Missing permission for cloudfront
nitrocode opened this issue · 1 comment
nitrocode commented
Missing cloudfront:CreateInvalidation
https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_CreateInvalidation.html
$ policy_sentry query action-table --service cloudfront --resource-type "*" --fmt yaml
IAM actions under cloudfront service that have the resource type *:
- cloudfront:CreateKeyGroup
- cloudfront:CreateMonitoringSubscription
- cloudfront:CreatePublicKey
- cloudfront:DeleteKeyGroup
- cloudfront:DeleteMonitoringSubscription
- cloudfront:DeletePublicKey
- cloudfront:GetKeyGroup
- cloudfront:GetKeyGroupConfig
- cloudfront:GetMonitoringSubscription
- cloudfront:GetPublicKey
- cloudfront:GetPublicKeyConfig
- cloudfront:ListCachePolicies
- cloudfront:ListCloudFrontOriginAccessIdentities
- cloudfront:ListDistributions
- cloudfront:ListDistributionsByCachePolicyId
- cloudfront:ListDistributionsByKeyGroup
- cloudfront:ListDistributionsByLambdaFunction
- cloudfront:ListDistributionsByOriginRequestPolicyId
- cloudfront:ListDistributionsByRealtimeLogConfig
- cloudfront:ListDistributionsByResponseHeadersPolicyId
- cloudfront:ListDistributionsByWebACLId
- cloudfront:ListFieldLevelEncryptionConfigs
- cloudfront:ListFieldLevelEncryptionProfiles
- cloudfront:ListFunctions
- cloudfront:ListKeyGroups
- cloudfront:ListOriginRequestPolicies
- cloudfront:ListPublicKeys
- cloudfront:ListRealtimeLogConfigs
- cloudfront:ListResponseHeadersPolicies
- cloudfront:ListStreamingDistributions
- cloudfront:UpdateKeyGroup
- cloudfront:UpdatePublicKey
Could be missing additional items.
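The practical risk behind a gap like this is that a generated "least privilege" policy silently omits an action the workload calls, and that a wildcard-only action lands in a statement scoped to a specific ARN, where it never matches. As an added example (not code from the issue or from policy_sentry), the check below diffs a policy against the actions a job needs and flags wildcard-only actions tied to a specific ARN; the policy JSON, the REQUIRED set and the WILDCARD_ONLY subset are constructed samples, the latter taken from the resource-type "*" table above.

```python
import fnmatch
import json
# Constructed sample (not from the issue): a policy as a generator might emit
# it. It grants several CloudFront actions but omits cloudfront:CreateInvalidation.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "CloudfrontWildcard", "Effect": "Allow",
     "Action": ["cloudfront:List*", "cloudfront:GetPublicKey"],
     "Resource": "*"},
    {"Sid": "CloudfrontDistribution", "Effect": "Allow",
     "Action": ["cloudfront:GetDistribution", "cloudfront:GetPublicKeyConfig"],
     "Resource": "arn:aws:cloudfront::123456789012:distribution/EXAMPLEID"}
  ]
}""")
# Constructed: the actions the deploy job actually calls.
REQUIRED = {"cloudfront:ListDistributions", "cloudfront:GetDistribution",
            "cloudfront:CreateInvalidation"}
# Subset of the resource-type "*" table printed in the issue: these actions
# only match when the statement's Resource is "*".
WILDCARD_ONLY = {"cloudfront:ListDistributions", "cloudfront:GetPublicKey",
                 "cloudfront:GetPublicKeyConfig"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def allow_statements(policy):
    return [s for s in _as_list(policy["Statement"]) if s.get("Effect") == "Allow"]

def missing_actions(policy, required):
    """Required actions that no Allow statement grants (Deny is not considered)."""
    patterns = [p for s in allow_statements(policy) for p in _as_list(s.get("Action", []))]
    return sorted(a for a in required if not any(_matches(p, a) for p in patterns))

def misplaced_wildcard_actions(policy, wildcard_only):
    """(Sid, action) pairs where a wildcard-only action is tied to a specific ARN."""
    found = []
    for s in allow_statements(policy):
        if "*" in _as_list(s.get("Resource", [])):
            continue
        actions = _as_list(s.get("Action", []))
        found += [(s.get("Sid", "<no Sid>"), a) for a in sorted(wildcard_only)
                  if any(_matches(p, a) for p in actions)]
    return found
```

Run it against the policy a tool emitted before attaching the role; a non-empty result from either function means the policy will fail at runtime or carries a dead grant.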
kmcquade commented
I believe this was fixed in an update not too long ago. Just wrote a policy with it and got that action in it.