Merge pull request #462 from lauravaesken/fix-lambda-panda-policy

Fix: Add Lambda ListTags permission
aws-samples · Feb 15, 2025 · 79a4315 · 79a4315
2 parents 5007653 + 9853781
commit 79a4315
Show file tree

Hide file tree

Showing 5 changed files with 6 additions and 1 deletion.
diff --git a/deployment/siem-on-amazon-opensearch-service-china.template b/deployment/siem-on-amazon-opensearch-service-china.template
@@ -1409,6 +1409,7 @@ Resources:
               - Action:
                   - lambda:UpdateFunctionConfiguration
                   - lambda:GetFunction
+                  - lambda:ListTags
                 Effect: Allow
                 Resource: !GetAtt 'LambdaEsLoader4B1E2DD9.Arn'
               - Action: lambda:PublishLayerVersion

diff --git a/deployment/siem-on-amazon-opensearch-service-no-alb-account.template b/deployment/siem-on-amazon-opensearch-service-no-alb-account.template
@@ -1406,6 +1406,7 @@ Resources:
               - Action:
                   - lambda:UpdateFunctionConfiguration
                   - lambda:GetFunction
+                  - lambda:ListTags
                 Effect: Allow
                 Resource: !GetAtt 'LambdaEsLoader4B1E2DD9.Arn'
               - Action: lambda:PublishLayerVersion

diff --git a/deployment/siem-on-amazon-opensearch-service-usgov.template b/deployment/siem-on-amazon-opensearch-service-usgov.template
@@ -1409,6 +1409,7 @@ Resources:
               - Action:
                   - lambda:UpdateFunctionConfiguration
                   - lambda:GetFunction
+                  - lambda:ListTags
                 Effect: Allow
                 Resource: !GetAtt 'LambdaEsLoader4B1E2DD9.Arn'
               - Action: lambda:PublishLayerVersion

diff --git a/deployment/siem-on-amazon-opensearch-service.template b/deployment/siem-on-amazon-opensearch-service.template
@@ -1409,6 +1409,7 @@ Resources:
               - Action:
                   - lambda:UpdateFunctionConfiguration
                   - lambda:GetFunction
+                  - lambda:ListTags
                 Effect: Allow
                 Resource: !GetAtt 'LambdaEsLoader4B1E2DD9.Arn'
               - Action: lambda:PublishLayerVersion

diff --git a/source/cdk/mysiem/helper_lambda_functions.py b/source/cdk/mysiem/helper_lambda_functions.py
@@ -63,7 +63,8 @@ def create_lambda_add_pandas_layer(self):
                     statements=[
                         aws_iam.PolicyStatement(
                             actions=['lambda:UpdateFunctionConfiguration',
-                                     'lambda:GetFunction'],
+                                     'lambda:GetFunction',
+                                     'lambda:ListTags'],
                             resources=[self.lambda_es_loader.function_arn]),
                         aws_iam.PolicyStatement(
                             actions=['lambda:PublishLayerVersion'],