diff --git a/policies/IAMAuditRootUserCredentials b/policies/IAMAuditRootUserCredentials
new file mode 100644
index 0000000000..02d0438d75
--- /dev/null
+++ b/policies/IAMAuditRootUserCredentials
@@ -0,0 +1,39 @@
+{
+    "PolicyVersion": {
+        "CreateDate": "2024-11-06T22:27:58Z",
+        "VersionId": "v1",
+        "Document": {
+            "Version": "2012-10-17",
+            "Statement": [
+                {
+                    "NotAction": [
+                        "iam:ListAccessKeys",
+                        "iam:ListSigningCertificates",
+                        "iam:GetLoginProfile",
+                        "iam:ListMFADevices",
+                        "iam:GetAccountSummary",
+                        "iam:GetUser",
+                        "iam:GetAccessKeyLastUsed"
+                    ],
+                    "Resource": "*",
+                    "Effect": "Deny",
+                    "Sid": "DenyAllOtherActionsOnAnyResource"
+                },
+                {
+                    "Action": [
+                        "iam:ListAccessKeys",
+                        "iam:ListSigningCertificates",
+                        "iam:GetLoginProfile",
+                        "iam:ListMFADevices",
+                        "iam:GetUser",
+                        "iam:GetAccessKeyLastUsed"
+                    ],
+                    "NotResource": "arn:aws:iam::*:root",
+                    "Effect": "Deny",
+                    "Sid": "DenyAuditingCredentialsOnNonRootUserResource"
+                }
+            ]
+        },
+        "IsDefaultVersion": true
+    }
+}
diff --git a/policies/IAMCreateRootUserPassword b/policies/IAMCreateRootUserPassword
new file mode 100644
index 0000000000..b88a213fb5
--- /dev/null
+++ b/policies/IAMCreateRootUserPassword
@@ -0,0 +1,30 @@
+{
+    "PolicyVersion": {
+        "CreateDate": "2024-11-06T22:32:59Z",
+        "VersionId": "v1",
+        "Document": {
+            "Version": "2012-10-17",
+            "Statement": [
+                {
+                    "NotAction": [
+                        "iam:CreateLoginProfile",
+                        "iam:GetLoginProfile"
+                    ],
+                    "Resource": "*",
+                    "Effect": "Deny",
+                    "Sid": "DenyAllOtherActionsOnAnyResource"
+                },
+                {
+                    "Action": [
+                        "iam:CreateLoginProfile",
+                        "iam:GetLoginProfile"
+                    ],
+                    "NotResource": "arn:aws:iam::*:root",
+                    "Effect": "Deny",
+                    "Sid": "DenyCreatingPasswordOnNonRootUserResource"
+                }
+            ]
+        },
+        "IsDefaultVersion": true
+    }
+}
diff --git a/policies/IAMDeleteRootUserCredentials b/policies/IAMDeleteRootUserCredentials
new file mode 100644
index 0000000000..20ae2ac1d5
--- /dev/null
+++ b/policies/IAMDeleteRootUserCredentials
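Review bot: `iam:GetAccountSummary` is in the first statement's `NotAction` list but absent from the second statement's `Action` list, so it is the one read this document leaves permitted on any resource, while the other six are confined to `arn:aws:iam::*:root` by the `NotResource` deny; that looks deliberate (it is an account-level call with no user resource), but nothing in the file records it. Both statements are `Deny`, so the document grants nothing on its own and only narrows whatever permissions the session it is attached to already has; the IAMCreateRootUserPassword, IAMDeleteRootUserCredentials, S3UnlockBucketPolicy and SQSUnlockQueuePolicy hunks below share this Deny-only shape and the same caveat. If these files are kept as verbatim snapshots, a sibling note such as `Deny-only: the NotAction/NotResource pair restricts an existing session to the listed reads on the root principal; GetAccountSummary is intentionally not resource-scoped` would be the place to say so.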
@@ -0,0 +1,48 @@
+{
+    "PolicyVersion": {
+        "CreateDate": "2024-11-06T22:47:58Z",
+        "VersionId": "v1",
+        "Document": {
+            "Version": "2012-10-17",
+            "Statement": [
+                {
+                    "NotAction": [
+                        "iam:DeleteAccessKey",
+                        "iam:DeleteSigningCertificate",
+                        "iam:DeleteLoginProfile",
+                        "iam:DeactivateMFADevice",
+                        "iam:DeleteVirtualMFADevice",
+                        "iam:ListAccessKeys",
+                        "iam:ListSigningCertificates",
+                        "iam:GetLoginProfile",
+                        "iam:ListMFADevices",
+                        "iam:GetUser",
+                        "iam:GetAccessKeyLastUsed"
+                    ],
+                    "Resource": "*",
+                    "Effect": "Deny",
+                    "Sid": "DenyAllOtherActionsOnAnyResource"
+                },
+                {
+                    "Action": [
+                        "iam:DeleteAccessKey",
+                        "iam:DeleteSigningCertificate",
+                        "iam:DeleteLoginProfile",
+                        "iam:DeactivateMFADevice",
+                        "iam:DeleteVirtualMFADevice",
+                        "iam:ListAccessKeys",
+                        "iam:ListSigningCertificates",
+                        "iam:GetLoginProfile",
+                        "iam:ListMFADevices",
+                        "iam:GetUser",
+                        "iam:GetAccessKeyLastUsed"
+                    ],
+                    "NotResource": "arn:aws:iam::*:root",
+                    "Effect": "Deny",
+                    "Sid": "DenyDeletingRootUserCredentialsOnNonRootUserResource"
+                }
+            ]
+        },
+        "IsDefaultVersion": true
+    }
+}
diff --git a/policies/S3UnlockBucketPolicy b/policies/S3UnlockBucketPolicy
new file mode 100644
index 0000000000..6d344f09bd
--- /dev/null
+++ b/policies/S3UnlockBucketPolicy
@@ -0,0 +1,39 @@
+{
+    "PolicyVersion": {
+        "CreateDate": "2024-11-06T21:55:56Z",
+        "VersionId": "v1",
+        "Document": {
+            "Version": "2012-10-17",
+            "Statement": [
+                {
+                    "NotAction": [
+                        "s3:DeleteBucketPolicy",
+                        "s3:PutBucketPolicy",
+                        "s3:GetBucketPolicy",
+                        "s3:ListAllMyBuckets"
+                    ],
+                    "Resource": "*",
+                    "Effect": "Deny",
+                    "Sid": "DenyAllOtherActionsOnAnyResource"
+                },
+                {
+                    "Action": [
+                        "s3:DeleteBucketPolicy",
+                        "s3:PutBucketPolicy",
+                        "s3:GetBucketPolicy",
+                        "s3:ListAllMyBuckets"
+                    ],
+                    "Resource": "*",
+                    "Effect": "Deny",
+                    "Condition": {
+                        "StringNotLike": {
+                            "aws:PrincipalArn": "arn:aws:iam::*:root"
+                        }
+                    },
+                    "Sid": "DenyManagingBucketPolicyForNonRootCallers"
+                }
+            ]
+        },
+        "IsDefaultVersion": true
+    }
+}
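Review bot: `iam:DeleteVirtualMFADevice` in the second statement is, as far as I can tell, authorized against the MFA device ARN (`arn:aws:iam::<account>:mfa/...`) rather than the user ARN, and that pattern does not match `arn:aws:iam::*:root`, so the `NotResource` deny would appear to block deleting even the root user's own virtual device, while `iam:DeactivateMFADevice` (user-scoped) passes. That may be intended, or a root session may evaluate it differently than I expect; it is worth confirming before this policy is described as a complete credential clean-up, and recording the result beside the file.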
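Review bot: The second statement gates on the caller (`aws:PrincipalArn` `StringNotLike` `arn:aws:iam::*:root`) but not on the bucket owner: with `Resource: "*"` and no `aws:ResourceAccount` condition, this document by itself does not confine `s3:PutBucketPolicy`/`s3:DeleteBucketPolicy` to buckets in the session's own account, whereas the SQSUnlockQueuePolicy hunk below does add an `aws:ResourceAccount` guard for its read. The cross-account case is presumably stopped by the target bucket's own policy and by whatever the session policy grants, neither of which is visible here, so a caveat such as `no resource-account scoping in this document; cross-account reach depends on the bucket policy` next to the snapshot would help readers. The `*` in the account position of the root pattern also means any account's root principal satisfies the condition, which is fine for a single-account session but worth knowing in an organization.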
diff --git a/policies/SQSUnlockQueuePolicy b/policies/SQSUnlockQueuePolicy
new file mode 100644
index 0000000000..c7cd4583b9
--- /dev/null
+++ b/policies/SQSUnlockQueuePolicy
@@ -0,0 +1,54 @@
+{
+    "PolicyVersion": {
+        "CreateDate": "2024-11-06T21:51:02Z",
+        "VersionId": "v1",
+        "Document": {
+            "Version": "2012-10-17",
+            "Statement": [
+                {
+                    "NotAction": [
+                        "sqs:SetQueueAttributes",
+                        "sqs:GetQueueAttributes",
+                        "sqs:ListQueues",
+                        "sqs:GetQueueUrl"
+                    ],
+                    "Resource": "*",
+                    "Effect": "Deny",
+                    "Sid": "DenyAllOtherActionsOnAnyResource"
+                },
+                {
+                    "Action": [
+                        "sqs:GetQueueAttributes"
+                    ],
+                    "Resource": "arn:aws:sqs:*:*:*",
+                    "Effect": "Deny",
+                    "Condition": {
+                        "StringNotEqualsIfExists": {
+                            "aws:ResourceAccount": [
+                                "${aws:PrincipalAccount}"
+                            ]
+                        }
+                    },
+                    "Sid": "DenyGettingQueueAttributesOnNonOwnQueue"
+                },
+                {
+                    "Action": [
+                        "sqs:SetQueueAttributes",
+                        "sqs:GetQueueAttributes",
+                        "sqs:ListQueues",
+                        "sqs:GetQueueUrl"
+                    ],
+                    "Resource": "*",
+                    "Effect": "Deny",
+                    "Condition": {
+                        "StringNotLike": {
+                            "aws:PrincipalArn": "arn:aws:iam::*:root"
+                        }
+                    },
+                    "Sid": "DenyActionsForNonRootUser"
+                }
+            ]
+        },
+        "IsDefaultVersion": true
+    }
+}
diff --git a/policies/SecurityLakeResourceManagementServiceRolePolicy b/policies/SecurityLakeResourceManagementServiceRolePolicy
new file mode 100644
index 0000000000..32d2aa4781
--- /dev/null
+++ b/policies/SecurityLakeResourceManagementServiceRolePolicy
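Review bot: Only `sqs:GetQueueAttributes` carries the own-account guard (second statement, `StringNotEqualsIfExists` on `aws:ResourceAccount`); `sqs:SetQueueAttributes`, the write that actually changes a queue's policy, has no such scoping and is gated on the root principal alone in the third statement. The `IfExists` suffix also means that deny does not apply when the key is absent from the request context, a detail a reader of a policy meant as a hard boundary should not have to discover. If the files stay verbatim snapshots, a one-line note such as `cross-account SetQueueAttributes is not restricted by this document; relies on the target queue's resource policy and the session policy` would capture it, hedged, since what the session grants is not visible here.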
@@ -0,0 +1,230 @@
+{
+    "PolicyVersion": {
+        "CreateDate": "2024-11-14T22:10:14Z",
+        "VersionId": "v1",
+        "Document": {
+            "Version": "2012-10-17",
+            "Statement": [
+                {
+                    "Action": [
+                        "events:ListRules"
+                    ],
+                    "Resource": "*",
+                    "Effect": "Allow",
+                    "Condition": {
+                        "StringEquals": {
+                            "aws:ResourceAccount": "${aws:PrincipalAccount}"
+                        }
+                    },
+                    "Sid": "ReadEventBridgeRules"
+                },
+                {
+                    "Action": [
+                        "events:PutRule"
+                    ],
+                    "Resource": "arn:aws:events:*:*:rule/AmazonSecurityLake-*",
+                    "Effect": "Allow",
+                    "Condition": {
+                        "StringEquals": {
+                            "aws:ResourceAccount": "${aws:PrincipalAccount}"
+                        }
+                    },
+                    "Sid": "ManageSecurityLakeEventRules"
+                },
+                {
+                    "Action": [
+                        "lambda:GetEventSourceMapping",
+                        "lambda:GetFunction",
+                        "lambda:PutFunctionConcurrency",
+                        "lambda:GetProvisionedConcurrencyConfig",
+                        "lambda:GetFunctionConcurrency",
+                        "lambda:GetRuntimeManagementConfig",
+                        "lambda:PutProvisionedConcurrencyConfig",
+                        "lambda:PublishVersion",
+                        "lambda:DeleteFunctionConcurrency",
+                        "lambda:DeleteEventSourceMapping",
+                        "lambda:GetAlias",
+                        "lambda:GetPolicy",
+                        "lambda:GetFunctionConfiguration",
+                        "lambda:UpdateFunctionConfiguration"
+                    ],
+                    "Resource": [
+                        "arn:aws:lambda:*:*:function:SecurityLake_Glue_Partition_Updater_Lambda*",
+                        "arn:aws:lambda:*:*:function:AmazonSecurityLakeMetastoreManager-*-*"
+                    ],
+                    "Effect": "Allow",
+                    "Condition": {
+                        "StringEquals": {
+                            "aws:ResourceAccount": "${aws:PrincipalAccount}"
+                        }
+                    },
+                    "Sid": "ManageSecurityLakeLambdaConfigurations"
+                },
+                {
+                    "Action": [
+                        "lambda:ListEventSourceMappings"
+                    ],
+                    "Resource": "*",
+                    "Effect": "Allow",
+                    "Condition": {
+                        "StringEquals": {
+                            "aws:ResourceAccount": "${aws:PrincipalAccount}"
+                        }
+                    },
+                    "Sid": "AllowListLambdaEventSourceMappings"
+                },
+                {
+                    "Action": [
+                        "lambda:UpdateEventSourceMapping"
+                    ],
+                    "Resource": "*",
+                    "Effect": "Allow",
+                    "Condition": {
+                        "StringLike": {
+                            "lambda:FunctionArn": "arn:aws:lambda:*:*:function:AmazonSecurityLakeMetastoreManager-*-*"
+                        },
+                        "StringEquals": {
+                            "aws:ResourceAccount": "${aws:PrincipalAccount}"
+                        }
+                    },
+                    "Sid": "AllowUpdateLambdaEventSourceMapping"
+                },
+                {
+                    "Action": [
+                        "lambda:UpdateFunctionConfiguration"
+                    ],
+                    "Resource": "arn:aws:lambda:*:*:function:AmazonSecurityLakeMetastoreManager-*-*",
+                    "Effect": "Allow",
+                    "Condition": {
+                        "StringEquals": {
+                            "aws:ResourceAccount": "${aws:PrincipalAccount}"
+                        }
+                    },
+                    "Sid": "AllowUpdateLambdaConfigs"
+                },
+                {
+                    "Action": [
+                        "glue:CreatePartition",
+                        "glue:BatchCreatePartition",
+                        "glue:GetTable",
+                        "glue:GetTables",
+                        "glue:UpdateTable",
+                        "glue:GetDatabase"
+                    ],
+                    "Resource": [
+                        "arn:aws:glue:*:*:table/amazon_security_lake_glue_db*/*",
+                        "arn:aws:glue:*:*:database/amazon_security_lake_glue_db*",
+                        "arn:aws:glue:*:*:catalog"
+                    ],
+                    "Effect": "Allow",
+                    "Condition": {
+                        "StringEquals": {
+                            "aws:ResourceAccount": "${aws:PrincipalAccount}"
+                        }
+                    },
+                    "Sid": "ManageSecurityLakeGlueResources"
+                },
+                {
+                    "Action": [
+                        "s3:ListBucket",
+                        "s3:PutObject",
+                        "s3:GetObjectAttributes",
+                        "s3:GetBucketNotification",
+                        "s3:PutBucketNotification",
+                        "s3:GetLifecycleConfiguration",
+                        "s3:PutLifecycleConfiguration",
+                        "s3:GetEncryptionConfiguration",
+                        "s3:GetReplicationConfiguration"
+                    ],
+                    "Resource": [
+                        "arn:aws:s3:::aws-security-data-lake*"
+                    ],
+                    "Effect": "Allow",
+                    "Condition": {
+                        "StringEquals": {
+                            "aws:ResourceAccount": "${aws:PrincipalAccount}"
+                        }
+                    },
+                    "Sid": "AllowDataLakeConfigurationManagement"
+                },
+                {
+                    "Action": [
+                        "s3:GetObject",
+                        "s3:DeleteObject",
+                        "s3:RestoreObject"
+                    ],
+                    "Resource": [
+                        "arn:aws:s3:::aws-security-data-lake*/metadata/*.avro",
+                        "arn:aws:s3:::aws-security-data-lake*/metadata/*.metadata.json"
+                    ],
+                    "Effect": "Allow",
+                    "Condition": {
+                        "StringEquals": {
+                            "aws:ResourceAccount": "${aws:PrincipalAccount}"
+                        }
+                    },
+                    "Sid": "AllowMetaDataCompactionAndManagement"
+                },
+                {
+                    "Action": [
+                        "logs:DescribeLogStreams",
+                        "logs:StartQuery",
+                        "logs:GetLogEvents",
+                        "logs:GetQueryResults",
+                        "logs:GetLogRecord"
+                    ],
+                    "Resource": [
+                        "arn:aws:logs:*:*:log-group:/aws/lambda/AmazonSecurityLakeMetastoreManager-*-*"
+                    ],
+                    "Effect": "Allow",
+                    "Condition": {
+                        "StringEquals": {
+                            "aws:ResourceAccount": "${aws:PrincipalAccount}"
+                        }
+                    },
+                    "Sid": "ReadSecurityLakeLambdaLogs"
+                },
+                {
+                    "Action": [
+                        "sqs:StartMessageMoveTask",
+                        "sqs:DeleteMessage",
+                        "sqs:GetQueueUrl",
+                        "sqs:ListDeadLetterSourceQueues",
+                        "sqs:ChangeMessageVisibility",
+                        "sqs:ListMessageMoveTasks",
+                        "sqs:ReceiveMessage",
+                        "sqs:SendMessage",
+                        "sqs:GetQueueAttributes",
+                        "sqs:SetQueueAttributes"
+                    ],
+                    "Resource": [
+                        "arn:aws:sqs:*:*:SecurityLake_*",
+                        "arn:aws:sqs:*:*:AmazonSecurityLakeManager-*"
+                    ],
+                    "Effect": "Allow",
+                    "Condition": {
+                        "StringEquals": {
+                            "aws:ResourceAccount": "${aws:PrincipalAccount}"
+                        }
+                    },
+                    "Sid": "ManageSecurityLakeSQSQueue"
+                },
+                {
+                    "Action": [
+                        "lakeformation:GetDataLakeSettings",
+                        "lakeformation:ListPermissions"
+                    ],
+                    "Resource": "*",
+                    "Effect": "Allow",
+                    "Condition": {
+                        "StringEquals": {
+                            "aws:ResourceAccount": "${aws:PrincipalAccount}"
+                        }
+                    },
+                    "Sid": "AllowDataLakeManagement"
+                }
+            ]
+        },
+        "IsDefaultVersion": true
+    }
+}
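Review bot: `AllowDataLakeConfigurationManagement` names `arn:aws:s3:::aws-security-data-lake*` as its only resource, and because `*` in an ARN pattern also matches `/`, that pattern covers every object key in every bucket whose name starts with the prefix, so `s3:PutObject` in that statement is effectively unrestricted within those buckets — broader than the neighbouring `AllowMetaDataCompactionAndManagement`, which limits its object actions to `metadata/*.avro` and `metadata/*.metadata.json`. Separately, `AllowUpdateLambdaConfigs` grants `lambda:UpdateFunctionConfiguration` on `arn:aws:lambda:*:*:function:AmazonSecurityLakeMetastoreManager-*-*` under the same `aws:ResourceAccount` condition that `ManageSecurityLakeLambdaConfigurations` already applies to the same action and resource, so the later statement adds nothing. Both are properties of the upstream document rather than something this snapshot can change; if a notes file accompanies the policies, `PutObject is allowed on all objects in aws-security-data-lake* buckets` is the caveat I would add.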