From 8fde48a33153e1a5fee7b3c7b33e0151dddb88f8 Mon Sep 17 00:00:00 2001
From: panther-bot
Date: Thu, 21 Mar 2024 22:59:37 +0000
Subject: [PATCH] sync changes from panther-labs/panther-enterprise#18049
---
 cloudformation/panther-deployment-role.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/cloudformation/panther-deployment-role.yml b/cloudformation/panther-deployment-role.yml
index 109a70b..d6320fa 100644
--- a/cloudformation/panther-deployment-role.yml
+++ b/cloudformation/panther-deployment-role.yml
@@ -168,7 +168,7 @@ Resources:
 # Create and manage queues to send messages between application components
 - sns:*
 - sqs:*Permission*
- - sqs:*Queue*
+ - sqs:*ueue*
 - sqs:SendMessage
 # Manage the states of step functions that run the core product
 - states:*
@@ -311,6 +311,10 @@ Resources:
 - !Sub arn:${AWS::Partition}:dynamodb:*:${AWS::AccountId}:table/*alerts-indicators
 - !Sub arn:${AWS::Partition}:dynamodb:*:${AWS::AccountId}:table/*alert-search-rehydrate-jobs
 - !Sub arn:${AWS::Partition}:dynamodb:*:${AWS::AccountId}:table/*indicators-metadata
+ - Effect: Deny
+ Action: athena:DeleteWorkGroup
+ NotResource:
+ - !Sub arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:workgroup/panther
 - Effect: Deny
 Action:
 - cognito-idp:DeleteUserPool*
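Review bot: The widened action pattern `sqs:*ueue*` has no comment explaining why the leading `Q` was dropped, and the commit message gives no reason either. As far as I know IAM matches action names case-insensitively, so this should select the same SQS actions as `sqs:*Queue*` did, which makes the intent hard to audit in a deployment role. I would add a line above it such as `# <reason the pattern is *ueue* rather than *Queue*>`, or list the queue actions the deployment actually needs. The statement's Effect and Resource lie outside the hunk, so its scope cannot be checked from here.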
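Review bot: The new Deny statement exempts the workgroup ARN by `${AWS::Region}`, while the DynamoDB ARNs just above it use `*` for the region, so the exemption covers only the region where this role's stack is created. If Panther can be deployed to a different region than the role, the role would be denied deleting its own `panther` workgroup there. Please confirm which is intended; the region-agnostic form would be `- !Sub arn:${AWS::Partition}:athena:*:${AWS::AccountId}:workgroup/panther`. Deny combined with NotResource is also easy to misread, so a comment above the statement such as `# Deny deleting any Athena workgroup except Panther's own` would help.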