Fix: AWS Unused IP Permissions (#1570)

* fix: AWS Old Snapshots permissions * docs: add `cloudtrail:LookupEvents` --------- Co-authored-by: Bryan Karaffa <[email protected]>
flexera-public · Nov 2, 2023 · df617f7 · df617f7
1 parent 0bc16ba
commit df617f7
Show file tree

Hide file tree

Showing 3 changed files with 939 additions and 1 deletion.
diff --git a/cost/aws/old_snapshots/README.md b/cost/aws/old_snapshots/README.md
@@ -58,6 +58,7 @@ This Policy Template uses [Credentials](https://docs.flexera.com/flexera/EN/Auto
   - `rds:DeleteDBClusterSnapshot`*
   - `rds:DeleteDBSnapshot`*
   - `sts:GetCallerIdentity`
+  - `cloudtrail:LookupEvents`
 
   \* Only required for taking action (deletion); the policy will still function in a read-only capacity without these permissions.
 
@@ -81,7 +82,8 @@ This Policy Template uses [Credentials](https://docs.flexera.com/flexera/EN/Auto
                   "rds:DescribeDBClusterSnapshots",
                   "rds:DeleteDBSnapshot",
                   "rds:DeleteDBClusterSnapshot",
-                  "sts:GetCallerIdentity"
+                  "sts:GetCallerIdentity",
+                  "cloudtrail:LookupEvents"
               ],
               "Resource": "*"
           }

diff --git a/tools/cloudformation-template/FlexeraAutomationPolicies.template b/tools/cloudformation-template/FlexeraAutomationPolicies.template
@@ -403,6 +403,7 @@ Mappings:
         - "ec2:DescribeRegions"
         - "ec2:DescribeImages"
         - "ec2:DescribeSnapshots"
+        - "cloudtrail:LookupEvents"
         - "rds:DescribeDBInstances"
         - "rds:DescribeDBSnapshots"
         - "rds:DescribeDBClusters"