Restrict custom topic permission

Signed-off-by: nightfury1204 <[email protected]>
convox · Nov 7, 2023 · bb0ca4e · bb0ca4e
1 parent 23a3e9b
commit bb0ca4e
Show file tree

Hide file tree

Showing 3 changed files with 112 additions and 4 deletions.
diff --git a/provider/aws/formation/g1/app.json.tmpl b/provider/aws/formation/g1/app.json.tmpl
@@ -100,7 +100,46 @@
             "PolicyName": "Administrator",
             "PolicyDocument": {
               "Version": "2012-10-17",
-              "Statement": [ { "Effect": "Allow", "Action": "*", "Resource": "*" } ]
+              "Statement": [
+                {
+                  "Effect": "Allow",
+                  "Action": [
+                    "ecr:CreateRepository",
+                    "ecr:DeleteRepository",
+                    "ecs:UpdateService",
+                    "ecs:DeleteService",
+                    "ecs:RegisterTaskDefinition",
+                    "ecs:DeregisterTaskDefinition",
+                    "ecs:ListTasks",
+                    "ec2:DeleteSubnet",
+                    "ec2:CreateSubnet",
+                    "ec2:DeleteNatGateway",
+                    "ec2:DescribeNatGateways",
+                    "ec2:DeleteRoute",
+                    "ec2:DescribeSecurityGroups",
+                    "ec2:AuthorizeSecurityGroupIngress",
+                    "ec2:RevokeSecurityGroupIngress",
+                    "kms:CreateKey",
+                    "kms:EnableKeyRotation",
+                    "kms:DisableKey",
+                    "kms:DisableKeyRotation",
+                    "kms:DescribeKey",
+                    "kms:ScheduleKeyDeletion",
+                    "kms:EnableKey",
+                    "s3:GetObject",
+                    "sns:ListSubscriptions",
+                    "sns:ListSubscriptionsByTopic",
+                    "sns:Subscribe",
+                    "sns:Unsubscribe",
+                    "ssm:PutParameter",
+                    "ssm:DeleteParameter",
+                    "ssm:DeleteParameters",
+                    "ssm:GetParameter",
+                    "sqs:*"
+                  ],
+                  "Resource": "*"
+                }
+              ]
             }
           }
         ]

diff --git a/provider/aws/formation/rack.json b/provider/aws/formation/rack.json
@@ -1056,8 +1056,44 @@
             "PolicyDocument": {
               "Version": "2012-10-17",
               "Statement": [
-                { "Effect": "Allow", "Action": "*", "Resource": "*" },
-                { "Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*" }
+                {
+                  "Effect": "Allow",
+                  "Action": [
+                    "ecr:CreateRepository",
+                    "ecr:DeleteRepository",
+                    "ecs:UpdateService",
+                    "ecs:DeleteService",
+                    "ecs:RegisterTaskDefinition",
+                    "ecs:DeregisterTaskDefinition",
+                    "ecs:ListTasks",
+                    "ec2:DeleteSubnet",
+                    "ec2:CreateSubnet",
+                    "ec2:DeleteNatGateway",
+                    "ec2:DescribeNatGateways",
+                    "ec2:DeleteRoute",
+                    "ec2:DescribeSecurityGroups",
+                    "ec2:AuthorizeSecurityGroupIngress",
+                    "ec2:RevokeSecurityGroupIngress",
+                    "kms:CreateKey",
+                    "kms:EnableKeyRotation",
+                    "kms:DisableKey",
+                    "kms:DisableKeyRotation",
+                    "kms:DescribeKey",
+                    "kms:ScheduleKeyDeletion",
+                    "kms:EnableKey",
+                    "s3:GetObject",
+                    "sns:ListSubscriptions",
+                    "sns:ListSubscriptionsByTopic",
+                    "sns:Subscribe",
+                    "sns:Unsubscribe",
+                    "ssm:PutParameter",
+                    "ssm:DeleteParameter",
+                    "ssm:DeleteParameters",
+                    "ssm:GetParameter",
+                    "sqs:*"
+                  ],
+                  "Resource": "*"
+                }
               ]
             }
           }

diff --git a/provider/aws/lambda/formation/data/role-policy.json b/provider/aws/lambda/formation/data/role-policy.json
@@ -3,7 +3,40 @@
   "Statement": [
     {
       "Effect": "Allow",
-      "Action": "*",
+      "Action": [
+				"ecr:CreateRepository",
+				"ecr:DeleteRepository",
+				"ecs:UpdateService",
+				"ecs:DeleteService",
+				"ecs:RegisterTaskDefinition",
+				"ecs:DeregisterTaskDefinition",
+				"ecs:ListTasks",
+				"ec2:DeleteSubnet",
+				"ec2:CreateSubnet",
+				"ec2:DeleteNatGateway",
+				"ec2:DescribeNatGateways",
+				"ec2:DeleteRoute",
+				"ec2:DescribeSecurityGroups",
+				"ec2:AuthorizeSecurityGroupIngress",
+				"ec2:RevokeSecurityGroupIngress",
+				"kms:CreateKey",
+				"kms:EnableKeyRotation",
+				"kms:DisableKey",
+				"kms:DisableKeyRotation",
+				"kms:DescribeKey",
+				"kms:ScheduleKeyDeletion",
+				"kms:EnableKey",
+				"s3:GetObject",
+				"sns:ListSubscriptions",
+				"sns:ListSubscriptionsByTopic",
+				"sns:Subscribe",
+				"sns:Unsubscribe",
+				"ssm:PutParameter",
+				"ssm:DeleteParameter",
+				"ssm:DeleteParameters",
+				"ssm:GetParameter",
+				"sqs:*"
+      ],
       "Resource": "*"
     }
   ]