From 8c581659a43535bdfa654f1cd16fd8fa6286445a Mon Sep 17 00:00:00 2001
From: Ravina Dhruve
Date: Wed, 28 Feb 2024 15:08:16 -0800
Subject: [PATCH 1/2] Remove unnecessary permission in AWS trust-relationship

Removing account:GetContactInformation since it is no longer a required permission for the CSPM feature to work.

---
 modules/services/trust-relationship/main.tf | 19 -------------------
 1 file changed, 19 deletions(-)

diff --git a/modules/services/trust-relationship/main.tf b/modules/services/trust-relationship/main.tf
index 9614414..2afe097 100644
--- a/modules/services/trust-relationship/main.tf
+++ b/modules/services/trust-relationship/main.tf
@@ -75,20 +75,6 @@ data "aws_iam_policy_document" "custom_resources_policy" {
 "arn:aws:waf-regional:*:*:rulegroup/*"
 ]
 }
-
- statement {
- sid = "AccessAccountContactInfo"
-
- effect = "Allow"
-
- actions = [
- "account:GetContactInformation",
- ]
-
- resources = [
- "*",
- ]
- }
 }
 #----------------------------------------------------------
@@ -146,11 +132,6 @@ Resources:
 Resource:
 - "arn:aws:waf-regional:*:*:rule/*"
 - "arn:aws:waf-regional:*:*:rulegroup/*"
- - Sid: "AccessAccountContactInfo"
- Effect: "Allow"
- Action:
- - "account:GetContactInformation"
- Resource: "*"
 TEMPLATE
 }

From 334598af2694fbfd03868ba46bea61db5aac7bad Mon Sep 17 00:00:00 2001
From: Ravina Dhruve
Date: Fri, 8 Mar 2024 09:20:18 -0800
Subject: [PATCH 2/2] Add macie2:ListClassificationJobs permission

---
 modules/services/trust-relationship/main.tf | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/modules/services/trust-relationship/main.tf b/modules/services/trust-relationship/main.tf
index 2afe097..d8f7f12 100644
--- a/modules/services/trust-relationship/main.tf
+++ b/modules/services/trust-relationship/main.tf
@@ -75,6 +75,20 @@ data "aws_iam_policy_document" "custom_resources_policy" {
 "arn:aws:waf-regional:*:*:rulegroup/*"
 ]
 }
+
+ statement {
+ sid = "ListJobsOnConsole"
+
+ effect = "Allow"
+
+ actions = [
+ "macie2:ListClassificationJobs",
+ ]
+
+ resources = [
+ "*",
+ ]
+ }
 }
 #----------------------------------------------------------
@@ -132,6 +146,10 @@ Resources:
 Resource:
 - "arn:aws:waf-regional:*:*:rule/*"
 - "arn:aws:waf-regional:*:*:rulegroup/*"
+ - Sid: "ListJobsOnConsole"
+ Effect: "Allow"
+ Action: "macie2:ListClassificationJobs"
+ Resource: "*"
 TEMPLATE
 }
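Review bot: The new `statement { sid = "ListJobsOnConsole" ... }` grants `macie2:ListClassificationJobs` on `"*"` without recording why the CSPM trust role needs it, and the patch subject gives no rationale either, whereas the first patch in this series explains the permission it removes. Since this policy is what the trusted account is handed, a why-comment above `statement {` would let a later reviewer judge the grant instead of guessing, e.g. `# CSPM needs to enumerate Macie classification jobs in the customer account.`; if, as is likely for a Macie list operation, the action accepts no resource-level scoping, say so on the `resources` line so the `"*"` is not later mistaken for an oversight. The same statement is duplicated in the CloudFormation `TEMPLATE` heredoc in the next hunk, and both patches in this series had to edit both copies, so a comment such as `# Keep in sync with the CloudFormation TEMPLATE below.` on the data source would make that coupling explicit. The enclosing `data "aws_iam_policy_document" "custom_resources_policy"` block begins before the hunk.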
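Review bot: `Action: "macie2:ListClassificationJobs"` in the CloudFormation template is written as a scalar, while the statement this series removed from the same template used the list form `Action:` followed by `- "account:GetContactInformation"`, and the Terraform copy in the previous hunk also uses a list. Both forms are valid, but keeping the list form keeps the two copies of the policy structurally parallel and makes any later second action a one-line addition: `Action:` / `  - "macie2:ListClassificationJobs"`. The resource that contains this `TEMPLATE` heredoc begins outside the hunk.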