
Commit 896882b

authored
chore(lwpreflight): update org permissions (#1750)
* chore: update permissions * chore: update permissions * chore: set default random cf_resource_prefix for AWS org config * chore: update permission * chore: update permission
1 parent e40883f commit 896882b


2 files changed

+43
-1
lines changed


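--- a/lwgenerate/aws/aws.go
+++ b/lwgenerate/aws/aws.go
@@ -975,6 +975,11 @@ func createConfig(args *GenerateAwsTfConfigurationArgs) ([]*hclwrite.Block, erro
 blocks := []*hclwrite.Block{}
 
 if args.AwsOrganization {
+resourcePrefix := args.ConfigOrgCfResourcePrefix
+if resourcePrefix == "" {
+uid := uuid.New().String()[:8]
+resourcePrefix = fmt.Sprintf("lacework-org-config-%s", uid)
+}
 block, err := lwgenerate.NewModule(
 "aws_org_configuration",
 lwgenerate.AwsConfigOrgSource,
@@ -988,7 +993,7 @@ func createConfig(args *GenerateAwsTfConfigurationArgs) ([]*hclwrite.Block, erro
 "lacework_secret_key": args.ConfigOrgLWSecretKey,
 "organization_id": args.ConfigOrgId,
 "organization_unit": args.ConfigOrgUnits,
-"cf_resource_prefix": args.ConfigOrgCfResourcePrefix,
+"cf_resource_prefix": resourcePrefix,
 },
 ),
 ).ToBlock()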
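Review bot: The default prefix is different on every call of createConfig, because a fresh `uuid.New()` is drawn whenever ConfigOrgCfResourcePrefix is empty, so regenerating the Terraform for the same organization produces a different `cf_resource_prefix` and, presumably, a replacement of the CloudFormation StackSet resources named from it. If that non-determinism is intended, a comment above the assignment such as `// Randomize the default prefix so repeated org integrations do not collide on CloudFormation resource names; callers that need stable output must set ConfigOrgCfResourcePrefix explicitly.` would make the trade-off visible; otherwise consider deriving the suffix from a stable input such as args.ConfigOrgId. The eight-character slice of the UUID string is safe (the string is always 36 characters), and `resourcePrefix = "lacework-org-config-" + uid` would avoid the fmt call; this assumes the file already imports the `uuid` package, which the hunk does not show. createConfig's body starts and ends outside the hunk.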

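--- a/lwpreflight/aws/constants.go
+++ b/lwpreflight/aws/constants.go
@@ -395,25 +395,39 @@ var RequiredPermissions = map[IntegrationType][]string{
 
 var RequiredPermissionsForOrg = map[IntegrationType][]string{
 Agentless: {
+"cloudformation:CreateStackInstances",
+"cloudformation:CreateStackSet",
+"cloudformation:DeleteStackInstances",
+"cloudformation:DeleteStackSet",
+"cloudformation:DescribeStackSet",
+"cloudformation:DescribeStackSetOperation",
+"cloudformation:ListStackInstances",
+"cloudformation:TagResource",
 "ec2:AssociateRouteTable",
 "ec2:AttachInternetGateway",
 "ec2:AuthorizeSecurityGroupEgress",
+"ec2:CreateFlowLogs",
 "ec2:CreateInternetGateway",
+"ec2:CreateNetworkAclEntry",
 "ec2:CreateRoute",
 "ec2:CreateRouteTable",
 "ec2:CreateSecurityGroup",
 "ec2:CreateSubnet",
 "ec2:CreateTags",
 "ec2:CreateVpc",
+"ec2:DeleteFlowLogs",
 "ec2:DeleteInternetGateway",
+"ec2:DeleteNetworkAclEntry",
 "ec2:DeleteRoute",
 "ec2:DeleteRouteTable",
 "ec2:DeleteSecurityGroup",
 "ec2:DeleteSubnet",
 "ec2:DeleteVpc",
+"ec2:DescribeFlowLogs",
 "ec2:DescribeInternetGateways",
 "ec2:DescribeNetworkAcls",
 "ec2:DescribeNetworkInterfaces",
+"ec2:DescribeRegions",
 "ec2:DescribeRouteTables",
 "ec2:DescribeSecurityGroupRules",
 "ec2:DescribeSecurityGroups",
@@ -425,6 +439,7 @@ var RequiredPermissionsForOrg = map[IntegrationType][]string{
 "ec2:DetachInternetGateway",
 "ec2:DisassociateRouteTable",
 "ec2:ModifyVpcAttribute",
+"ec2:ReplaceNetworkAclAssociation",
 "ec2:RevokeSecurityGroupEgress",
 "ec2:RevokeSecurityGroupIngress",
 "ecs:CreateCluster",
@@ -436,6 +451,7 @@ var RequiredPermissionsForOrg = map[IntegrationType][]string{
 "ecs:PutClusterCapacityProviders",
 "ecs:RegisterTaskDefinition",
 "ecs:StopTask",
+"ecs:TagResource",
 "events:DeleteRule",
 "events:DescribeRule",
 "events:ListTagsForResource",
@@ -466,10 +482,16 @@ var RequiredPermissionsForOrg = map[IntegrationType][]string{
 "iam:PutRolePolicy",
 "iam:TagPolicy",
 "iam:TagRole",
+"logs:CreateDelivery",
+"logs:CreateLogDelivery",
 "logs:CreateLogGroup",
+"logs:CreateLogStream",
 "logs:DeleteLogGroup",
 "logs:DescribeLogGroups",
+"logs:DescribeLogStreams",
+"logs:ListTagsForResource",
 "logs:ListTagsLogGroup",
+"logs:PutLogEvents",
 "logs:PutRetentionPolicy",
 "organizations:DescribeAccount",
 "organizations:DescribeOrganization",
@@ -496,6 +518,7 @@ var RequiredPermissionsForOrg = map[IntegrationType][]string{
 "s3:GetBucketWebsite",
 "s3:GetEncryptionConfiguration",
 "s3:GetLifecycleConfiguration",
+"s3:GetObject",
 "s3:GetReplicationConfiguration",
 "s3:ListBucket",
 "s3:ListBucketVersions",
@@ -512,6 +535,7 @@ var RequiredPermissionsForOrg = map[IntegrationType][]string{
 "secretsmanager:GetResourcePolicy",
 "secretsmanager:GetSecretValue",
 "secretsmanager:PutSecretValue",
+"servicequotas:GetServiceQuota",
 },
 Config: {
 "cloudformation:CreateStack",
@@ -527,8 +551,12 @@ var RequiredPermissionsForOrg = map[IntegrationType][]string{
 "cloudformation:DescribeStackSetOperation",
 "cloudformation:GetTemplate",
 "cloudformation:ListStackInstances",
+"cloudformation:TagResource",
+"ec2:DescribeRegions",
 "iam:AttachRolePolicy",
+"iam:CreatePolicy",
 "iam:CreateRole",
+"iam:DeletePolicy",
 "iam:DeleteRole",
 "iam:DeleteRolePolicy",
 "iam:DetachRolePolicy",
@@ -589,6 +617,7 @@ var RequiredPermissionsForOrg = map[IntegrationType][]string{
 "lambda:InvokeFunction",
 "lambda:ListVersionsByFunction",
 "lambda:Removepermission",
+"lambda:TagResource",
 "organizations:DescribeAccount",
 "organizations:DescribeOrganization",
 "organizations:ListAccounts",
@@ -659,20 +688,24 @@ var RequiredPermissionsForOrg = map[IntegrationType][]string{
 "s3:PutBucketOwnershipControls",
 "s3:PutBucketPolicy",
 "s3:PutBucketPublicAccessBlock",
+"s3:PutBucketTagging",
 "s3:PutBucketVersioning",
 "s3:PutEncryptionConfiguration",
 "secretsmanager:CreateSecret",
+"secretsmanager:DeleteSecret",
 "secretsmanager:DescribeSecret",
 "secretsmanager:GetResourcePolicy",
 "secretsmanager:GetSecretValue",
 "secretsmanager:PutSecretValue",
+"secretsmanager:TagResource",
 "sns:CreateTopic",
 "sns:DeleteTopic",
 "sns:GetSubscriptionAttributes",
 "sns:GetTopicAttributes",
 "sns:ListTagsForResource",
 "sns:SetTopicAttributes",
 "sns:Subscribe",
+"sns:TagResource",
 "sns:Unsubscribe",
 },
 CloudTrail: {
@@ -684,11 +717,13 @@ var RequiredPermissionsForOrg = map[IntegrationType][]string{
 "cloudtrail:GetTrailStatus",
 "cloudtrail:ListTags",
 "cloudtrail:StartLogging",
+"ec2:DescribeRegions",
 "iam:AttachRolePolicy",
 "iam:CreatePolicy",
 "iam:CreateRole",
 "iam:CreateServiceLinkedRole",
 "iam:DeletePolicy",
+"iam:DeleteRole",
 "iam:DetachRolePolicy",
 "iam:GetPolicy",
 "iam:GetPolicyVersion",
@@ -728,6 +763,7 @@ var RequiredPermissionsForOrg = map[IntegrationType][]string{
 "kms:PutKeyPolicy",
 "kms:RevokeGrant",
 "kms:ScheduleKeyDeletion",
+"kms:TagResource",
 "kms:UpdateAlias",
 "kms:UpdateCustomKeyStore",
 "kms:UpdateKeyDescription",
@@ -765,6 +801,7 @@ var RequiredPermissionsForOrg = map[IntegrationType][]string{
 "s3:PutBucketOwnershipControls",
 "s3:PutBucketPolicy",
 "s3:PutBucketPublicAccessBlock",
+"s3:PutBucketTagging",
 "s3:PutBucketVersioning",
 "s3:PutEncryptionConfiguration",
 "sns:CreateTopic",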
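Review bot: The actions added to the Agentless slice in the first hunk carry no comment tying them to the module resource that needs them, so a reader cannot tell why preflight must now require, for example, `s3:GetObject`, `logs:PutLogEvents` or `secretsmanager:DeleteSecret`, each of which widens the org-level permission set the tool checks for beyond the previous list. A short comment above `Agentless: {` such as `// Actions the agentless org Terraform module exercises (StackSet, VPC/flow-log, CloudWatch Logs delivery, quota lookup); keep in sync with the module's IAM policy and its resource scoping.` would record the source of truth, and the same documentation gap applies to the Config and CloudTrail additions in the later hunks of this file. Separately, if the preflight comparison of action names is case-sensitive, the pre-existing context line `"lambda:Removepermission"` may not match the action as AWS spells it (`lambda:RemovePermission`); that line is not part of this commit's changes but sits in the reviewed slice and is worth confirming.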
