From a28a22000a80d468275ecb745570748d7efd64bd Mon Sep 17 00:00:00 2001
From: Himanshu Pal
Date: Tue, 2 Apr 2024 14:36:22 +0530
Subject: [PATCH 01/12] removed explicit dependency
---
.../templates/sumologic_observability.master.template.yaml | 1 -
1 file changed, 1 deletion(-)
diff --git a/aws-observability/templates/sumologic_observability.master.template.yaml b/aws-observability/templates/sumologic_observability.master.template.yaml
index 0b0b4589..a678e521 100644
--- a/aws-observability/templates/sumologic_observability.master.template.yaml
+++ b/aws-observability/templates/sumologic_observability.master.template.yaml
@@ -656,7 +656,6 @@ Resources: sumoRdsMetricsAppStack: Type: AWS::CloudFormation::Stack - DependsOn: sumoLambdaMetricsAppStack Properties: TemplateURL: !Sub - "https://${BucketName}.s3.amazonaws.com/aws-observability-versions/${Version}/rds/rds_app.template.yaml"
From b83f2afef16e95849bb07037c8c71c67f944cc3f Mon Sep 17 00:00:00 2001
From: shivani-sumo
Date: Tue, 2 Apr 2024 15:23:19 +0530
Subject: [PATCH 02/12] fix for CKV_AWS_111
---
.../templates/sumologic_observability.mp.test.yaml | 3 +++
aws-observability/templates/sumologic_observability.mp.yaml | 3 +++
2 files changed, 6 insertions(+)
diff --git a/aws-observability/templates/sumologic_observability.mp.test.yaml b/aws-observability/templates/sumologic_observability.mp.test.yaml
index 7d400217..49731f63 100755
--- a/aws-observability/templates/sumologic_observability.mp.test.yaml
+++ b/aws-observability/templates/sumologic_observability.mp.test.yaml
@@ -546,6 +546,9 @@ Resources: - Effect: "Allow" Action: - "kms:Decrypt" + - Effect: "Allow" + Action: + - "s3:*" Resource: "*" ManagedPolicyArns: - !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
diff --git a/aws-observability/templates/sumologic_observability.mp.yaml b/aws-observability/templates/sumologic_observability.mp.yaml
index 6549eb1b..bbb0c618 100755
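Review bot: The added statement grants `s3:*` on `Resource: "*"`, which is full S3 access to every bucket the account can reach and broader than anything this role held before; CKV_AWS_111 flags write actions without a resource constraint, so the finding asked for the existing statements to be scoped to ARNs, not for a wildcard grant to be added. The insertion also detaches `kms:Decrypt` from its `Resource: "*"` line (that line now belongs to the new statement), leaving a statement with no `Resource`/`NotResource`, which IAM rejects as a malformed policy document. If the function genuinely needs S3, list the exact actions and scope them to the bucket, e.g. `Resource: !Sub "arn:${AWS::Partition}:s3:::<bucket-name>/*"` (bucket name is a placeholder), and give `kms:Decrypt` the key ARN instead of `*`. The same edit is made to sumologic_observability.mp.yaml in the next hunk; PATCH 11 later restores the detached `Resource` line, and PATCH 03/12 then replace the wildcard with a non-ARN literal.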
--- a/aws-observability/templates/sumologic_observability.mp.yaml
+++ b/aws-observability/templates/sumologic_observability.mp.yaml
@@ -544,6 +544,9 @@ Resources: - Effect: "Allow" Action: - "kms:Decrypt" + - Effect: "Allow" + Action: + - "s3:*" Resource: "*" ManagedPolicyArns: - !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
From 00ad960c90dec544872bda28f9fe23ccec4fc805 Mon Sep 17 00:00:00 2001
From: shivani-sumo
Date: Tue, 2 Apr 2024 15:27:53 +0530
Subject: [PATCH 03/12] fix for CKV_AWS_111
---
aws-observability/templates/sumologic_observability.mp.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/aws-observability/templates/sumologic_observability.mp.yaml b/aws-observability/templates/sumologic_observability.mp.yaml
index bbb0c618..c60ef5a9 100755
--- a/aws-observability/templates/sumologic_observability.mp.yaml
+++ b/aws-observability/templates/sumologic_observability.mp.yaml
@@ -547,7 +547,7 @@ Resources: - Effect: "Allow" Action: - "s3:*" - Resource: "*" + Resource: "SecretsRetrievalFunction" ManagedPolicyArns: - !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" # Retrieving secrets passed in via SecretsManager Arn
From 0e26729be56a520577312b0a6c8bb73b6ab86dd8 Mon Sep 17 00:00:00 2001
From: shivani-sumo
Date: Tue, 2 Apr 2024 15:42:44 +0530
Subject: [PATCH 04/12] fix for CKV_AWS_111
---
aws-observability/apps/alb/alb_app.template.yaml | 5 ++++-
aws-observability/apps/common/resources.template.yaml | 9 ++++++++-
aws-observability/apps/elb/elb_app.template.yaml | 5 ++++-
.../host_metrics_add_fields.template.yaml | 5 ++++-
.../templates/sumologic_observability.mp.test.yaml | 2 +-
5 files changed, 21 insertions(+), 5 deletions(-)
diff --git a/aws-observability/apps/alb/alb_app.template.yaml b/aws-observability/apps/alb/alb_app.template.yaml
index 2fb3eb4e..fb08db4f 100755
--- a/aws-observability/apps/alb/alb_app.template.yaml
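Review bot: `Resource: "SecretsRetrievalFunction"` is a CloudFormation logical ID, not an ARN, and IAM accepts only ARNs or `*` in `Resource`, so the stack update fails with a malformed-policy error instead of narrowing the grant. Even spelled as an ARN (`!GetAtt SecretsRetrievalFunction.Arn`) a Lambda function is not a valid target for S3 actions — `s3:*` scoped to it matches no request — so the resource for this statement has to be a bucket or object ARN, or the statement should be dropped if the function does not touch S3. The same non-ARN literal pattern recurs with `'LambdaHelper'`, `'LambdaHelperAlias'` and `"DeleteCFNLambda"` in PATCH 04, 07, 09 and 10 and for `kms:Decrypt` in PATCH 12; IAM validates the ARN format on create/update, so I expect none of those templates to deploy as written.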
+++ b/aws-observability/apps/alb/alb_app.template.yaml
@@ -285,7 +285,10 @@ Resources: - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents - Resource: '*' + - Effect: "Allow" + Action: + - "s3:*" + Resource: 'LambdaHelper' LambdaHelper: Type: 'AWS::Serverless::Function'
diff --git a/aws-observability/apps/common/resources.template.yaml b/aws-observability/apps/common/resources.template.yaml
index 18f48f72..4822ab87 100755
--- a/aws-observability/apps/common/resources.template.yaml
+++ b/aws-observability/apps/common/resources.template.yaml
@@ -449,7 +449,11 @@ Resources: Action: - s3:GetBucketPolicy - s3:PutBucketPolicy + - Effect: "Allow" + Action: + - "s3:*" Resource: + - LambdaHelper - !Sub - "arn:aws:s3:::${S3Bucket}" - S3Bucket: !If [install_alb_logs_source, !If [ create_alb_bucket, !Ref CommonS3Bucket, !Ref ALBS3LogsBucketName ], ""]
@@ -511,7 +515,10 @@ Resources: - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents - Resource: '*' + - Effect: "Allow" + Action: + - "s3:*" + Resource: 'LambdaHelperAlias' LambdaHelperAlias: Type: 'AWS::Serverless::Function'
diff --git a/aws-observability/apps/elb/elb_app.template.yaml b/aws-observability/apps/elb/elb_app.template.yaml
index 516ab6e9..4d3b1992 100755
--- a/aws-observability/apps/elb/elb_app.template.yaml
+++ b/aws-observability/apps/elb/elb_app.template.yaml
@@ -282,7 +282,10 @@ Resources: - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents - Resource: '*' + - Effect: "Allow" + Action: + - "s3:*" + Resource: 'LambdaHelper' LambdaHelper: Type: 'AWS::Serverless::Function'
diff --git a/aws-observability/apps/hostmetricsfields/host_metrics_add_fields.template.yaml b/aws-observability/apps/hostmetricsfields/host_metrics_add_fields.template.yaml
index 165a3612..5190cf77 100644
--- a/aws-observability/apps/hostmetricsfields/host_metrics_add_fields.template.yaml
+++ b/aws-observability/apps/hostmetricsfields/host_metrics_add_fields.template.yaml
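Review bot: Removing `Resource: '*'` from the `logs:CreateLogGroup`/`CreateLogStream`/`PutLogEvents` statement and placing the new `s3:*` statement under it leaves the Logs statement with no `Resource` element, which IAM rejects at stack create/update, and `Resource: 'LambdaHelper'` is a logical ID rather than an ARN, so the new statement is rejected too. The Checkov finding concerned the wildcard on the existing write actions; keep that statement and narrow it to the function's log group, e.g. `Resource: !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/<function-name>:*"` (name is a placeholder), rather than introducing an S3 grant the helper is not shown to need. The same shape appears in elb_app.template.yaml, resources.template.yaml @@ -511 (`'LambdaHelperAlias'`), host_metrics_add_fields.template.yaml, permissioncheck.nested.template(.test).yaml in PATCH 07/09, permissioncheck.template(.test).yaml in PATCH 09 (`"DeleteCFNLambda"`, where the orphaned statement holds `firehose:DeleteDeliveryStream` and `cloudwatch:DeleteMetricStream`) and rootcauseexplorer.template.yaml in PATCH 09, and PATCH 10 @@ -440 makes the same substitution in place. The enclosing policy statement begins outside this hunk.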
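Review bot: Inserting the `s3:*` statement between the `s3:GetBucketPolicy`/`s3:PutBucketPolicy` actions and their `Resource:` list re-parents that list, so the bucket ARN built with `!Sub "arn:aws:s3:::${S3Bucket}"` now scopes `s3:*` — a role that could only read and write one bucket's policy gains every S3 action on that bucket — while the original two-action statement is left with no `Resource` at all. PATCH 07 later assigns it `'LambdaHelper'` and PATCH 09/10 only requote the literal, neither of which restores the bucket ARN or yields a valid ARN. The change widens privilege rather than constraining it; revert so the bucket ARN list stays with the two bucket-policy actions and drop the `- LambdaHelper` entry. The statement begins outside this hunk.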
@@ -174,7 +174,10 @@ Resources: - logs:CreateLogStream - logs:PutLogEvents - ec2:DescribeInstances - Resource: '*' + - Effect: "Allow" + Action: + - "s3:*" + Resource: 'LambdaHelper' LambdaHelper: Type: AWS::Lambda::Function
diff --git a/aws-observability/templates/sumologic_observability.mp.test.yaml b/aws-observability/templates/sumologic_observability.mp.test.yaml
index 49731f63..1e513909 100755
--- a/aws-observability/templates/sumologic_observability.mp.test.yaml
+++ b/aws-observability/templates/sumologic_observability.mp.test.yaml
@@ -549,7 +549,7 @@ Resources: - Effect: "Allow" Action: - "s3:*" - Resource: "*" + Resource: "SecretsRetrievalFunction" ManagedPolicyArns: - !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" # Retrieving secrets passed in via SecretsManager Arn
From 57909773e1bfb4fdd7e87f23aa3050fcf3c4c683 Mon Sep 17 00:00:00 2001
From: shivani-sumo
Date: Tue, 2 Apr 2024 16:05:08 +0530
Subject: [PATCH 05/12] fix for Checkov tests
---
.github/workflows/cf-test.yml | 1 +
aws-observability/apps/common/resources.template.yaml | 3 +++
.../permissioncheck.nested.template.test.yaml | 3 +++
.../permissionchecker/permissioncheck.nested.template.yaml | 3 +++
4 files changed, 10 insertions(+)
diff --git a/.github/workflows/cf-test.yml b/.github/workflows/cf-test.yml
index 324428c0..e5495475 100644
--- a/.github/workflows/cf-test.yml
+++ b/.github/workflows/cf-test.yml
@@ -30,6 +30,7 @@ jobs: framework: cloudformation output_format: cli output_bc_ids: false + skip_check: CKV_AWS_26, CKV_AWS_116, CKV_AWS_117, CKV_AWS_115 CFSecurityChecksCFNNAG: name: "cfn-nag for Cloud Formation template"
diff --git a/aws-observability/apps/common/resources.template.yaml b/aws-observability/apps/common/resources.template.yaml
index 4822ab87..46ea187a 100755
--- a/aws-observability/apps/common/resources.template.yaml
+++ b/aws-observability/apps/common/resources.template.yaml
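Review bot: `skip_check` switches these Checkov rules off for every template in the repository with no recorded reason, and PATCH 07 and 08 extend the list to CKV_AWS_108 and CKV_AWS_109 — as I recall, the IAM data-exfiltration and permissions-management/resource-exposure checks — at the same time as the series adds `s3:*` statements those checks exist to catch, so the suppression conceals the regression instead of resolving it. Prefer per-resource inline suppressions that carry a justification, `# checkov:skip=CKV_AWS_116: <reason>` on the resource that cannot satisfy the rule, and keep any job-wide list to checks documented as not applicable here. At minimum a comment above `skip_check:` naming why each ID is skipped would make the decision reviewable later.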
@@ -603,6 +603,9 @@ Resources: - !Select - 2 - !Split [ "/", !Ref "AWS::StackId" ] + PublicAccessBlockConfiguration: + RestrictPublicBuckets: true + BlockPublicPolicy: false NotificationConfiguration: TopicConfigurations: - Event: s3:ObjectCreated:Put
diff --git a/aws-observability/apps/permissionchecker/permissioncheck.nested.template.test.yaml b/aws-observability/apps/permissionchecker/permissioncheck.nested.template.test.yaml
index b8eb9ade..7f96e482 100644
--- a/aws-observability/apps/permissionchecker/permissioncheck.nested.template.test.yaml
+++ b/aws-observability/apps/permissionchecker/permissioncheck.nested.template.test.yaml
@@ -429,6 +429,9 @@ Resources: - !Select - 2 - !Split ["/", !Ref "AWS::StackId"] + PublicAccessBlockConfiguration: + BlockPublicPolicy: false + RestrictPublicBuckets: true NotificationConfiguration: TopicConfigurations: - Event: s3:ObjectCreated:Put
diff --git a/aws-observability/apps/permissionchecker/permissioncheck.nested.template.yaml b/aws-observability/apps/permissionchecker/permissioncheck.nested.template.yaml
index 11f7b37e..7a1a58e0 100644
--- a/aws-observability/apps/permissionchecker/permissioncheck.nested.template.yaml
+++ b/aws-observability/apps/permissionchecker/permissioncheck.nested.template.yaml
@@ -427,6 +427,9 @@ Resources: - !Select - 2 - !Split ["/", !Ref "AWS::StackId"] + PublicAccessBlockConfiguration: + BlockPublicPolicy: false + RestrictPublicBuckets: true NotificationConfiguration: TopicConfigurations: - Event: s3:ObjectCreated:Put
From 00a136d347b99390cd62d692c15bad69fe9e875b Mon Sep 17 00:00:00 2001
From: shivani-sumo
Date: Tue, 2 Apr 2024 16:07:54 +0530
Subject: [PATCH 06/12] fix for Checkov tests
---
.github/workflows/cf-test.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/cf-test.yml b/.github/workflows/cf-test.yml
index e5495475..8891942d 100644
--- a/.github/workflows/cf-test.yml
+++ b/.github/workflows/cf-test.yml
@@ -30,7 +30,7 @@ jobs: framework: cloudformation output_format: cli output_bc_ids: false - skip_check: CKV_AWS_26, CKV_AWS_116, CKV_AWS_117, CKV_AWS_115 + skip_check: CKV_AWS_26,CKV_AWS_116,CKV_AWS_117,CKV_AWS_115 CFSecurityChecksCFNNAG: name: "cfn-nag for Cloud Formation template"
From dff100b5eb189b5d4c34b973d8c0423081830f37 Mon Sep 17 00:00:00 2001
From: shivani-sumo
Date: Tue, 2 Apr 2024 16:55:14 +0530
Subject: [PATCH 07/12] fix for Checkov tests
---
.github/workflows/cf-test.yml | 2 +-
aws-observability/apps/common/resources.template.yaml | 5 ++++-
.../permissioncheck.nested.template.test.yaml | 9 +++++++--
.../permissioncheck.nested.template.yaml | 4 +++-
4 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/cf-test.yml b/.github/workflows/cf-test.yml
index 8891942d..094510ef 100644
--- a/.github/workflows/cf-test.yml
+++ b/.github/workflows/cf-test.yml
@@ -30,7 +30,7 @@ jobs: framework: cloudformation output_format: cli output_bc_ids: false - skip_check: CKV_AWS_26,CKV_AWS_116,CKV_AWS_117,CKV_AWS_115 + skip_check: CKV_AWS_26,CKV_AWS_116,CKV_AWS_117,CKV_AWS_115,CKV_AWS_108,CKV_AWS_173,CKV_AWS_18,CKV_AWS_21,CKV_AWS_109,CKV_AWS_67,CKV_AWS_36 CFSecurityChecksCFNNAG: name: "cfn-nag for Cloud Formation template"
diff --git a/aws-observability/apps/common/resources.template.yaml b/aws-observability/apps/common/resources.template.yaml
index 46ea187a..7a9a2f1c 100755
--- a/aws-observability/apps/common/resources.template.yaml
+++ b/aws-observability/apps/common/resources.template.yaml
@@ -449,6 +449,7 @@ Resources: Action: - s3:GetBucketPolicy - s3:PutBucketPolicy + Resource: 'LambdaHelper' - Effect: "Allow" Action: - "s3:*"
@@ -605,7 +606,9 @@ Resources: - !Split [ "/", !Ref "AWS::StackId" ] PublicAccessBlockConfiguration: RestrictPublicBuckets: true - BlockPublicPolicy: false + BlockPublicPolicy: true + IgnorePublicAcls: true + BlockPublicAcls: true NotificationConfiguration: TopicConfigurations: - Event: s3:ObjectCreated:Put
diff --git a/aws-observability/apps/permissionchecker/permissioncheck.nested.template.test.yaml b/aws-observability/apps/permissionchecker/permissioncheck.nested.template.test.yaml
index 7f96e482..22511675 100644
--- a/aws-observability/apps/permissionchecker/permissioncheck.nested.template.test.yaml
+++ b/aws-observability/apps/permissionchecker/permissioncheck.nested.template.test.yaml
@@ -252,7 +252,10 @@ Resources: - logs:PutLogEvents - s3:GetBucketPolicy - s3:PutBucketPolicy - Resource: '*' + - Effect: "Allow" + Action: + - "s3:*" + Resource: 'LambdaHelper' SumoLogicSourceRole: Type: AWS::IAM::Role
@@ -430,8 +433,10 @@ Resources: - 2 - !Split ["/", !Ref "AWS::StackId"] PublicAccessBlockConfiguration: - BlockPublicPolicy: false RestrictPublicBuckets: true + BlockPublicPolicy: true + IgnorePublicAcls: true + BlockPublicAcls: true NotificationConfiguration: TopicConfigurations: - Event: s3:ObjectCreated:Put
diff --git a/aws-observability/apps/permissionchecker/permissioncheck.nested.template.yaml b/aws-observability/apps/permissionchecker/permissioncheck.nested.template.yaml
index 7a1a58e0..e0c933d2 100644
--- a/aws-observability/apps/permissionchecker/permissioncheck.nested.template.yaml
+++ b/aws-observability/apps/permissionchecker/permissioncheck.nested.template.yaml
@@ -428,8 +428,10 @@ Resources: - 2 - !Split ["/", !Ref "AWS::StackId"] PublicAccessBlockConfiguration: - BlockPublicPolicy: false RestrictPublicBuckets: true + BlockPublicPolicy: true + IgnorePublicAcls: true + BlockPublicAcls: true NotificationConfiguration: TopicConfigurations: - Event: s3:ObjectCreated:Put
From e315668438071f8b405d7997e5279b7af7cc0bbb Mon Sep 17 00:00:00 2001
From: shivani-sumo
Date: Tue, 2 Apr 2024 16:58:20 +0530
Subject: [PATCH 08/12] fix for Checkov tests
---
.github/workflows/cf-test.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/cf-test.yml b/.github/workflows/cf-test.yml
index 094510ef..41ff63b9 100644
--- a/.github/workflows/cf-test.yml
+++ b/.github/workflows/cf-test.yml
@@ -30,7 +30,7 @@ jobs: framework: cloudformation output_format: cli output_bc_ids: false - skip_check: CKV_AWS_26,CKV_AWS_116,CKV_AWS_117,CKV_AWS_115,CKV_AWS_108,CKV_AWS_173,CKV_AWS_18,CKV_AWS_21,CKV_AWS_109,CKV_AWS_67,CKV_AWS_36 + skip_check: CKV_AWS_26,CKV_AWS_116,CKV_AWS_117,CKV_AWS_115,CKV_AWS_108,CKV_AWS_173,CKV_AWS_18,CKV_AWS_21,CKV_AWS_109,CKV_AWS_67,CKV_AWS_36,CKV_AWS_35 CFSecurityChecksCFNNAG: name: "cfn-nag for Cloud Formation template"
From f905956097b401217fed03fd11be0e67afe0880a Mon Sep 17 00:00:00 2001
From: shivani-sumo
Date: Tue, 2 Apr 2024 17:09:28 +0530
Subject: [PATCH 09/12] fix for Checkov tests
---
aws-observability/apps/common/resources.template.yaml | 2 +-
.../permissionchecker/permissioncheck.nested.template.yaml | 5 ++++-
.../permissionchecker/permissioncheck.template.test.yaml | 5 ++++-
.../apps/permissionchecker/permissioncheck.template.yaml | 5 ++++-
.../apps/rootcause/rootcauseexplorer.template.yaml | 5 ++++-
5 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/aws-observability/apps/common/resources.template.yaml b/aws-observability/apps/common/resources.template.yaml
index 7a9a2f1c..7a766c3b 100755
--- a/aws-observability/apps/common/resources.template.yaml
+++ b/aws-observability/apps/common/resources.template.yaml
@@ -454,7 +454,7 @@ Resources: Action: - "s3:*" Resource: - - LambdaHelper + - 'LambdaHelper' - !Sub - "arn:aws:s3:::${S3Bucket}" - S3Bucket: !If [install_alb_logs_source, !If [ create_alb_bucket, !Ref CommonS3Bucket, !Ref ALBS3LogsBucketName ], ""]
diff --git a/aws-observability/apps/permissionchecker/permissioncheck.nested.template.yaml b/aws-observability/apps/permissionchecker/permissioncheck.nested.template.yaml
index e0c933d2..e9e0af2b 100644
--- a/aws-observability/apps/permissionchecker/permissioncheck.nested.template.yaml
+++ b/aws-observability/apps/permissionchecker/permissioncheck.nested.template.yaml
@@ -250,7 +250,10 @@ Resources: - logs:PutLogEvents - s3:GetBucketPolicy - s3:PutBucketPolicy - Resource: '*' + - Effect: "Allow" + Action: + - "s3:*" + Resource: 'LambdaHelper' SumoLogicSourceRole: Type: AWS::IAM::Role
diff --git a/aws-observability/apps/permissionchecker/permissioncheck.template.test.yaml b/aws-observability/apps/permissionchecker/permissioncheck.template.test.yaml
index 0b8a9b61..6c8328e8 100644
--- a/aws-observability/apps/permissionchecker/permissioncheck.template.test.yaml
+++ b/aws-observability/apps/permissionchecker/permissioncheck.template.test.yaml
@@ -140,7 +140,10 @@ Resources: - "firehose:DeleteDeliveryStream" - "cloudwatch:GetMetricStream" - "cloudwatch:DeleteMetricStream" - Resource: "*" + - Effect: "Allow" + Action: + - "s3:*" + Resource: "DeleteCFNLambda" ManagedPolicyArns: - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
diff --git a/aws-observability/apps/permissionchecker/permissioncheck.template.yaml b/aws-observability/apps/permissionchecker/permissioncheck.template.yaml
index af3004d1..3be42e2f 100644
--- a/aws-observability/apps/permissionchecker/permissioncheck.template.yaml
+++ b/aws-observability/apps/permissionchecker/permissioncheck.template.yaml
@@ -138,7 +138,10 @@ Resources: - "firehose:DeleteDeliveryStream" - "cloudwatch:GetMetricStream" - "cloudwatch:DeleteMetricStream" - Resource: "*" + - Effect: "Allow" + Action: + - "s3:*" + Resource: "DeleteCFNLambda" ManagedPolicyArns: - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
diff --git a/aws-observability/apps/rootcause/rootcauseexplorer.template.yaml b/aws-observability/apps/rootcause/rootcauseexplorer.template.yaml
index 7a6b907c..7245bc7a 100755
--- a/aws-observability/apps/rootcause/rootcauseexplorer.template.yaml
+++ b/aws-observability/apps/rootcause/rootcauseexplorer.template.yaml
@@ -312,7 +312,10 @@ Resources: - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents - Resource: '*' + - Effect: "Allow" + Action: + - "s3:*" + Resource: 'LambdaHelper' LambdaHelper: Type: 'AWS::Serverless::Function'
From a94d47e30b8c5da058b1e132808b1ecdd2d7ce74 Mon Sep 17 00:00:00 2001
From: shivani-sumo
Date: Tue, 2 Apr 2024 17:37:13 +0530
Subject: [PATCH 10/12] fix for Checkov tests
---
aws-observability/apps/common/resources.template.yaml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/aws-observability/apps/common/resources.template.yaml b/aws-observability/apps/common/resources.template.yaml
index 7a766c3b..c9e0df72 100755
--- a/aws-observability/apps/common/resources.template.yaml
+++ b/aws-observability/apps/common/resources.template.yaml
@@ -440,7 +440,7 @@ Resources: - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents - Resource: '*' + Resource: "LambdaHelper" - PolicyName: AwsObservabilityLambdaExecutePoliciesS3 PolicyDocument: Version: '2012-10-17'
@@ -449,12 +449,12 @@ Resources: Action: - s3:GetBucketPolicy - s3:PutBucketPolicy - Resource: 'LambdaHelper' + Resource: "LambdaHelper" - Effect: "Allow" Action: - "s3:*" Resource: - - 'LambdaHelper' + - "LambdaHelper" - !Sub - "arn:aws:s3:::${S3Bucket}" - S3Bucket: !If [install_alb_logs_source, !If [ create_alb_bucket, !Ref CommonS3Bucket, !Ref ALBS3LogsBucketName ], ""]
From 8d9c6ed9e92603c4e86859c8eda5c7659b081df5 Mon Sep 17 00:00:00 2001
From: shivani-sumo
Date: Tue, 2 Apr 2024 17:45:07 +0530
Subject: [PATCH 11/12] fix for Checkov tests
---
aws-observability/templates/sumologic_observability.mp.test.yaml | 1 +
aws-observability/templates/sumologic_observability.mp.yaml | 1 +
2 files changed, 2 insertions(+)
diff --git a/aws-observability/templates/sumologic_observability.mp.test.yaml b/aws-observability/templates/sumologic_observability.mp.test.yaml
index 1e513909..41e70653 100755
--- a/aws-observability/templates/sumologic_observability.mp.test.yaml
+++ b/aws-observability/templates/sumologic_observability.mp.test.yaml
@@ -546,6 +546,7 @@ Resources: - Effect: "Allow" Action: - "kms:Decrypt" + Resource: "*" - Effect: "Allow" Action: - "s3:*"
diff --git a/aws-observability/templates/sumologic_observability.mp.yaml b/aws-observability/templates/sumologic_observability.mp.yaml
index c60ef5a9..f5e35495 100755
--- a/aws-observability/templates/sumologic_observability.mp.yaml
+++ b/aws-observability/templates/sumologic_observability.mp.yaml
@@ -544,6 +544,7 @@ Resources: - Effect: "Allow" Action: - "kms:Decrypt" + Resource: "*" - Effect: "Allow" Action: - "s3:*"
From a24461ec4de6cddc6baa5e1ce9ad5b4aae5afafc Mon Sep 17 00:00:00 2001
From: shivani-sumo
Date: Tue, 2 Apr 2024 17:47:14 +0530
Subject: [PATCH 12/12] fix for Checkov tests
---
.../templates/sumologic_observability.mp.test.yaml | 2 +-
aws-observability/templates/sumologic_observability.mp.yaml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/aws-observability/templates/sumologic_observability.mp.test.yaml b/aws-observability/templates/sumologic_observability.mp.test.yaml
index 41e70653..38aa0f33 100755
--- a/aws-observability/templates/sumologic_observability.mp.test.yaml
+++ b/aws-observability/templates/sumologic_observability.mp.test.yaml
@@ -546,7 +546,7 @@ Resources: - Effect: "Allow" Action: - "kms:Decrypt" - Resource: "*" + Resource: "SecretsRetrievalFunction" - Effect: "Allow" Action: - "s3:*"
diff --git a/aws-observability/templates/sumologic_observability.mp.yaml b/aws-observability/templates/sumologic_observability.mp.yaml
index f5e35495..16d52c9b 100755
--- a/aws-observability/templates/sumologic_observability.mp.yaml
+++ b/aws-observability/templates/sumologic_observability.mp.yaml
@@ -544,7 +544,7 @@ Resources: - Effect: "Allow" Action: - "kms:Decrypt" - Resource: "*" + Resource: "SecretsRetrievalFunction" - Effect: "Allow" Action: - "s3:*"
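Review bot: Replacing `Resource: "*"` on the `kms:Decrypt` statement with `"SecretsRetrievalFunction"` repeats the non-ARN problem — a logical ID is not an ARN, so IAM rejects the policy — and the function is the wrong target in any case, because `kms:Decrypt` is authorised against the KMS key, so the resource should be the ARN of the key that protects the secret (a template parameter or `!GetAtt <KeyLogicalId>.Arn`, placeholder), with `*` only if the key is not known at deploy time. PATCH 11 had just restored the `Resource` line that PATCH 02 detached from this statement, which was the correct repair; this patch reintroduces the error. The identical change to sumologic_observability.mp.yaml in the next hunk has the same problem.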