diff --git a/modules/dome9/maint.tf b/modules/dome9/maint.tf
index 634f44f..5815184 100644
--- a/modules/dome9/maint.tf
+++ b/modules/dome9/maint.tf
@@ -143,15 +143,39 @@ resource "aws_iam_policy" "readonly-policy" {
 {
 "Sid": "CloudGuardReadOnly",
 "Action": [
+ "appfabric:ListAppBundles",
+ "appfabric:GetAppBundle",
+ "appfabric:ListTagsForResource",
+ "lightsail:GetRelationalDatabases",
+ "lightsail:GetRelationalDatabaseParameters",
+ "lightsail:GetLoadBalancerTlsCertificates",
+ "lightsail:GetDomains",
+ "lightsail:GetDistributions",
+ "batch:DescribeJobQueues",
+ "kinesisanalytics:ListTagsForResource",
+ "ram:GetResourceShares",
+ "appflow:ListConnectors",
+ "airflow:GetEnvironment",
 "account:GetAlternateContact",
 "apigateway:GET",
 "athena:GetQueryExecution",
 "athena:GetWorkGroup",
 "backup:ListBackupVaults",
 "backup:ListTags",
+ "cassandra:Select",
 "cognito-identity:DescribeIdentityPool",
+ "codeartifact:ListDomains",
+ "codeartifact:DescribeDomain",
+ "codeartifact:GetDomainPermissionsPolicy",
+ "codeartifact:ListTagsForResource",
+ "codeartifact:DescribeRepository",
+ "codebuild:GetResourcePolicy",
 "cognito-idp:DescribeUserPool",
 "cognito-idp:DescribeRiskConfiguration",
+ "compute-optimizer:GetRecommendationSummaries",
+ "macie2:DescribeBuckets",
+ "macie2:GetMacieSession",
+ "macie2:GetFindingStatistics",
 "dynamodb:ListTagsOfResource",
 "ec2:SearchTransitGatewayRoutes",
 "elasticfilesystem:Describe*",
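Review bot: `cassandra:Select`, added in this hunk under `Resource: "*"`, is a data-plane permission — it lets the role read rows from every Amazon Keyspaces table in the account, not merely enumerate schema, which is broader than the Describe/Get/List metadata reads that make up the rest of the `CloudGuardReadOnly` statement. If the action is only needed for schema discovery, moving it into its own statement whose resource is limited to the system keyspaces (e.g. a pattern like `arn:aws:cassandra:*:*:/keyspace/system*/table/*`, to be confirmed against the Keyspaces ARN format) keeps the policy read-only in the sense the Sid implies. A short comment next to the entry saying which rule needs it would also help the next reviewer. The statement continues in the later hunks of this file.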
@@ -159,13 +183,23 @@ resource "aws_iam_policy" "readonly-policy" {
 "es:ListTags",
 "eks:DescribeNodegroup",
 "eks:ListNodegroups",
- "eks:ListFargateProfiles",
- "eks:DescribeFargateProfile",
+ "glacier:ListTagsForVault",
 "glue:GetConnections",
 "glue:GetSecurityConfigurations",
+ "glue:GetMLTransforms",
+ "glue:GetCrawlers",
+ "glue:GetDevEndpoints",
+ "glue:GetJobs",
+ "glue:GetDataCatalogEncryptionSettings",
+ "healthlake:ListFHIRDatastores",
+ "healthlake:ListTagsForResource",
 "inspector2:ListFindings",
 "inspector2:BatchGetAccountStatus",
+ "inspector2:ListFindingAggregations",
+ "inspector2:ListCoverage",
 "kafka:ListClusters",
+ "kendra:ListTagsForResource",
+ "devops-guru:DescribeServiceIntegration",
 "kinesis:List*",
 "kinesis:Describe*",
 "kinesisvideo:Describe*",
@@ -173,7 +207,14 @@ resource "aws_iam_policy" "readonly-policy" {
 "logs:Get*",
 "logs:FilterLogEvents",
 "logs:ListLogDeliveries",
- "macie2:DescribeBuckets",
+ "codebuild:ListBuilds",
+ "codebuild:BatchGetBuilds",
+ "codepipeline:ListWebhooks",
+ "memorydb:DescribeACLs",
+ "memorydb:DescribeParameters",
+ "memorydb:DescribeSnapshots",
+ "memorydb:DescribeUsers",
+ "memorydb:ListTags",
 "mq:DescribeBroker",
 "mq:ListBrokers",
 "network-firewall:DescribeFirewall",
@@ -183,8 +224,13 @@ resource "aws_iam_policy" "readonly-policy" {
 "network-firewall:DescribeFirewallPolicy",
 "personalize:DescribeDatasetGroup",
 "personalize:ListDatasetGroups",
+ "personalize:ListTagsForResource",
 "s3:List*",
 "secretsmanager:DescribeSecret",
+ "ses:ListEmailIdentities",
+ "ses:GetEmailIdentity",
+ "ses:ListConfigurationSets",
+ "ses:GetConfigurationSet",
 "sns:ListSubscriptions",
 "sns:ListTagsForResource",
 "sns:GetPlatformApplicationAttributes",
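Review bot: The two Fargate entries removed here (`eks:ListFargateProfiles`, `eks:DescribeFargateProfile`) are added back verbatim at the end of the list in the last hunk, so the net effect is a reorder rather than a change; moving them churns the diff and makes the policy's history harder to audit. This hunk and the next one also break the alphabetical order the list had (`devops-guru:DescribeServiceIntegration` lands after `kendra`, `codebuild:ListBuilds` after `logs`), and that ordering is what lets a reviewer spot duplicate or unintended actions at a glance. Keeping new entries in sorted position, or adding a comment at the head of the action list stating that it is intentionally unsorted, would help. The enclosing `aws_iam_policy` block starts and ends outside this hunk.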
@@ -195,7 +241,67 @@ resource "aws_iam_policy" "readonly-policy" {
 "translate:GetTerminology",
 "waf-regional:ListResourcesForWebACL",
 "wafv2:ListWebACLs",
- "wafv2:ListResourcesForWebACL"
+ "wafv2:ListResourcesForWebACL",
+ "eks:ListFargateProfiles",
+ "eks:DescribeFargateProfile",
+ "ecr:GetRegistryScanningConfiguration",
+ "ecr:DescribeRegistry",
+ "appstream:DescribeUsageReportSubscriptions",
+ "aps:ListWorkspaces",
+ "aps:DescribeWorkspace",
+ "aps:DescribeLoggingConfiguration",
+ "cloudformation:ListTypes",
+ "cloudformation:DescribeType",
+ "cloudformation:BatchDescribeTypeConfigurations",
+ "amplify:ListApps",
+ "serverlessrepo:GetApplication",
+ "simspaceweaver:ListSimulations",
+ "simspaceweaver:ListTagsForResource",
+ "simspaceweaver:DescribeSimulation",
+ "grafana:DescribeWorkspace",
+ "mediaconvert:ListJobs",
+ "mediaconvert:ListPresets",
+ "mediaconvert:ListQueues",
+ "mediaconvert:ListTagsForResource",
+ "mediapackage:ListChannels",
+ "mediastore:ListTagsForResource",
+ "mediatailor:ListChannels",
+ "mediatailor:GetChannelPolicy",
+ "mediatailor:ListPlaybackConfigurations",
+ "mediatailor:ListSourceLocations",
+ "mediapackage:ListHarvestJobs",
+ "dataexchange:ListTagsForResource",
+ "dataexchange:ListEventActions",
+ "dataexchange:ListJobs",
+ "elastictranscoder:ListPresets",
+ "medialive:ListInputs",
+ "medialive:ListMultiplexes",
+ "medialive:ListReservations",
+ "medialive:ListInputSecurityGroups",
+ "drs:DescribeJobs",
+ "drs:DescribeJobLogItems",
+ "drs:DescribeSourceServers",
+ "drs:DescribeRecoverySnapshots",
+ "drs:DescribeSourceNetworks",
+ "drs:DescribeRecoveryInstances",
+ "drs:GetFailbackReplicationConfiguration",
+ "drs:DescribeReplicationConfigurationTemplates",
+ "drs:DescribeLaunchConfigurationTemplates",
+ "timestream:ListBatchLoadTasks",
+ "timestream:ListDatabases",
+ "timestream:ListTables",
+ "timestream:ListTagsForResource",
+ "timestream:DescribeEndpoints",
+ "signer:ListTagsForResource",
+ "signer:ListSigningJobs",
+ "signer:ListSigningPlatforms",
+ "signer:ListSigningProfiles",
+ "storagegateway:DescribeSMBFileShares",
+ "nimble:ListStudios",
+ "ds:ListTagsForResource",
+ "support:DescribeCases",
+ "support:DescribeSeverityLevels",
+ "outposts:ListOutposts"
 ],
 "Effect": "Allow",
 "Resource": "*"