panther-bot committed Dec 19, 2024
1 parent f3d010c commit 2be94d5
Showing 1 changed file with 29 additions and 4 deletions.
33 changes: 29 additions & 4 deletions cloudformation/panther-deployment-role.yml
@@ -159,6 +159,7 @@ Resources:
- ec2:DeleteSubnet
- ec2:DeleteTags
- ec2:DeleteVpcEndpoints
- ec2:DisassociateVpcCidrBlock
- ec2:ModifySubnetAttribute
- ec2:ModifyVpcAttribute
- ec2:ModifyVpcEndpoint
@@ -206,6 +207,26 @@ Resources:
- codebuild:UpdateProject
- codebuild:StartBuild
Resource: !Sub arn:${AWS::Partition}:codebuild:${AWS::Region}:${AWS::AccountId}:project/panther*
- Sid: PantherRedshiftProvisioning
Effect: Allow
Action:
- redshift-data:ExecuteStatement # used to set up permissions inside databases
- redshift-serverless:CreateNamespace
- redshift-serverless:CreateWorkgroup
- redshift-serverless:DeleteNamespace
- redshift-serverless:DeleteWorkgroup
- redshift-serverless:GetCredentials
- redshift-serverless:UpdateNamespace
- redshift-serverless:UpdateWorkgroup
- redshift-serverless:TagResource
Resource:
- !Sub arn:${AWS::Partition}:redshift-serverless:${AWS::Region}:${AWS::AccountId}:namespace/*
- !Sub arn:${AWS::Partition}:redshift-serverless:${AWS::Region}:${AWS::AccountId}:workgroup/*
- Sid: PantherRedshiftProvisioningDescribeStatement
Effect: Allow
Action:
- redshift-data:DescribeStatement # used to set up permissions inside databases
Resource: '*' # this action requires *
- Sid: PantherStateMachine
Effect: Allow
Action:
Expand All @@ -225,6 +246,8 @@ Resources:
Resource:
- !Sub arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:rule/alert-search-rehydrate-api-rehydration-cron
- !Sub arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:rule/analysis-api-schedule-polling-cron
- !Sub arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:rule/compliance-aggregator-refresh-all-delete-cron
- !Sub arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:rule/compliance-aggregator-refresh-all-no-delete-cron
- !Sub arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:rule/detection-processor-poll-cron
- !Sub arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:rule/enrichment-api-prune-generations-cron
- !Sub arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:rule/enrichment-api-sync-all-profile-pullers-cron
@@ -372,13 +395,15 @@ Resources:
- firehose:DeleteDeliveryStream
- firehose:StartDeliveryStreamEncryption
- firehose:TagDeliveryStream
- firehose:UntagDeliveryStream
Resource: !Sub arn:aws:firehose:${AWS::Region}:${AWS::AccountId}:deliverystream/panther-*
- Sid: PantherLambda
Effect: Allow
Action:
- lambda:AddPermission
- lambda:CreateFunction
- lambda:DeleteFunction
- lambda:DeleteFunctionEventInvokeConfig
- lambda:DeleteLayerVersion
- lambda:InvokeFunction
- lambda:PublishLayerVersion
@@ -490,6 +515,7 @@ Resources:
- Sid: PantherManageSecrets
Effect: Allow
Action:
- secretsmanager:CancelRotateSecret
- secretsmanager:CreateSecret
- secretsmanager:DeleteSecret
- secretsmanager:GetSecretValue
@@ -552,10 +578,9 @@ Resources:
- elasticfilesystem:DeleteFileSystem
- elasticfilesystem:DeleteMountTarget
- elasticfilesystem:PutLifecycleConfiguration
Resource: !Sub arn:${AWS::Partition}:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:file-system/*
Condition:
StringEquals:
aws:ResourceTag/panther:app: panther
Resource:
- !Sub arn:${AWS::Partition}:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:file-system/*
- !Sub arn:${AWS::Partition}:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:access-point/*
- Sid: PantherBatch
Effect: Allow
Action:
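Review bot: The rewritten `Resource:` list for the EFS statement drops the `aws:ResourceTag/panther:app: panther` condition that the old side carried on the file-system ARN, so `elasticfilesystem:DeleteFileSystem`, `DeleteMountTarget` and `PutLifecycleConfiguration` (plus whatever actions sit above the hunk — the statement's Sid and the start of its Action list are outside it) now apply to every file system and access point in the account and region rather than only Panther-tagged ones. Elsewhere in this file the role is narrowed by name prefix (`project/panther*`, `deliverystream/panther-*`), so an unconditioned `file-system/*` with delete rights is a real widening of a deployment role's blast radius. If the condition was removed because the access-point ARN does not carry that tag, keep the tag condition on the file-system grant and give the access-point ARN its own statement rather than dropping the condition for both. The same scoping question applies to the new `PantherRedshiftProvisioning` statement, whose `namespace/*` and `workgroup/*` ARNs grant `GetCredentials` and `DeleteNamespace` with neither a name prefix nor a tag condition.
```yaml
      Resource: !Sub arn:${AWS::Partition}:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:file-system/*
      Condition:
        StringEquals:
          aws:ResourceTag/panther:app: panther
    - Sid: PantherEFSAccessPoints
      Effect: Allow
      Action:
        # … move only the actions that must target access points here …
      Resource: !Sub arn:${AWS::Partition}:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:access-point/*
```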