
Commit 6b01556

committed
least privilege lambda execution role
1 parent 3fec5a1 commit 6b01556

1 file changed

+23
-25
lines changed


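--- a/aws_sra_examples/solutions/genai/bedrock_org/templates/sra-bedrock-org-main.yaml
+++ b/aws_sra_examples/solutions/genai/bedrock_org/templates/sra-bedrock-org-main.yaml
@@ -76,16 +76,17 @@ Parameters:
 Default: 'liamschn+bedrockalarm@amazon.com'
 
 pSRAStagingS3BucketName:
-# AllowedPattern: '^(?=^.{3,63}$)(?!.*[.-]{2})(?!.*[--]{2})(?!^(?:(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(\.(?!$)|$)){4}$)(^(([a-z0-9]|[a-z0-9][a-z0-9\-]*[a-z0-9])\.)*([a-z0-9]|[a-z0-9][a-z0-9\-]*[a-z0-9])$)'
-ConstraintDescription:
-SRA Staging S3 bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-).
 Description:
-SRA Staging S3 bucket name for the artifacts relevant to solution. (e.g., lambda zips, CloudFormation templates) S3 bucket name can include
-numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-).
-# Type: String
+SRA Staging S3 bucket name for the artifacts relevant to solution.
 Type: AWS::SSM::Parameter::Value<String>
 Default: /sra/staging-s3-bucket-name
 
+pSecurityAccount:
+Description:
+The security tooling account Id.
+Type: AWS::SSM::Parameter::Value<String>
+Default: /sra/control-tower/audit-account-id
+
 pBedrockOrgLambdaRoleName:
 AllowedPattern: '^[\w+=,.@-]{1,64}$'
 ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -]
@@ -429,7 +430,8 @@ Resources:
 - 'dynamodb:DescribeTable'
 - 'dynamodb:CreateTable'
 - 'dynamodb:TagResource'
-Resource: '*'
+Resource:
+- !Sub 'arn:${AWS::Partition}:dynamodb:${AWS::Region}:${pSecurityAccount}:table/*'
 PolicyName: !Sub '${pSRASolutionName}-dynamodb-policy'
 - PolicyDocument:
 Version: '2012-10-17'
@@ -493,9 +495,7 @@ Resources:
 - 'logs:Link'
 Resource:
 - !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:metric-filter:*'
-- !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:*:log-stream:*'
-# - !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:metric-filter:sra-bedrock-filter-service-changes'
-# - !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:metric-filter:sra-bedrock-filter-bucket-changes'
+- !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:*'
 PolicyName: !Sub '${pSRASolutionName}-logs-policy'
 - PolicyDocument:
 Version: '2012-10-17'
@@ -507,10 +507,7 @@ Resources:
 - 'cloudwatch:DeleteAlarms'
 - 'cloudwatch:TagResource'
 - 'cloudwatch:Link'
-Resource: '*'
-# - !Sub 'arn:${AWS::Partition}:cloudwatch:${AWS::Region}:${AWS::AccountId}:alarm:*'
-# - !Sub 'arn:${AWS::Partition}:cloudwatch:${AWS::Region}:${AWS::AccountId}:alarm:sra-bedrock-filter-service-changes-alarm'
-# - !Sub 'arn:${AWS::Partition}:cloudwatch:${AWS::Region}:${AWS::AccountId}:alarm:sra-bedrock-filter-bucket-changes-alarm'
+Resource: '*' # required for cloudwatchLink action
 PolicyName: !Sub '${pSRASolutionName}-cloudwatch-policy'
 - PolicyDocument:
 Version: '2012-10-17'
@@ -524,22 +521,23 @@ Resources:
 Resource:
 - !Sub 'arn:${AWS::Partition}:oam:${AWS::Region}:${AWS::AccountId}:link/*'
 - !Sub 'arn:${AWS::Partition}:oam:${AWS::Region}:${AWS::AccountId}:/ListLinks*'
+- !Sub 'arn:${AWS::Partition}:oam:${AWS::Region}:*:sink/*' # sink on security account
 PolicyName: !Sub '${pSRASolutionName}-oam-policy'
 - PolicyDocument:
 Version: '2012-10-17'
 Statement:
 - Effect: Allow
 Action:
 - 'xray:Link'
-Resource: '*'
+Resource: '*' # required for xrayLink action
 PolicyName: !Sub '${pSRASolutionName}-xray-policy'
 - PolicyDocument:
 Version: '2012-10-17'
 Statement:
 - Effect: Allow
 Action:
 - 'organizations:DescribeOrganization'
-Resource: '*'
+Resource: '*' # required for organizationsDescribeOrganization action
 PolicyName: !Sub '${pSRASolutionName}-organizations-policy'
 - PolicyDocument:
 Version: '2012-10-17'
@@ -563,7 +561,8 @@ Resources:
 - Effect: Allow
 Action:
 - 'ssm:GetParameter'
-Resource: '*'
+Resource:
+- !Sub 'arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/sra/*'
 PolicyName: !Sub '${pSRASolutionName}-ssm-policy'
 - PolicyDocument:
 Version: '2012-10-17'
@@ -572,7 +571,7 @@ Resources:
 Action:
 - 'sts:AssumeRole'
 - 'sts:GetCallerIdentity'
-Resource: '*'
+Resource: '*' # required for stsGetCallerIdentity action
 PolicyName: !Sub '${pSRASolutionName}-sts-policy'
 - PolicyDocument:
 Version: '2012-10-17'
@@ -582,34 +581,33 @@ Resources:
 - 's3:GetObject'
 - 's3:HeadObject'
 - 's3:PutObject'
-Resource: '*'
+Resource:
+- !Sub 'arn:${AWS::Partition}:s3:::${pSRAStagingS3BucketName}/*'
 PolicyName: !Sub '${pSRASolutionName}-s3-policy'
 - PolicyDocument:
 Version: '2012-10-17'
 Statement:
 - Effect: Allow
 Action:
 - 'applicationinsights:Link'
-Resource: '*'
-# applicationinsights:Link on resource: arn:aws:applicationinsights:<HOME REGION>:<MGMT ACCT>:application/*
+Resource:
+- !Sub 'arn:${AWS::Partition}:applicationinsights:${AWS::Region}:${AWS::AccountId}:application/*'
 PolicyName: !Sub '${pSRASolutionName}-appinsights-policy'
 - PolicyDocument:
 Version: '2012-10-17'
 Statement:
 - Effect: Allow
 Action:
 - 'internetmonitor:Link'
-Resource: '*'
-# internetmonitor:Link on resource: arn:aws:internetmonitor:<HOME REGION>:<MGMT ACCT>:monitor/*
+Resource:
+- !Sub 'arn:${AWS::Partition}:internetmonitor:${AWS::Region}:${AWS::AccountId}:monitor/*'
 PolicyName: !Sub '${pSRASolutionName}-internetmonitor-policy'
 
 Tags:
 - Key: sra-solution
 Value: !Ref pSRASolutionName
 ManagedPolicyArns:
 - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
-# TODO(liamschn): least privilege policies need to be created for this lambda role (in progress)
-# - arn:aws:iam::aws:policy/AdministratorAccess
 
 rBedrockOrgLambdaFunction:
 Type: AWS::Lambda::Function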
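Review bot: In the `-572,7 +571,7` hunk the sts statement keeps `sts:AssumeRole` on `Resource: '*'`, and the new comment only justifies the wildcard for `sts:GetCallerIdentity`; `AssumeRole` on `*` lets this execution role assume any role whose trust policy admits it, which is the single broadest grant left in the template after this commit. Splitting the statement so that `AssumeRole` is scoped to the role ARN(s) this function actually assumes, while only `GetCallerIdentity` keeps `'*'`, would close that gap; the enclosing `- Effect: Allow` begins outside the hunk and the target role name is not visible here, so the ARN below carries a placeholder. The same pattern appears in the `-524,22 +521,23` hunk, where the new oam line `arn:${AWS::Partition}:oam:${AWS::Region}:*:sink/*` wildcards the account although its own comment says the sink lives in the security account and this commit introduces `pSecurityAccount` for exactly that purpose, so `${pSecurityAccount}` could replace the `*` there.
```yaml
# … unchanged: preceding policy documents …
- Effect: Allow
  Action:
    - 'sts:AssumeRole'
  Resource:
    - !Sub 'arn:${AWS::Partition}:iam::${pSecurityAccount}:role/<ASSUMED_ROLE_NAME_PLACEHOLDER>' # scope to the role(s) this function assumes
- Effect: Allow
  Action:
    - 'sts:GetCallerIdentity'
  Resource: '*' # required for stsGetCallerIdentity action
PolicyName: !Sub '${pSRASolutionName}-sts-policy'
```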
