From 707278f9db8d5a08a0b8e5d7c9f7b94c8d6d20a0 Mon Sep 17 00:00:00 2001
From: Mitul Sheth <97634367+mms2409@users.noreply.github.com>
Date: Fri, 16 Feb 2024 10:13:16 -0500
Subject: [PATCH] fix: limit permissions

---
 modules/services/workload-scanning/main.tf           | 6 +-----
 modules/services/workload-scanning/organizational.tf | 4 ----
 2 files changed, 1 insertion(+), 9 deletions(-)

diff --git a/modules/services/workload-scanning/main.tf b/modules/services/workload-scanning/main.tf
index 06f9678..983c165 100644
--- a/modules/services/workload-scanning/main.tf
+++ b/modules/services/workload-scanning/main.tf
@@ -31,11 +31,7 @@ data "aws_iam_policy_document" "scanning" {
       "ecr:GetDownloadUrlForLayer",
       "ecr:BatchGetImage",
       "ecr:BatchCheckLayerAvailability",
-      "ecr:GetRepositoryPolicy",
-      "ecr:DescribeRepositories",
       "ecr:ListImages",
-      "ecr:DescribeImages",
-      "ecr:ListTagsForResource",
       "ecr:GetAuthorizationToken",
     ]
 
@@ -49,7 +45,7 @@ resource "aws_iam_policy" "scanning" {
   count = (var.deploy_global_resources || var.is_organizational) ? 1 : 0
 
   name        = var.name
-  description = "Grants Sysdig Secure access to volumes and snapshots"
+  description = "Grants Sysdig Secure access to ECR images"
   policy      = data.aws_iam_policy_document.scanning[0].json
   tags        = var.tags
 }
diff --git a/modules/services/workload-scanning/organizational.tf b/modules/services/workload-scanning/organizational.tf
index 1f9a4bf..f3ee675 100644
--- a/modules/services/workload-scanning/organizational.tf
+++ b/modules/services/workload-scanning/organizational.tf
@@ -67,11 +67,7 @@ Resources:
                 - "ecr:GetDownloadUrlForLayer"
                 - "ecr:BatchGetImage"
                 - "ecr:BatchCheckLayerAvailability"
-                - "ecr:GetRepositoryPolicy"
-                - "ecr:DescribeRepositories"
                 - "ecr:ListImages"
-                - "ecr:DescribeImages"
-                - "ecr:ListTagsForResource"
                 - "ecr:GetAuthorizationToken"
               Resource: "*"
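Review bot: The trimmed `actions` list in the first main.tf hunk is still a single statement whose `resources` attribute lies outside the hunk, and the companion StackSet template in organizational.tf grants the same five actions on `Resource: "*"`, so if main.tf does the same the least-privilege intent of "limit permissions" is only half realized. Of the remaining actions only `ecr:GetAuthorizationToken` has to be granted on `*`; `ecr:BatchGetImage`, `ecr:GetDownloadUrlForLayer`, `ecr:BatchCheckLayerAvailability` and `ecr:ListImages` accept repository ARNs and can move to a second `statement` with `resources = ["arn:aws:ecr:*:*:repository/*"]` (or a variable naming the repositories to be scanned), with the same split applied to the CloudFormation statement. The action list is now maintained by hand in two files and this commit had to edit both, so a comment above the list such as `# Keep in sync with the StackSet template in organizational.tf` would help prevent drift. The enclosing `data "aws_iam_policy_document" "scanning"` block starts and ends outside the hunk.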