Revert to more permissive policy (#109)

sysdiglabs · Nov 2, 2023 · 348f8d0 · 348f8d0
1 parent 5a5a0b1
commit 348f8d0
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 32 deletions.
diff --git a/templates_cloudlogs/CloudLogs.yaml b/templates_cloudlogs/CloudLogs.yaml
@@ -14,7 +14,6 @@ Metadata:
  - ExternalID
  - TrustedIdentity
  - BucketARN
- - AccountID
 
  ParameterLabels:
  CloudLogsRoleName:
@@ -25,8 +24,6 @@ Metadata:
  default: "Trusted Identity (Sysdig use only)"
  BucketARN:
  default: "Bucket ARN"
- AccountID:
- default: "Account ID"
 
 Parameters:
  CloudLogsRoleName:
@@ -41,9 +38,6 @@ Parameters:
  BucketARN:
  Type: String
  Description: The ARN of your s3 bucket associated with your Cloudtrail trail.
- AccountID:
- Type: String
- Description: The Identifier of your AWS account.
 
 Resources:
  CloudLogsRole:
@@ -80,7 +74,7 @@ Resources:
  Action:
  - "s3:List*"
  Resource:
- - !Sub '${BucketARN}/AWSLogs/${AccountID}'
- - !Sub '${BucketARN}/AWSLogs/${AccountID}/*'
+ - !Sub '${BucketARN}'
+ - !Sub '${BucketARN}/*'
  Roles:
  - Ref: "CloudLogsRole"
diff --git a/templates_cloudlogs/OrgCloudLogs.yaml b/templates_cloudlogs/OrgCloudLogs.yaml
@@ -16,7 +16,6 @@ Metadata:
  - ExternalID
  - TrustedIdentity
  - BucketARN
- - AccountID
 
  ParameterLabels:
  CSPMRoleName:
@@ -29,8 +28,6 @@ Metadata:
  default: "Trusted Identity (Sysdig use only)"
  BucketARN:
  default: "Bucket ARN"
- AccountID:
- default: "Account ID"
 
 Parameters:
  CSPMRoleName:
@@ -48,9 +45,6 @@ Parameters:
  BucketARN:
  Type: String
  Description: The ARN of your s3 bucket associated with your Cloudtrail trail.
- AccountID:
- Type: String
- Description: The Identifier of your AWS account.
 
 Resources:
  CloudLogsRole:
@@ -87,8 +81,8 @@ Resources:
  Action:
  - "s3:List*"
  Resource:
- - !Sub '${BucketARN}/AWSLogs/${AccountID}'
- - !Sub '${BucketARN}/AWSLogs/${AccountID}/*'
+ - !Sub '${BucketARN}'
+ - !Sub '${BucketARN}/*'
  Roles:
  - Ref: "CloudLogsRole"
  CloudAgentlessRole:

diff --git a/templates_cspm_cloudlogs/FullInstall.yaml b/templates_cspm_cloudlogs/FullInstall.yaml
@@ -12,7 +12,6 @@ Metadata:
  - ExternalID
  - TrustedIdentity
  - BucketARN
- - AccountID
 
  ParameterLabels:
  CSPMRoleName:
@@ -25,8 +24,6 @@ Metadata:
  default: "Trusted Identity (Sysdig use only)"
  BucketARN:
  default: "Bucket ARN"
- AccountID:
- default: "Account ID"
 
 Parameters:
  CSPMRoleName:
@@ -44,9 +41,6 @@ Parameters:
  BucketARN:
  Type: String
  Description: The ARN of your s3 bucket associated with your Cloudtrail trail.
- AccountID:
- Type: String
- Description: The Identifier of your AWS account.
 
 Resources:
  CloudAgentlessRole:
@@ -100,7 +94,7 @@ Resources:
  Action:
  - "s3:List*"
  Resource:
- - !Sub '${BucketARN}/AWSLogs/${AccountID}'
- - !Sub '${BucketARN}/AWSLogs/${AccountID}/*'
+ - !Sub '${BucketARN}'
+ - !Sub '${BucketARN}/*'
  Roles:
  - Ref: "CloudLogsRole"
diff --git a/templates_cspm_cloudlogs/OrgFullInstall.yaml b/templates_cspm_cloudlogs/OrgFullInstall.yaml
@@ -13,7 +13,6 @@ Metadata:
  - TrustedIdentity
  - BucketARN
  - OrganizationUnitIDs
- - AccountID
 
  ParameterLabels:
  CSPMRoleName:
@@ -28,8 +27,6 @@ Metadata:
  default: "Trusted Identity (Sysdig use only)"
  OrganizationUnitIDs:
  default: "Organization Unit IDs (Sysdig use only)"
- AccountID:
- default: "Account ID"
 
 Parameters:
  CSPMRoleName:
@@ -50,9 +47,6 @@ Parameters:
  OrganizationUnitIDs:
  Type: String
  Description: Organization Unit IDs to deploy
- AccountID:
- Type: String
- Description: The Identifier of your AWS account.
 
 Resources:
  CloudAgentlessRole:
@@ -105,8 +99,8 @@ Resources:
  Action:
  - "s3:List*"
  Resource:
- - !Sub '${BucketARN}/AWSLogs/${AccountID}'
- - !Sub '${BucketARN}/AWSLogs/${AccountID}/*'
+ - !Sub '${BucketARN}'
+ - !Sub '${BucketARN}/*'
  Roles:
  - Ref: "CloudLogsRole"
  RolesStackSet: