sync changes from panther-labs/panther-enterprise#20831

panther-labs · Dec 17, 2024 · 63244c1 · 63244c1
1 parent f3d010c
commit 63244c1
Showing 1 changed file with 20 additions and 0 deletions.
diff --git a/cloudformation/panther-deployment-role.yml b/cloudformation/panther-deployment-role.yml
@@ -206,6 +206,24 @@ Resources:
               - codebuild:UpdateProject
               - codebuild:StartBuild
             Resource: !Sub arn:${AWS::Partition}:codebuild:${AWS::Region}:${AWS::AccountId}:project/panther*
+          - Sid: PantherRedshiftProvisioning
+            Effect: Allow
+            Action:
+              - redshift-data:ExecuteStatement # used to set up permissions inside databases
+              - redshift-serverless:CreateNamespace
+              - redshift-serverless:CreateWorkgroup
+              - redshift-serverless:GetCredentials
+              - redshift-serverless:UpdateNamespace
+              - redshift-serverless:UpdateWorkgroup
+              - redshift-serverless:TagResource
+            Resource:
+              - !Sub arn:${AWS::Partition}:redshift-serverless:${AWS::Region}:${AWS::AccountId}:namespace/*
+              - !Sub arn:${AWS::Partition}:redshift-serverless:${AWS::Region}:${AWS::AccountId}:workgroup/*
+          - Sid: PantherRedshiftProvisioningDescribeStatement
+            Effect: Allow
+            Action:
+              - redshift-data:DescribeStatement # used to set up permissions inside databases
+            Resource: '*' # this action requires *
           - Sid: PantherStateMachine
             Effect: Allow
             Action:
@@ -225,6 +243,8 @@ Resources:
             Resource:
               - !Sub arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:rule/alert-search-rehydrate-api-rehydration-cron
               - !Sub arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:rule/analysis-api-schedule-polling-cron
+              - !Sub arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:rule/compliance-aggregator-refresh-all-delete-cron
+              - !Sub arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:rule/compliance-aggregator-refresh-all-no-delete-cron
               - !Sub arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:rule/detection-processor-poll-cron
               - !Sub arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:rule/enrichment-api-prune-generations-cron
               - !Sub arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:rule/enrichment-api-sync-all-profile-pullers-cron