Fix(extra7141): Error handling and include missing policy (#1024)

* Fix AccessDenied issue when get document Add check to validate access denied when get document from SSM. Add missing action permission to allow ssm:GetDocument. * Double quote variables to prevent globbing and word splitting
2026-02-10 14:55:00 +00:00 · 2022-02-09 12:01:01 -03:00
parent 6c12a3e1e0
commit 9b772a70a1
5 changed files with 49 additions and 41 deletions
--- a/util/codebuild/codebuild-prowler-audit-account-cfn.yaml
+++ b/util/codebuild/codebuild-prowler-audit-account-cfn.yaml
@@ -141,7 +141,7 @@ Resources:
          - id: W28
            reason: "Explicit name is required for this resource to avoid circular dependencies."
    Properties:
-      RoleName: !Sub 'prowler-codebuild-role'
+      RoleName: 'prowler-codebuild-role'
      Path: '/service-role/'
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/job-function/SupportUser'
@@ -187,16 +187,17 @@ Resources:
                  - ds:ListAuthorizedApplications
                  - ec2:GetEbsEncryptionByDefault
                  - ecr:Describe*
-                  - support:Describe*
-                  - tag:GetTagKeys
-                  - lambda:GetFunction
+                  - elasticfilesystem:DescribeBackupPolicy
                  - glue:GetConnections
                  - glue:GetSecurityConfiguration
                  - glue:SearchTables
+                  - lambda:GetFunction
                  - s3:GetAccountPublicAccessBlock
-                  - shield:GetSubscriptionState
                  - shield:DescribeProtection
-                  - elasticfilesystem:DescribeBackupPolicy
+                  - shield:GetSubscriptionState
+                  - ssm:GetDocument
+                  - support:Describe*
+                  - tag:GetTagKeys
                Effect: Allow
                Resource: '*'
        - PolicyName: CodeBuild
--- a/util/terraform-kickstarter/main.tf
+++ b/util/terraform-kickstarter/main.tf
@@ -314,16 +314,17 @@ resource "aws_iam_policy" "prowler_kickstarter_iam_policy" {
                  "ds:ListAuthorizedApplications",
                  "ec2:GetEbsEncryptionByDefault",
                  "ecr:Describe*",
-                  "support:Describe*",
-                  "tag:GetTagKeys",
-                  "lambda:GetFunction",
+                  "elasticfilesystem:DescribeBackupPolicy",
                  "glue:GetConnections",
                  "glue:GetSecurityConfiguration",
                  "glue:SearchTables",
+                  "lambda:GetFunction",
                  "s3:GetAccountPublicAccessBlock",
-                  "shield:GetSubscriptionState",
                  "shield:DescribeProtection",
-                  "elasticfilesystem:DescribeBackupPolicy"
+                  "shield:GetSubscriptionState",
+                  "ssm:GetDocument",
+                  "support:Describe*",
+                  "tag:GetTagKeys"
                  ]
        Effect   = "Allow"
        Resource = "arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:catalog"