Merge branch 'master' of github-xomniverse:flexera-public/policy_temp…

…lates

.github/workflows/generate-aws-cloudformation-template.yaml

@@ -0,0 +1,45 @@
+name: Generate Meta Parent Policy Templates
+
+on:
+  # Trigger this workflow on pushes to master
+  push:
+    branches:
+      - master
+
+  # Workflow dispatch trigger allows manually running workflow
+  workflow_dispatch:
+    branches:
+      - master
+
+jobs:
+  meta-parent-policy-templates:
+    name: "Generate AWS CloudFormation Template"
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0 # Speed up checkout by not fetching history
+
+      - uses: ruby/setup-ruby@v1
+
+      - name: Generate AWS CloudFormation Template
+        working-directory: tools/cloudformation-template
+        run: |
+          ruby aws_cft_generator.rb
+
+      - name: Create Pull Request
+        id: cpr
+        uses: peter-evans/create-pull-request@v4
+        with:
+          commit-message: "Update AWS CloudFormation Template"
+          title: "Update AWS CloudFormation Template"
+          body: "Update AWS CloudFormation Template from GitHub Actions Workflow [${{ github.workflow }}](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})"
+          branch: "task/update-aws-cloudformation-template"
+          delete-branch: true
+          labels: "automation"
+
+      - name: Check outputs
+        if: ${{ steps.cpr.outputs.pull-request-number }}
+        run: |
+          echo "Pull Request Number - ${{ steps.cpr.outputs.pull-request-number }}"
+          echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}"

.spellignore

@@ -585,6 +585,9 @@ FSM
 ByteCount
 PacketCount
 balancers
+OUs
+README
+readme
 backfill
 FNMS
 CBI

compliance/aws/untagged_resources/README.md

@@ -52,7 +52,7 @@ This Policy Template uses [Credentials](https://docs.flexera.com/flexera/EN/Auto
   - `ec2:DescribeRegions`
   - `tag:GetResources`
   - `tag:TagResources`*
-  - `organizations:TagResources`*
+  - `organizations:TagResource`*
 
   \* Only required for taking action (adding tags); the policy will still function in a read-only capacity without these permissions.
 
@@ -69,7 +69,7 @@ This Policy Template uses [Credentials](https://docs.flexera.com/flexera/EN/Auto
                   "ec2:DescribeRegions",
                   "tag:GetResources",
                   "tag:TagResources",
-                  "organizations:TagResources"
+                  "organizations:TagResource"
               ],
               "Resource": "*"
           }

cost/aws/s3_storage_policy/README.md

@@ -36,7 +36,7 @@ For administrators [creating and managing credentials](https://docs.flexera.com/
   - `s3:ListAllMyBuckets`
   - `s3:GetBucketLocation`
   - `s3:GetBucketTagging`
-  - `s3:GetBucketIntelligentTieringConfiguration`
+  - `s3:GetIntelligentTieringConfiguration`
   - `sts:GetCallerIdentity`
 
   Example IAM Permission Policy:
@@ -51,7 +51,7 @@ For administrators [creating and managing credentials](https://docs.flexera.com/
                   "s3:ListAllMyBuckets",
                   "s3:GetBucketLocation",
                   "s3:GetBucketTagging",
-                  "s3:GetBucketIntelligentTieringConfiguration",
+                  "s3:GetIntelligentTieringConfiguration",
                   "sts:GetCallerIdentity"
               ],
               "Resource": "*"

data/policy_permissions_list/master_policy_permissions_list.json

@@ -677,7 +677,7 @@
               "description": "Only required for taking action (adding tags); the policy will still function in a read-only capacity without these permissions."
             },
             {
-              "name": "organizations:TagResources",
+              "name": "organizations:TagResource",
               "read_only": false,
               "required": false,
               "description": "Only required for taking action (adding tags); the policy will still function in a read-only capacity without these permissions."
@@ -2642,7 +2642,7 @@
               "required": true
             },
             {
-              "name": "s3:GetBucketIntelligentTieringConfiguration",
+              "name": "s3:GetIntelligentTieringConfiguration",
               "read_only": true,
               "required": true
             },
@@ -8705,7 +8705,7 @@
               "required": true
             },
             {
-              "name": "s3:ListBuckets",
+              "name": "s3:ListAllMyBuckets",
               "read_only": true,
               "required": true
             },
@@ -8752,7 +8752,7 @@
               "required": true
             },
             {
-              "name": "s3:ListBuckets",
+              "name": "s3:ListAllMyBuckets",
               "read_only": true,
               "required": true
             },
@@ -8805,7 +8805,7 @@
               "required": true
             },
             {
-              "name": "s3:ListBuckets",
+              "name": "s3:ListAllMyBuckets",
               "read_only": true,
               "required": true
             },
@@ -8820,7 +8820,7 @@
               "required": true
             },
             {
-              "name": "s3:GetPublicAccessBlock",
+              "name": "s3:GetBucketPublicAccessBlock",
               "read_only": true,
               "required": true
             }
@@ -8852,7 +8852,7 @@
               "required": true
             },
             {
-              "name": "s3:ListBuckets",
+              "name": "s3:ListAllMyBuckets",
               "read_only": true,
               "required": true
             },
@@ -8899,7 +8899,7 @@
               "required": true
             },
             {
-              "name": "s3:ListBuckets",
+              "name": "s3:ListAllMyBuckets",
               "read_only": true,
               "required": true
             },
@@ -8914,12 +8914,12 @@
               "required": true
             },
             {
-              "name": "s3:GetBucketEncryption",
+              "name": "s3:GetEncryptionConfiguration",
               "read_only": true,
               "required": true
             },
             {
-              "name": "s3:PutBucketEncryption",
+              "name": "s3:PutEncryptionConfiguration",
               "read_only": false,
               "required": false,
               "description": "Only required for taking action; the policy will still function in a read-only capacity without these permissions."

data/policy_permissions_list/master_policy_permissions_list.yaml

@@ -382,7 +382,7 @@
       required: false
       description: Only required for taking action (adding tags); the policy will
         still function in a read-only capacity without these permissions.
-    - name: organizations:TagResources
+    - name: organizations:TagResource
       read_only: false
       required: false
       description: Only required for taking action (adding tags); the policy will
@@ -1518,7 +1518,7 @@
     - name: s3:GetBucketTagging
       read_only: true
       required: true
-    - name: s3:GetBucketIntelligentTieringConfiguration
+    - name: s3:GetIntelligentTieringConfiguration
       read_only: true
       required: true
     - name: sts:GetCallerIdentity
@@ -4991,7 +4991,7 @@
     - name: sts:GetCallerIdentity
       read_only: true
       required: true
-    - name: s3:ListBuckets
+    - name: s3:ListAllMyBuckets
       read_only: true
       required: true
     - name: s3:GetBucketLocation
@@ -5017,7 +5017,7 @@
     - name: sts:GetCallerIdentity
       read_only: true
       required: true
-    - name: s3:ListBuckets
+    - name: s3:ListAllMyBuckets
       read_only: true
       required: true
     - name: s3:GetBucketLocation
@@ -5048,7 +5048,7 @@
     - name: sts:GetCallerIdentity
       read_only: true
       required: true
-    - name: s3:ListBuckets
+    - name: s3:ListAllMyBuckets
       read_only: true
       required: true
     - name: s3:GetBucketLocation
@@ -5057,7 +5057,7 @@
     - name: s3:GetBucketTagging
       read_only: true
       required: true
-    - name: s3:GetPublicAccessBlock
+    - name: s3:GetBucketPublicAccessBlock
       read_only: true
       required: true
   - :name: flexera
@@ -5074,7 +5074,7 @@
     - name: sts:GetCallerIdentity
       read_only: true
       required: true
-    - name: s3:ListBuckets
+    - name: s3:ListAllMyBuckets
       read_only: true
       required: true
     - name: s3:GetBucketLocation
@@ -5100,7 +5100,7 @@
     - name: sts:GetCallerIdentity
       read_only: true
       required: true
-    - name: s3:ListBuckets
+    - name: s3:ListAllMyBuckets
       read_only: true
       required: true
     - name: s3:GetBucketLocation
@@ -5109,10 +5109,10 @@
     - name: s3:GetBucketTagging
       read_only: true
       required: true
-    - name: s3:GetBucketEncryption
+    - name: s3:GetEncryptionConfiguration
       read_only: true
       required: true
-    - name: s3:PutBucketEncryption
+    - name: s3:PutEncryptionConfiguration
       read_only: false
       required: false
       description: Only required for taking action; the policy will still function

security/aws/s3_buckets_deny_http/README.md

@@ -40,7 +40,7 @@ This Policy Template uses [Credentials](https://docs.flexera.com/flexera/EN/Auto
 
 - [**AWS Credential**](https://docs.flexera.com/flexera/EN/Automation/ProviderCredentials.htm#automationadmin_1982464505_1121575) (*provider=aws*) which has the following permissions:
   - `sts:GetCallerIdentity`
-  - `s3:ListBuckets`
+  - `s3:ListAllMyBuckets`
   - `s3:GetBucketLocation`
   - `s3:GetBucketTagging`
   - `s3:GetBucketPolicy`
@@ -55,7 +55,7 @@ This Policy Template uses [Credentials](https://docs.flexera.com/flexera/EN/Auto
               "Effect": "Allow",
               "Action": [
                   "sts:GetCallerIdentity",
-                  "s3:ListBuckets",
+                  "s3:ListAllMyBuckets",
                   "s3:GetBucketLocation",
                   "s3:GetBucketTagging",
                   "s3:GetBucketPolicy"

security/aws/s3_buckets_without_server_access_logging/README.md

@@ -30,7 +30,7 @@ This Policy Template uses [Credentials](https://docs.flexera.com/flexera/EN/Auto
 
 - [**AWS Credential**](https://docs.flexera.com/flexera/EN/Automation/ProviderCredentials.htm#automationadmin_1982464505_1121575) (*provider=aws*) which has the following permissions:
   - `sts:GetCallerIdentity`
-  - `s3:ListBuckets`
+  - `s3:ListAllMyBuckets`
   - `s3:GetBucketLocation`
   - `s3:GetBucketTagging`
   - `s3:GetBucketLogging`
@@ -48,7 +48,7 @@ This Policy Template uses [Credentials](https://docs.flexera.com/flexera/EN/Auto
               "Effect": "Allow",
               "Action": [
                   "sts:GetCallerIdentity",
-                  "s3:ListBuckets",
+                  "s3:ListAllMyBuckets",
                   "s3:GetBucketLocation",
                   "s3:GetBucketTagging",
                   "s3:GetBucketLogging",

security/aws/s3_ensure_buckets_block_public_access/README.md

@@ -40,10 +40,10 @@ This Policy Template uses [Credentials](https://docs.flexera.com/flexera/EN/Auto
 
 - [**AWS Credential**](https://docs.flexera.com/flexera/EN/Automation/ProviderCredentials.htm#automationadmin_1982464505_1121575) (*provider=aws*) which has the following permissions:
   - `sts:GetCallerIdentity`
-  - `s3:ListBuckets`
+  - `s3:ListAllMyBuckets`
   - `s3:GetBucketLocation`
   - `s3:GetBucketTagging`
-  - `s3:GetPublicAccessBlock`
+  - `s3:GetBucketPublicAccessBlock`
 
   Example IAM Permission Policy:
 
@@ -55,10 +55,10 @@ This Policy Template uses [Credentials](https://docs.flexera.com/flexera/EN/Auto
               "Effect": "Allow",
               "Action": [
                   "sts:GetCallerIdentity",
-                  "s3:ListBuckets",
+                  "s3:ListAllMyBuckets",
                   "s3:GetBucketLocation",
                   "s3:GetBucketTagging",
-                  "s3:GetPublicAccessBlock"
+                  "s3:GetBucketPublicAccessBlock"
               ],
               "Resource": "*"
           }

security/aws/s3_ensure_mfa_delete_enabled/README.md

@@ -31,7 +31,7 @@ This Policy Template uses [Credentials](https://docs.flexera.com/flexera/EN/Auto
 
 - [**AWS Credential**](https://docs.flexera.com/flexera/EN/Automation/ProviderCredentials.htm#automationadmin_1982464505_1121575) (*provider=aws*) which has the following permissions:
   - `sts:GetCallerIdentity`
-  - `s3:ListBuckets`
+  - `s3:ListAllMyBuckets`
   - `s3:GetBucketLocation`
   - `s3:GetBucketTagging`
   - `s3:GetBucketVersioning`
@@ -46,7 +46,7 @@ This Policy Template uses [Credentials](https://docs.flexera.com/flexera/EN/Auto
               "Effect": "Allow",
               "Action": [
                   "sts:GetCallerIdentity",
-                  "s3:ListBuckets",
+                  "s3:ListAllMyBuckets",
                   "s3:GetBucketLocation",
                   "s3:GetBucketTagging",
                   "s3:GetBucketVersioning"

security/aws/unencrypted_s3_buckets/README.md

@@ -31,11 +31,11 @@ This Policy Template uses [Credentials](https://docs.flexera.com/flexera/EN/Auto
 
 - [**AWS Credential**](https://docs.flexera.com/flexera/EN/Automation/ProviderCredentials.htm#automationadmin_1982464505_1121575) (*provider=aws*) which has the following permissions:
   - `sts:GetCallerIdentity`
-  - `s3:ListBuckets`
+  - `s3:ListAllMyBuckets`
   - `s3:GetBucketLocation`
   - `s3:GetBucketTagging`
-  - `s3:GetBucketEncryption`
-  - `s3:PutBucketEncryption`*
+  - `s3:GetEncryptionConfiguration`
+  - `s3:PutEncryptionConfiguration`*
   - `s3:DeleteBucket`*
 
   \* Only required for taking action; the policy will still function in a read-only capacity without these permissions.
@@ -50,11 +50,11 @@ This Policy Template uses [Credentials](https://docs.flexera.com/flexera/EN/Auto
               "Effect": "Allow",
               "Action": [
                   "sts:GetCallerIdentity",
-                  "s3:ListBuckets",
+                  "s3:ListAllMyBuckets",
                   "s3:GetBucketLocation",
                   "s3:GetBucketTagging",
-                  "s3:GetBucketEncryption",
-                  "s3:PutBucketEncryption",
+                  "s3:GetEncryptionConfiguration",
+                  "s3:PutEncryptionConfiguration",
                   "s3:DeleteBucket"
               ],
               "Resource": "*"