From aef6bd3b519fd1204b6b5d4a39025c552010178b Mon Sep 17 00:00:00 2001
From: ismael-penacho-sysdig
Date: Mon, 21 Apr 2025 15:58:42 +0200
Subject: [PATCH 1/6] add bedrock perm
---
 templates_cspm/CloudAgentlessRole.yaml | 11 ++++++++++-
 templates_cspm/OrgCloudAgentlessRole.yaml | 18 ++++++++++++++++++
 templates_cspm_cloudlogs/FullInstall.yaml | 9 +++++++++
 templates_cspm_cloudlogs/OrgFullInstall.yaml | 18 ++++++++++++++++++
 templates_cspm_eventbridge/FullInstall.yaml | 9 +++++++++
 templates_cspm_eventbridge/OrgFullInstall.yaml | 18 ++++++++++++++++++
 6 files changed, 82 insertions(+), 1 deletion(-)
diff --git a/templates_cspm/CloudAgentlessRole.yaml b/templates_cspm/CloudAgentlessRole.yaml
index 9432714..a4583df 100644
--- a/templates_cspm/CloudAgentlessRole.yaml
+++ b/templates_cspm/CloudAgentlessRole.yaml
@@ -73,7 +73,16 @@ Resources:
 - Effect: "Allow"
 Action: "account:GetContactInformation"
 Resource: "*"
-
+ - Effect: "Allow"
+ Action: "bedrock:ListAgents"
+ Resource: "*"
+ - Effect: "Allow"
+ Action: "bedrock:ListCustomModels"
+ Resource: "*"
+ - Effect: "Allow"
+ Action: "bedrock:ListKnowledgeBases"
+ Resource: "*"
+
 Outputs:
 RoleARN:
 Description: ARN of the role created
diff --git a/templates_cspm/OrgCloudAgentlessRole.yaml b/templates_cspm/OrgCloudAgentlessRole.yaml
index edf6da8..3379e4d 100644
--- a/templates_cspm/OrgCloudAgentlessRole.yaml
+++ b/templates_cspm/OrgCloudAgentlessRole.yaml
@@ -75,6 +75,15 @@ Resources:
 - Effect: "Allow"
 Action: "account:GetContactInformation"
 Resource: "*"
+ - Effect: "Allow"
+ Action: "bedrock:ListAgents"
+ Resource: "*"
+ - Effect: "Allow"
+ Action: "bedrock:ListCustomModels"
+ Resource: "*"
+ - Effect: "Allow"
+ Action: "bedrock:ListKnowledgeBases"
+ Resource: "*"
 RoleStackSet:
 Type: AWS::CloudFormation::StackSet
 Properties:
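Review bot: The three new statements in the CloudAgentlessRole.yaml hunk grant Bedrock `List*` actions on `Resource: "*"` with nothing in the policy saying what the scanner uses them for; as far as I know these List actions are not resource-scopable, so the wildcard is the minimum grant, but a reader cannot tell that from the template. I would put one comment above the first new statement, `# Bedrock inventory: List* actions are account-wide and accept only Resource "*"`, and keep this block read-only. The same block is pasted into the other eight hunks of this patch (OrgCloudAgentlessRole.yaml twice, templates_cspm_cloudlogs/FullInstall.yaml and OrgFullInstall.yaml twice, templates_cspm_eventbridge/FullInstall.yaml and OrgFullInstall.yaml twice), so the comment belongs with each copy. The first hunk also removes a whitespace-only line and adds a bare blank line after the new statements, which patches 4–6 then shuffle until the file's blob returns to the pre-series `9432714`; the series should be squashed so that churn does not land in history. The policy statement lists these hunks extend begin before each hunk.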
@@ -154,3 +163,12 @@ Resources:
 - Effect: "Allow"
 Action: "account:GetContactInformation"
 Resource: "*"
+ - Effect: "Allow"
+ Action: "bedrock:ListAgents"
+ Resource: "*"
+ - Effect: "Allow"
+ Action: "bedrock:ListCustomModels"
+ Resource: "*"
+ - Effect: "Allow"
+ Action: "bedrock:ListKnowledgeBases"
+ Resource: "*"
diff --git a/templates_cspm_cloudlogs/FullInstall.yaml b/templates_cspm_cloudlogs/FullInstall.yaml
index 71d6545..ec20ed7 100644
--- a/templates_cspm_cloudlogs/FullInstall.yaml
+++ b/templates_cspm_cloudlogs/FullInstall.yaml
@@ -86,6 +86,15 @@ Resources:
 - Effect: "Allow"
 Action: "account:GetContactInformation"
 Resource: "*"
+ - Effect: "Allow"
+ Action: "bedrock:ListAgents"
+ Resource: "*"
+ - Effect: "Allow"
+ Action: "bedrock:ListCustomModels"
+ Resource: "*"
+ - Effect: "Allow"
+ Action: "bedrock:ListKnowledgeBases"
+ Resource: "*"
 CloudLogsRole:
 Type: "AWS::IAM::Role"
 Properties:
diff --git a/templates_cspm_cloudlogs/OrgFullInstall.yaml b/templates_cspm_cloudlogs/OrgFullInstall.yaml
index aad14db..f2bbcff 100644
--- a/templates_cspm_cloudlogs/OrgFullInstall.yaml
+++ b/templates_cspm_cloudlogs/OrgFullInstall.yaml
@@ -91,6 +91,15 @@ Resources:
 - Effect: "Allow"
 Action: "account:GetContactInformation"
 Resource: "*"
+ - Effect: "Allow"
+ Action: "bedrock:ListAgents"
+ Resource: "*"
+ - Effect: "Allow"
+ Action: "bedrock:ListCustomModels"
+ Resource: "*"
+ - Effect: "Allow"
+ Action: "bedrock:ListKnowledgeBases"
+ Resource: "*"
 CloudLogsRole:
 Type: "AWS::IAM::Role"
 Properties:
@@ -208,3 +217,12 @@ Resources:
 - Effect: "Allow"
 Action: "account:GetContactInformation"
 Resource: "*"
+ - Effect: "Allow"
+ Action: "bedrock:ListAgents"
+ Resource: "*"
+ - Effect: "Allow"
+ Action: "bedrock:ListCustomModels"
+ Resource: "*"
+ - Effect: "Allow"
+ Action: "bedrock:ListKnowledgeBases"
+ Resource: "*"
diff --git a/templates_cspm_eventbridge/FullInstall.yaml b/templates_cspm_eventbridge/FullInstall.yaml
index 4bd43fb..9bb67b8 100644
--- a/templates_cspm_eventbridge/FullInstall.yaml
+++ b/templates_cspm_eventbridge/FullInstall.yaml
@@ -98,6 +98,15 @@ Resources:
 - Effect: "Allow"
 Action: "account:GetContactInformation"
 Resource: "*"
+ - Effect: "Allow"
+ Action: "bedrock:ListAgents"
+ Resource: "*"
+ - Effect: "Allow"
+ Action: "bedrock:ListCustomModels"
+ Resource: "*"
+ - Effect: "Allow"
+ Action: "bedrock:ListKnowledgeBases"
+ Resource: "*"
 EventBridgeRole:
 Type: AWS::IAM::Role
 Properties:
diff --git a/templates_cspm_eventbridge/OrgFullInstall.yaml b/templates_cspm_eventbridge/OrgFullInstall.yaml
index 8e8d222..7af541b 100644
--- a/templates_cspm_eventbridge/OrgFullInstall.yaml
+++ b/templates_cspm_eventbridge/OrgFullInstall.yaml
@@ -142,6 +142,15 @@ Resources:
 - Effect: "Allow"
 Action: "account:GetContactInformation"
 Resource: "*"
+ - Effect: "Allow"
+ Action: "bedrock:ListAgents"
+ Resource: "*"
+ - Effect: "Allow"
+ Action: "bedrock:ListCustomModels"
+ Resource: "*"
+ - Effect: "Allow"
+ Action: "bedrock:ListKnowledgeBases"
+ Resource: "*"
 EventBridgeRole:
 Type: AWS::IAM::Role
 Properties:
@@ -263,6 +272,15 @@ Resources:
 - Effect: "Allow"
 Action: "account:GetContactInformation"
 Resource: "*"
+ - Effect: "Allow"
+ Action: "bedrock:ListAgents"
+ Resource: "*"
+ - Effect: "Allow"
+ Action: "bedrock:ListCustomModels"
+ Resource: "*"
+ - Effect: "Allow"
+ Action: "bedrock:ListKnowledgeBases"
+ Resource: "*"
 EventBridgeRole:
 Type: AWS::IAM::Role
 Properties:
From 6b11d81abb2368830dbc6c07281ace8379a2c4ce Mon Sep 17 00:00:00 2001
From: ismael-penacho-sysdig
Date: Mon, 21 Apr 2025 16:23:40 +0200
Subject: [PATCH 2/6] delete ListCustomModels
---
 templates_cspm/CloudAgentlessRole.yaml | 3 ---
 templates_cspm/OrgCloudAgentlessRole.yaml | 6 ------
 templates_cspm_cloudlogs/FullInstall.yaml | 3 ---
 templates_cspm_cloudlogs/OrgFullInstall.yaml | 6 ------
 templates_cspm_eventbridge/FullInstall.yaml | 3 ---
 templates_cspm_eventbridge/OrgFullInstall.yaml | 6 ------
 6 files changed, 27 deletions(-)
diff --git a/templates_cspm/CloudAgentlessRole.yaml b/templates_cspm/CloudAgentlessRole.yaml
index a4583df..31f8fdd 100644
--- a/templates_cspm/CloudAgentlessRole.yaml
+++ b/templates_cspm/CloudAgentlessRole.yaml
@@ -76,9 +76,6 @@ Resources:
 - Effect: "Allow"
 Action: "bedrock:ListAgents"
 Resource: "*"
- - Effect: "Allow"
- Action: "bedrock:ListCustomModels"
- Resource: "*"
 - Effect: "Allow"
 Action: "bedrock:ListKnowledgeBases"
 Resource: "*"
diff --git a/templates_cspm/OrgCloudAgentlessRole.yaml b/templates_cspm/OrgCloudAgentlessRole.yaml
index 3379e4d..bf531fd 100644
--- a/templates_cspm/OrgCloudAgentlessRole.yaml
+++ b/templates_cspm/OrgCloudAgentlessRole.yaml
@@ -78,9 +78,6 @@ Resources:
 - Effect: "Allow"
 Action: "bedrock:ListAgents"
 Resource: "*"
- - Effect: "Allow"
- Action: "bedrock:ListCustomModels"
- Resource: "*"
 - Effect: "Allow"
 Action: "bedrock:ListKnowledgeBases"
 Resource: "*"
@@ -166,9 +163,6 @@ Resources:
 - Effect: "Allow"
 Action: "bedrock:ListAgents"
 Resource: "*"
- - Effect: "Allow"
- Action: "bedrock:ListCustomModels"
- Resource: "*"
 - Effect: "Allow"
 Action: "bedrock:ListKnowledgeBases"
 Resource: "*"
diff --git a/templates_cspm_cloudlogs/FullInstall.yaml b/templates_cspm_cloudlogs/FullInstall.yaml
index ec20ed7..d98c4bc 100644
--- a/templates_cspm_cloudlogs/FullInstall.yaml
+++ b/templates_cspm_cloudlogs/FullInstall.yaml
@@ -89,9 +89,6 @@ Resources:
 - Effect: "Allow"
 Action: "bedrock:ListAgents"
 Resource: "*"
- - Effect: "Allow"
- Action: "bedrock:ListCustomModels"
- Resource: "*"
 - Effect: "Allow"
 Action: "bedrock:ListKnowledgeBases"
 Resource: "*"
diff --git a/templates_cspm_cloudlogs/OrgFullInstall.yaml b/templates_cspm_cloudlogs/OrgFullInstall.yaml
index f2bbcff..018329c 100644
--- a/templates_cspm_cloudlogs/OrgFullInstall.yaml
+++ b/templates_cspm_cloudlogs/OrgFullInstall.yaml
@@ -94,9 +94,6 @@ Resources:
 - Effect: "Allow"
 Action: "bedrock:ListAgents"
 Resource: "*"
- - Effect: "Allow"
- Action: "bedrock:ListCustomModels"
- Resource: "*"
 - Effect: "Allow"
 Action: "bedrock:ListKnowledgeBases"
 Resource: "*"
@@ -220,9 +217,6 @@ Resources:
 - Effect: "Allow"
 Action: "bedrock:ListAgents"
 Resource: "*"
- - Effect: "Allow"
- Action: "bedrock:ListCustomModels"
- Resource: "*"
 - Effect: "Allow"
 Action: "bedrock:ListKnowledgeBases"
 Resource: "*"
diff --git a/templates_cspm_eventbridge/FullInstall.yaml b/templates_cspm_eventbridge/FullInstall.yaml
index 9bb67b8..6692eca 100644
--- a/templates_cspm_eventbridge/FullInstall.yaml
+++ b/templates_cspm_eventbridge/FullInstall.yaml
@@ -101,9 +101,6 @@ Resources:
 - Effect: "Allow"
 Action: "bedrock:ListAgents"
 Resource: "*"
- - Effect: "Allow"
- Action: "bedrock:ListCustomModels"
- Resource: "*"
 - Effect: "Allow"
 Action: "bedrock:ListKnowledgeBases"
 Resource: "*"
diff --git a/templates_cspm_eventbridge/OrgFullInstall.yaml b/templates_cspm_eventbridge/OrgFullInstall.yaml
index 7af541b..fe1604c 100644
--- a/templates_cspm_eventbridge/OrgFullInstall.yaml
+++ b/templates_cspm_eventbridge/OrgFullInstall.yaml
@@ -145,9 +145,6 @@ Resources:
 - Effect: "Allow"
 Action: "bedrock:ListAgents"
 Resource: "*"
- - Effect: "Allow"
- Action: "bedrock:ListCustomModels"
- Resource: "*"
 - Effect: "Allow"
 Action: "bedrock:ListKnowledgeBases"
 Resource: "*"
@@ -275,9 +272,6 @@ Resources:
 - Effect: "Allow"
 Action: "bedrock:ListAgents"
 Resource: "*"
- - Effect: "Allow"
- Action: "bedrock:ListCustomModels"
- Resource: "*"
 - Effect: "Allow"
 Action: "bedrock:ListKnowledgeBases"
 Resource: "*"
From 4be2f384075fafdc71895436716d20de0008f244 Mon Sep 17 00:00:00 2001
From: ismael-penacho-sysdig
Date: Fri, 25 Apr 2025 14:15:25 +0200
Subject: [PATCH 3/6] Using new templates
---
 modules/foundational.cft.yaml | 24 +++++++++++++++++++
 templates_cspm/CloudAgentlessRole.yaml | 6 -----
 templates_cspm/OrgCloudAgentlessRole.yaml | 12 ----------
 templates_cspm_cloudlogs/FullInstall.yaml | 6 -----
 templates_cspm_cloudlogs/OrgFullInstall.yaml | 12 ----------
 templates_cspm_eventbridge/FullInstall.yaml | 6 -----
 .../OrgFullInstall.yaml | 12 ----------
 7 files changed, 24 insertions(+), 54 deletions(-)
diff --git a/modules/foundational.cft.yaml b/modules/foundational.cft.yaml
index 4035dee..206ef44 100644
--- a/modules/foundational.cft.yaml
+++ b/modules/foundational.cft.yaml
@@ -176,6 +176,18 @@ Resources:
 - Effect: Allow
 Action: account:GetContactInformation
 Resource: '*'
+ - Effect: "Allow"
+ Action: "bedrock:ListAgents"
+ Resource: "*"
+ - Effect: "Allow"
+ Action: "bedrock:GetAgent"
+ Resource: "*"
+ - Effect: "Allow"
+ Action: "bedrock:ListKnowledgeBases"
+ Resource: "*"
+ - Effect: "Allow"
+ Action: "bedrock:GetKnowledgeBase"
+ Resource: "*"
 OnboardingRole:
 Type: AWS::IAM::Role
 Properties:
@@ -329,6 +341,18 @@ Resources:
 - Effect: "Allow"
 Action: "account:GetContactInformation"
 Resource: "*"
+ - Effect: "Allow"
+ Action: "bedrock:ListAgents"
+ Resource: "*"
+ - Effect: "Allow"
+ Action: "bedrock:GetAgent"
+ Resource: "*"
+ - Effect: "Allow"
+ Action: "bedrock:ListKnowledgeBases"
+ Resource: "*"
+ - Effect: "Allow"
+ Action: "bedrock:GetKnowledgeBase"
+ Resource: "*"
 OnboardingRole:
 Type: AWS::IAM::Role
 Properties:
diff --git a/templates_cspm/CloudAgentlessRole.yaml b/templates_cspm/CloudAgentlessRole.yaml
index 31f8fdd..2423ed5 100644
--- a/templates_cspm/CloudAgentlessRole.yaml
+++ b/templates_cspm/CloudAgentlessRole.yaml
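Review bot: The new `bedrock:GetAgent` and `bedrock:GetKnowledgeBase` statements in the foundational.cft.yaml hunk at `@@ -176` (and the identical four statements in the hunk at `@@ -329`) are resource-level actions granted on `Resource: "*"`, and as I recall `GetAgent` returns an agent's full configuration including its instruction text, so this is account-wide read access to prompt content rather than a pure inventory grant; nothing in the template records that this is intended. For a scanner role the account-wide scope is probably right, but I would say so above the statements, e.g. `# Bedrock inventory (read-only): Get* return agent/knowledge-base configuration, including agent instructions; account-wide scope is needed for scanning`. The first hunk also changes quoting style mid-list — its neighbours use `Effect: Allow` / `Resource: '*'` while the new lines use `"Allow"` / `"*"`; match the plain style there (the second hunk's neighbours are already double-quoted, so it is consistent as written). Separately, the `index` lines of the four template files in this patch (for example `6b9e7da..a149982` for OrgCloudAgentlessRole.yaml) do not continue from the blobs patch 2 produced (`bf531fd`), so the series appears to have been generated against a different base and may not apply in order. Both roles' policy statement lists begin before their hunks.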
@@ -73,12 +73,6 @@ Resources:
 - Effect: "Allow"
 Action: "account:GetContactInformation"
 Resource: "*"
- - Effect: "Allow"
- Action: "bedrock:ListAgents"
- Resource: "*"
- - Effect: "Allow"
- Action: "bedrock:ListKnowledgeBases"
- Resource: "*"

 Outputs:
 RoleARN:
diff --git a/templates_cspm/OrgCloudAgentlessRole.yaml b/templates_cspm/OrgCloudAgentlessRole.yaml
index 6b9e7da..a149982 100644
--- a/templates_cspm/OrgCloudAgentlessRole.yaml
+++ b/templates_cspm/OrgCloudAgentlessRole.yaml
@@ -75,12 +75,6 @@ Resources:
 - Effect: "Allow"
 Action: "account:GetContactInformation"
 Resource: "*"
- - Effect: "Allow"
- Action: "bedrock:ListAgents"
- Resource: "*"
- - Effect: "Allow"
- Action: "bedrock:ListKnowledgeBases"
- Resource: "*"
 RoleStackSet:
 Type: AWS::CloudFormation::StackSet
 Properties:
@@ -163,9 +157,3 @@ Resources:
 - Effect: "Allow"
 Action: "account:GetContactInformation"
 Resource: "*"
- - Effect: "Allow"
- Action: "bedrock:ListAgents"
- Resource: "*"
- - Effect: "Allow"
- Action: "bedrock:ListKnowledgeBases"
- Resource: "*"
diff --git a/templates_cspm_cloudlogs/FullInstall.yaml b/templates_cspm_cloudlogs/FullInstall.yaml
index d98c4bc..71d6545 100644
--- a/templates_cspm_cloudlogs/FullInstall.yaml
+++ b/templates_cspm_cloudlogs/FullInstall.yaml
@@ -86,12 +86,6 @@ Resources:
 - Effect: "Allow"
 Action: "account:GetContactInformation"
 Resource: "*"
- - Effect: "Allow"
- Action: "bedrock:ListAgents"
- Resource: "*"
- - Effect: "Allow"
- Action: "bedrock:ListKnowledgeBases"
- Resource: "*"
 CloudLogsRole:
 Type: "AWS::IAM::Role"
 Properties:
diff --git a/templates_cspm_cloudlogs/OrgFullInstall.yaml b/templates_cspm_cloudlogs/OrgFullInstall.yaml
index 7b10d36..b915421 100644
--- a/templates_cspm_cloudlogs/OrgFullInstall.yaml
+++ b/templates_cspm_cloudlogs/OrgFullInstall.yaml
@@ -91,12 +91,6 @@ Resources:
 - Effect: "Allow"
 Action: "account:GetContactInformation"
 Resource: "*"
- - Effect: "Allow"
- Action: "bedrock:ListAgents"
- Resource: "*"
- - Effect: "Allow"
- Action: "bedrock:ListKnowledgeBases"
- Resource: "*"
 CloudLogsRole:
 Type: "AWS::IAM::Role"
 Properties:
@@ -219,9 +213,3 @@ Resources:
 - Effect: "Allow"
 Action: "account:GetContactInformation"
 Resource: "*"
- - Effect: "Allow"
- Action: "bedrock:ListAgents"
- Resource: "*"
- - Effect: "Allow"
- Action: "bedrock:ListKnowledgeBases"
- Resource: "*"
diff --git a/templates_cspm_eventbridge/FullInstall.yaml b/templates_cspm_eventbridge/FullInstall.yaml
index 8fb463b..f8f0c0e 100644
--- a/templates_cspm_eventbridge/FullInstall.yaml
+++ b/templates_cspm_eventbridge/FullInstall.yaml
@@ -122,12 +122,6 @@ Resources:
 - Effect: "Allow"
 Action: "account:GetContactInformation"
 Resource: "*"
- - Effect: "Allow"
- Action: "bedrock:ListAgents"
- Resource: "*"
- - Effect: "Allow"
- Action: "bedrock:ListKnowledgeBases"
- Resource: "*"
 EventBridgeRole:
 Type: AWS::IAM::Role
 Properties:
diff --git a/templates_cspm_eventbridge/OrgFullInstall.yaml b/templates_cspm_eventbridge/OrgFullInstall.yaml
index 38069d3..bf29b4d 100644
--- a/templates_cspm_eventbridge/OrgFullInstall.yaml
+++ b/templates_cspm_eventbridge/OrgFullInstall.yaml
@@ -169,12 +169,6 @@ Resources:
 - Effect: "Allow"
 Action: "account:GetContactInformation"
 Resource: "*"
- - Effect: "Allow"
- Action: "bedrock:ListAgents"
- Resource: "*"
- - Effect: "Allow"
- Action: "bedrock:ListKnowledgeBases"
- Resource: "*"
 EventBridgeRole:
 Type: AWS::IAM::Role
 Properties:
@@ -300,12 +294,6 @@ Resources:
 - Effect: "Allow"
 Action: "account:GetContactInformation"
 Resource: "*"
- - Effect: "Allow"
- Action: "bedrock:ListAgents"
- Resource: "*"
- - Effect: "Allow"
- Action: "bedrock:ListKnowledgeBases"
- Resource: "*"
 EventBridgeRole:
 Type: AWS::IAM::Role
 Properties:
From a225b4e31fb2464a16d0e7d9800734cd4efccc63 Mon Sep 17 00:00:00 2001
From: ismael-penacho-sysdig
Date: Fri, 25 Apr 2025 14:16:11 +0200
Subject: [PATCH 4/6] delete extra end line
---
 templates_cspm/CloudAgentlessRole.yaml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/templates_cspm/CloudAgentlessRole.yaml b/templates_cspm/CloudAgentlessRole.yaml
index 2423ed5..38947d0 100644
--- a/templates_cspm/CloudAgentlessRole.yaml
+++ b/templates_cspm/CloudAgentlessRole.yaml
@@ -72,8 +72,7 @@ Resources:
 Resource: "*"
 - Effect: "Allow"
 Action: "account:GetContactInformation"
- Resource: "*"
-
+ Resource: "*"
 Outputs:
 RoleARN:
 Description: ARN of the role created
From 9745954519af3414a7d5b42c5cba7a1597fec1d2 Mon Sep 17 00:00:00 2001
From: ismael-penacho-sysdig
Date: Fri, 25 Apr 2025 14:17:20 +0200
Subject: [PATCH 5/6] update
---
 templates_cspm/CloudAgentlessRole.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/templates_cspm/CloudAgentlessRole.yaml b/templates_cspm/CloudAgentlessRole.yaml
index 38947d0..2423ed5 100644
--- a/templates_cspm/CloudAgentlessRole.yaml
+++ b/templates_cspm/CloudAgentlessRole.yaml
@@ -72,7 +72,8 @@ Resources:
 Resource: "*"
 - Effect: "Allow"
 Action: "account:GetContactInformation"
- Resource: "*"
+ Resource: "*"
+
 Outputs:
 RoleARN:
 Description: ARN of the role created
From 7516011bb7ed5a554389775b431a43c9409e745e Mon Sep 17 00:00:00 2001
From: ismael-penacho-sysdig
Date: Fri, 25 Apr 2025 14:17:58 +0200
Subject: [PATCH 6/6] delete extra tab
---
 templates_cspm/CloudAgentlessRole.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/templates_cspm/CloudAgentlessRole.yaml b/templates_cspm/CloudAgentlessRole.yaml
index 2423ed5..9432714 100644
--- a/templates_cspm/CloudAgentlessRole.yaml
+++ b/templates_cspm/CloudAgentlessRole.yaml
@@ -73,7 +73,7 @@ Resources:
 - Effect: "Allow"
 Action: "account:GetContactInformation"
 Resource: "*"
-
+
 Outputs:
 RoleARN:
 Description: ARN of the role created