Revert to more permissive policy (#109)

gi-erre · web-flow · commit 348f8d0f62f6 · 2023-11-02T14:13:08.000-07:00
diff --git a/templates_cloudlogs/CloudLogs.yaml b/templates_cloudlogs/CloudLogs.yaml
@@ -14,7 +14,6 @@ Metadata:
           - ExternalID
           - TrustedIdentity
           - BucketARN
-          - AccountID
 
     ParameterLabels:
       CloudLogsRoleName:
@@ -25,8 +24,6 @@ Metadata:
         default: "Trusted Identity (Sysdig use only)"
       BucketARN:
         default: "Bucket ARN"
-      AccountID:
-        default: "Account ID"
 
 Parameters:
   CloudLogsRoleName:
@@ -41,9 +38,6 @@ Parameters:
   BucketARN:
     Type: String
     Description: The ARN of your s3 bucket associated with your Cloudtrail trail.
-  AccountID:
-    Type: String
-    Description: The Identifier of your AWS account.
 
 Resources:
   CloudLogsRole:
@@ -80,7 +74,7 @@ Resources:
             Action:
               - "s3:List*"
             Resource:
-              - !Sub '${BucketARN}/AWSLogs/${AccountID}'
-              - !Sub '${BucketARN}/AWSLogs/${AccountID}/*'
+              - !Sub '${BucketARN}'
+              - !Sub '${BucketARN}/*'
       Roles:
         - Ref: "CloudLogsRole"
diff --git a/templates_cloudlogs/OrgCloudLogs.yaml b/templates_cloudlogs/OrgCloudLogs.yaml
@@ -16,7 +16,6 @@ Metadata:
           - ExternalID
           - TrustedIdentity
           - BucketARN
-          - AccountID
 
     ParameterLabels:
       CSPMRoleName:
@@ -29,8 +28,6 @@ Metadata:
         default: "Trusted Identity (Sysdig use only)"
       BucketARN:
         default: "Bucket ARN"
-      AccountID:
-        default: "Account ID"
 
 Parameters:
   CSPMRoleName:
@@ -48,9 +45,6 @@ Parameters:
   BucketARN:
     Type: String
     Description: The ARN of your s3 bucket associated with your Cloudtrail trail.
-  AccountID:
-    Type: String
-    Description: The Identifier of your AWS account.
 
 Resources:
   CloudLogsRole:
@@ -87,8 +81,8 @@ Resources:
             Action:
               - "s3:List*"
             Resource:
-              - !Sub '${BucketARN}/AWSLogs/${AccountID}'
-              - !Sub '${BucketARN}/AWSLogs/${AccountID}/*'
+              - !Sub '${BucketARN}'
+              - !Sub '${BucketARN}/*'
       Roles:
         - Ref: "CloudLogsRole"
   CloudAgentlessRole:
diff --git a/templates_cspm_cloudlogs/FullInstall.yaml b/templates_cspm_cloudlogs/FullInstall.yaml
@@ -12,7 +12,6 @@ Metadata:
           - ExternalID
           - TrustedIdentity
           - BucketARN
-          - AccountID
 
     ParameterLabels:
       CSPMRoleName:
@@ -25,8 +24,6 @@ Metadata:
         default: "Trusted Identity (Sysdig use only)"
       BucketARN:
         default: "Bucket ARN"
-      AccountID:
-        default: "Account ID"
 
 Parameters:
   CSPMRoleName:
@@ -44,9 +41,6 @@ Parameters:
   BucketARN:
     Type: String
     Description: The ARN of your s3 bucket associated with your Cloudtrail trail.
-  AccountID:
-    Type: String
-    Description: The Identifier of your AWS account.
 
 Resources:
   CloudAgentlessRole:
@@ -100,7 +94,7 @@ Resources:
             Action:
               - "s3:List*"
             Resource:
-              - !Sub '${BucketARN}/AWSLogs/${AccountID}'
-              - !Sub '${BucketARN}/AWSLogs/${AccountID}/*'
+              - !Sub '${BucketARN}'
+              - !Sub '${BucketARN}/*'
       Roles:
         - Ref: "CloudLogsRole"
diff --git a/templates_cspm_cloudlogs/OrgFullInstall.yaml b/templates_cspm_cloudlogs/OrgFullInstall.yaml
@@ -13,7 +13,6 @@ Metadata:
           - TrustedIdentity
           - BucketARN
           - OrganizationUnitIDs
-          - AccountID
 
     ParameterLabels:
       CSPMRoleName:
@@ -28,8 +27,6 @@ Metadata:
         default: "Trusted Identity (Sysdig use only)"
       OrganizationUnitIDs:
         default: "Organization Unit IDs (Sysdig use only)"
-      AccountID:
-        default: "Account ID"
 
 Parameters:
   CSPMRoleName:
@@ -50,9 +47,6 @@ Parameters:
   OrganizationUnitIDs:
     Type: String
     Description: Organization Unit IDs to deploy
-  AccountID:
-    Type: String
-    Description: The Identifier of your AWS account.
 
 Resources:
   CloudAgentlessRole:
@@ -105,8 +99,8 @@ Resources:
             Action:
               - "s3:List*"
             Resource:
-              - !Sub '${BucketARN}/AWSLogs/${AccountID}'
-              - !Sub '${BucketARN}/AWSLogs/${AccountID}/*'
+              - !Sub '${BucketARN}'
+              - !Sub '${BucketARN}/*'
       Roles:
         - Ref: "CloudLogsRole"
   RolesStackSet:
