fix(IAM): add missing permissions for Prowler (#1731)

Co-authored-by: sergargar <sergio@verica.io>
2026-01-25 02:08:11 +00:00 · 2023-01-18 11:45:37 +01:00
parent e3e3b3e279
commit 50070e8fe7
1 changed files with 19 additions and 3 deletions
--- a/permissions/prowler-additions-policy.json
+++ b/permissions/prowler-additions-policy.json
@@ -3,15 +3,22 @@
  "Statement": [
    {
      "Action": [
-        "ds:ListAuthorizedApplications",
+        "appstream:Describe*",
+        "codeartifact:List*",
+        "codebuild:BatchGet*",
+        "ds:Describe*",
+        "ds:Get*",
+        "ds:List*",
        "ec2:GetEbsEncryptionByDefault",
        "ecr:Describe*",
        "elasticfilesystem:DescribeBackupPolicy",
        "glue:GetConnections",
-        "glue:GetSecurityConfiguration",
+        "glue:GetSecurityConfiguration*",
        "glue:SearchTables",
-        "lambda:GetFunction",
+        "lambda:GetFunction*",
+        "macie2:GetMacieSession",
        "s3:GetAccountPublicAccessBlock",
+        "s3:GetPublicAccessBlock",
        "shield:DescribeProtection",
        "shield:GetSubscriptionState",
        "ssm:GetDocument",
@@ -21,6 +28,15 @@
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "AllowMoreReadForProwler"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "apigateway:GET"
+      ],
+      "Resource": [
+        "arn:aws:apigateway:*::/restapis/*"
+      ]
    }
  ]
 }