From c2a292604cf6d0cf1be01a28ba5fac9435cfda7b Mon Sep 17 00:00:00 2001 
From: James Woolfenden
Date: Mon, 27 Jan 2025 16:49:29 +0000
Subject: [PATCH] log permissions
---
 src/aws.go | 5 +
 src/coverage/aws.md | 7 +-
 src/files.go | 15 +++
 .../aws_cloudwatch_log_anomaly_detector.json | 16 +++
 .../logs/aws_cloudwatch_log_delivery.json | 16 +++
 ...s_cloudwatch_log_delivery_destination.json | 16 +++
 ...watch_log_delivery_destination_policy.json | 15 +++
 .../aws_cloudwatch_log_delivery_source.json | 15 +++
 .../logs/aws_cloudwatch_log_group.json | 3 +-
 .../logs/aws_cloudwatch_log_index_policy.json | 15 +++
 .../aws_cloudwatch_log_anomaly_detector.tf | 12 ++
 .../aws/backup/aws_cloudwatch_log_delivery.tf | 8 ++
 ...aws_cloudwatch_log_delivery_destination.tf | 8 ++
 ...udwatch_log_delivery_destination_policy.tf | 23 ++++
 .../aws_cloudwatch_log_delivery_source.tf | 28 +++++
 .../backup/aws_cloudwatch_log_index_policy.tf | 6 +
 terraform/aws/role/aws_iam_policy.basic.tf | 106 ++++++------------
 17 files changed, 233 insertions(+), 81 deletions(-)
 create mode 100644 src/mapping/aws/resource/logs/aws_cloudwatch_log_anomaly_detector.json
 create mode 100644 src/mapping/aws/resource/logs/aws_cloudwatch_log_delivery.json
 create mode 100644 src/mapping/aws/resource/logs/aws_cloudwatch_log_delivery_destination.json
 create mode 100644 src/mapping/aws/resource/logs/aws_cloudwatch_log_delivery_destination_policy.json
 create mode 100644 src/mapping/aws/resource/logs/aws_cloudwatch_log_delivery_source.json
 create mode 100644 src/mapping/aws/resource/logs/aws_cloudwatch_log_index_policy.json
 create mode 100644 terraform/aws/backup/aws_cloudwatch_log_anomaly_detector.tf
 create mode 100644 terraform/aws/backup/aws_cloudwatch_log_delivery.tf
 create mode 100644 terraform/aws/backup/aws_cloudwatch_log_delivery_destination.tf
 create mode 100644 terraform/aws/backup/aws_cloudwatch_log_delivery_destination_policy.tf
 create mode 100644 terraform/aws/backup/aws_cloudwatch_log_delivery_source.tf
 create mode 100644 terraform/aws/backup/aws_cloudwatch_log_index_policy.tf
diff --git a/src/aws.go b/src/aws.go
index de4fae7c..7eaf996e 100644
--- a/src/aws.go
+++ b/src/aws.go
@@ -1144,6 +1144,11 @@ var tFLookup = map[string]interface{}{ //nolint:gochecknoglobals
 "aws_lakeformation_data_lake_settings": awsLakeformationDataLakeSettings,
 "aws_lakeformation_permissions": awsLakeformationPermissions,
 "aws_lakeformation_resource": awsLakeformationResource,
+ "aws_cloudwatch_log_delivery": awsCloudwatchLogDelivery,
+ "aws_cloudwatch_log_delivery_destination": awsCloudwatchLogDeliveryDestination,
+ "aws_cloudwatch_log_delivery_destination_policy": awsCloudwatchLogDeliveryDestinationPolicy,
+ "aws_cloudwatch_log_delivery_source": awsCloudwatchLogDeliverySource,
+ "aws_cloudwatch_log_index_policy": awsCloudwatchLogIndexPolicy,
 }
 
 // GetAWSPermissions for AWS resources.
diff --git a/src/coverage/aws.md b/src/coverage/aws.md
index 84f2bc62..2dcd659e 100644
--- a/src/coverage/aws.md
+++ b/src/coverage/aws.md
@@ -1,6 +1,6 @@
 # todo aws
 
-Resource percentage coverage 76.43
+Resource percentage coverage 76.77
 Datasource percentage coverage 100.00
 
 ./resource.ps1 aws_amplify_backend_environment
@@ -23,11 +23,6 @@ Datasource percentage coverage 100.00
 ./resource.ps1 aws_cloudhsm_v2_hsm
 ./resource.ps1 aws_cloudtrail_organization_delegated_admin_account
 ./resource.ps1 aws_cloudwatch_log_anomaly_detector
-./resource.ps1 aws_cloudwatch_log_delivery
-./resource.ps1 aws_cloudwatch_log_delivery_destination
-./resource.ps1 aws_cloudwatch_log_delivery_destination_policy
-./resource.ps1 aws_cloudwatch_log_delivery_source
-./resource.ps1 aws_cloudwatch_log_index_policy
 ./resource.ps1 aws_codeconnections_host
 ./resource.ps1 aws_cognito_managed_user_pool_client
 ./resource.ps1 aws_comprehend_entity_recognizer
diff --git a/src/files.go b/src/files.go
index 83ad65c2..df2fe61d 100644
--- a/src/files.go
+++ b/src/files.go
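Review bot: The new tFLookup entries leave out `aws_cloudwatch_log_anomaly_detector`, even though this same commit adds its mapping file (`src/mapping/aws/resource/logs/aws_cloudwatch_log_anomaly_detector.json`) and a fixture for it; with no `//go:embed` variable in files.go and no map entry, that JSON is dead data and the resource is still listed as unsupported in `src/coverage/aws.md`. If that is unintended, register it next to the others, `"aws_cloudwatch_log_anomaly_detector": awsCloudwatchLogAnomalyDetector,` plus the matching embed; if it is deliberate because the fixture is disabled, say so in the mapping's commit or drop the file until the resource is wired. The tFLookup literal starts before this hunk.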
@@ -3222,3 +3222,18 @@ var awsLakeformationPermissions []byte
 
 //go:embed mapping/aws/resource/lakeformation/aws_lakeformation_resource.json
 var awsLakeformationResource []byte
+
+//go:embed mapping/aws/resource/logs/aws_cloudwatch_log_delivery.json
+var awsCloudwatchLogDelivery []byte
+
+//go:embed mapping/aws/resource/logs/aws_cloudwatch_log_delivery_destination.json
+var awsCloudwatchLogDeliveryDestination []byte
+
+//go:embed mapping/aws/resource/logs/aws_cloudwatch_log_delivery_destination_policy.json
+var awsCloudwatchLogDeliveryDestinationPolicy []byte
+
+//go:embed mapping/aws/resource/logs/aws_cloudwatch_log_delivery_source.json
+var awsCloudwatchLogDeliverySource []byte
+
+//go:embed mapping/aws/resource/logs/aws_cloudwatch_log_index_policy.json
+var awsCloudwatchLogIndexPolicy []byte
diff --git a/src/mapping/aws/resource/logs/aws_cloudwatch_log_anomaly_detector.json b/src/mapping/aws/resource/logs/aws_cloudwatch_log_anomaly_detector.json
new file mode 100644
index 00000000..1391d947
--- /dev/null
+++ b/src/mapping/aws/resource/logs/aws_cloudwatch_log_anomaly_detector.json
@@ -0,0 +1,16 @@
+[
+ {
+ "apply": [
+ "logs:CreateLogAnomalyDetector",
+ "logs:GetLogAnomalyDetector",
+ "logs:DeleteLogAnomalyDetector",
+ "logs:UpdateLogAnomalyDetector"
+ ],
+ "attributes": {
+ "tags": []
+ },
+ "destroy": [],
+ "modify": [],
+ "plan": []
+ }
+]
diff --git a/src/mapping/aws/resource/logs/aws_cloudwatch_log_delivery.json b/src/mapping/aws/resource/logs/aws_cloudwatch_log_delivery.json
new file mode 100644
index 00000000..ec0d2e1c
--- /dev/null
+++ b/src/mapping/aws/resource/logs/aws_cloudwatch_log_delivery.json
@@ -0,0 +1,16 @@
+[
+ {
+ "apply": [
+ "logs:GetLogDelivery",
+ "logs:CreateLogDelivery",
+ "logs:DeleteLogDelivery",
+ "logs:UpdateLogDelivery"
+ ],
+ "attributes": {
+ "tags": []
+ },
+ "destroy": [],
+ "modify": [],
+ "plan": []
+ }
+]
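Review bot: The action list in `aws_cloudwatch_log_delivery.json` (`logs:CreateLogDelivery`, `logs:GetLogDelivery`, `logs:UpdateLogDelivery`, `logs:DeleteLogDelivery`) looks like the older vended-logs delivery API, whereas the resource this commit wires up is built on delivery sources and destinations and its own fixture grants `logs:CreateDelivery` in the destination policy, which suggests the provider calls the newer `CreateDelivery`/`GetDelivery`/`UpdateDeliveryConfiguration`/`DeleteDelivery` family. Please confirm against the provider's CRUD calls for `aws_cloudwatch_log_delivery` before this mapping ships, because a wrong action set means pike emits a policy that is denied at apply time. Note also that the basic test role changed in this commit grants no delivery actions of either family, so the delivery fixture cannot be applied with it as things stand.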
diff --git a/src/mapping/aws/resource/logs/aws_cloudwatch_log_delivery_destination.json b/src/mapping/aws/resource/logs/aws_cloudwatch_log_delivery_destination.json
new file mode 100644
index 00000000..5577e602
--- /dev/null
+++ b/src/mapping/aws/resource/logs/aws_cloudwatch_log_delivery_destination.json
@@ -0,0 +1,16 @@
+[
+ {
+ "apply": [
+ "logs:PutDeliveryDestination",
+ "logs:GetDeliveryDestination",
+ "logs:DescribeDeliveryDestinations",
+ "logs:DeleteDeliveryDestination"
+ ],
+ "attributes": {
+ "tags": []
+ },
+ "destroy": [],
+ "modify": [],
+ "plan": []
+ }
+]
diff --git a/src/mapping/aws/resource/logs/aws_cloudwatch_log_delivery_destination_policy.json b/src/mapping/aws/resource/logs/aws_cloudwatch_log_delivery_destination_policy.json
new file mode 100644
index 00000000..b21fccd6
--- /dev/null
+++ b/src/mapping/aws/resource/logs/aws_cloudwatch_log_delivery_destination_policy.json
@@ -0,0 +1,15 @@
+[
+ {
+ "apply": [
+ "logs:PutDeliveryDestinationPolicy",
+ "logs:GetDeliveryDestinationPolicy",
+ "logs:DeleteDeliveryDestinationPolicy"
+ ],
+ "attributes": {
+ "tags": []
+ },
+ "destroy": [],
+ "modify": [],
+ "plan": []
+ }
+]
diff --git a/src/mapping/aws/resource/logs/aws_cloudwatch_log_delivery_source.json b/src/mapping/aws/resource/logs/aws_cloudwatch_log_delivery_source.json
new file mode 100644
index 00000000..03f469fa
--- /dev/null
+++ b/src/mapping/aws/resource/logs/aws_cloudwatch_log_delivery_source.json
@@ -0,0 +1,15 @@
+[
+ {
+ "apply": [
+ "logs:GetDeliverySource",
+ "logs:PutDeliverySource",
+ "logs:DeleteDeliverySource"
+ ],
+ "attributes": {
+ "tags": []
+ },
+ "destroy": [],
+ "modify": [],
+ "plan": []
+ }
+]
diff --git a/src/mapping/aws/resource/logs/aws_cloudwatch_log_group.json b/src/mapping/aws/resource/logs/aws_cloudwatch_log_group.json
index a870eed2..5f68f251 100644
--- a/src/mapping/aws/resource/logs/aws_cloudwatch_log_group.json
+++ b/src/mapping/aws/resource/logs/aws_cloudwatch_log_group.json
@@ -4,7 +4,8 @@
 "logs:CreateLogGroup",
 "logs:DescribeLogGroups",
 "logs:ListTagsLogGroup",
- "logs:DeleteLogGroup"
+ "logs:DeleteLogGroup",
+ "logs:ListTagsForResource"
 ],
 "attributes": {
 "kms_key_id": [
diff --git a/src/mapping/aws/resource/logs/aws_cloudwatch_log_index_policy.json b/src/mapping/aws/resource/logs/aws_cloudwatch_log_index_policy.json
new file mode 100644
index 00000000..64408e15
--- /dev/null
+++ b/src/mapping/aws/resource/logs/aws_cloudwatch_log_index_policy.json
@@ -0,0 +1,15 @@
+[
+ {
+ "apply": [
+ "logs:PutIndexPolicy",
+ "logs:DeleteIndexPolicy",
+ "logs:DescribeIndexPolicies"
+ ],
+ "attributes": {
+ "tags": []
+ },
+ "destroy": [],
+ "modify": [],
+ "plan": []
+ }
+]
diff --git a/terraform/aws/backup/aws_cloudwatch_log_anomaly_detector.tf b/terraform/aws/backup/aws_cloudwatch_log_anomaly_detector.tf
new file mode 100644
index 00000000..ec25ee37
--- /dev/null
+++ b/terraform/aws/backup/aws_cloudwatch_log_anomaly_detector.tf
@@ -0,0 +1,12 @@
+resource "aws_cloudwatch_log_group" "test" {
+ count = 2
+ name = "testing-${count.index}"
+}
+
+# resource "aws_cloudwatch_log_anomaly_detector" "test" {
+# detector_name = "testing"
+# log_group_arn_list = [aws_cloudwatch_log_group.test[0].arn]
+# anomaly_visibility_time = 7
+# evaluation_frequency = "TEN_MIN"
+# enabled = "false"
+# }
diff --git a/terraform/aws/backup/aws_cloudwatch_log_delivery.tf b/terraform/aws/backup/aws_cloudwatch_log_delivery.tf
new file mode 100644
index 00000000..33162eb7
--- /dev/null
+++ b/terraform/aws/backup/aws_cloudwatch_log_delivery.tf
@@ -0,0 +1,8 @@
+resource "aws_cloudwatch_log_delivery" "example" {
+ delivery_source_name = aws_cloudwatch_log_delivery_source.example.name
+ delivery_destination_arn = aws_cloudwatch_log_delivery_destination.example.arn
+
+ field_delimiter = ","
+
+ record_fields = ["event_timestamp", "event"]
+}
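Review bot: `aws_cloudwatch_log_group.test` in aws_cloudwatch_log_anomaly_detector.tf sets neither `retention_in_days` nor `kms_key_id`, so both groups retain indefinitely under the service-default key; for a fixture that is mostly a lint finding, but the mapping in aws_cloudwatch_log_group.json keys extra permissions on a `kms_key_id` attribute, so a plain group never exercises that path. Consider `retention_in_days = 1` on the fixture, and `kms_key_id` if a key is already available to the backup fixtures. The anomaly detector block itself is entirely commented out, so this file currently creates only log groups despite its name; a one-line comment stating why it is disabled would stop the next reader from re-enabling it blindly.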
diff --git a/terraform/aws/backup/aws_cloudwatch_log_delivery_destination.tf b/terraform/aws/backup/aws_cloudwatch_log_delivery_destination.tf
new file mode 100644
index 00000000..6fff8b37
--- /dev/null
+++ b/terraform/aws/backup/aws_cloudwatch_log_delivery_destination.tf
@@ -0,0 +1,8 @@
+resource "aws_cloudwatch_log_delivery_destination" "example" {
+ name = "example"
+
+ delivery_destination_configuration {
+ destination_resource_arn = aws_cloudwatch_log_group.test[0].arn
+ }
+
+}
diff --git a/terraform/aws/backup/aws_cloudwatch_log_delivery_destination_policy.tf b/terraform/aws/backup/aws_cloudwatch_log_delivery_destination_policy.tf
new file mode 100644
index 00000000..5317e1cb
--- /dev/null
+++ b/terraform/aws/backup/aws_cloudwatch_log_delivery_destination_policy.tf
@@ -0,0 +1,23 @@
+resource "aws_cloudwatch_log_delivery_destination_policy" "example" {
+ delivery_destination_name = aws_cloudwatch_log_delivery_destination.example.name
+ delivery_destination_policy = data.aws_iam_policy_document.example.json
+}
+
+
+data "aws_iam_policy_document" "example" {
+ statement {
+ sid = "1"
+ effect = "Allow"
+ actions = [
+ "logs:CreateDelivery",
+ ]
+
+ resources = [
+ "*",
+ ]
+ principals {
+ identifiers = ["AWS"]
+ type = "arn:aws:iam::680235478471:root"
+ }
+ }
+}
diff --git a/terraform/aws/backup/aws_cloudwatch_log_delivery_source.tf b/terraform/aws/backup/aws_cloudwatch_log_delivery_source.tf
new file mode 100644
index 00000000..5eed1cc1
--- /dev/null
+++ b/terraform/aws/backup/aws_cloudwatch_log_delivery_source.tf
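Review bot: The `principals` block in data.aws_iam_policy_document.example has `type` and `identifiers` swapped: `type` must be the principal kind and `identifiers` the ARN list, so it should read `type = "AWS"` and `identifiers = ["arn:aws:iam::680235478471:root"]`; as written the document fails validation and the destination policy cannot be applied. While here, `resources = ["*"]` lets that account create deliveries against any delivery resource rather than this destination; scoping it to `aws_cloudwatch_log_delivery_destination.example.arn` (or the narrower delivery ARNs the service accepts, check the PutDeliveryDestinationPolicy docs) is the least-privilege form. The literal account id is also hard-coded; `data.aws_caller_identity.current.account_id` would keep the fixture portable if that data source is available to the backup fixtures.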
@@ -0,0 +1,28 @@
+
+resource "aws_cloudwatch_log_delivery_source" "example" {
+ name = "example"
+ log_type = "APPLICATION_LOGS"
+ resource_arn = aws_instance.pike.arn
+}
+
+
+data "aws_ami" "ubuntu" {
+ most_recent = true
+
+ filter {
+ name = "name"
+ values = ["ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*"]
+ }
+
+ filter {
+ name = "virtualization-type"
+ values = ["hvm"]
+ }
+
+ owners = ["099720109477"] # Canonical
+}
+
+resource "aws_instance" "pike" {
+ ami = data.aws_ami.ubuntu.id
+ instance_type = "t3.micro"
+}
diff --git a/terraform/aws/backup/aws_cloudwatch_log_index_policy.tf b/terraform/aws/backup/aws_cloudwatch_log_index_policy.tf
new file mode 100644
index 00000000..0639f249
--- /dev/null
+++ b/terraform/aws/backup/aws_cloudwatch_log_index_policy.tf
@@ -0,0 +1,6 @@
+resource "aws_cloudwatch_log_index_policy" "pike" {
+ log_group_name = aws_cloudwatch_log_group.test[0].name
+ policy_document = jsonencode({
+ Fields = ["eventName"]
+ })
+}
diff --git a/terraform/aws/role/aws_iam_policy.basic.tf b/terraform/aws/role/aws_iam_policy.basic.tf
index 94e916b6..c1d46bc6 100644
--- a/terraform/aws/role/aws_iam_policy.basic.tf
+++ b/terraform/aws/role/aws_iam_policy.basic.tf
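Review bot: `aws_instance.pike` launches a real instance with no `metadata_options`, so it comes up with IMDSv1 enabled; add `metadata_options { http_tokens = "required" }` (and, usually, `root_block_device { encrypted = true }`) so the fixture passes the standard EC2 checks and does not leave a credential-exposing instance in the test account. Separately, `resource_arn = aws_instance.pike.arn` with `log_type = "APPLICATION_LOGS"` is worth confirming: delivery sources are for services that vend logs to CloudWatch, and I am not aware of EC2 instances being an accepted source, so PutDeliverySource may reject this at apply time; a resource from a supported log-vending service would make the fixture actually exercise the delivery path. If the instance is kept only as a placeholder, a comment saying so would save the next reader from debugging it.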
@@ -31,85 +31,43 @@ resource "aws_iam_policy" "basic" {
 "ec2:StartInstances",
 "ec2:StopInstances",
 "ec2:TerminateInstances",
- "iam:AttachRolePolicy",
- "iam:CreateRole",
- "iam:CreateServiceLinkedRole",
- "iam:DeleteRole",
- "iam:DetachRolePolicy",
- "iam:GetRole",
- "iam:ListAttachedRolePolicies",
- "iam:ListInstanceProfilesForRole",
- "iam:ListRolePolicies",
- "organizations:CreateOrganization",
- "organizations:DeleteOrganization",
- "organizations:DescribeOrganization",
- "organizations:ListRoots",
+ "logs:CreateLogGroup",
+ "logs:DeleteLogGroup",
+ "logs:DescribeLogGroups",
+ "logs:ListTagsLogGroup",
 "s3:DeleteObject",
 "s3:GetObject",
 "s3:ListBucket",
 "s3:PutObject",
- # aws_lakeformation_resource
- "lakeformation:RegisterResource",
- "iam:PutRolePolicy",
- "lakeformation:DescribeResource",
- "lakeformation:DeregisterResource",
- "iam:GetRolePolicy",
- "lakeformation:UpdateResource",
-
- # aws_lakeformation_data_lake_settings
- "lakeformation:PutDataLakeSettings",
- "lakeformation:GetDataLakeSettings",
-
- # aws_glue_dev_endpoint
- "glue:CreateDevEndpoint",
- "iam:PassRole",
- "glue:GetDevEndpoint",
- "glue:DeleteDevEndpoint",
- "glue:UpdateDevEndpoint",
-
- # aws_glue_data_quality_ruleset
- "glue:CreateDataQualityRuleset",
- "glue:GetDataQualityRuleset",
- "glue:GetTags",
- "glie:DeleteTags",
- "glue:DeleteDataQualityRuleset",
- "glue:UpdateDataQualityRuleset",
-
-
- # aws_ec2_traffic_mirror_target
- "ec2:CreateTrafficMirrorTarget",
- "ec2:DescribeTrafficMirrorTargets",
- "ec2:DeleteTrafficMirrorTarget",
-
- # aws_ec2_traffic_mirror_filter
- "ec2:CreateTrafficMirrorFilter",
- "ec2:ModifyTrafficMirrorFilterNetworkServices",
- "ec2:DescribeTrafficMirrorFilters",
- "ec2:DeleteTrafficMirrorFilter",
-
- # aws_config_aggregate_authorization
- "config:PutAggregationAuthorization",
- "config:DescribeAggregationAuthorizations",
- "config:DeleteAggregationAuthorization",
-
- # aws_config_organization_managed_rule
- "config:DescribeOrganizationConfigRules",
- "config:DeleteOrganizationConfigRule",
- "config:PutOrganizationConfigRule",
-
- # aws_config_remediation_configuration
- "config:DescribeRemediationConfigurations",
- "config:DeleteRemediationConfiguration",
- "config:PutRemediationConfigurations",
-
- # aws_ec2_traffic_mirror_session.tf
- "ec2:CreateTrafficMirrorSession",
- "ec2:DeleteTrafficMirrorSession",
- "ec2:ModifyTrafficMirrorSession",
- "ec2:DescribeTrafficMirrorSessions",
-
-
+ # aws_cloudwatch_log_delivery_source
+ "logs:PutDeliverySource",
+ "logs:DeleteDeliverySource",
+
+ # aws_cloudwatch_log_group
+ "logs:ListTagsForResource",
+
+ # aws_cloudwatch_log_index_policy
+ "logs:PutIndexPolicy",
+ "logs:DeleteIndexPolicy",
+ "logs:DescribeIndexPolicies",
+
+ # aws_cloudwatch_log_delivery_destination
+ "logs:PutDeliveryDestination",
+ "logs:GetDeliveryDestination",
+ "logs:DescribeDeliveryDestinations",
+ "logs:DeleteDeliveryDestination",
+
+ # aws_cloudwatch_log_anomaly_detector
+ "logs:CreateLogAnomalyDetector",
+ "logs:GetLogAnomalyDetector",
+ "logs:DeleteLogAnomalyDetector",
+ "logs:UpdateLogAnomalyDetector",
+
+ # aws_cloudwatch_log_delivery_destination_policy
+ "logs:PutDeliveryDestinationPolicy",
+ "logs:GetDeliveryDestinationPolicy",
+ "logs:DeleteDeliveryDestinationPolicy"
 ],
 "Resource" : [
 "*"
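Review bot: The `# aws_cloudwatch_log_delivery_source` group grants only `logs:PutDeliverySource` and `logs:DeleteDeliverySource`, but the mapping added in this same commit (aws_cloudwatch_log_delivery_source.json) also lists `logs:GetDeliverySource`, which the provider's read will presumably need; add `"logs:GetDeliverySource",` so the test role and the mapping agree, otherwise the role cannot prove the mapping. There is also no group at all for `aws_cloudwatch_log_delivery`, so the delivery fixture cannot be applied with this role. All of these stay on `"Resource" : ["*"]`, which is the existing shape of this policy, but `logs:PutDeliveryDestinationPolicy` on `*` lets the role grant cross-account `CreateDelivery` on any destination in the account, so this role should remain confined to the disposable test account. The `aws_iam_policy` resource starts before this hunk.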