diff --git a/CHANGELOG.md b/CHANGELOG.md index 7257d09..f2ffa52 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -22,3 +22,7 @@ * 2.1.3 -- 2022-05-25 - update statements to check for create first + +* 2.2.0 -- 2022-07-19 + - update policy, code structure + - remove access_key generation diff --git a/README.md b/README.md index e6e81ca..c34d2f7 100644 --- a/README.md +++ b/README.md @@ -1,27 +1,27 @@ # aws-security-audit -This modulue sets up an IAm account and group for OIS to do scanning. By default, the IAM account -is `s-inf-security-audit` and the group is `g-inf-security-audit`. It is granted NetworkAudit permissions + +This modulue sets up an IAM account and group for OIS to do scanning. By default, the IAM account +is `s-inf-security-audit` and the group is `g-inf-security-audit`. It is granted SecurityAudit permissions to be able to read most AWS resources. +Additional permissions for use by [Tenable](https://docs.tenable.com/nessus/compliancechecksreference/Content/AWSIAMPolicy.htm) have also +been included. + # Usage ```hcl module "scanner" { source = "git@github.e.it.census.gov:terraform-modules/aws-security-audit.git" - email_addresses = [ "ois.compliance.scanning.group@census.gov" ] - create_access_keys = true - pgp_key = file(filename.b64) - ## optional - additional_policies = [ ] - group = "g-audit-group" - users = [ "s-ois-scan" ] - contact = "badra001" - reference = "INC1234" + # additional_policies = [ ] + # reference = "INC000000001234" } ``` +Generation of access keys has been removed from this module, as we have a better more central way of +handling that. + ## Requirements | Name | Version | @@ -33,7 +33,6 @@ module "scanner" { | Name | Version | |------|---------| | [aws](#provider\_aws) | n/a | -| [null](#provider\_null) | n/a | ## Modules 
@@ -43,14 +42,11 @@ No modules. | Name | Type | |------|------| -| [aws_iam_access_key.audit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key) | resource | | [aws_iam_group.audit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group) | resource | | [aws_iam_group_membership.audit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_membership) | resource | -| [aws_iam_group_policy_attachment.audit_main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy_attachment) | resource | -| [aws_iam_group_policy_attachment.audit_other](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy_attachment) | resource | +| [aws_iam_group_policy_attachment.audit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy_attachment) | resource | | [aws_iam_policy.audit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_user.audit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource | -| [null_resource.audit_output](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | | [aws_iam_policy.aws-managed-security-audit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source | 
@@ -65,7 +61,7 @@ No modules. | [create\_access\_keys](#input\_create\_access\_keys) | Set to 1 or true to create access keys | `bool` | `false` | no | | [email\_addresses](#input\_email\_addresses) | Security Audit IAM Email Contact List(s) | `list(string)` |
[| no | | [group](#input\_group) | Security Audit IAM group name | `string` | `"g-inf-security-audit"` | no | -| [pgp\_key](#input\_pgp\_key) | PGP key used to encrypt access key | `string` | n/a | yes | +| [pgp\_key](#input\_pgp\_key) | PGP key used to encrypt access key | `string` | `null` | no | | [policy](#input\_policy) | Security Audit IAM Policy name | `string` | `"p-inf-security-audit"` | no | | [reference](#input\_reference) | Remedy ticket reference number for the user | `string` | `""` | no | | [users](#input\_users) | Security Audit IAM user name(s) | `list(string)` |
"ois.compliance.scanning.group@census.gov"
]
[| no | @@ -74,7 +70,4 @@ No modules. | Name | Description | |------|-------------| -| [aws\_access\_key\_id](#output\_aws\_access\_key\_id) | Access Key IDs for Users | -| [aws\_info](#output\_aws\_info) | Access key, secret, and user map output | -| [aws\_secret\_access\_key](#output\_aws\_secret\_access\_key) | Access Secret Key IDs for Users | | [user](#output\_user) | Users created | diff --git a/audit-output-creds.sh b/bin/audit-output-creds.sh similarity index 100% rename from audit-output-creds.sh rename to bin/audit-output-creds.sh diff --git a/data.tf b/data.tf new file mode 100644 index 0000000..bb338ee --- /dev/null +++ b/data.tf @@ -0,0 +1,6 @@ +data "aws_caller_identity" "current" { +} + +data "aws_arn" "current" { + arn = data.aws_caller_identity.current.arn +} diff --git a/main.tf b/main.tf index bd8c6de..cdc722b 100644 --- a/main.tf +++ b/main.tf 
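Review bot: Both data sources in the new file may be dead after this commit: the only consumer visible in the diff, the `arn = "arn:${data.aws_arn.current.partition}:iam::aws:policy/SecurityAudit"` lookup in main.tf, is commented out in favour of `name = "SecurityAudit"`, and nothing else in the diff reads `data.aws_caller_identity.current` or `data.aws_arn.current`. If no other file in the module references them, drop them rather than carry an unused sts:GetCallerIdentity call in every plan. If the partition-aware lookup was dropped by accident, note that it is the form that works unchanged across the commercial and GovCloud partitions, which the bundled `policy.securityaudit.json` (written against `arn:aws-us-gov:`) suggests is in scope.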
@@ -1,27 +1,27 @@
 /**
 * # aws-security-audit
-* This modulue sets up an IAm account and group for OIS to do scanning. By default, the IAM account
-* is `s-inf-security-audit` and the group is `g-inf-security-audit`. It is granted NetworkAudit permissions
+*
+* This modulue sets up an IAM account and group for OIS to do scanning. By default, the IAM account
+* is `s-inf-security-audit` and the group is `g-inf-security-audit`. It is granted SecurityAudit permissions
 * to be able to read most AWS resources.
 *
+* Additional permissions for use by [Tenable](https://docs.tenable.com/nessus/compliancechecksreference/Content/AWSIAMPolicy.htm) have also
+* been included.
+*
 * # Usage
 *
 * ```hcl
 * module "scanner" {
 * source = "git@github.e.it.census.gov:terraform-modules/aws-security-audit.git"
 *
-* email_addresses = [ "ois.compliance.scanning.group@census.gov" ]
-* create_access_keys = true
-* pgp_key = file(filename.b64)
-*
 * ## optional
-* additional_policies = [ ]
-* group = "g-audit-group"
-* users = [ "s-ois-scan" ]
-* contact = "badra001"
-* reference = "INC1234"
+* # additional_policies = [ ]
+* # reference = "INC000000001234"
 * }
 * ```
+*
+* Generation of access keys has been removed from this module, as we have a better more central way of
+* handling that.
 */
 
 locals {
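Review bot: The rewritten header comment keeps the misspelling `modulue` on a line the commit otherwise edits (`+* This modulue sets up an IAM account and group for OIS to do scanning.`); the same line is carried over into README.md. It would also help to state in the usage block which inputs a caller is expected to set now that `email_addresses`, `users` and `create_access_keys` no longer appear in the example, otherwise a reader has to fall back to the README input table.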
@@ -29,11 +29,12 @@ locals {
 "boc:tf_module_version" = local._module_version
 "boc:created_by" = "terraform"
 }
+ # security-audit-policies = [ data.aws_iam_policy.aws-managed-security-audit.arn, aws_iam_policy.audit.arn ]
 
- enable_access_keys = var.create_access_keys ? length(var.users) : 0
- contact = lower(var.contact)
- email_address = join(",", [for e in var.email_addresses : lower(e)])
- tags_email = { "boc:id:mail" = local.email_address }
+ # enable_access_keys = var.create_access_keys ? length(var.users) : 0
+ contact = lower(var.contact)
+ email_address = join(",", [for e in var.email_addresses : lower(e)])
+ tags_email = { "boc:id:mail" = local.email_address }
 tags_contact = {
 exists = {
 "boc:id:username" = local.contact
@@ -51,36 +52,22 @@ locals {
 local.tags_email,
 local.tags_reference[var.reference != "" ? "exists" : "not_exists"]
 )
- aws_access_key_id = concat(aws_iam_access_key.audit[*].id, [])
- aws_secret_access_key = concat(aws_iam_access_key.audit[*].encrypted_secret, [])
-
- policies = compact(concat([data.aws_iam_policy.aws-managed-security-audit.arn], var.additional_policies))
-}
-
-#---
-# used to get the partition from arn
-#---
-data "aws_caller_identity" "current" {
-}
-
-data "aws_arn" "current" {
- arn = data.aws_caller_identity.current.arn
+ # aws_access_key_id = concat(aws_iam_access_key.audit[*].id, [])
+ # aws_secret_access_key = concat(aws_iam_access_key.audit[*].encrypted_secret, [])
+ # policies = compact(concat([data.aws_iam_policy.aws-managed-security-audit.arn], var.additional_policies))
 }
 
 #---
 # user setup
 #---
 resource "aws_iam_user" "audit" {
- count = length(var.users)
- name = var.users[count.index]
+ for_each = toset(var.users)
+ name = each.key
+
 tags = merge(
 local.base_tags,
 local.tags,
 )
 
- # tags = {
- # "EmailAddress" = var.email_addresses[count.index]
- # }
-
 lifecycle {
 ignore_changes = [tags["boc:tf_module_version"]]
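Review bot: Switching `aws_iam_user.audit` from `count` to `for_each = toset(var.users)` changes every instance address from `aws_iam_user.audit[0]` to `aws_iam_user.audit["<user name>"]`, so on an existing deployment the next apply plans a destroy-and-create of each audit user, and with it whatever access keys, MFA devices or console password that user has accumulated outside Terraform. The module cannot express a generic `moved` block for a variable-driven key, so this needs a documented migration step such as (constructed example, module name from the README) `terraform state mv 'module.scanner.aws_iam_user.audit[0]' 'module.scanner.aws_iam_user.audit["s-inf-security-audit"]'`, and the 2.2.0 CHANGELOG entry should flag the release as breaking. The same address change applies to the `aws_iam_group_membership.audit` hunk below. Separately, the locals that are commented out rather than deleted (`# enable_access_keys`, `# aws_access_key_id`, `# aws_secret_access_key`, `# policies`) reference resources this commit removes; history is in git, so drop them.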
@@ -98,11 +85,10 @@ resource "aws_iam_group" "audit" {
 # group membership
 #---
 resource "aws_iam_group_membership" "audit" {
- count = length(var.users)
- name = var.group
- group = aws_iam_group.audit.name
- users = var.users
- depends_on = [aws_iam_user.audit]
+ for_each = aws_iam_user.audit
+ name = var.group
+ group = aws_iam_group.audit.name
+ users = each.value.name
 }
 
 #---
@@ -111,9 +97,20 @@ resource "aws_iam_group_membership" "audit" {
 #---
 data "aws_iam_policy_document" "audit" {
 statement {
- sid = "AdditionalSecurityAuditpermissions"
- effect = "Allow"
- actions = ["support:DescribeTrustedAdvisorChecks"]
+ sid = "AdditionalSecurityAuditpermissions"
+ effect = "Allow"
+ actions = [
+ "cloudtrail:Describe*",
+ "cloudtrail:Get*",
+ "cloudtrail:List*",
+ "cloudwatch:List*",
+ "logs:Get*",
+ "rds:List*",
+ "sns:Get*",
+ "sns:List*",
+ "support:Describe*",
+ # "support:DescribeTrustedAdvisorChecks",
+ ]
 resources = ["*"]
 }
 }
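Review bot: `users = each.value.name` assigns a string to an attribute typed `list(string)`, which Terraform rejects at validate time, and even as `users = [each.value.name]` the `for_each` yields one `aws_iam_group_membership` per user all sharing `name = var.group`, while the provider documents that resource as managing the group's complete member list — with two or more users each instance tries to make itself the sole member and the plan never converges (the per-user, non-exclusive variant is `aws_iam_user_group_membership`). The simplest fix is a single instance that keeps the implicit dependency on the users: drop the `for_each` line and write `users = [for u in aws_iam_user.audit : u.name]`. The resource starts and ends inside this hunk.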
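Review bot: Two of the new wildcards reach past configuration metadata into content: `logs:Get*` matches `logs:GetLogEvents` and `logs:GetQueryResults` (log record contents) and `support:Describe*` matches `support:DescribeCases` and `support:DescribeCommunications` (support-case correspondence), which is a real widening from the single `support:DescribeTrustedAdvisorChecks` this statement used to grant. If the scanner only needs the Trusted Advisor calls, list the four `support:DescribeTrustedAdvisor*` actions that `policy.diffs.txt` already enumerates, and put a line comment on `logs:Get*` such as `# includes GetLogEvents: read of log record contents is intended for Tenable` so the grant is deliberate. Most of the other additions (`cloudtrail:Describe*`, the cloudtrail Get/List calls, `sns:Get*`, `sns:List*`) largely duplicate entries in the SecurityAudit managed policy attached alongside, so the genuinely new grant is smaller than the list suggests. Conversely `cloudwatch:Get*`, which `policy.tenable.json` requires and which `policy.diffs.txt` marks as having no SecurityAudit equivalent, is granted by neither policy, so Tenable checks that depend on it would be denied.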
@@ -126,34 +123,36 @@ resource "aws_iam_policy" "audit" {
 }
 
 data "aws_iam_policy" "aws-managed-security-audit" {
- arn = "arn:${data.aws_arn.current.partition}:iam::aws:policy/SecurityAudit"
+ # arn = "arn:${data.aws_arn.current.partition}:iam::aws:policy/SecurityAudit"
+ name = "SecurityAudit"
 }
 
-resource "aws_iam_group_policy_attachment" "audit_main" {
- group = aws_iam_group.audit.name
- policy_arn = aws_iam_policy.audit.arn
-}
-
-resource "aws_iam_group_policy_attachment" "audit_other" {
- for_each = toset(local.policies)
+resource "aws_iam_group_policy_attachment" "audit" {
+ for_each = toset(compcat(concat([data.aws_iam_policy.aws-managed-security-audit.arn, aws_iam_policy.audit.arn], var.additional_policies)))
 group = aws_iam_group.audit.name
 policy_arn = each.key
 }
+#resource "aws_iam_group_policy_attachment" "audit_other" {
+# for_each = toset(local.policies)
+# group = aws_iam_group.audit.name
+# policy_arn = each.key
+#}
+#
 
 #---
 # access key (not for rotation)
 #---
-resource "aws_iam_access_key" "audit" {
- count = local.enable_access_keys
- user = aws_iam_user.audit[count.index].name
- pgp_key = var.pgp_key
-}
-
-resource "null_resource" "audit_output" {
- count = length(var.users)
- triggers = {
- user = var.create_access_keys ? element(aws_iam_user.audit[*].name, count.index) : null
- aws_access_key_id = var.create_access_keys ? element(local.aws_access_key_id, count.index) : null
- aws_secret_access_key = var.create_access_keys ? element(local.aws_secret_access_key, count.index) : null
- }
-}
+# resource "aws_iam_access_key" "audit" {
+# count = local.enable_access_keys
+# user = aws_iam_user.audit[count.index].name
+# pgp_key = var.pgp_key
+# }
+#
+# resource "null_resource" "audit_output" {
+# count = length(var.users)
+# triggers = {
+# user = var.create_access_keys ? element(aws_iam_user.audit[*].name, count.index) : null
+# aws_access_key_id = var.create_access_keys ? element(local.aws_access_key_id, count.index) : null
+# aws_secret_access_key = var.create_access_keys ? element(local.aws_secret_access_key, count.index) : null
+# }
+# }
diff --git a/outputs.tf b/outputs.tf
index 3faba88..60acd86 100644
--- a/outputs.tf
+++ b/outputs.tf
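Review bot: The new `for_each` on `aws_iam_group_policy_attachment.audit` fails twice over: `compcat(` is a typo for `compact(` and is rejected as an unknown function, and once that is fixed the set contains `aws_iam_policy.audit.arn`, which is not known until that policy is created, so the first apply stops with Terraform's "for_each value depends on resource attributes that cannot be determined until apply" error — the separate `audit_main` attachment this hunk removes existed precisely to keep that ARN out of a `for_each` key. Keying the map by static names and reading the ARN from `each.value` avoids both problems, at the cost of a one-time address change for the managed-policy and `additional_policies` attachments (which this commit already renames away from `audit_other`). The commented-out `audit_other`, `aws_iam_access_key.audit` and `null_resource.audit_output` blocks should be deleted rather than kept under the now-misleading `# access key (not for rotation)` heading.
```hcl
resource "aws_iam_group_policy_attachment" "audit" {
  # for_each keys must be known at plan time; aws_iam_policy.audit.arn is not,
  # so key by a static name and carry the ARN as the value.
  for_each = merge(
    {
      managed = data.aws_iam_policy.aws-managed-security-audit.arn
      audit   = aws_iam_policy.audit.arn
    },
    { for p in compact(var.additional_policies) : p => p },
  )
  group      = aws_iam_group.audit.name
  policy_arn = each.value
}
```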
@@ -1,28 +1,28 @@
 output "user" {
 description = "Users created"
- value = var.create_access_keys ? aws_iam_user.audit[*].name : []
+ value = var.users
 }
 
-output "aws_access_key_id" {
- description = "Access Key IDs for Users"
- value = var.create_access_keys ? aws_iam_access_key.audit[*].id : []
-}
-
-locals {
- # encrypted_secret = join(",", aws_iam_access_key.audit.*.encrypted_secret)
- # encrypted_secret = "${join(",",aws_iam_access_key.audit.*.secret)}"
- # notencrypted_secret = "${join(",",aws_iam_access_key.audit.*.secret)}"
- # secret = "${var.pgp_key == "" ? local.notencrypted_secret : local.encrypted_secret}"
- # secret = local.encrypted_secret
-}
-
-output "aws_secret_access_key" {
- description = "Access Secret Key IDs for Users"
- # value = [split(",", local.secret)]
- value = var.create_access_keys ? aws_iam_access_key.audit[*].encrypted_secret : []
-}
-
-output "aws_info" {
- description = "Access key, secret, and user map output"
- value = var.create_access_keys ? tomap(null_resource.audit_output[*].triggers) : {}
-}
+## output "aws_access_key_id" {
+## description = "Access Key IDs for Users"
+## value = var.create_access_keys ? aws_iam_access_key.audit[*].id : []
+## }
+##
+## locals {
+## # encrypted_secret = join(",", aws_iam_access_key.audit.*.encrypted_secret)
+## # encrypted_secret = "${join(",",aws_iam_access_key.audit.*.secret)}"
+## # notencrypted_secret = "${join(",",aws_iam_access_key.audit.*.secret)}"
+## # secret = "${var.pgp_key == "" ? local.notencrypted_secret : local.encrypted_secret}"
+## # secret = local.encrypted_secret
+## }
+##
+## output "aws_secret_access_key" {
+## description = "Access Secret Key IDs for Users"
+## # value = [split(",", local.secret)]
+## value = var.create_access_keys ? aws_iam_access_key.audit[*].encrypted_secret : []
+## }
+##
+## output "aws_info" {
+## description = "Access key, secret, and user map output"
+## value = var.create_access_keys ? tomap(null_resource.audit_output[*].triggers) : {}
+## }
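Review bot: `value = var.users` just echoes the input, so the `user` output no longer depends on `aws_iam_user.audit` and a consumer chaining on it can be evaluated before the users exist; `value = [for u in aws_iam_user.audit : u.name]` keeps the description "Users created" truthful and restores the ordering dependency (it yields names in key order rather than input order, which callers should know). The three outputs and the `locals` block turned into `##` comments reference `aws_iam_access_key.audit` and `null_resource.audit_output`, which this commit removes; delete them outright instead of keeping a second commented copy.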
diff --git a/policy.diffs.txt b/policy.diffs.txt new file mode 100644 index 0000000..7889583 --- /dev/null +++ b/policy.diffs.txt @@ -0,0 +1,73 @@ +# iam:List + "iam:List*", +# iam:Get + "iam:Get*", +# iam:GetCredentialReport +# ec2:Describe + "ec2:Describe*", + "ec2:DescribeTransitGatewayAttachments", + "ec2:DescribeTransitGatewayMulticastDomains", + "ec2:DescribeTransitGatewayPeeringAttachments", + "ec2:DescribeTransitGatewayRouteTables", + "ec2:DescribeTransitGatewayVpcAttachments", + "ec2:DescribeTransitGateways", +# autoscaling:Describe + "application-autoscaling:Describe*", + "autoscaling:Describe*", +# elasticloadbalancing:Describe + "elasticloadbalancing:Describe*", +# cloudwatch:List + "cloudwatch:ListTagsForResource", +# cloudwatch:Get +# cloudwatch:Describe + "cloudwatch:Describe*", +# rds:List + "rds:ListTagsForResource", +# rds:Describe + "rds:Describe*", +# sns:List + "sns:ListSubscriptions", + "sns:ListSubscriptionsByTopic", + "sns:ListTagsForResource", + "sns:ListTopics", +# sns:Get + "sns:GetTopicAttributes", +# support:Describe + "support:DescribeTrustedAdvisorCheckRefreshStatuses", + "support:DescribeTrustedAdvisorCheckResult", + "support:DescribeTrustedAdvisorCheckSummaries", + "support:DescribeTrustedAdvisorChecks", +# cloudtrail:List + "cloudtrail:ListTags", +# cloudtrail:Get + "cloudtrail:GetEventSelectors", + "cloudtrail:GetTrailStatus", +# cloudtrail:Describe + "cloudtrail:DescribeTrails", +# logs:Describe + "logs:Describe*", +# logs:Get +# kms:List + "kms:List*", +# kms:Get + "kms:Get*", +# kms:Describe + "kms:Describe*", +# config:List + "config:List*", +# config:Get + "config:Get*", +# config:Describe + "config:Describe*", + +## NEW + +cloudwatch:List* +rds:List* +sns:List* +sns:Get* +support:Describe* +cloudtrail:List* +cloudtrail:Get* +cloudtrail:Describe* +logs:Get* diff --git a/policy.securityaudit.json b/policy.securityaudit.json new file mode 100644 index 0000000..c2b00b9 --- /dev/null +++ b/policy.securityaudit.json 
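Review bot: This file reads as the working notes used to derive the new `aws_iam_policy_document.audit` statement (a `#` heading per Tenable action, the matching SecurityAudit entries beneath it, and a `## NEW` list of what was added) rather than something the module consumes, and it carries no header saying so. Give it a one-line preamble naming its purpose and the SecurityAudit policy version it was compared against and move it under docs/, or leave it out of the module root; as far as the diff shows nothing reads it, so it will drift silently from main.tf.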
@@ -0,0 +1,443 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Resource": "*", + "Action": [ + "access-analyzer:GetAnalyzedResource", + "access-analyzer:GetAnalyzer", + "access-analyzer:GetArchiveRule", + "access-analyzer:GetFinding", + "access-analyzer:ListAnalyzedResources", + "access-analyzer:ListAnalyzers", + "access-analyzer:ListArchiveRules", + "access-analyzer:ListFindings", + "access-analyzer:ListTagsForResource", + "acm-pca:ListPermissions", + "acm:Describe*", + "acm:List*", + "application-autoscaling:Describe*", + "appmesh:Describe*", + "appmesh:List*", + "appsync:List*", + "athena:GetWorkGroup", + "athena:List*", + "autoscaling-plans:DescribeScalingPlans", + "autoscaling:Describe*", + "batch:DescribeComputeEnvironments", + "batch:DescribeJobDefinitions", + "chime:List*", + "cloud9:Describe*", + "cloud9:ListEnvironments", + "clouddirectory:ListDirectories", + "cloudformation:DescribeStack*", + "cloudformation:GetStackPolicy", + "cloudformation:GetTemplate", + "cloudformation:ListStack*", + "cloudfront:Get*", + "cloudfront:List*", + "cloudhsm:ListHapgs", + "cloudhsm:ListHsms", + "cloudhsm:ListLunaClients", + "cloudsearch:DescribeDomainEndpointOptions", + "cloudsearch:DescribeDomains", + "cloudsearch:DescribeServiceAccessPolicies", + "cloudtrail:DescribeTrails", + "cloudtrail:GetEventSelectors", + "cloudtrail:GetTrailStatus", + "cloudtrail:ListTags", + "cloudtrail:LookupEvents", + "cloudwatch:Describe*", + "cloudwatch:ListTagsForResource", + "codebuild:ListProjects", + "codecommit:BatchGetRepositories", + "codecommit:GetBranch", + "codecommit:GetObjectIdentifier", + "codecommit:GetRepository", + "codecommit:GetRepositoryTriggers", + "codecommit:List*", + "codedeploy:Batch*", + "codedeploy:Get*", + "codedeploy:List*", + "codepipeline:GetJobDetails", + "codepipeline:GetPipeline", + "codepipeline:GetPipelineExecution", + "codepipeline:GetPipelineState", + "codepipeline:ListPipelines", + "codestar:Describe*", + "codestar:List*", + 
"cognito-identity:ListIdentityPools", + "cognito-idp:DescribeIdentityProvider", + "cognito-idp:DescribeResourceServer", + "cognito-idp:DescribeRiskConfiguration", + "cognito-idp:DescribeUserImportJob", + "cognito-idp:DescribeUserPool", + "cognito-idp:DescribeUserPoolClient", + "cognito-idp:DescribeUserPoolDomain", + "cognito-idp:ListDevices", + "cognito-idp:ListGroups", + "cognito-idp:ListIdentityProviders", + "cognito-idp:ListResourceServers", + "cognito-idp:ListTagsForResource", + "cognito-idp:ListUserImportJobs", + "cognito-idp:ListUserPoolClients", + "cognito-idp:ListUserPools", + "cognito-idp:ListUsers", + "cognito-idp:ListUsersInGroup", + "cognito-sync:Describe*", + "cognito-sync:List*", + "comprehend:Describe*", + "comprehend:List*", + "config:BatchGetAggregateResourceConfig", + "config:BatchGetResourceConfig", + "config:Deliver*", + "config:Describe*", + "config:Get*", + "config:List*", + "datapipeline:DescribeObjects", + "datapipeline:DescribePipelines", + "datapipeline:EvaluateExpression", + "datapipeline:GetPipelineDefinition", + "datapipeline:ListPipelines", + "datapipeline:QueryObjects", + "datapipeline:ValidatePipelineDefinition", + "datasync:Describe*", + "datasync:List*", + "dax:Describe*", + "dax:ListTags", + "detective:GetGraphIngestState", + "detective:ListGraphs", + "detective:ListMembers", + "directconnect:Describe*", + "dms:Describe*", + "dms:ListTagsForResource", + "ds:DescribeDirectories", + "dynamodb:DescribeContinuousBackups", + "dynamodb:DescribeGlobalTable", + "dynamodb:DescribeTable", + "dynamodb:DescribeTimeToLive", + "dynamodb:ListBackups", + "dynamodb:ListGlobalTables", + "dynamodb:ListStreams", + "dynamodb:ListTables", + "dynamodb:ListTagsOfResource", + "ec2:Describe*", + "ec2:DescribeTransitGatewayAttachments", + "ec2:DescribeTransitGatewayMulticastDomains", + "ec2:DescribeTransitGatewayPeeringAttachments", + "ec2:DescribeTransitGatewayRouteTables", + "ec2:DescribeTransitGatewayVpcAttachments", + "ec2:DescribeTransitGateways", + 
"ec2:GetManagedPrefixListAssociations", + "ec2:GetManagedPrefixListEntries", + "ec2:GetTransitGatewayAttachmentPropagations", + "ec2:GetTransitGatewayMulticastDomainAssociations", + "ec2:GetTransitGatewayPrefixListReferences", + "ec2:GetTransitGatewayRouteTableAssociations", + "ec2:GetTransitGatewayRouteTablePropagations", + "ecr-public:DescribeImageTags", + "ecr-public:DescribeImages", + "ecr-public:DescribeRegistries", + "ecr-public:DescribeRepositories", + "ecr-public:GetRegistryCatalogData", + "ecr-public:GetRepositoryCatalogData", + "ecr-public:GetRepositoryPolicy", + "ecr:DescribeImageScanFindings", + "ecr:DescribeImages", + "ecr:DescribeRepositories", + "ecr:GetLifecyclePolicy", + "ecr:GetRepositoryPolicy", + "ecr:ListImages", + "ecr:ListTagsForResource", + "ecs:Describe*", + "ecs:List*", + "eks:DescribeCluster", + "eks:DescribeNodeGroup", + "eks:ListClusters", + "eks:ListNodeGroups", + "elasticache:Describe*", + "elasticache:ListTagsForResource", + "elasticbeanstalk:Describe*", + "elasticbeanstalk:DescribeApplications", + "elasticbeanstalk:ListTagsForResource", + "elasticfilesystem:DescribeFileSystems", + "elasticfilesystem:DescribeMountTargetSecurityGroups", + "elasticfilesystem:DescribeMountTargets", + "elasticloadbalancing:Describe*", + "elasticmapreduce:Describe*", + "elasticmapreduce:GetBlockPublicAccessConfiguration", + "elasticmapreduce:ListClusters", + "elasticmapreduce:ListInstances", + "elasticmapreduce:ListSecurityConfigurations", + "es:Describe*", + "es:ListDomainNames", + "es:ListElasticsearchInstanceTypeDetails", + "es:ListElasticsearchVersions", + "es:ListTags", + "events:Describe*", + "events:List*", + "events:TestEventPattern", + "firehose:Describe*", + "firehose:List*", + "fms:ListComplianceStatus", + "fms:ListPolicies", + "fsx:Describe*", + "fsx:List*", + "gamelift:ListBuilds", + "gamelift:ListFleets", + "glacier:DescribeVault", + "glacier:GetVaultAccessPolicy", + "glacier:ListVaults", + "globalaccelerator:Describe*", + 
"globalaccelerator:List*", + "glue:GetCrawlers", + "glue:GetDataCatalogEncryptionSettings", + "glue:GetDatabases", + "glue:GetDevEndpoints", + "glue:GetJobs", + "greengrass:List*", + "guardduty:DescribePublishingDestination", + "guardduty:Get*", + "guardduty:List*", + "iam:GenerateCredentialReport", + "iam:GenerateServiceLastAccessedDetails", + "iam:Get*", + "iam:List*", + "iam:SimulateCustomPolicy", + "iam:SimulatePrincipalPolicy", + "inspector:Describe*", + "inspector:Get*", + "inspector:List*", + "inspector:Preview*", + "iot:Describe*", + "iot:GetPolicy", + "iot:GetPolicyVersion", + "iot:List*", + "kinesis:DescribeLimits", + "kinesis:DescribeStream", + "kinesis:DescribeStreamConsumer", + "kinesis:DescribeStreamSummary", + "kinesis:ListStreamConsumers", + "kinesis:ListStreams", + "kinesis:ListTagsForStream", + "kinesisanalytics:ListApplications", + "kms:Describe*", + "kms:Get*", + "kms:List*", + "lambda:GetAccountSettings", + "lambda:GetFunctionConfiguration", + "lambda:GetFunctionEventInvokeConfig", + "lambda:GetLayerVersionPolicy", + "lambda:GetPolicy", + "lambda:List*", + "license-manager:List*", + "lightsail:GetInstances", + "lightsail:GetLoadBalancers", + "logs:Describe*", + "logs:ListTagsLogGroup", + "machinelearning:DescribeMLModels", + "mediaconnect:Describe*", + "mediaconnect:List*", + "mediastore:GetContainerPolicy", + "mediastore:ListContainers", + "mq:DescribeBroker", + "mq:DescribeBrokerEngineTypes", + "mq:DescribeBrokerInstanceOptions", + "mq:DescribeConfiguration", + "mq:DescribeConfigurationRevision", + "mq:DescribeUser", + "mq:ListBrokers", + "mq:ListConfigurationRevisions", + "mq:ListConfigurations", + "mq:ListTags", + "mq:ListUsers", + "network-firewall:ListFirewalls", + "opsworks-cm:DescribeServers", + "opsworks:DescribeStacks", + "organizations:Describe*", + "organizations:List*", + "quicksight:Describe*", + "quicksight:List*", + "ram:List*", + "rds:Describe*", + "rds:DownloadDBLogFilePortion", + "rds:ListTagsForResource", + 
"redshift:Describe*", + "rekognition:Describe*", + "rekognition:List*", + "robomaker:Describe*", + "robomaker:List*", + "route53:Get*", + "route53:List*", + "route53domains:GetDomainDetail", + "route53domains:GetOperationDetail", + "route53domains:ListDomains", + "route53domains:ListOperations", + "route53domains:ListTagsForDomain", + "route53resolver:Get*", + "route53resolver:List*", + "s3:GetAccelerateConfiguration", + "s3:GetAccessPoint", + "s3:GetAccessPointPolicy", + "s3:GetAccessPointPolicyStatus", + "s3:GetAccountPublicAccessBlock", + "s3:GetAnalyticsConfiguration", + "s3:GetBucket*", + "s3:GetEncryptionConfiguration", + "s3:GetInventoryConfiguration", + "s3:GetLifecycleConfiguration", + "s3:GetMetricsConfiguration", + "s3:GetObjectAcl", + "s3:GetObjectVersionAcl", + "s3:GetReplicationConfiguration", + "s3:ListAccessPoints", + "s3:ListAllMyBuckets", + "sagemaker:Describe*", + "sagemaker:List*", + "schemas:DescribeCodeBinding", + "schemas:DescribeDiscoverer", + "schemas:DescribeRegistry", + "schemas:DescribeSchema", + "schemas:ListDiscoverers", + "schemas:ListRegistries", + "schemas:ListSchemaVersions", + "schemas:ListSchemas", + "schemas:ListTagsForResource", + "sdb:DomainMetadata", + "sdb:ListDomains", + "secretsmanager:DescribeSecret", + "secretsmanager:GetResourcePolicy", + "secretsmanager:ListSecretVersionIds", + "secretsmanager:ListSecrets", + "securityhub:Describe*", + "securityhub:Get*", + "securityhub:List*", + "serverlessrepo:GetApplicationPolicy", + "serverlessrepo:List*", + "servicequotas:GetAWSDefaultServiceQuota", + "servicequotas:GetAssociationForServiceQuotaTemplate", + "servicequotas:GetRequestedServiceQuotaChange", + "servicequotas:GetServiceQuota", + "servicequotas:GetServiceQuotaIncreaseRequestFromTemplate", + "servicequotas:ListAWSDefaultServiceQuotas", + "servicequotas:ListRequestedServiceQuotaChangeHistory", + "servicequotas:ListRequestedServiceQuotaChangeHistoryByQuota", + "servicequotas:ListServiceQuotaIncreaseRequestsInTemplate", + 
"servicequotas:ListServiceQuotas", + "servicequotas:ListServices", + "servicequotas:ListTagsForResource", + "ses:GetIdentityDkimAttributes", + "ses:GetIdentityPolicies", + "ses:GetIdentityVerificationAttributes", + "ses:ListIdentities", + "ses:ListIdentityPolicies", + "ses:ListVerifiedEmailAddresses", + "shield:Describe*", + "shield:List*", + "snowball:ListClusters", + "snowball:ListJobs", + "sns:GetTopicAttributes", + "sns:ListSubscriptions", + "sns:ListSubscriptionsByTopic", + "sns:ListTagsForResource", + "sns:ListTopics", + "sqs:GetQueueAttributes", + "sqs:ListDeadLetterSourceQueues", + "sqs:ListQueueTags", + "sqs:ListQueues", + "ssm:Describe*", + "ssm:GetAutomationExecution", + "ssm:ListAssociationVersions", + "ssm:ListAssociations", + "ssm:ListCommands", + "ssm:ListComplianceItems", + "ssm:ListComplianceSummaries", + "ssm:ListDocumentMetadataHistory", + "ssm:ListDocumentVersions", + "ssm:ListDocuments", + "ssm:ListInventoryEntries", + "ssm:ListOpsMetadata", + "ssm:ListResourceComplianceSummaries", + "ssm:ListResourceDataSync", + "ssm:ListTagsForResource", + "sso:DescribePermissionsPolicies", + "sso:List*", + "states:ListStateMachines", + "storagegateway:DescribeBandwidthRateLimit", + "storagegateway:DescribeCache", + "storagegateway:DescribeCachediSCSIVolumes", + "storagegateway:DescribeGatewayInformation", + "storagegateway:DescribeMaintenanceStartTime", + "storagegateway:DescribeNFSFileShares", + "storagegateway:DescribeSnapshotSchedule", + "storagegateway:DescribeStorediSCSIVolumes", + "storagegateway:DescribeTapeArchives", + "storagegateway:DescribeTapeRecoveryPoints", + "storagegateway:DescribeTapes", + "storagegateway:DescribeUploadBuffer", + "storagegateway:DescribeVTLDevices", + "storagegateway:DescribeWorkingStorage", + "storagegateway:List*", + "support:DescribeTrustedAdvisorCheckRefreshStatuses", + "support:DescribeTrustedAdvisorCheckResult", + "support:DescribeTrustedAdvisorCheckSummaries", + "support:DescribeTrustedAdvisorChecks", + 
"tag:GetResources", + "tag:GetTagKeys", + "transfer:Describe*", + "transfer:List*", + "translate:List*", + "trustedadvisor:Describe*", + "waf-regional:GetWebACL", + "waf-regional:ListResourcesForWebACL", + "waf-regional:ListTagsForResource", + "waf-regional:ListWebACLs", + "waf:GetWebACL", + "waf:ListTagsForResource", + "waf:ListWebACLs", + "wafv2:GetWebACL", + "wafv2:ListAvailableManagedRuleGroups", + "wafv2:ListIPSets", + "wafv2:ListLoggingConfigurations", + "wafv2:ListRegexPatternSets", + "wafv2:ListResourcesForWebACL", + "wafv2:ListRuleGroups", + "wafv2:ListTagsForResource", + "wafv2:ListWebACLs", + "workdocs:DescribeResourcePermissions", + "workspaces:Describe*", + "xray:GetEncryptionConfig", + "xray:GetGroup", + "xray:GetGroups", + "xray:GetSamplingRules", + "xray:GetSamplingTargets", + "xray:ListTagsForResource" + ] + }, + { + "Effect": "Allow", + "Action": [ + "apigateway:GET" + ], + "Resource": [ + "arn:aws-us-gov:apigateway:*::/apis", + "arn:aws-us-gov:apigateway:*::/apis/*/routes", + "arn:aws-us-gov:apigateway:*::/apis/*/stages", + "arn:aws-us-gov:apigateway:*::/apis/*/stages/*", + "arn:aws-us-gov:apigateway:*::/clientcertificates/*", + "arn:aws-us-gov:apigateway:*::/restapis", + "arn:aws-us-gov:apigateway:*::/restapis/*/authorizers", + "arn:aws-us-gov:apigateway:*::/restapis/*/authorizers/*", + "arn:aws-us-gov:apigateway:*::/restapis/*/documentation/versions", + "arn:aws-us-gov:apigateway:*::/restapis/*/resources", + "arn:aws-us-gov:apigateway:*::/restapis/*/resources/*", + "arn:aws-us-gov:apigateway:*::/restapis/*/resources/*/methods/*", + "arn:aws-us-gov:apigateway:*::/restapis/*/stages", + "arn:aws-us-gov:apigateway:*::/restapis/*/stages/*", + "arn:aws-us-gov:apigateway:*::/tags/*", + "arn:aws-us-gov:apigateway:*::/vpclinks" + ] + } + ] +} diff --git a/policy.tenable.json b/policy.tenable.json new file mode 100644 index 0000000..b238681 --- /dev/null +++ b/policy.tenable.json 
@@ -0,0 +1,36 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Action": [
+ "iam:List*",
+ "iam:Get*",
+ "iam:GetCredentialReport"
+ "ec2:Describe*",
+ "autoscaling:Describe*",
+ "elasticloadbalancing:Describe*",
+ "cloudwatch:List*",
+ "cloudwatch:Get*",
+ "cloudwatch:Describe*",
+ "rds:List*",
+ "rds:Describe*",
+ "sns:List*",
+ "sns:Get*",
+ "support:Describe*",
+ "cloudtrail:List*",
+ "cloudtrail:Get*",
+ "cloudtrail:Describe*",
+ "logs:Describe*",
+ "logs:Get*",
+ "kms:List*",
+ "kms:Get*",
+ "kms:Describe*",
+ "config:List*",
+ "config:Get*",
+ "config:Describe*"
+ ],
+ "Effect": "Allow",
+ "Resource": "*"
+ }
+ ]
+}
diff --git a/variables.tf b/variables.tf
index a66b206..9e0f303 100644
--- a/variables.tf
+++ b/variables.tf
@@ -33,7 +33,7 @@ variable "create_access_keys" {
 variable "pgp_key" {
 description = "PGP key used to encrypt access key"
 type = string
- # default = ""
+ default = null
 }
 
 variable "contact" {
diff --git a/version.tf b/version.tf
index e489cd7..d3e2658 100644
--- a/version.tf
+++ b/version.tf
@@ -1,3 +1,3 @@
 locals {
- _module_version = "2.1.3"
+ _module_version = "2.2.0"
 }
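Review bot: The new file is not valid JSON: `"iam:GetCredentialReport"` is missing its trailing comma before `"ec2:Describe*"`, so `jsondecode(file(...))` or a console import of the policy would fail to parse; the fix is `"iam:GetCredentialReport",`. As far as the diff shows nothing in the module reads this file — the equivalent grants were transcribed by hand into the `aws_iam_policy_document` in main.tf — so the immediate effect is only that the reference copy and the Terraform statement can drift (they already differ on `cloudwatch:Get*`). If this file is meant to be the source of truth, load it through `jsondecode` so the two cannot diverge.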
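Review bot: `default = null` makes `pgp_key` optional, but with `aws_iam_access_key.audit` commented out in main.tf neither `pgp_key` nor `create_access_keys` (whose declaration precedes this hunk) is read anywhere the diff shows, while the README input table still describes `create_access_keys` as "Set to 1 or true to create access keys". Either remove both inputs — the CHANGELOG already describes 2.2.0 as "remove access_key generation", so a breaking input removal fits that entry — or keep them for one release with a description such as `description = "Deprecated: ignored since 2.2.0, access key generation was removed from this module"` so a caller still passing a PGP key is not silently ignored.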
"s-inf-security-audit"
]