Revert to more permissive policy

sysdiglabs · Nov 2, 2023 · f411ab4 · f411ab4
1 parent 8ec33e1
commit f411ab4
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 40 deletions.
diff --git a/templates_cloudlogs/CloudLogs.yaml b/templates_cloudlogs/CloudLogs.yaml
@@ -14,7 +14,6 @@ Metadata:
  - ExternalID
  - TrustedIdentity
  - BucketARN
- - AccountID
 
  ParameterLabels:
  CloudLogsRoleName:
@@ -25,8 +24,6 @@ Metadata:
  default: "Trusted Identity (Sysdig use only)"
  BucketARN:
  default: "Bucket ARN"
- AccountID:
- default: "Account ID"
 
 Parameters:
  CloudLogsRoleName:
@@ -41,9 +38,6 @@ Parameters:
  BucketARN:
  Type: String
  Description: The ARN of your s3 bucket associated with your Cloudtrail trail.
- AccountID:
- Type: String
- Description: The Identifier of your AWS account.
 
 Resources:
  CloudLogsRole:
@@ -68,19 +62,19 @@ Resources:
  PolicyDocument:
  Version: "2012-10-17"
  Statement:
- - Sid: "CloudlogsS3AccessGet"
+ - Sid: "CloudlogsS3AccessList"
  Effect: "Allow"
  Action:
  - "s3:List*"
  Resource:
  - !Sub '${BucketARN}'
  - !Sub '${BucketARN}/*'
- - Sid: "CloudlogsS3AccessList"
+ - Sid: "CloudlogsS3AccessGet"
  Effect: "Allow"
  Action:
  - "s3:Get*"
  Resource:
- - !Sub '${BucketARN}/AWSLogs/${AccountID}'
- - !Sub '${BucketARN}/AWSLogs/${AccountID}/*'
+ - !Sub '${BucketARN}'
+ - !Sub '${BucketARN}/*'
  Roles:
  - Ref: "CloudLogsRole"
diff --git a/templates_cloudlogs/OrgCloudLogs.yaml b/templates_cloudlogs/OrgCloudLogs.yaml
@@ -16,7 +16,6 @@ Metadata:
  - ExternalID
  - TrustedIdentity
  - BucketARN
- - AccountID
 
  ParameterLabels:
  CSPMRoleName:
@@ -29,8 +28,6 @@ Metadata:
  default: "Trusted Identity (Sysdig use only)"
  BucketARN:
  default: "Bucket ARN"
- AccountID:
- default: "Account ID"
 
 Parameters:
  CSPMRoleName:
@@ -48,9 +45,6 @@ Parameters:
  BucketARN:
  Type: String
  Description: The ARN of your s3 bucket associated with your Cloudtrail trail.
- AccountID:
- Type: String
- Description: The Identifier of your AWS account.
 
 Resources:
  CloudLogsRole:
@@ -75,20 +69,20 @@ Resources:
  PolicyDocument:
  Version: "2012-10-17"
  Statement:
- - Sid: "CloudlogsS3AccessGet"
+ - Sid: "CloudlogsS3AccessList"
  Effect: "Allow"
  Action:
  - "s3:List*"
  Resource:
  - !Sub '${BucketARN}'
  - !Sub '${BucketARN}/*'
- - Sid: "CloudlogsS3AccessList"
+ - Sid: "CloudlogsS3AccessGet"
  Effect: "Allow"
  Action:
  - "s3:Get*"
  Resource:
- - !Sub '${BucketARN}/AWSLogs/${AccountID}'
- - !Sub '${BucketARN}/AWSLogs/${AccountID}/*'
+ - !Sub '${BucketARN}'
+ - !Sub '${BucketARN}/*'
  Roles:
  - Ref: "CloudLogsRole"
  CloudAgentlessRole:

diff --git a/templates_cspm_cloudlogs/FullInstall.yaml b/templates_cspm_cloudlogs/FullInstall.yaml
@@ -12,7 +12,6 @@ Metadata:
  - ExternalID
  - TrustedIdentity
  - BucketARN
- - AccountID
 
  ParameterLabels:
  CSPMRoleName:
@@ -25,8 +24,6 @@ Metadata:
  default: "Trusted Identity (Sysdig use only)"
  BucketARN:
  default: "Bucket ARN"
- AccountID:
- default: "Account ID"
 
 Parameters:
  CSPMRoleName:
@@ -44,9 +41,6 @@ Parameters:
  BucketARN:
  Type: String
  Description: The ARN of your s3 bucket associated with your Cloudtrail trail.
- AccountID:
- Type: String
- Description: The Identifier of your AWS account.
 
 Resources:
  CloudAgentlessRole:
@@ -88,19 +82,19 @@ Resources:
  PolicyDocument:
  Version: "2012-10-17"
  Statement:
- - Sid: "CloudlogsS3AccessGet"
+ - Sid: "CloudlogsS3AccessList"
  Effect: "Allow"
  Action:
  - "s3:List*"
  Resource:
  - !Sub '${BucketARN}'
  - !Sub '${BucketARN}/*'
- - Sid: "CloudlogsS3AccessList"
+ - Sid: "CloudlogsS3AccessGet"
  Effect: "Allow"
  Action:
  - "s3:Get*"
  Resource:
- - !Sub '${BucketARN}/AWSLogs/${AccountID}'
- - !Sub '${BucketARN}/AWSLogs/${AccountID}/*'
+ - !Sub '${BucketARN}'
+ - !Sub '${BucketARN}/*'
  Roles:
  - Ref: "CloudLogsRole"
diff --git a/templates_cspm_cloudlogs/OrgFullInstall.yaml b/templates_cspm_cloudlogs/OrgFullInstall.yaml
@@ -13,7 +13,6 @@ Metadata:
  - TrustedIdentity
  - BucketARN
  - OrganizationUnitIDs
- - AccountID
 
  ParameterLabels:
  CSPMRoleName:
@@ -28,8 +27,6 @@ Metadata:
  default: "Trusted Identity (Sysdig use only)"
  OrganizationUnitIDs:
  default: "Organization Unit IDs (Sysdig use only)"
- AccountID:
- default: "Account ID"
 
 Parameters:
  CSPMRoleName:
@@ -50,9 +47,6 @@ Parameters:
  OrganizationUnitIDs:
  Type: String
  Description: Organization Unit IDs to deploy
- AccountID:
- Type: String
- Description: The Identifier of your AWS account.
 
 Resources:
  CloudAgentlessRole:
@@ -93,20 +87,20 @@ Resources:
  PolicyDocument:
  Version: "2012-10-17"
  Statement:
- - Sid: "CloudlogsS3AccessGet"
+ - Sid: "CloudlogsS3AccessList"
  Effect: "Allow"
  Action:
  - "s3:List*"
  Resource:
  - !Sub '${BucketARN}'
  - !Sub '${BucketARN}/*'
- - Sid: "CloudlogsS3AccessList"
+ - Sid: "CloudlogsS3AccessGet"
  Effect: "Allow"
  Action:
  - "s3:Get*"
  Resource:
- - !Sub '${BucketARN}/AWSLogs/${AccountID}'
- - !Sub '${BucketARN}/AWSLogs/${AccountID}/*'
+ - !Sub '${BucketARN}'
+ - !Sub '${BucketARN}/*'
  Roles:
  - Ref: "CloudLogsRole"
  RolesStackSet: