Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: add missing actions to policy.json #1315

Merged
merged 5 commits into from
Jan 9, 2024
Merged

fix: add missing actions to policy.json #1315

merged 5 commits into from
Jan 9, 2024

Conversation

roblambell
Copy link
Contributor

Problem

Actions missing from the recommended komiser policy

Solution

Add required actions to the policy (using https://aws.permissions.cloud/ as IAM <> API reference)

Changes Made

  • Updated policy.json

How to Test

Run komiser with the recommended policy and an AWS environment with affected resource.

Checklist

  • Code follows the contributing guidelines
  • Changes have been thoroughly tested
  • Documentation has been updated, if necessary
  • Any dependencies have been added to the project, if necessary

github-actions[bot]
github-actions bot reviewed Jan 8, 2024
View reviewed changes
Copy link

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey, thank you for opening your Pull Request ! 🙂 While a Tailwarden team member takes a look at your PR we would like to invite you to join our official Discord server, where you can interact directly with other contributors and Tailwarden team members. Link here: https://discord.tailwarden.com

roblambell
roblambell commented Jan 8, 2024
View reviewed changes
policy.json
@@ -14,6 +19,7 @@
"cloudwatch:ListTagsForResource",
"cloudwatch:ListDashboards",
"cloudwatch:ListMetricStreams",
"dynamodb:DescribeTable",
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

since #1111

roblambell
roblambell commented Jan 8, 2024
View reviewed changes
policy.json
@@ -83,11 +90,12 @@
"elasticfilesystem:DescribeFileSystems",
"elasticfilesystem:ListTagsForResource",
"iam:ListInstanceProfileTags",
"lambda:ListEventSourceMappings",
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

since #1040

roblambell
roblambell commented Jan 8, 2024
View reviewed changes
policy.json
@@ -55,6 +61,7 @@
"iam:ListRoles",
"iam:ListSAMLProviders",
"iam:ListSAMLProviderTags",
"iam:ListUsers",
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

since #991

roblambell
roblambell commented Jan 8, 2024
View reviewed changes
policy.json
@@ -6,6 +6,11 @@
"Effect": "Allow",
"Action": [
"apigateway:GET",
"codecommit:ListRepositories",
"codecommit:ListTagsForResource",
"codebuild:ListProjects",
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

since #1216

roblambell
roblambell commented Jan 8, 2024
View reviewed changes
policy.json
@@ -6,6 +6,11 @@
"Effect": "Allow",
"Action": [
"apigateway:GET",
"codecommit:ListRepositories",
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

since #1229

roblambell
roblambell commented Jan 8, 2024
View reviewed changes
policy.json
"codecommit:ListRepositories",
"codecommit:ListTagsForResource",
"codebuild:ListProjects",
"codedeploy:ListApplications",
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

since #1228

roblambell
roblambell commented Jan 8, 2024
View reviewed changes
policy.json
"lambda:ListFunctions",
"lambda:ListTags",
"es:ListDomainNames",
"es:DescribeDomains",
"s3:ListBucket"
Copy link
Contributor Author

@roblambell roblambell Jan 8, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This permission is for listing objects/contents of a bucket - AFAIK we don't need it

Grants permission to list some or all of the objects in an Amazon S3 bucket (up to 1000).

https://aws.permissions.cloud/iam/s3#s3-ListBucket

roblambell
roblambell commented Jan 8, 2024
View reviewed changes
policy.json
"lambda:ListFunctions",
"lambda:ListTags",
"es:ListDomainNames",
"es:DescribeDomains",
"s3:ListBucket"
"s3:ListAllMyBuckets"
Copy link
Contributor Author

@roblambell roblambell Jan 8, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This permission is required for the S3.ListBuckets API method we're using

list all buckets owned by the authenticated sender of the request

https://aws.permissions.cloud/api/s3#S3_ListBuckets

@roblambell roblambell marked this pull request as ready for review January 8, 2024 21:10
@Azanul Azanul merged commit 45b8e3e into tailwarden:develop Jan 9, 2024
4 checks passed
@roblambell roblambell deleted the patch-1 branch January 9, 2024 12:40
Azanul pushed a commit that referenced this pull request Jan 9, 2024
@roblambell @Azanul
fix: add missing actions to policy.json (#1315)
ab4b991 
* feat: add missing dynamodb action to policy.json

describe table has been needed since #1111

* feat: add missing lambda action to policy.json

list event source mappings has been needed since #1040

* feat: add missing iam action to policy.json

list users has been needed since #991

* fix: correct s3 permission for list buckets api call

listbucket iam action is for the contents of a bucket

* feat: add missing code suite actions to policy.json

needed since #1216, #1229, and #1228
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@github-actions github-actions[bot] github-actions[bot] left review comments

@Azanul Azanul Azanul approved these changes

@AvineshTripathi AvineshTripathi AvineshTripathi approved these changes

@mlabouardy mlabouardy Awaiting requested review from mlabouardy mlabouardy is a code owner

@ShubhamPalriwala ShubhamPalriwala Awaiting requested review from ShubhamPalriwala

@greghub greghub Awaiting requested review from greghub

@Traxmaxx Traxmaxx Awaiting requested review from Traxmaxx

@jakepage91 jakepage91 Awaiting requested review from jakepage91

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@roblambell @Azanul @AvineshTripathi