POL-1337 Fix AWS Untagged Resources README and Policy Permission CFT (#…

…2609) * update * fix * update * fix * update * fix * update * update * update
flexera-public · Sep 5, 2024 · a6948c8 · a6948c8
1 parent 798eaad
commit a6948c8
Show file tree

Hide file tree

Showing 6 changed files with 1,112 additions and 40 deletions.
diff --git a/.spellignore b/.spellignore
@@ -564,3 +564,4 @@ SCP
 USD
 EUR
 CCO
+untagged
diff --git a/compliance/aws/untagged_resources/README.md b/compliance/aws/untagged_resources/README.md
@@ -48,12 +48,9 @@ This Policy Template uses [Credentials](https://docs.flexera.com/flexera/EN/Auto
 
 - [**AWS Credential**](https://docs.flexera.com/flexera/EN/Automation/ProviderCredentials.htm#automationadmin_1982464505_1121575) (*provider=aws*) which has the following permissions:
   - `sts:GetCallerIdentity`
-  - `config:TagResource`
   - `ec2:DescribeRegions`
   - `tag:GetResources`
-  - `ec2:CreateTags`*
   - `tag:TagResources`*
-  - `rds:AddTagsToResources`*
 
   \* Only required for taking action (adding tags); the policy will still function in a read-only capacity without these permissions.
 
@@ -67,12 +64,9 @@ This Policy Template uses [Credentials](https://docs.flexera.com/flexera/EN/Auto
               "Effect": "Allow",
               "Action": [
                   "sts:GetCallerIdentity",
-                  "config:TagResource",
                   "ec2:DescribeRegions",
                   "tag:GetResources",
-                  "ec2:CreateTags",
-                  "tag:TagResources",
-                  "rds:AddTagsToResource"
+                  "tag:TagResources"
               ],
               "Resource": "*"
           }

diff --git a/data/policy_permissions_list/master_policy_permissions_list.json b/data/policy_permissions_list/master_policy_permissions_list.json
@@ -605,11 +605,6 @@
               "read_only": true,
               "required": true
             },
-            {
-              "name": "config:TagResource",
-              "read_only": true,
-              "required": true
-            },
             {
               "name": "ec2:DescribeRegions",
               "read_only": true,
@@ -620,23 +615,11 @@
               "read_only": true,
               "required": true
             },
-            {
-              "name": "ec2:CreateTags",
-              "read_only": false,
-              "required": false,
-              "description": "Only required for taking action (adding tags); the policy will still function in a read-only capacity without these permissions."
-            },
             {
               "name": "tag:TagResources",
               "read_only": false,
               "required": false,
               "description": "Only required for taking action (adding tags); the policy will still function in a read-only capacity without these permissions."
-            },
-            {
-              "name": "rds:AddTagsToResources",
-              "read_only": false,
-              "required": false,
-              "description": "Only required for taking action (adding tags); the policy will still function in a read-only capacity without these permissions."
             }
           ]
         },

diff --git a/data/policy_permissions_list/master_policy_permissions_list.yaml b/data/policy_permissions_list/master_policy_permissions_list.yaml
@@ -349,30 +349,17 @@
     - name: sts:GetCallerIdentity
       read_only: true
       required: true
-    - name: config:TagResource
-      read_only: true
-      required: true
     - name: ec2:DescribeRegions
       read_only: true
       required: true
     - name: tag:GetResources
       read_only: true
       required: true
-    - name: ec2:CreateTags
-      read_only: false
-      required: false
-      description: Only required for taking action (adding tags); the policy will
-        still function in a read-only capacity without these permissions.
     - name: tag:TagResources
       read_only: false
       required: false
       description: Only required for taking action (adding tags); the policy will
         still function in a read-only capacity without these permissions.
-    - name: rds:AddTagsToResources
-      read_only: false
-      required: false
-      description: Only required for taking action (adding tags); the policy will
-        still function in a read-only capacity without these permissions.
   - :name: flexera
     :permissions:
     - name: billing_center_viewer

diff --git a/tools/cloudformation-template/FlexeraAutomationPolicies.template b/tools/cloudformation-template/FlexeraAutomationPolicies.template
@@ -534,13 +534,10 @@ Mappings:
     AWSUntaggedResources:
       read:
         - "sts:GetCallerIdentity"
-        - "config:TagResource"
         - "ec2:DescribeRegions"
         - "tag:GetResources"
       action:
-        - "ec2:CreateTags"
         - "tag:TagResources"
-        - "rds:AddTagsToResources"
     # End for each policy template
-Original file line number
+Diff line change
@@ Expand Up / @@ -564,3 +564,4 @@ SCP @@
     USD
     EUR
     CCO
+    untagged