chore(aws): handle new permissions (#4289)

Pedro Martín
2024-06-24 18:14:20 +02:00
committed by GitHub
parent d173d58a93
commit 4837df4352
4 changed files with 14 additions and 2 deletions
@@ -65,13 +65,16 @@ Resources:
- 'ds:Get*'
- 'ds:Describe*'
- 'ds:List*'
- 'dynamodb:GetResourcePolicy'
- 'ec2:GetEbsEncryptionByDefault'
- 'ec2:GetInstanceMetadataDefaults'
- 'ecr:Describe*'
- 'elasticfilesystem:DescribeBackupPolicy'
- 'glue:GetConnections'
- 'glue:GetSecurityConfiguration*'
- 'glue:SearchTables'
- 'lambda:GetFunction*'
- 'lightsail:GetRelationalDatabases'
- 'macie2:GetMacieSession'
- 's3:GetAccountPublicAccessBlock'
- 'shield:DescribeProtection'
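Review bot: The action list in this CloudFormation hunk has no `ecr:GetRegistryScanningConfiguration` between `ecr:Describe*` and `elasticfilesystem:DescribeBackupPolicy`, and no `logs:FilterLogEvents` after `lambda:GetFunction*`, although both appear at those positions in the JSON policy hunks of this commit. If the two documents are meant to describe the same scan role, a role deployed from the template would get AccessDenied on the checks that need those calls, which usually shows up as missing findings rather than a hard failure. They may be granted in a part of the template outside the hunk, so this needs confirming. Since the commit already adds the same three read-only actions to both files, it is a natural place to bring the lists back in line and to note above the list that it has to stay in sync with the JSON policy.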
@@ -16,7 +16,9 @@
"ds:Get*",
"ds:Describe*",
"ds:List*",
"dynamodb:GetResourcePolicy",
"ec2:GetEbsEncryptionByDefault",
"ec2:GetInstanceMetadataDefaults",
"ecr:Describe*",
"ecr:GetRegistryScanningConfiguration",
"elasticfilesystem:DescribeBackupPolicy",
@@ -25,6 +27,7 @@
"glue:SearchTables",
"lambda:GetFunction*",
"logs:FilterLogEvents",
"lightsail:GetRelationalDatabases",
"macie2:GetMacieSession",
"s3:GetAccountPublicAccessBlock",
"shield:DescribeProtection",
@@ -124,10 +124,14 @@ class Schema(AWSService):
)
def __get_resource_policy__(self, regional_client):
logger.info("EventBridge - Describing Event Buses...")
logger.info("EventBridge - Getting Registry Resource Policy...")
try:
for registry in self.registries.values():
if registry.region == regional_client.region:
# Only get the policy for the registry in the same region and not AWS owned
if (
registry.region == regional_client.region
and not registry.name.startswith("aws.")
):
try:
response = regional_client.get_resource_policy(
RegistryName=registry.name
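Review bot: The new `not registry.name.startswith("aws.")` filter skips registries without any trace, so a skipped registry keeps whatever policy value it was created with and downstream checks cannot tell "no policy" from "never queried". The comment says "not AWS owned", but the test is only a name prefix; unless the service reserves that prefix, a customer registry named that way would never have its resource policy evaluated. I would state the assumption in the comment once confirmed, e.g. `# assumes the "aws." prefix is reserved for AWS-managed registries`, and log the skip at debug level. Separately, the log line that appears to be the new one still says `EventBridge - ...` inside `class Schema`; `logger.info("Schema - Getting Registry Resource Policy...")` would match the service. The body of `__get_resource_policy__` continues past the end of the hunk.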
@@ -49,6 +49,8 @@ class FMS(AWSService):
if (
"No default admin could be found for account"
in error.response["Error"]["Message"]
or "Operation ListPolicies is only available to AWS Firewall Manager Administrators"
in error.response["Error"]["Message"]
):
# FMS is not enabled in this account
self.fms_admin_account = False
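Review bot: The comment `# FMS is not enabled in this account` no longer matches the branch. The added message, "Operation ListPolicies is only available to AWS Firewall Manager Administrators", describes a caller that is not the Firewall Manager administrator, which is different from FMS being off. Setting `self.fms_admin_account = False` for both cases is reasonable, but the comment should say so, e.g. `# FMS is not enabled, or this account is not the FMS administrator`, so that checks built on the flag are not read as "FMS disabled". Matching on message substrings is also brittle if the service rewords its text; testing `error.response["Error"]["Code"]` first would be sturdier, provided the code is distinct for these cases, which the hunk does not show. The enclosing `except` block starts outside the hunk.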