From 6e5df52fe0ec655e4670727dce68ea3cff957bc6 Mon Sep 17 00:00:00 2001
From: panther-bot <54194790+panther-bot@users.noreply.github.com>
Date: Wed, 3 Jan 2024 03:28:45 -0800
Subject: [PATCH] sync changes from panther-labs/panther-enterprise#16566 (#102)
---
 cloudformation/panther-cloudsec-iam.yml | 8 ++++++++
 terraform/README.md | 6 +-----
 terraform/panther_cloudsec_iam/main.tf | 19 +++++++++++++++++++
 3 files changed, 28 insertions(+), 5 deletions(-)
diff --git a/cloudformation/panther-cloudsec-iam.yml b/cloudformation/panther-cloudsec-iam.yml
index 37e7dd4..2c51955 100644
--- a/cloudformation/panther-cloudsec-iam.yml
+++ b/cloudformation/panther-cloudsec-iam.yml
@@ -148,6 +148,14 @@ Resources:
 - eks:DescribeFargateProfile
 - eks:DescribeNodegroup
 Resource: '*'
+ - PolicyName: DescribeDynamodb
+ PolicyDocument:
+ Version: 2012-10-17
+ Statement:
+ - Effect: Allow
+ Action:
+ - dynamodb:DescribeKinesisStreamingDestination
+ Resource: '*'
 Tags:
 - Key: Application
 Value: Panther
diff --git a/terraform/README.md b/terraform/README.md
index f32f911..528564d 100644
--- a/terraform/README.md
+++ b/terraform/README.md
@@ -79,8 +79,4 @@ Log Analysis analog to CloudWatch event notifications for cloud security real ti
 
 ## "Deployment" template
 
-Programmatic deployment of Panther
-
-## "deployment" role trust principal
-
-- the IAM identity of the external automation principal that is deploying Panther (not a Panther component)
+Note: the deployment role was previously available as a terraform template, but has been deprecated in favor of a CloudFormation implementation. Please see `cloudformation/panther-deployment-role.yml`.
diff --git a/terraform/panther_cloudsec_iam/main.tf b/terraform/panther_cloudsec_iam/main.tf
index 027a692..68b2485 100644
--- a/terraform/panther_cloudsec_iam/main.tf
+++ b/terraform/panther_cloudsec_iam/main.tf
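Review bot: The new DescribeDynamodb policy in the panther-cloudsec-iam.yml hunk carries no comment saying what the audit role needs `dynamodb:DescribeKinesisStreamingDestination` for, and the commit message only points at panther-enterprise#16566, so the next maintainer of this template cannot tell whether the grant is still required or safe to drop; a one-line comment above the `- PolicyName: DescribeDynamodb` entry such as `# Lets the audit role read the Kinesis streaming-destination settings of DynamoDB tables (panther-enterprise#16566)` would fix that. `Resource: '*'` matches the neighbouring eks Describe statement, and the action name suggests a read-only Describe call, so I would not ask for it to be narrowed here. The matching `panther_describe_dynamodb` resource in the terraform/panther_cloudsec_iam/main.tf hunk is missing the same rationale comment. As a consistency remark only, the policy `Version` is unquoted here (`2012-10-17`) while the Terraform version quotes it; both forms are commonly used in CloudFormation templates.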
@@ -166,6 +166,25 @@ resource "aws_iam_role_policy" "panther_list_describe_eks" {
 })
 }
 
+resource "aws_iam_role_policy" "panther_describe_dynamodb" {
+ count = var.include_audit_role ? 1 : 0
+ name = "DescribeDynamodb"
+ role = aws_iam_role.panther_audit[0].id
+
+ policy = jsonencode({
+ Version : "2012-10-17",
+ Statement : [
+ {
+ Effect : "Allow",
+ Action : [
+ "dynamodb:DescribeKinesisStreamingDestination",
+ ],
+ Resource : "*"
+ }
+ ]
+ })
+}
+
 ###############################################################
 # CloudFormation StackSet Execution Role