in source/repositories/compliant-framework-central-pipeline/lib/environment-pipeline-stack.ts [939:1033]
/**
 * Wires up the IAM grants this stack needs once the artifact bucket, the
 * source repositories and the Lambda functions all exist.
 *
 * What is granted here:
 *  - read/write on `s3Bucket` to every account in the organization
 *    (`config.central.organizationId`) and to the
 *    COPY_CODECOMMIT_REPOSITORIES_TO_S3 and UPDATE_ARTIFACT_ACL functions;
 *  - read on every `sources[*].repo` to COPY_CODECOMMIT_REPOSITORIES_TO_S3;
 *  - inline ALLOW statements, all on `resources: ['*']`, for the
 *    organizational-unit, stack-set, Security Hub, SSM and
 *    create/update-stack functions.
 *
 * NOTE(review): several statements below are broader than least privilege
 * would suggest; see the inline notes. Narrowing them requires knowing which
 * API calls each handler actually makes, which is not visible in this file.
 */
private updateGrants() {
  const copyReposFn = this.lambdas[cfw.COPY_CODECOMMIT_REPOSITORIES_TO_S3];

  // Builds an identity-policy ALLOW statement for `actions` on every resource.
  const allowAnywhere = (actions: string[]) =>
    new iam.PolicyStatement({
      effect: iam.Effect.ALLOW,
      actions,
      resources: ['*'],
    });

  // --- Artifact bucket -----------------------------------------------------
  // NOTE(review): OrganizationPrincipal makes every account in the org a
  // read/write principal on the bucket (the bucket policy grants s3:* read and
  // write actions to aws:PrincipalOrgID). Confirm that write access for the
  // whole org is intended; member accounts typically only need to read
  // artifacts, and a compromised member could otherwise replace them.
  const orgPrincipal = new iam.OrganizationPrincipal(
    this.props.config.central.organizationId
  );
  this.s3Bucket.grantReadWrite(orgPrincipal);
  this.s3Bucket.grantReadWrite(copyReposFn);
  this.s3Bucket.grantReadWrite(this.lambdas[cfw.UPDATE_ARTIFACT_ACL]);

  // --- Source repositories -------------------------------------------------
  // The copy function only needs to pull from each repo.
  for (const entry of Object.values(this.sources)) {
    entry.repo.grantRead(copyReposFn);
  }

  // --- Organizations --------------------------------------------------------
  // NOTE(review): organizations:MoveAccount on '*' lets this function move
  // any account to any OU, which also changes which SCPs apply to it. If the
  // target root/OU ids are known at synth time, scope `resources` to them.
  this.lambdas['initialize_organizational_units'].addToRolePolicy(
    allowAnywhere([
      'organizations:CreateOrganizationalUnit',
      'organizations:DescribeOrganizationalUnit',
      'organizations:ListChildren',
      'organizations:ListRoots',
      'organizations:MoveAccount',
    ])
  );

  // --- StackSets ------------------------------------------------------------
  // 'ssm:getParameter' is kept as written: IAM matches action names
  // case-insensitively, so it is equivalent to 'ssm:GetParameter' below.
  this.lambdas[cfw.STACK_SET_ACTION].addToRolePolicy(
    allowAnywhere([
      'organizations:DescribeOrganizationalUnit',
      'organizations:ListChildren',
      'organizations:ListRoots',
      'cloudformation:CreateStackInstances',
      'cloudformation:CreateStackSet',
      'cloudformation:DescribeStackSet',
      'cloudformation:DescribeStackSetOperation',
      'cloudformation:TagResource',
      'cloudformation:UpdateStackSet',
      'ssm:getParameter',
    ])
  );

  // --- Security Hub ---------------------------------------------------------
  // NOTE(review): sts:AssumeRole on '*' allows assuming any role in any
  // account whose trust policy admits this function's role. Prefer listing the
  // member-account role ARN pattern it actually assumes (e.g. a fixed role
  // name across accounts) instead of the wildcard.
  this.lambdas[cfw.SECURITY_HUB_INVITE_MEMBERS].addToRolePolicy(
    allowAnywhere([
      'securityhub:AcceptInvitation',
      'securityhub:CreateMembers',
      'securityhub:InviteMembers',
      'securityhub:ListMembers',
      'sts:AssumeRole',
    ])
  );

  // --- SSM ------------------------------------------------------------------
  // NOTE(review): if the parameter names are known, scope this to their ARNs
  // (e.g. arn:aws:ssm:<region>:<account>:parameter/<prefix>/*) so the function
  // cannot read unrelated parameters, including SecureString ones.
  this.lambdas[cfw.GET_SSM_PARAMETERS].addToRolePolicy(
    allowAnywhere(['ssm:GetParameter'])
  );

  // --- Create/update stack --------------------------------------------------
  // NOTE(review): actions '*' on resources '*' is administrator access for
  // this function's role; anyone who can trigger or modify the function
  // inherits it. Enumerate the CloudFormation (and service) actions the
  // handler makes — or at least add a permissions boundary — rather than
  // granting full admin. The needed action list cannot be derived here.
  this.lambdas[cfw.CREATE_UPDATE_STACK].addToRolePolicy(
    allowAnywhere(['*'])
  );
}