Update policy.json

[professorabhay]

fix-issue(#852)

[professorabhay]

Hey @ShubhamPalriwala, You can test the policy now.
Let me know the result after you test it out.
https://github.com/professorabhay/komiser/blob/fix-issue(%23852)-IAM-POLICY/policy.json

[ShubhamPalriwala]

Hey @professorabhay, I took a quick glance and do not remember seeing a ListBuckets action in AWS? Can you confirm that please? I think it was something like ListAllMyBuckets?

And have you verified that this covers all the resources we fetch?

[professorabhay]

Hey @ShubhamPalriwala, I take a look to the original \policy.json file and didn't find any ListAllMyBuckets action.
But here it will work fine.

[professorabhay]

@ShubhamPalriwala On the official documentation https://docs.komiser.io/docs/cloud-providers/aws I found that.
These are the resources which is supported.
Are you talking about them ??
If it it then let me know I'll make new commit asap !!
Thank-you

[ShubhamPalriwala]

Hey @professorabhay, yes, the docs should mostly cover all the resources we support, additionally just take a look here https://github.com/tailwarden/komiser/tree/develop/providers/aws and see if there is anything missing in the docs that is present here!

[mlabouardy]

Thanks for the PR @professorabhay but there are a couple of permissions missing such as:
cloudfront:ListTagsForResource
As mentioned by @ShubhamPalriwala I recommend you go through the supported services here https://github.com/tailwarden/komiser/tree/develop/providers/aws and add the missing permissions to the JSON file.

[professorabhay]

Hey @mlabouardy, Thanks for review.
I am still working it. I just look deeply into it and creating policy from scratch. I'll commit changes again.

[ShubhamPalriwala]

@professorabhay, let me know if you need any help here

[professorabhay]

@ShubhamPalriwala, No need for now.
I'm just busy with my exams. So, I'll commit changes asap.

[professorabhay]

hey @ShubhamPalriwala, I make changes.
please test it and let me know if it give error.

[ShubhamPalriwala]

Hey @professorabhay, I just tried to validate it and faced the following errors:

To reproduce it,

• Login to the AWS Console
• Look for IAM
• Look for Creating Policies
• Look for a JSON button
• Now copy paste your policy and you should be able to see the 3 errors.

PS: The above does not require any AWS credits so should be doable as well easily! Let me know if you need any help with it

[mlabouardy]

Hey @professorabhay, I just tried to validate it and faced the following errors:

To reproduce it,

• Login to the AWS Console
• Look for IAM
• Look for Creating Policies
• Look for a JSON button
• Now copy paste your policy and you should be able to see the 3 errors.

PS: The above does not require any AWS credits so should be doable as well easily! Let me know if you need any help with it

Any update on this @professorabhay ?

[professorabhay]

I will make changes by the end of this week

[ShubhamPalriwala]

Hey @professorabhay can we plan this for the next release ie sometime this week?

[professorabhay]

Hai @ShubhamPalriwala, Kindly take a look

[ShubhamPalriwala]

Hey @professorabhay, apologies for the delay in review! I can still see some errors:

Was it working for you in your AWS IAM account?

[AvineshTripathi]

Hey @professorabhay I still see error in the policy

Is there anything we can help you get this PR merged?

[professorabhay]

Hey @AvineshTripathi, I'll be great that you can help me. I gave it a try while learning but it's way more difficult to solve.
Looking forward to resolve it asap under your guidance!!

[AvineshTripathi]

Here is the one I generated without error

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "1",
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "elasticloadbalancing:Describe*",
        "autoscaling:Describe*",
        "s3:ListBucket",
        "s3:GetObject",
        "ecs:List*",
        "ce:GetCostAndUsage",
        "ce:GetCostForecast",
        "dynamodb:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "2",
      "Effect": "Allow",
      "Action": [
        "lambda:List*",
        "dynamodb:List*",
        "cloudfront:List*",
        "iam:List*",
        "ecs:Describe*",
        "glacier:List*",
        "sqs:List*",
        "route53:List*",
        "sns:List*",
        "s3:Get*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "3",
      "Effect": "Allow",
      "Action": [
        "acm:List*",
        "mq:List*",
        "cloudwatch:Get*",
        "cloudtrail:LookupEvents",
        "datapipeline:List*",
        "eks:List*",
        "elasticache:Describe*",
        "es:List*",
        "logs:Describe*",
        "rds:Describe*",
        "cloudwatch:Describe*",
        "apigateway:GET",
        "cloudwatch:List*",
        "dynamodb:List*",
        "ec2:Describe*",
        "ecr:Describe*",
        "ecs:Describe*",
        "eks:Describe*",
        "elasticache:List*",
        "elasticloadbalancing:Describe*",
        "iam:List*",
        "kinesis:List*",
        "kms:List*",
        "lambda:List*",
        "rds:Describe*",
        "s3:List*",
        "servicecatalog:List*",
        "sns:List*",
        "sqs:List*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "4",
      "Effect": "Allow",
      "Action": [
        "glue:Get*",
        "organizations:Describe*",
        "iam:Get*",
        "kinesis:List*",
        "kms:List*",
        "kms:Describe*",
        "redshift:Describe*",
        "tag:Get*",
        "route53:List*",
        "support:Describe*",
        "swf:List*",
        "config:BatchGetResourceConfig"
      ],
      "Resource": "*"
    },
    {
      "Sid": "5",
      "Effect": "Allow",
      "Action": [
        "sns:List*",
        "lambda:List*",
        "kms:List*",
        "pricing:GetProducts",
        "ecr:Describe*",
        "rds:Describe*",
        "elasticache:List*",
        "eks:Describe*",
        "elasticloadbalancing:DescribeTags"
      ],
      "Resource": "*"
    }
  ]
}

cc @mlabouardy @ShubhamPalriwala for review

[mlabouardy]

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "1",
"Effect": "Allow",
"Action": [
"ec2:Describe*",
"elasticloadbalancing:Describe*",
"autoscaling:Describe*",
"s3:ListBucket",
"s3:GetObject",
"ecs:List*",
"ce:GetCostAndUsage",
"ce:GetCostForecast",
"dynamodb:Describe*"
],
"Resource": ""
},
{
"Sid": "2",
"Effect": "Allow",
"Action": [
"lambda:List",
"dynamodb:List*",
"cloudfront:List*",
"iam:List*",
"ecs:Describe*",
"glacier:List*",
"sqs:List*",
"route53:List*",
"sns:List*",
"s3:Get*"
],
"Resource": ""
},
{
"Sid": "3",
"Effect": "Allow",
"Action": [
"acm:List",
"mq:List*",
"cloudwatch:Get*",
"cloudtrail:LookupEvents",
"datapipeline:List*",
"eks:List*",
"elasticache:Describe*",
"es:List*",
"logs:Describe*",
"rds:Describe*",
"cloudwatch:Describe*",
"apigateway:GET",
"cloudwatch:List*",
"dynamodb:List*",
"ec2:Describe*",
"ecr:Describe*",
"ecs:Describe*",
"eks:Describe*",
"elasticache:List*",
"elasticloadbalancing:Describe*",
"iam:List*",
"kinesis:List*",
"kms:List*",
"lambda:List*",
"rds:Describe*",
"s3:List*",
"servicecatalog:List*",
"sns:List*",
"sqs:List*"
],
"Resource": ""
},
{
"Sid": "4",
"Effect": "Allow",
"Action": [
"glue:Get",
"organizations:Describe*",
"iam:Get*",
"kinesis:List*",
"kms:List*",
"kms:Describe*",
"redshift:Describe*",
"tag:Get*",
"route53:List*",
"support:Describe*",
"swf:List*",
"config:BatchGetResourceConfig"
],
"Resource": ""
},
{
"Sid": "5",
"Effect": "Allow",
"Action": [
"sns:List",
"lambda:List*",
"kms:List*",
"pricing:GetProducts",
"ecr:Describe*",
"rds:Describe*",
"elasticache:List*",
"eks:Describe*",
"elasticloadbalancing:DescribeTags"
],
"Resource": "*"
}
]
}

thanks Avinesh, I noticed that some permissions are duplicated for example:
"s3:ListBucket",
"s3:GetObject"
with:
"s3:Get*"
"s3:List*"

could you merge them? :)

[AvineshTripathi]

Any reason why we are using multiplee statement inplace of single, is there a best practice we should follow? Also Should I close the PR and create a new one with all the resources(only supported one's as currently there are many *)? @mlabouardy

[mlabouardy]

Any reason why we are using multiplee statement inplace of single, is there a best practice we should follow? Also Should I close the PR and create a new one with all the resources(only supported one's as currently there are many *)? @mlabouardy

not sure I got it :) Are you referring to "s3:Get*" and "s3:List*" operations?
yes please, lets create a new PR :)

[AvineshTripathi]

@professorabhay if it is Okay for you can I close thiis PR and create a new one to get changes fast and also I can add you as co-author if you want

[professorabhay]

Sure @AvineshTripathi !