From 4837df4352307dcbae7a885798931dc3efb72831 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pedro=20Mart=C3=ADn?=
Date: Mon, 24 Jun 2024 18:14:20 +0200
Subject: [PATCH] chore(aws): handle new permissions (#4289)

---
 permissions/create_role_to_assume_cfn.yaml | 3 +++
 permissions/prowler-additions-policy.json | 3 +++
 .../aws/services/eventbridge/eventbridge_service.py | 8 ++++++--
 prowler/providers/aws/services/fms/fms_service.py | 2 ++
 4 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/permissions/create_role_to_assume_cfn.yaml b/permissions/create_role_to_assume_cfn.yaml
index f64a1ae89d..f9cb20e30a 100644
--- a/permissions/create_role_to_assume_cfn.yaml
+++ b/permissions/create_role_to_assume_cfn.yaml
@@ -65,13 +65,16 @@ Resources:
 - 'ds:Get*'
 - 'ds:Describe*'
 - 'ds:List*'
+ - 'dynamodb:GetResourcePolicy'
 - 'ec2:GetEbsEncryptionByDefault'
+ - 'ec2:GetInstanceMetadataDefaults'
 - 'ecr:Describe*'
 - 'elasticfilesystem:DescribeBackupPolicy'
 - 'glue:GetConnections'
 - 'glue:GetSecurityConfiguration*'
 - 'glue:SearchTables'
 - 'lambda:GetFunction*'
+ - 'lightsail:GetRelationalDatabases'
 - 'macie2:GetMacieSession'
 - 's3:GetAccountPublicAccessBlock'
 - 'shield:DescribeProtection'
diff --git a/permissions/prowler-additions-policy.json b/permissions/prowler-additions-policy.json
index cb716becac..6fd80a8d8c 100644
--- a/permissions/prowler-additions-policy.json
+++ b/permissions/prowler-additions-policy.json
@@ -16,7 +16,9 @@
 "ds:Get*",
 "ds:Describe*",
 "ds:List*",
+ "dynamodb:GetResourcePolicy",
 "ec2:GetEbsEncryptionByDefault",
+ "ec2:GetInstanceMetadataDefaults",
 "ecr:Describe*",
 "ecr:GetRegistryScanningConfiguration",
 "elasticfilesystem:DescribeBackupPolicy",
@@ -25,6 +27,7 @@
 "glue:SearchTables",
 "lambda:GetFunction*",
 "logs:FilterLogEvents",
+ "lightsail:GetRelationalDatabases",
 "macie2:GetMacieSession",
 "s3:GetAccountPublicAccessBlock",
 "shield:DescribeProtection",
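Review bot: The three new actions are read-only Get calls, which fits the role's least-privilege intent, but the two permission lists are visibly drifting: this hunk goes `lambda:GetFunction*` → `lightsail:GetRelationalDatabases` → `macie2:GetMacieSession`, while the matching hunk in prowler-additions-policy.json also carries `logs:FilterLogEvents` and `ecr:GetRegistryScanningConfiguration` between the same neighbours. Unless those two actions appear elsewhere in this template (not visible in the hunk), the CloudFormation role will lack permissions the JSON policy grants, and the checks behind them will fail only for users who onboard via CloudFormation. A one-line comment above the action list, `# Keep in sync with permissions/prowler-additions-policy.json`, plus a CI comparison of the two action sets would keep them aligned.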
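Review bot: `lightsail:GetRelationalDatabases` is inserted after `logs:FilterLogEvents`, breaking the alphabetical order the surrounding entries follow (`lambda` < `lightsail` < `logs`); moving it one line up, directly after `lambda:GetFunction*`, keeps a policy that reviewers audit by eye scannable. The CloudFormation template's hunk already places it right after `lambda:GetFunction*`, so the two files would then read identically at that point. Strict JSON allows no comment here, so consistent ordering is the only reading aid available.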
diff --git a/prowler/providers/aws/services/eventbridge/eventbridge_service.py b/prowler/providers/aws/services/eventbridge/eventbridge_service.py
index c84904477b..e9498e4f55 100644
--- a/prowler/providers/aws/services/eventbridge/eventbridge_service.py
+++ b/prowler/providers/aws/services/eventbridge/eventbridge_service.py
@@ -124,10 +124,14 @@ class Schema(AWSService):
 )
 
 def __get_resource_policy__(self, regional_client):
- logger.info("EventBridge - Describing Event Buses...")
+ logger.info("EventBridge - Getting Registry Resource Policy...")
 try:
 for registry in self.registries.values():
- if registry.region == regional_client.region:
+ # Only get the policy for the registry in the same region and not AWS owned
+ if (
+ registry.region == regional_client.region
+ and not registry.name.startswith("aws.")
+ ):
 try:
 response = regional_client.get_resource_policy(
 RegistryName=registry.name
diff --git a/prowler/providers/aws/services/fms/fms_service.py b/prowler/providers/aws/services/fms/fms_service.py
index 51322e3244..80dd8fb733 100644
--- a/prowler/providers/aws/services/fms/fms_service.py
+++ b/prowler/providers/aws/services/fms/fms_service.py
@@ -49,6 +49,8 @@ class FMS(AWSService):
 if (
 "No default admin could be found for account"
 in error.response["Error"]["Message"]
+ or "Operation ListPolicies is only available to AWS Firewall Manager Administrators"
+ in error.response["Error"]["Message"]
 ):
 # FMS is not enabled in this account
 self.fms_admin_account = False
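Review bot: The added `and not registry.name.startswith("aws.")` clause skips AWS-managed registries silently, and the comment above it only restates the condition rather than why it is needed; the reason is presumably that `get_resource_policy` errors on those registries, so say so: `# Skip AWS-managed registries ("aws." prefix): GetResourcePolicy is not applicable to them`. Because a skipped registry keeps whatever default its policy attribute was given, whichever check consumes it must treat that default as not-applicable rather than as a missing policy — that consumer is outside this hunk, so it is worth confirming. A `logger.debug` on the skip would make the omission visible in verbose runs, and the name-prefix test is a heuristic that an explicit ownership attribute from the registries API, if one exists, would replace more safely. `__get_resource_policy__` continues beyond the hunk, so the error handling around the call is not visible here.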
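Review bot: The comment `# FMS is not enabled in this account` no longer fits the branch once the second message is accepted, because "Operation ListPolicies is only available to AWS Firewall Manager Administrators" means FMS may well be enabled while this account is simply not its administrator; change it to `# FMS is not enabled here, or this account is not the FMS administrator: either way policies cannot be listed` so a later reader does not widen the check on a wrong premise. Matching on two human-readable message fragments is brittle — if AWS rewords either string the error falls through to whatever handling sits below this hunk — so if `error.response["Error"]["Code"]` is stable for both cases, prefer it and keep the message test only as a fallback. Hoisting `error.response["Error"]["Message"]` into a local before the `if` would also remove the repeated lookup. The `except` that binds `error` starts before this hunk, so the exception type being caught is not visible here.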