From 4f1ea4cef242640195e42089a5616a34efd32e4f Mon Sep 17 00:00:00 2001
From: Markus Bergholz
Date: Thu, 23 May 2024 08:47:31 +0200
Subject: [PATCH 1/4] add
---
 aws/policy/security-services.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/aws/policy/security-services.yaml b/aws/policy/security-services.yaml
index 29d58a7..251cb2c 100644
--- a/aws/policy/security-services.yaml
+++ b/aws/policy/security-services.yaml
@@ -106,6 +106,7 @@ Statement:
 - secretsmanager:PutResourcePolicy
 - secretsmanager:DeleteResourcePolicy
 - secretsmanager:RemoveRegionsFromReplication
+ - secretsmanager:GetRandomPassword
 Resource:
 - 'arn:aws:iam::{{ aws_account_id }}:server-certificate/ansible-test-*'
 - 'arn:aws:secretsmanager:{{ aws_region }}:{{ aws_account_id }}:secret:ansible-test*'
From 1c4784aeed38e95552962cb69368a50cc31935da Mon Sep 17 00:00:00 2001
From: Markus Bergholz
Date: Fri, 24 May 2024 08:31:14 +0200
Subject: [PATCH 2/4] reduce two kms disable actions to wildcard Disable*
---
 aws/policy/security-services.yaml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/aws/policy/security-services.yaml b/aws/policy/security-services.yaml
index 251cb2c..c79df90 100644
--- a/aws/policy/security-services.yaml
+++ b/aws/policy/security-services.yaml
@@ -73,8 +73,7 @@ Statement:
 - kms:CreateGrant
 - kms:DeleteAlias
 - kms:Describe*
- - kms:DisableKey
- - kms:DisableKeyRotation
+ - kms:Disable*
 - kms:EnableKey
 - kms:EnableKeyRotation
 - kms:Get*
From 2d86a64ac30ff6d2c192fe2d5184dad9162065e9 Mon Sep 17 00:00:00 2001
From: Markus Bergholz
Date: Tue, 28 May 2024 19:33:43 +0200
Subject: [PATCH 3/4] fixed
---
 aws/policy/security-services.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/aws/policy/security-services.yaml b/aws/policy/security-services.yaml
index c79df90..f8955d5 100644
--- a/aws/policy/security-services.yaml
+++ b/aws/policy/security-services.yaml
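Review bot: `kms:Disable*` in the [PATCH 2/4] hunk is a prefix wildcard on a mutating action family, so the statement now also grants any Disable-prefixed KMS action introduced in the future, whereas the two explicit lines it replaces granted exactly DisableKey and DisableKeyRotation. The wildcards already present in this statement (`kms:Describe*`, `kms:Get*`) are read-only and a different risk class; disabling a key or its rotation is disruptive for every workload that depends on that key, so the explicit pair documented the grant more precisely. If the shorter form is kept, a comment recording the intended expansion would let the next reviewer audit it, e.g. `# Disable* currently stands for DisableKey and DisableKeyRotation; re-check when KMS adds actions`. The Sid and Resource of the enclosing statement lie outside the hunk, so whether this grant is scoped to test keys cannot be confirmed from here.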
@@ -88,6 +88,7 @@ Statement:
 - logs:List*
 - secretsmanager:Describe*
 - secretsmanager:List*
+ - secretsmanager:GetRandomPassword
 Resource: "*"
 - Sid: AllowGlobalRestrictedResourceActionsWhichIncurFees
@@ -105,7 +106,6 @@ Statement:
 - secretsmanager:PutResourcePolicy
 - secretsmanager:DeleteResourcePolicy
 - secretsmanager:RemoveRegionsFromReplication
- - secretsmanager:GetRandomPassword
 Resource:
 - 'arn:aws:iam::{{ aws_account_id }}:server-certificate/ansible-test-*'
 - 'arn:aws:secretsmanager:{{ aws_region }}:{{ aws_account_id }}:secret:ansible-test*'
From 659160dbdb9922175d76aa9eb90f4b53c2431146 Mon Sep 17 00:00:00 2001
From: Markus Bergholz
Date: Wed, 29 May 2024 07:07:42 +0200
Subject: [PATCH 4/4] sort
---
 aws/policy/security-services.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/aws/policy/security-services.yaml b/aws/policy/security-services.yaml
index f8955d5..679bdb2 100644
--- a/aws/policy/security-services.yaml
+++ b/aws/policy/security-services.yaml
@@ -87,8 +87,8 @@ Statement:
 - kms:UpdateKeyDescription
 - logs:List*
 - secretsmanager:Describe*
- - secretsmanager:List*
 - secretsmanager:GetRandomPassword
+ - secretsmanager:List*
 Resource: "*"
 - Sid: AllowGlobalRestrictedResourceActionsWhichIncurFees