sync changes from panther-labs/panther-enterprise#16566 (#102)

cloudformation/panther-cloudsec-iam.yml

@@ -148,6 +148,14 @@ Resources:
                   - eks:DescribeFargateProfile
                   - eks:DescribeNodegroup
                 Resource: '*'
+        - PolicyName: DescribeDynamodb
+          PolicyDocument:
+            Version: 2012-10-17
+            Statement:
+              - Effect: Allow
+                Action:
+                  - dynamodb:DescribeKinesisStreamingDestination
+                Resource: '*'
       Tags:
         - Key: Application
           Value: Panther

terraform/README.md

@@ -79,8 +79,4 @@ Log Analysis analog to CloudWatch event notifications for cloud security real ti
 
 ## "Deployment" template
 
-Programmatic deployment of Panther
-
-## "deployment" role trust principal
-
-- the IAM identity of the external automation principal that is deploying Panther (not a Panther component)
+Note: the deployment role was previously available as a terraform template, but has been deprecated in favor of a CloudFormation implementation. Please see `cloudformation/panther-deployment-role.yml`.

terraform/panther_cloudsec_iam/main.tf

@@ -166,6 +166,25 @@ resource "aws_iam_role_policy" "panther_list_describe_eks" {
   })
 }
 
+resource "aws_iam_role_policy" "panther_describe_dynamodb" {
+  count = var.include_audit_role ? 1 : 0
+  name  = "DescribeDynamodb"
+  role  = aws_iam_role.panther_audit[0].id
+
+  policy = jsonencode({
+    Version : "2012-10-17",
+    Statement : [
+      {
+        Effect : "Allow",
+        Action : [
+          "dynamodb:DescribeKinesisStreamingDestination",
+        ],
+        Resource : "*"
+      }
+    ]
+  })
+}
+
 
 ###############################################################
 # CloudFormation StackSet Execution Role