From bb0ca4e4badc03c298535257e5cadd9b3abf1391 Mon Sep 17 00:00:00 2001
From: nightfury1204
Date: Tue, 7 Nov 2023 23:05:06 +0000
Subject: [PATCH] Restrict custom topic permission
Signed-off-by: nightfury1204
---
 provider/aws/formation/g1/app.json.tmpl | 41 ++++++++++++++++++-
 provider/aws/formation/rack.json | 40 +++++++++++++++++-
 .../lambda/formation/data/role-policy.json | 35 +++++++++++++++-
 3 files changed, 112 insertions(+), 4 deletions(-)
diff --git a/provider/aws/formation/g1/app.json.tmpl b/provider/aws/formation/g1/app.json.tmpl
index 115682bb67..ff8533b922 100644
--- a/provider/aws/formation/g1/app.json.tmpl
+++ b/provider/aws/formation/g1/app.json.tmpl
@@ -100,7 +100,46 @@
 "PolicyName": "Administrator",
 "PolicyDocument": {
 "Version": "2012-10-17",
- "Statement": [ { "Effect": "Allow", "Action": "*", "Resource": "*" } ]
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ecr:CreateRepository",
+ "ecr:DeleteRepository",
+ "ecs:UpdateService",
+ "ecs:DeleteService",
+ "ecs:RegisterTaskDefinition",
+ "ecs:DeregisterTaskDefinition",
+ "ecs:ListTasks",
+ "ec2:DeleteSubnet",
+ "ec2:CreateSubnet",
+ "ec2:DeleteNatGateway",
+ "ec2:DescribeNatGateways",
+ "ec2:DeleteRoute",
+ "ec2:DescribeSecurityGroups",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:RevokeSecurityGroupIngress",
+ "kms:CreateKey",
+ "kms:EnableKeyRotation",
+ "kms:DisableKey",
+ "kms:DisableKeyRotation",
+ "kms:DescribeKey",
+ "kms:ScheduleKeyDeletion",
+ "kms:EnableKey",
+ "s3:GetObject",
+ "sns:ListSubscriptions",
+ "sns:ListSubscriptionsByTopic",
+ "sns:Subscribe",
+ "sns:Unsubscribe",
+ "ssm:PutParameter",
+ "ssm:DeleteParameter",
+ "ssm:DeleteParameters",
+ "ssm:GetParameter",
+ "sqs:*"
+ ],
+ "Resource": "*"
+ }
+ ]
 }
 }
 ]
diff --git a/provider/aws/formation/rack.json b/provider/aws/formation/rack.json
index 2cba17a470..331ea3c0a6 100644
--- a/provider/aws/formation/rack.json
+++ b/provider/aws/formation/rack.json
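Review bot: The new Allow statement still carries `"Resource": "*"` for every action and keeps `sqs:*` as a service-wide wildcard, so the commit narrows which APIs the role may call but not which resources it may touch; as far as this policy is concerned the destructive entries (`kms:ScheduleKeyDeletion`, `ec2:DeleteSubnet`, `ecs:DeleteService`) remain usable against any resource in the account. Where the target is known at template time (the rack's own key, subnets and services) an ARN or a condition key would scope them, with `kms:CreateKey` being the known exception that requires `*`. The identical 32-entry list is pasted into rack.json and role-policy.json in the next two hunks, so any future tightening must be repeated three times and the copies will drift silently. The statement also sits under `"PolicyName": "Administrator"`, which no longer describes it; adding a statement id such as `"Sid": "CustomTopicPermissions"` (constructed name) records the intent without renaming the policy. The enclosing Policies/Role resource begins before the hunk.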
@@ -1056,8 +1056,44 @@
 "PolicyDocument": {
 "Version": "2012-10-17",
 "Statement": [
- { "Effect": "Allow", "Action": "*", "Resource": "*" },
- { "Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*" }
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ecr:CreateRepository",
+ "ecr:DeleteRepository",
+ "ecs:UpdateService",
+ "ecs:DeleteService",
+ "ecs:RegisterTaskDefinition",
+ "ecs:DeregisterTaskDefinition",
+ "ecs:ListTasks",
+ "ec2:DeleteSubnet",
+ "ec2:CreateSubnet",
+ "ec2:DeleteNatGateway",
+ "ec2:DescribeNatGateways",
+ "ec2:DeleteRoute",
+ "ec2:DescribeSecurityGroups",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:RevokeSecurityGroupIngress",
+ "kms:CreateKey",
+ "kms:EnableKeyRotation",
+ "kms:DisableKey",
+ "kms:DisableKeyRotation",
+ "kms:DescribeKey",
+ "kms:ScheduleKeyDeletion",
+ "kms:EnableKey",
+ "s3:GetObject",
+ "sns:ListSubscriptions",
+ "sns:ListSubscriptionsByTopic",
+ "sns:Subscribe",
+ "sns:Unsubscribe",
+ "ssm:PutParameter",
+ "ssm:DeleteParameter",
+ "ssm:DeleteParameters",
+ "ssm:GetParameter",
+ "sqs:*"
+ ],
+ "Resource": "*"
+ }
 ]
 }
 }
diff --git a/provider/aws/lambda/formation/data/role-policy.json b/provider/aws/lambda/formation/data/role-policy.json
index 12bf2188f9..3cda315158 100644
--- a/provider/aws/lambda/formation/data/role-policy.json
+++ b/provider/aws/lambda/formation/data/role-policy.json
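Review bot: The explicit `{ "Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*" }` statement is removed together with the old `Action: "*"` Allow, and nothing in the new list replaces it. Dropping it is only equivalent if no other policy attached to this role grants s3 writes: an explicit Deny overrides Allows from every other attached policy, whereas an action merely absent from this list does not. Unless the role's other attachments were checked, keep the Deny as a second statement after the new Allow block, i.e. `}, { "Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*" }` before the closing `]`. The enclosing Role resource begins before the hunk.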
@@ -3,7 +3,40 @@
 "Statement": [
 {
 "Effect": "Allow",
- "Action": "*",
+ "Action": [
+ "ecr:CreateRepository",
+ "ecr:DeleteRepository",
+ "ecs:UpdateService",
+ "ecs:DeleteService",
+ "ecs:RegisterTaskDefinition",
+ "ecs:DeregisterTaskDefinition",
+ "ecs:ListTasks",
+ "ec2:DeleteSubnet",
+ "ec2:CreateSubnet",
+ "ec2:DeleteNatGateway",
+ "ec2:DescribeNatGateways",
+ "ec2:DeleteRoute",
+ "ec2:DescribeSecurityGroups",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:RevokeSecurityGroupIngress",
+ "kms:CreateKey",
+ "kms:EnableKeyRotation",
+ "kms:DisableKey",
+ "kms:DisableKeyRotation",
+ "kms:DescribeKey",
+ "kms:ScheduleKeyDeletion",
+ "kms:EnableKey",
+ "s3:GetObject",
+ "sns:ListSubscriptions",
+ "sns:ListSubscriptionsByTopic",
+ "sns:Subscribe",
+ "sns:Unsubscribe",
+ "ssm:PutParameter",
+ "ssm:DeleteParameter",
+ "ssm:DeleteParameters",
+ "ssm:GetParameter",
+ "sqs:*"
+ ],
 "Resource": "*"
 }
 ]
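Review bot: The new action list carries no `logs:` entries, so if this document is the policy attached to the formation Lambda's execution role and the function previously relied on `Action: "*"` for `logs:CreateLogGroup`, `logs:CreateLogStream` and `logs:PutLogEvents`, its CloudWatch logging stops after this change unless a managed logging policy is attached elsewhere — this needs confirming against the role definition, which is outside this file. Losing those logs would also remove the main audit trail for the destructive actions the list still permits. The resource-scoping and three-way duplication points raised on the app.json.tmpl hunk apply to this copy unchanged. The document's `Version` line precedes the hunk; the statement object itself opens within it.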