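/**
 * IAM actions each tool needs, keyed by tool name.
 *
 * Consumed by {@link generatePolicyForTools}, which unions the lists for the
 * requested tools into one policy statement. Every action listed here is a
 * read-only call (Describe / List / Get / Lookup / Filter); tools that need
 * no AWS access at all map to an empty list so they add nothing to a policy.
 * Keys are looked up by tool name at runtime, so a new tool must be added
 * here or it will silently receive no permissions.
 */
export const TOOL_IAM_MAPPING: Record<string, string[]> = {
  get_aws_caller_identity: ["sts:GetCallerIdentity"],
  list_s3_buckets: ["s3:ListAllMyBuckets", "s3:GetBucketPolicyStatus"],
  list_ec2_instances: ["ec2:DescribeInstances"],
  list_iam_users: ["iam:ListUsers"],
  list_recent_cloudtrail_events: ["cloudtrail:LookupEvents"],
  list_cloudwatch_alarms: ["cloudwatch:DescribeAlarms"],
  // Cost Explorer: the three cost views share one action.
  get_recent_cost: ["ce:GetCostAndUsage"],
  get_cost_by_service: ["ce:GetCostAndUsage"],
  get_cost_breakdown: ["ce:GetCostAndUsage"],
  get_cost_forecast: ["ce:GetCostForecast"],
  get_budget_details: ["budgets:DescribeBudgets"],
  get_cost_anomalies: ["ce:GetAnomalies"],
  get_savings_plans_utilization: ["ce:GetSavingsPlansUtilization"],
  get_reservation_utilization: ["ce:GetReservationUtilization"],
  get_instance_details: ["ec2:DescribeInstances"],
  // VPC / networking inventory.
  list_vpcs: ["ec2:DescribeVpcs"],
  list_subnets: ["ec2:DescribeSubnets"],
  list_route_tables: ["ec2:DescribeRouteTables"],
  list_internet_gateways: ["ec2:DescribeInternetGateways"],
  list_nat_gateways: ["ec2:DescribeNatGateways"],
  list_security_groups: ["ec2:DescribeSecurityGroups"],
  // IAM hygiene checks need the user list plus the per-user detail call.
  list_users_without_mfa: ["iam:ListUsers", "iam:ListMFADevices"],
  list_old_access_keys: ["iam:ListUsers", "iam:ListAccessKeys"],
  list_expiring_certificates: [
    "acm:ListCertificates",
    "acm:DescribeCertificate",
  ],
  list_rds_instances: ["rds:DescribeDBInstances"],
  list_lambda_functions: ["lambda:ListFunctions"],
  list_backup_jobs: ["backup:ListBackupJobs"],
  list_open_security_groups: ["ec2:DescribeSecurityGroups"],
  list_unused_ebs_volumes: ["ec2:DescribeVolumes"],
  list_unassociated_eips: ["ec2:DescribeAddresses"],
  list_guardduty_findings: [
    "guardduty:ListDetectors",
    "guardduty:ListFindings",
    "guardduty:GetFindings",
  ],
  get_recent_logs: ["logs:DescribeLogStreams", "logs:GetLogEvents"],
  search_cloudwatch_logs: ["logs:FilterLogEvents"],
  list_cloudtrail_changes: ["cloudtrail:LookupEvents"],
  list_access_denied_events: ["cloudtrail:LookupEvents"],
  get_service_health: ["health:DescribeEvents"],
  // Elastic Load Balancing.
  list_load_balancers: ["elasticloadbalancing:DescribeLoadBalancers"],
  list_target_groups: ["elasticloadbalancing:DescribeTargetGroups"],
  list_listener_rules: [
    "elasticloadbalancing:DescribeListeners",
    "elasticloadbalancing:DescribeRules",
  ],
  get_target_health: ["elasticloadbalancing:DescribeTargetHealth"],
  // WAFv2.
  list_web_acls: ["wafv2:ListWebACLs"],
  get_waf_sampled_requests: ["wafv2:GetSampledRequests"],
  check_ip_in_waf: ["wafv2:ListIPSets", "wafv2:GetIPSet"],
  get_metric_statistics: ["cloudwatch:GetMetricStatistics"],
  list_sns_topics: ["sns:ListTopics"],
  list_record_sets: ["route53:ListResourceRecordSets"],
  list_hosted_zones: ["route53:ListHostedZones"],
  list_ecs_clusters: ["ecs:ListClusters", "ecs:DescribeClusters"],
  list_ecs_services: ["ecs:ListServices", "ecs:DescribeServices"],
  list_eks_clusters: ["eks:ListClusters"],
  list_auto_scaling_groups: ["autoscaling:DescribeAutoScalingGroups"],
  list_scaling_activities: ["autoscaling:DescribeScalingActivities"],
  list_cloudfront_distributions: ["cloudfront:ListDistributions"],
  list_secrets: ["secretsmanager:ListSecrets"],
  list_ssm_parameters: ["ssm:DescribeParameters"],
  list_cloudformation_stacks: ["cloudformation:ListStacks"],
  list_dynamodb_tables: ["dynamodb:ListTables"],
  list_trusted_advisor_checks: ["support:DescribeTrustedAdvisorChecks"],
  // Health check only needs to prove the credentials resolve.
  aws_health_check: ["sts:GetCallerIdentity"],
  // No AWS actions mapped: these tools contribute nothing to the policy.
  get_iam_policy_for_tools: [],
  estimate_cost: [],
  scan_secrets_risks: ["secretsmanager:ListSecrets"],
};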
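/**
 * Generates a least-privilege IAM policy document for the tools requested.
 *
 * Each tool name is resolved through {@link TOOL_IAM_MAPPING} and the union
 * of the mapped actions becomes a single `Allow` statement. Duplicate tool
 * names and repeated actions collapse into one entry.
 *
 * @param toolNames - Tool names to authorise. Names with no mapping entry
 *   (including object-prototype property names such as `"constructor"`)
 *   are ignored and contribute no actions.
 * @returns The policy as pretty-printed JSON (2-space indent). Actions are
 *   sorted so the same set of tools always yields byte-identical output.
 *   If no tool contributes an action the statement's `Action` list is
 *   empty — NOTE(review): IAM is expected to reject such a statement, so
 *   callers should check for that before attaching the policy.
 */
export function generatePolicyForTools(toolNames: string[]): string {
  const actions = new Set<string>();
  for (const name of toolNames) {
    // Only own keys are valid tool names. A plain `TOOL_IAM_MAPPING[name]`
    // would resolve "constructor", "toString", etc. to Object.prototype
    // members; those are truthy and the old `perms.forEach` then threw a
    // TypeError on caller-supplied names.
    if (!Object.prototype.hasOwnProperty.call(TOOL_IAM_MAPPING, name)) continue;
    for (const action of TOOL_IAM_MAPPING[name] ?? []) actions.add(action);
  }
  const policy = {
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Action: [...actions].sort(),
        // NOTE(review): Resource is left unscoped. Many of the mapped
        // Describe*/List* actions do not take a resource ARN, but some
        // (e.g. the logs:* and wafv2:Get* ones) do; deployments wanting a
        // tighter policy should narrow this per account.
        Resource: "*",
      },
    ],
  };
  return JSON.stringify(policy, null, 2);
}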