From a386c510139339b1f0158093e93803682e6ca14e Mon Sep 17 00:00:00 2001
From: Veetaha
Date: Tue, 25 Mar 2025 19:09:36 +0000
Subject: [PATCH 1/3] Small fixes for the AWS Backup EC2/EBS RP scan permission boundary

---
 codegen/src/policies/ElastioAwsBackupEc2Scan.ts | 7 ++++---
 iam-policies/terraform/README.md | 2 +-
 .../terraform/policies/ElastioAwsBackupEc2Scan.json | 2 +-
 3 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/codegen/src/policies/ElastioAwsBackupEc2Scan.ts b/codegen/src/policies/ElastioAwsBackupEc2Scan.ts
index af8fa08..eb09509 100644
--- a/codegen/src/policies/ElastioAwsBackupEc2Scan.ts
+++ b/codegen/src/policies/ElastioAwsBackupEc2Scan.ts
@@ -1,7 +1,7 @@
 import * as iam from "../iam";
 
 export default {
- description: "Allows Elastio to scan AWS Backup recovery points.",
+ description: "Allows Elastio to scan AWS Backup EC2 recovery points.",
 
 statements: [
 {
@@ -41,7 +41,7 @@ export default {
 // Common for all resources
 "ec2:DescribeTags",
 
- // Used for cost estimation
+ // Used for cost estimation and scanning itself
 "ebs:ListSnapshotBlocks",
 "ebs:ListChangedBlocks",
 ],
@@ -70,7 +70,7 @@ export default {
 Action: ["ec2:ModifySnapshotAttribute"],
 Resource: "*",
 Condition: {
- // Needed to add createVolumePermission for the sharing the snapshot
+ // Needed to add createVolumePermission for sharing the snapshot
 // with the connector account.
 StringLike: {
 "ec2:Add/userId": "*",
@@ -78,6 +78,7 @@ export default {
 },
 },
 
+ // Required for encrypted backups
 {
 Sid: "KmsAccess",
 
diff --git a/iam-policies/terraform/README.md b/iam-policies/terraform/README.md
index e6f7954..d0a3a09 100644
--- a/iam-policies/terraform/README.md
+++ b/iam-policies/terraform/README.md
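Review bot: The `StringLike: { "ec2:Add/userId": "*" }` condition on the `ec2:ModifySnapshotAttribute` statement (context lines of the `@@ -70,7 +70,7 @@` hunk) only requires that some account ID be supplied; it does not bind the createVolumePermission grant to the connector account that the reworded comment refers to, so this boundary still admits sharing a snapshot with any AWS account. If the connector account ID is available to the codegen (the rest of the file is not visible here), replace the wildcard with it, e.g. `"ec2:Add/userId": connectorAccountId`; if the wildcard is deliberate because this is a permissions boundary paired with a tighter identity policy, say so in the comment: `// "*" only requires a userId to be present; the connector account ID is enforced by the attached identity policy.` The condition should still reject a request that sets only `ec2:Add/group` (public sharing), since a missing `ec2:Add/userId` key fails the StringLike match, but that is worth confirming rather than relying on the comment. The enclosing statement and its `Condition` object close outside the hunk.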
@@ -30,7 +30,7 @@ See the basic [usage example](./examples/basic/main.tf).
 | Policy | Description |
 | ------------------------------------------------------------ | -------------------------------------------------------------- |
 | [`ElastioAssetAccountDeployer`][ElastioAssetAccountDeployer] | Permissions required to deploy the Elastio Asset Account stack |
-| [`ElastioAwsBackupEc2Scan`][ElastioAwsBackupEc2Scan] | Allows Elastio to scan AWS Backup recovery points. |
+| [`ElastioAwsBackupEc2Scan`][ElastioAwsBackupEc2Scan] | Allows Elastio to scan AWS Backup EC2 recovery points. |
 
 [ElastioAssetAccountDeployer]: ../../codegen/src/policies/ElastioAssetAccountDeployer.ts
 [ElastioAwsBackupEc2Scan]: ../../codegen/src/policies/ElastioAwsBackupEc2Scan.ts
diff --git a/iam-policies/terraform/policies/ElastioAwsBackupEc2Scan.json b/iam-policies/terraform/policies/ElastioAwsBackupEc2Scan.json
index dc8cf7c..f627d40 100644
--- a/iam-policies/terraform/policies/ElastioAwsBackupEc2Scan.json
+++ b/iam-policies/terraform/policies/ElastioAwsBackupEc2Scan.json
@@ -1,5 +1,5 @@
 {
- "Description": "Allows Elastio to scan AWS Backup recovery points.",
+ "Description": "Allows Elastio to scan AWS Backup EC2 recovery points.",
 "PolicyDocument": {
 "Version": "2012-10-17",
 "Statement": [

From afd6763e90a63899d6ff81a9ea01f3d2dad16a45 Mon Sep 17 00:00:00 2001
From: Veetaha
Date: Tue, 25 Mar 2025 19:11:18 +0000
Subject: [PATCH 2/3] Bump version

---
 iam-policies/terraform/.module.toml | 2 +-
 iam-policies/terraform/README.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/iam-policies/terraform/.module.toml b/iam-policies/terraform/.module.toml
index 74d735b..712a26b 100644
--- a/iam-policies/terraform/.module.toml
+++ b/iam-policies/terraform/.module.toml
@@ -2,4 +2,4 @@
 name = "aws-elastio-iam-policies"
 description = "A collection of AWS IAM policies for use with Elastio"
 type = "terraform"
-version = "0.33.0"
+version = "0.33.1"
diff --git a/iam-policies/terraform/README.md b/iam-policies/terraform/README.md
index d0a3a09..d5951af 100644
--- a/iam-policies/terraform/README.md
+++ b/iam-policies/terraform/README.md
@@ -9,7 +9,7 @@ This Terraform module deploys additional Elastio IAM managed policies that you c
 ```tf
 module "elastio_policies" {
 source = "terraform.cloudsmith.io/public/elastio-iam-policies/aws"
- version = "0.33.0"
+ version = "0.33.1"
 
 // Provide input parameters
 }

From 33655494bf90755efceaa5c7eca2fbdee3885993 Mon Sep 17 00:00:00 2001
From: Veetaha
Date: Tue, 25 Mar 2025 19:11:49 +0000
Subject: [PATCH 3/3] Fix description

---
 codegen/src/policies/ElastioAwsBackupEc2Scan.ts | 2 +-
 iam-policies/terraform/README.md | 2 +-
 iam-policies/terraform/policies/ElastioAwsBackupEc2Scan.json | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/codegen/src/policies/ElastioAwsBackupEc2Scan.ts b/codegen/src/policies/ElastioAwsBackupEc2Scan.ts
index eb09509..2254569 100644
--- a/codegen/src/policies/ElastioAwsBackupEc2Scan.ts
+++ b/codegen/src/policies/ElastioAwsBackupEc2Scan.ts
@@ -1,7 +1,7 @@
 import * as iam from "../iam";
 
 export default {
- description: "Allows Elastio to scan AWS Backup EC2 recovery points.",
+ description: "Allows Elastio to scan AWS Backup EC2 and EBS recovery points.",
 
 statements: [
 {
diff --git a/iam-policies/terraform/README.md b/iam-policies/terraform/README.md
index d5951af..f3a5f77 100644
--- a/iam-policies/terraform/README.md
+++ b/iam-policies/terraform/README.md
@@ -30,7 +30,7 @@ See the basic [usage example](./examples/basic/main.tf).
 | Policy | Description |
 | ------------------------------------------------------------ | -------------------------------------------------------------- |
 | [`ElastioAssetAccountDeployer`][ElastioAssetAccountDeployer] | Permissions required to deploy the Elastio Asset Account stack |
-| [`ElastioAwsBackupEc2Scan`][ElastioAwsBackupEc2Scan] | Allows Elastio to scan AWS Backup EC2 recovery points. |
+| [`ElastioAwsBackupEc2Scan`][ElastioAwsBackupEc2Scan] | Allows Elastio to scan AWS Backup EC2 and EBS recovery points. |
 
 [ElastioAssetAccountDeployer]: ../../codegen/src/policies/ElastioAssetAccountDeployer.ts
 [ElastioAwsBackupEc2Scan]: ../../codegen/src/policies/ElastioAwsBackupEc2Scan.ts
diff --git a/iam-policies/terraform/policies/ElastioAwsBackupEc2Scan.json b/iam-policies/terraform/policies/ElastioAwsBackupEc2Scan.json
index f627d40..95f98d8 100644
--- a/iam-policies/terraform/policies/ElastioAwsBackupEc2Scan.json
+++ b/iam-policies/terraform/policies/ElastioAwsBackupEc2Scan.json
@@ -1,5 +1,5 @@
 {
- "Description": "Allows Elastio to scan AWS Backup EC2 recovery points.",
+ "Description": "Allows Elastio to scan AWS Backup EC2 and EBS recovery points.",
 "PolicyDocument": {
 "Version": "2012-10-17",
 "Statement": [