CORP/KPI read cloudtrail events

CHANGELOG.md

@@ -5,6 +5,10 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## v4.10.0
+
+- Add read Cloudtrail event permission
+
 ## v4.9.0
 
 - Add `external_iam_role` to allow Airflow Pulumi tests to pass

README.md

@@ -74,6 +74,8 @@ kms:
   - test_kms_key_arn
 
 bedrock: true
+
+cloudtrail_lookup_events: true
 ```
 
 Whilst the example json (`iam_config.json`) looks like this:
@@ -100,7 +102,8 @@ Whilst the example json (`iam_config.json`) looks like this:
     ]
   },
   "kms": ["test_kms_key_arn"],
-  "bedrock": true
+  "bedrock": true,
+  "cloudtrail_lookup_events": true
 }
 ```
 
@@ -129,6 +132,8 @@ Whilst the example json (`iam_config.json`) looks like this:
 
 - **bedrock:** Boolean; must be set to `true` to allow role to interact with Amazon Bedrock. If `false` or absent role will not be able to interact with Amazon Bedrock.
 
+- **cloudtrail_lookup_events** Boolean; must be set to `true` to allow role to read Amazon CloudTrail events. If `false` or absent role will not be able to read  Amazon Cloudtrail events.
+
 ## How to update
 
 When updating IAM builder, make sure to change the version number in `pyproject.toml` and describe the change in `CHANGELOG.md`.

iam_builder/iam_builder.py

@@ -99,4 +99,7 @@ def build_iam_policy(config: dict) -> dict:  # noqa: C901
     if "bedrock" in config and config["bedrock"]:
         iam["Statement"].extend(iam_lookup["bedrock"])
 
+    if "cloudtrail_lookup_events" in config:
+        iam["Statement"].extend(iam_lookup["cloudtrail_lookup_events"])
+
     return iam

iam_builder/schemas/iam_schema.json

@@ -89,6 +89,10 @@
             "description": "bedrock must be set to true to allow role to interact with Amazon Bedrock.",
             "type": "boolean"
         },
+        "cloudtrail_lookup_events": {
+            "description": "cloudtrail_lookup_events must be set to true to allow cloudtrail lookup",
+            "type": "boolean"
+        },
         "role_duration_seconds":{
             "description": "Max duration role can be assumed for in seconds",
             "type": "integer"

iam_builder/templates.py

@@ -166,6 +166,16 @@
                 }
             }
         }
+    ],
+    "cloudtrail_lookup_events": [
+        {
+            "Sid": "allowLookup",
+            "Effect": "Allow",
+            "Action": [
+                "cloudtrail:LookupEvents"
+            ],
+            "Resource": ["*"]
+        }
     ]
 }
 

pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "iam_builder"
-version = "4.9.0"
+version = "4.10.0"
 description = "A lil python package to generate iam policies"
 authors = ["Karik Isichei <[email protected]>"]
 license = "MIT"

tests/expected_policy/cloudtrail_lookup_events.json

@@ -0,0 +1,13 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "allowLookup",
+            "Effect": "Allow",
+            "Action": [
+                "cloudtrail:LookupEvents"
+            ],
+            "Resource": ["*"]
+        }
+    ]
+}

tests/test_config/cloudtrail_lookup_events.yaml

@@ -0,0 +1 @@
+cloudtrail_lookup_events: true

tests/test_iam_builder.py

@@ -74,7 +74,8 @@ class TestConfigOutputs(unittest.TestCase):
             "glue_job",
             "all_config",
             "secrets",
-            "secrets_readwrite"
+            "secrets_readwrite",
+            "cloudtrail_lookup_events"
         ]
     )
     def test_config_output(self, config_name):