 2012-10-17
+        Statement:
+          - Sid: GetAccountAlias
+            Action:
+              - 'iam:ListAccountAliases'
+            Effect: Allow
+            Resource: '*'
+          - Sid: Debug
+            Action:
+              - 'cloudtrail:DescribeTrails'
+              - 'cloudtrail:GetTrailStatus'
+              - 'eks:ListTagsForResource'
+              - 's3:GetBucketPolicy'
+              - 's3:GetBucketLocation'
+              - 'sns:GetTopicAttributes'
+              - 'sns:ListSubscriptions'
+              - 'sns:ListTopics'
+            Effect: Allow
+            Resource: '*'
+          - Sid: EfsPolicies
+            Action:
+              - 'elasticfilesystem:DescribeFileSystemPolicy'
+              - 'elasticfilesystem:DescribeLifecycleConfiguration'
+              - 'elasticfilesystem:DescribeAccessPoints'
+              - 'elasticfilesystem:DescribeAccountPreferences'
+              - 'elasticfilesystem:DescribeBackupPolicy'
+              - 'elasticfilesystem:DescribeReplicationConfigurations'
+              - 'elasticfilesystem:ListTagsForResource'
+            Effect: Allow
+            Resource: '*'
+          - Sid: SagemakerPolicies
+            Action:
+              - 'sagemaker:GetLineageGroupPolicy'
+              - 'sagemaker:GetModelPackageGroupPolicy'
+            Effect: Allow
+            Resource: '*'
+          - Sid: IdentityStoreReadOnly
+            Action:
+              - 'identitystore:DescribeGroup'
+              - 'identitystore:DescribeGroupMembership'
+              - 'identitystore:DescribeUser'
+              - 'identitystore:ListGroupMemberships'
+              - 'identitystore:ListGroupMembershipsForMember'
+              - 'identitystore:ListGroups'
+              - 'identitystore:ListUsers'
+            Effect: Allow
+            Resource: '*'
+          - Sid: SSOReadOnly
+            Action:
+              - 'sso:DescribeAccountAssignmentDeletionStatus'
+              - 'sso:DescribeInstanceAccessControlAttributeConfiguration'
+              - 'sso:GetInlinePolicyForPermissionSet'
+            Effect: Allow
+            Resource: '*'
+          - Sid: APIGATEWAY
+            Action:
+              - 'apigateway:GET'
+            Effect: Allow
+            Resource: '*'
+          - Sid: APIGATEWAYV2
+            Action:
+              - 'apigatewayv2:GET'
+            Effect: Allow
+            Resource: '*'
+          - Sid: SNS
+            Action:
+              - 'sns:GetDataProtectionPolicy'
+              - 'sns:ListPlatformApplications'
+              - 'sns:GetSubscriptionAttributes'
+            Effect: Allow
+            Resource: '*'
+          - Sid: GLUE
+            Action:
+              - 'glue:ListWorkflows'
+              - 'glue:BatchGetWorkflows'
+              - 'glue:GetWorkflows'
+              - 'glue:GetTags'
+              - 'glue:GetTables'
+              - 'glue:GetTable'
+            Effect: Allow
+            Resource: '*'
+          - Sid: GLACIER
+            Action:
+              - 'glacier:ListTagsForVault'
+            Effect: Allow
+            Resource: '*'
+          - Sid: CODEBUILD
+            Action:
+              - 'codebuild:ListBuilds'
+              - 'codebuild:BatchGetBuilds'
+            Effect: Allow
+            Resource: '*'
+          - Sid: WAFREGIONAL
+            Action:
+              - 'waf-regional:ListRules'
+              - 'waf-regional:GetRule'
+              - 'waf-regional:ListRuleGroups'
+              - 'waf-regional:GetRuleGroup'
+              - 'waf-regional:ListActivatedRulesInRuleGroup'
+            Effect: Allow
+            Resource: '*'
+          - Sid: NETWORKFIREWALL
+            Effect: Allow
+            Action:
+              - 'network-firewall:DescribeLoggingConfiguration'
+            Resource: '*'
+          - Sid: WAFV2
+            Effect: Allow
+            Action:
+              - 'wafv2:ListWebACLs'
+              - 'wafv2:ListRegexPatternSets'
+              - 'wafv2:ListIPSets'
+            Resource:
+              - '*'
+          - Sid: STATES
+            Action:
+              - 'states:ListTagsForResource'
+            Effect: Allow
+            Resource: '*'
+      Roles:
+        - !Ref LaceworkCrossAccountAccessRole
+  LaceworkCWSPolicy2:
+    Type: 'AWS::IAM::Policy'
+    Properties:
+      PolicyName: LaceworkCWSPolicy2
+      PolicyDocument:
+        Version: 2012-10-17
         Statement:
-          - Sid: GetEc2DefaultEncryption
+          - Sid: KINESISVIDEO
+            Action:
+              - 'kinesisvideo:GetSignalingChannelEndpoint'
+              - 'kinesisvideo:GetDataEndpoint'
+              - 'kinesisvideo:DescribeImageGenerationConfiguration'
+            Effect: Allow
+            Resource: '*'
+          - Sid: AMP
+            Action:
+              - 'aps:ListScrapers'
+              - 'aps:DescribeScraper'
+              - 'aps:ListWorkspaces'
+              - 'aps:DescribeAlertManagerDefinition'
+              - 'aps:DescribeLoggingConfiguration'
+              - 'aps:DescribeWorkspace'
+              - 'aps:ListRuleGroupsNamespaces'
+              - 'aps:DescribeRuleGroupsNamespace'
+              - 'aps:ListTagsForResource'
+            Effect: Allow
+            Resource: '*'
+          - Sid: APPSTREAM
+            Action:
+              - 'appstream:Describe*'
+              - 'appstream:List*'
+            Effect: Allow
+            Resource: '*'
+          - Sid: PERSONALIZE
+            Action:
+              - 'personalize:Describe*'
+              - 'personalize:List*'
+              - 'personalize:GetSolutionMetrics'
+            Effect: Allow
+            Resource: '*'
+          - Sid: CODEARTIFACT
+            Action:
+              - 'codeartifact:ListDomains'
+              - 'codeartifact:DescribeDomain'
+              - 'codeartifact:DescribeRepository'
+              - 'codeartifact:ListPackages'
+              - 'codeartifact:GetRepositoryEndpoint'
+              - 'codeartifact:DescribePackage'
+              - 'codeartifact:ListPackageVersions'
+              - 'codeartifact:DescribePackageVersion'
+              - 'codeartifact:GetPackageVersionReadme'
+              - 'codeartifact:ListPackageVersionDependencies'
+              - 'codeartifact:ListPackageVersionAssets'
+              - 'codeartifact:GetPackageVersionAsset'
+              - 'codeartifact:ListTagsForResource'
+            Effect: Allow
+            Resource: '*'
+          - Sid: FIS
+            Action:
+              - 'fis:ListActions'
+              - 'fis:GetAction'
+              - 'fis:ListExperimentTemplates'
+              - 'fis:GetExperimentTemplate'
+              - 'fis:ListTargetAccountConfigurations'
+              - 'fis:ListExperiments'
+              - 'fis:GetExperiment'
+              - 'fis:ListExperimentResolvedTargets'
+              - 'fis:ListTagsForResource'
+            Effect: Allow
+            Resource: '*'
+          - Sid: MEMORYDB
+            Action:
+              - 'memorydb:DescribeMultiRegionClusters'
+              - 'memorydb:DescribeSnapshots'
+              - 'memorydb:DescribeSubnetGroups'
+              - 'memorydb:DescribeParameterGroups'
+              - 'memorydb:DescribeParameters'
+              - 'memorydb:DescribeUsers'
+              - 'memorydb:DescribeACLs'
+              - 'memorydb:DescribeServiceUpdates'
+              - 'memorydb:DescribeEngineVersions'
+              - 'memorydb:DescribeReservedNodes'
+              - 'memorydb:DescribeReservedNodesOfferings'
+              - 'memorydb:ListTags'
+              - 'memorydb:ListAllowedNodeTypeUpdates'
+              - 'memorydb:ListAllowedMultiRegionClusterUpdates'
+            Effect: Allow
+            Resource: '*'
+          - Sid: QBUSINESS
+            Action:
+              - 'qbusiness:GetApplication'
+              - 'qbusiness:GetChatControlsConfiguration'
+              - 'qbusiness:GetPolicy'
+              - 'qbusiness:ListAttachments'
+              - 'qbusiness:ListConversations'
+              - 'qbusiness:ListMessages'
+              - 'qbusiness:ListDataAccessors'
+              - 'qbusiness:GetDataAccessor'
+              - 'qbusiness:GetIndex'
+              - 'qbusiness:GetDataSource'
+              - 'qbusiness:GetPlugin'
+              - 'qbusiness:ListPluginActions'
+              - 'qbusiness:GetRetriever'
+              - 'qbusiness:GetWebExperience'
+              - 'qbusiness:ListPluginTypeMetadata'
+              - 'qbusiness:ListPluginTypeActions'
+            Effect: Allow
+            Resource: '*'
+          - Sid: QAPPS
+            Action:
+              - 'qapps:DescribeQAppPermissions'
+              - 'qapps:GetLibraryItem'
+              - 'qapps:GetQApp'
+              - 'qapps:GetQAppSession'
+              - 'qapps:GetQAppSessionMetadata'
+              - 'qapps:ListCategories'
+              - 'qapps:ListLibraryItems'
+              - 'qapps:ListQAppSessionData'
+              - 'qapps:ListQApps'
+              - 'qapps:ListTagsForResource'
+            Effect: Allow
+            Resource: '*'
+          - Sid: QCONNECT
+            Action:
+              - 'wisdom:GetAIAgent'
+              - 'wisdom:GetAIGuardrail'
+              - 'wisdom:GetAIPrompt'
+              - 'wisdom:GetContent'
+              - 'wisdom:GetImportJob'
+              - 'wisdom:GetKnowledgeBase'
+              - 'wisdom:GetMessageTemplate'
+              - 'wisdom:GetQuickResponse'
+              - 'wisdom:ListAIAgentVersions'
+              - 'wisdom:ListAIAgents'
+              - 'wisdom:ListAIGuardrailVersions'
+              - 'wisdom:ListAIGuardrails'
+              - 'wisdom:ListAIPromptVersions'
+              - 'wisdom:ListAIPrompts'
+              - 'wisdom:ListAssistantAssociations'
+              - 'wisdom:ListAssistants'
+              - 'wisdom:ListContentAssociations'
+              - 'wisdom:ListContents'
+              - 'wisdom:ListImportJobs'
+              - 'wisdom:ListKnowledgeBases'
+              - 'wisdom:ListMessageTemplateVersions'
+              - 'wisdom:ListMessageTemplates'
+              - 'wisdom:ListQuickResponses'
+              - 'wisdom:ListTagsForResource'
+            Effect: Allow
+            Resource: '*'
+          - Sid: RESOURCEGROUPS
+            Action:
+              - 'resource-groups:ListGroups'
+              - 'resource-groups:GetGroupQuery'
+              - 'resource-groups:GetGroupConfiguration'
+            Effect: Allow
+            Resource: '*'
+          - Sid: SERVICECATALOGAPPREGISTRY
+            Action:
+              - 'servicecatalog:GetApplication'
+              - 'servicecatalog:ListApplications'
+              - 'servicecatalog:GetAssociatedResource'
+              - 'servicecatalog:ListAssociatedResources'
+              - 'servicecatalog:ListAssociatedAttributeGroups'
+              - 'servicecatalog:GetAttributeGroup'
+              - 'servicecatalog:ListAttributeGroups'
+              - 'servicecatalog:ListTagsForResource'
+              - 'servicecatalog:ListAttributeGroupsForApplication'
+              - 'servicecatalog:GetConfiguration'
+            Effect: Allow
+            Resource: '*'
+          - Sid: OAM
+            Action:
+              - 'oam:GetLink'
+              - 'oam:GetSink'
+              - 'oam:GetSinkPolicy'
+              - 'oam:ListAttachedLinks'
+              - 'oam:ListLinks'
+              - 'oam:ListSinks'
+            Effect: Allow
+            Resource: '*'
+          - Sid: CLOUDDIRECTORY
+            Action:
+              - 'clouddirectory:GetAppliedSchemaVersion'
+              - 'clouddirectory:GetDirectory'
+              - 'clouddirectory:GetFacet'
+              - 'clouddirectory:GetLinkAttributes'
+              - 'clouddirectory:GetObjectAttributes'
+              - 'clouddirectory:GetObjectInformation'
+              - 'clouddirectory:GetSchemaAsJson'
+              - 'clouddirectory:GetTypedLinkFacetInformation'
+              - 'clouddirectory:ListAppliedSchemaArns'
+              - 'clouddirectory:ListAttachedIndices'
+              - 'clouddirectory:ListDevelopmentSchemaArns'
+              - 'clouddirectory:ListFacetAttributes'
+              - 'clouddirectory:ListFacetNames'
+              - 'clouddirectory:ListIncomingTypedLinks'
+              - 'clouddirectory:ListIndex'
+              - 'clouddirectory:ListManagedSchemaArns'
+              - 'clouddirectory:ListObjectAttributes'
+              - 'clouddirectory:ListObjectChildren'
+              - 'clouddirectory:ListObjectParentPaths'
+              - 'clouddirectory:ListObjectParents'
+              - 'clouddirectory:ListObjectPolicies'
+              - 'clouddirectory:ListOutgoingTypedLinks'
+              - 'clouddirectory:ListPolicyAttachments'
+              - 'clouddirectory:ListPublishedSchemaArns'
+              - 'clouddirectory:ListTagsForResource'
+              - 'clouddirectory:ListTypedLinkFacetAttributes'
+              - 'clouddirectory:ListTypedLinkFacetNames'
+            Effect: Allow
+            Resource: '*'
+          - Sid: COSTOPTIMIZATIONHUB
+            Action:
+              - 'cost-optimization-hub:GetPreferences'
+              - 'cost-optimization-hub:GetRecommendation'
+              - 'cost-optimization-hub:ListEnrollmentStatuses'
+              - 'cost-optimization-hub:ListRecommendationSummaries'
+              - 'cost-optimization-hub:ListRecommendations'
+            Effect: Allow
+            Resource: '*'
+          - Sid: BUDGETS
             Action:
-              - ec2:GetEbsEncryptionByDefault
+              - 'budgets:DescribeBudgetAction'
+              - 'budgets:DescribeBudgetActionHistories'
+              - 'budgets:DescribeBudgetActionsForAccount'
+              - 'budgets:DescribeBudgetActionsForBudget'
+              - 'budgets:ListTagsForResource'
+              - 'budgets:ViewBudget'
             Effect: Allow
             Resource: '*'
-          - Sid: GetBucketPublicAccessBlock
+          - Sid: BILLINGCONSOLE
             Action:
-              - s3:GetBucketPublicAccessBlock
+              - 'aws-portal:GetConsoleActionSetEnforced'
+              - 'aws-portal:ViewAccount'
+              - 'aws-portal:ViewBilling'
+              - 'aws-portal:ViewPaymentMethods'
+              - 'aws-portal:ViewUsage'
             Effect: Allow
             Resource: '*'
       Roles:
-        - Ref: LaceworkCrossAccountAccessRole
+        - !Ref LaceworkCrossAccountAccessRole
 
   LaceworkSnsCustomResource:
     Type: Custom::LaceworkSnsCustomResource
     DependsOn:
       - LaceworkCWSPolicy
+      - LaceworkCWSPolicy2
       - LaceworkCrossAccountAccessRole
     Properties:
       Type: AWS_CFG