Add additional action permissions for Glue and Shield Advanced checks @…

…lazize * Add extra shield action permission Allows the shield:GetSubscriptionState action * Add permission actions Make sure all files where permission actions are necessary will have the same actions
prowler-cloud · Jan 20, 2022 · ed558c8 · ed558c8
1 parent d7b3606
commit ed558c8
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 7 deletions.
diff --git a/iam/create_role_to_assume_cfn.yaml b/iam/create_role_to_assume_cfn.yaml
@@ -62,5 +62,9 @@ Resources:
                 - 'tag:GetTagKeys'
                 - 'lambda:GetFunction'
                 - 'glue:GetConnections'
+                - 'glue:GetSecurityConfiguration'
+                - 'glue:SearchTables'
                 - 's3:GetAccountPublicAccessBlock'
+                - 'shield:GetSubscriptionState'
+                - 'shield:DescribeProtection'
               Resource: '*'
diff --git a/iam/prowler-additions-policy.json b/iam/prowler-additions-policy.json
@@ -8,8 +8,9 @@
                 "ecr:Describe*",
                 "support:Describe*",
                 "tag:GetTagKeys",
-		        "lambda:GetFunction",
+                "lambda:GetFunction",
                 "glue:GetConnections",
+                "glue:GetSecurityConfiguration",
                 "glue:SearchTables",
                 "s3:GetAccountPublicAccessBlock",
                 "shield:GetSubscriptionState",

diff --git a/util/codebuild/codebuild-prowler-audit-account-cfn.yaml b/util/codebuild/codebuild-prowler-audit-account-cfn.yaml
@@ -184,15 +184,16 @@ Resources:
             Version: '2012-10-17'
             Statement:
               - Action:
-                  - s3:GetAccountPublicAccessBlock
-                  - glue:GetConnections
-                  - glue:SearchTables
                   - ds:ListAuthorizedApplications
                   - ec2:GetEbsEncryptionByDefault
                   - ecr:Describe*
                   - support:Describe*
                   - tag:GetTagKeys
                   - lambda:GetFunction
+                  - glue:GetConnections
+                  - glue:GetSecurityConfiguration
+                  - glue:SearchTables
+                  - s3:GetAccountPublicAccessBlock
                   - shield:GetSubscriptionState
                   - shield:DescribeProtection
                 Effect: Allow

diff --git a/util/terraform-kickstarter/main.tf b/util/terraform-kickstarter/main.tf
@@ -311,15 +311,16 @@ resource "aws_iam_policy" "prowler_kickstarter_iam_policy" {
       },
       {
         Action =  [
-                  "s3:GetAccountPublicAccessBlock",
-                  "glue:GetConnections",
-                  "glue:SearchTables",
                   "ds:ListAuthorizedApplications",
                   "ec2:GetEbsEncryptionByDefault",
                   "ecr:Describe*",
                   "support:Describe*",
                   "tag:GetTagKeys",
                   "lambda:GetFunction",
+                  "glue:GetConnections",
+                  "glue:GetSecurityConfiguration",
+                  "glue:SearchTables",
+                  "s3:GetAccountPublicAccessBlock",
                   "shield:GetSubscriptionState",
                   "shield:DescribeProtection"
                   ]