From f87b1b26b69621516dd754068e51f4994e153c60 Mon Sep 17 00:00:00 2001 From: jingjingzhang-lw Date: Wed, 4 Dec 2024 11:26:35 -0800 Subject: [PATCH 1/2] addGluePermission (#112) --- main.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/main.tf b/main.tf index df87f6b..fb9af4b 100644 --- a/main.tf +++ b/main.tf @@ -129,6 +129,7 @@ data "aws_iam_policy_document" "lacework_audit_policy" { sid = "GLUE" actions = ["glue:ListWorkflows", "glue:BatchGetWorkflows", + "glue:GetWorkflows", "glue:GetTags"] resources = ["*"] } From fb67991f6a20644bbde618e75347d4cfb3d4558b Mon Sep 17 00:00:00 2001 From: ljohnny-git Date: Wed, 4 Dec 2024 15:29:55 -0800 Subject: [PATCH 2/2] feat: add permission for cognito-idp service (#114) Signed-off-by: ljohnny --- README.md | 6 +++++- main.tf | 10 ++++++++++ 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 342eadd..d10b05c 100644 --- a/README.md +++ b/README.md @@ -163,4 +163,8 @@ The audit policy is comprised of the following permissions: | | backup:DescribeProtectedResource | | | | backup:ListRecoveryPointsByResource | | | | backup:ListReportPlans | | -| | backup:ListRestoreJobs | | \ No newline at end of file +| | backup:ListRestoreJobs | | +| COGNITO-IDP | cognito-idp:GetSigningCertificate | | +| | cognito-idp:GetCSVHeader | | +| | cognito-idp:GetUserPoolMfaConfig | | +| | cognito-idp:GetUICustomization | | diff --git a/main.tf b/main.tf index fb9af4b..6267f8b 100644 --- a/main.tf +++ b/main.tf @@ -211,6 +211,16 @@ data "aws_iam_policy_document" "lacework_audit_policy" { ] resources = ["*"] } + + statement { + sid = "COGNITOIDP" + actions = ["cognito-idp:GetSigningCertificate", + "cognito-idp:GetCSVHeader", + "cognito-idp:GetUserPoolMfaConfig", + "cognito-idp:GetUICustomization", + ] + resources = ["*"] + } } resource "aws_iam_policy" "lacework_audit_policy" {
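Review bot: `glue:GetWorkflows` on the added line does not look like a documented Glue action — the documented read actions around it are `glue:GetWorkflow` (singular), `glue:BatchGetWorkflows` and `glue:ListWorkflows` — and IAM accepts an unknown action name under a valid service prefix without granting anything, so the audit role may gain no new capability from this change while the policy validator flags an invalid action. Confirm the name against the Service Authorization Reference; if the intent is to read individual workflow definitions the line should most likely be `"glue:GetWorkflow",`. The patch also touches only main.tf, whereas the README table of audit-policy permissions is where the other actions are listed, so a matching row such as `| | glue:GetWorkflow | |` under the GLUE group should accompany the change. The enclosing `data "aws_iam_policy_document" "lacework_audit_policy"` block starts before and ends after this hunk.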
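Review bot: The new `COGNITOIDP` statement grants four `cognito-idp:Get*` actions on `resources = ["*"]`, yet every one of them takes a user pool ID, so if the Service Authorization Reference confirms they accept the `userpool` resource type the statement can be narrowed to `resources = ["arn:aws:cognito-idp:*:*:userpool/*"]` with no loss of coverage across pools — the bare wildcard is only needed for list-style actions that have no resource. If the repository convention is to leave audit statements unscoped (the `GLUE` statement in the same document also uses `*`), a comment such as `# read-only user-pool metadata; "*" so every pool in the account is covered` would make that choice deliberate rather than accidental. The `sid` is `COGNITOIDP` while the README labels the group `COGNITO-IDP`; that difference is correct because IAM statement IDs must be alphanumeric, but a short comment saying so would stop a later "fix" from breaking the policy. This hunk closes the `data "aws_iam_policy_document"` block, whose start is outside the hunk, and the `resource "aws_iam_policy"` line that follows continues past its end.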