Fix(extra7141): Error handling and include missing policy (#1024)

* Fix AccessDenied issue when get document Add check to validate access denied when get document from SSM. Add missing action permission to allow ssm:GetDocument. * Double quote variables to prevent globbing and word splitting
2026-02-10 14:55:00 +00:00 · 2022-02-09 12:01:01 -03:00
parent 6c12a3e1e0
commit 9b772a70a1
5 changed files with 49 additions and 41 deletions
--- a/util/codebuild/codebuild-prowler-audit-account-cfn.yaml
+++ b/util/codebuild/codebuild-prowler-audit-account-cfn.yaml
@@ -141,7 +141,7 @@ Resources:
          - id: W28
            reason: "Explicit name is required for this resource to avoid circular dependencies."
    Properties:
-      RoleName: !Sub 'prowler-codebuild-role'
+      RoleName: 'prowler-codebuild-role'
      Path: '/service-role/'
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/job-function/SupportUser'
@@ -187,16 +187,17 @@ Resources:
                  - ds:ListAuthorizedApplications
                  - ec2:GetEbsEncryptionByDefault
                  - ecr:Describe*
-                  - support:Describe*
-                  - tag:GetTagKeys
-                  - lambda:GetFunction
+                  - elasticfilesystem:DescribeBackupPolicy
                  - glue:GetConnections
                  - glue:GetSecurityConfiguration
                  - glue:SearchTables
+                  - lambda:GetFunction
                  - s3:GetAccountPublicAccessBlock
-                  - shield:GetSubscriptionState
                  - shield:DescribeProtection
-                  - elasticfilesystem:DescribeBackupPolicy
+                  - shield:GetSubscriptionState
+                  - ssm:GetDocument
+                  - support:Describe*
+                  - tag:GetTagKeys
                Effect: Allow
                Resource: '*'
        - PolicyName: CodeBuild