From ce48630b1c7098e5793ffb4996e040126090cd91 Mon Sep 17 00:00:00 2001
From: Aaron Bouey
Date: Wed, 11 Dec 2024 11:26:22 -0800
Subject: [PATCH 1/5] Updating markdown/content in CfCT install documentation.
---
 .../docs/CFCT-DEPLOYMENT-INSTRUCTIONS.md | 91 ++++++++++++++++---
 1 file changed, 79 insertions(+), 12 deletions(-)
diff --git a/aws_sra_examples/docs/CFCT-DEPLOYMENT-INSTRUCTIONS.md b/aws_sra_examples/docs/CFCT-DEPLOYMENT-INSTRUCTIONS.md
index 1d4e91ce7..125898220 100644
--- a/aws_sra_examples/docs/CFCT-DEPLOYMENT-INSTRUCTIONS.md
+++ b/aws_sra_examples/docs/CFCT-DEPLOYMENT-INSTRUCTIONS.md
@@ -4,16 +4,28 @@ Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License- --- +CfCT is a deployment mechanism that for SRA solutions within Control Tower enabled AWS environments. +The requisite [SRA solution configuration files](https://github.com/boueya/aws-security-reference-architecture-examples/tree/main/aws_sra_examples/solutions) are stored in either CodeCommit or S3 and programmatically configured in AWS with a CodePipeline. Whether you're using the sra-easy-setup deployment method or deploying SRA controls ADHOC, the CfCT deployment mechanism makes managing and customizing SRA solutions easier. + + ## Table of Contents - [Prerequisites](#prerequisites) + - [Deploy Control Tower](#deploy-control-tower) - [Create the AWSControlTowerExecution IAM Role](#create-the-awscontroltowerexecution-iam-role) - [Deploy Customizations for AWS Control Tower (CFCT) Solution](#deploy-customizations-for-aws-control-tower-cfct-solution) - [AWS CodeCommit Repo](#aws-codecommit-repo) + - [AWS S3 Repo](#aws-s3-repo) + - [Configure SRA Deployment Repo](#configue-your-sra-deployment-repo) - [References](#references) + ## Prerequisites +### Deploy Control Tower + +- These customizations act on existing Control Tower deployments. If you do not have Control Tower deployed into your environment, please do so through the AWS console. For more details on Control Tower and Landing Zone deployments, see the [userguide](https://docs.aws.amazon.com/controltower/latest/userguide/quick-start.html). + ### Create the AWSControlTowerExecution IAM Role - The `AWSControlTowerExecution` Role provides the support needed to deploy solutions to the `management account` across regions as CloudFormation `StackSets` and it is required for the SRA CFCT solution deployments. 
@@ -27,18 +39,31 @@ Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License- - `Amazon S3 URL` = https://s3.amazonaws.com/solutions-reference/customizations-for-aws-control-tower/latest/custom-control-tower-initiation.template - `Stack name` = custom-control-tower-initiation - - `AWS CodePipeline Source` = AWS CodeCommit + - `AWS CodePipeline Source` = AWS CodeCommit | S3 - `Failure Tolerance Percentage` = 0 - Acknowledge that AWS CloudFormation might create IAM resources with custom names Note: Version 2 or higher of CfCT is expected. ### AWS CodeCommit Repo +*Note: AWS CodeCommit is being deprecated and cannot be deployed to new environments, unless that environment is a part of an AWS Organization with an account that already has CodeCommit deployed. Please see [AWS S3 Repo](#aws-s3-repo) for new AWS Accounts.* + +Create a CodeCommit repo for SRA customization [configuration files](#deployment-instructions). 1. On the local machine install [git](https://git-scm.com/downloads) and [git-remote-codecommit](https://docs.aws.amazon.com/codecommit/latest/userguide/how-to-connect.html). 2. Clone the AWS CodeCommit repository via `git clone codecommit::://custom-control-tower-configuration custom-control-tower-configuration` +### AWS S3 Repo + +Create a CodeCommit repo for SRA cusotmization [configuration files](#deployment-instructions). + +- By default, the CodePipeline deployed from the custom-control-tower-initiation CloudFormation will use the `custom-control-tower-configuration-<< ACCOUNT NAME >>-<< REGION NAME >>` S3 bucket as a Source repo. Additionally, it will look for the `custom-control-tower-configuration.zip` file. The pipeline will fail without it. We have provided users with an example `_custom-control-tower-configuration.zip` file in S3 with an example repo for convenience. 
+ +- If you would like to change the S3 bucket Source for the CodePipeline, you will need to navigate to the CodePipeline within the AWS console, edit the Source stage for the CodePipeline and update the Bucket name value. Users can also modify the S3 object key value if the ZIP filename differs from default. + + ## Deployment Instructions +*Note: these instructions assume version 2 or higher of the CfCT solution has been installed.* 1. Determine which version of the [Customizations for AWS Control Tower](https://aws.amazon.com/solutions/implementations/customizations-for-aws-control-tower/) solution you have deployed: 1. Within the `management account (home region)` find the **CloudFormation Stack** for the Customizations for Control Tower (e.g. `custom-control-tower-initiation`) 
@@ -48,18 +73,59 @@ Note: Version 2 or higher of CfCT is expected. 2. Version 2 = v2.x.x = manifest.yaml version 2021-03-15 2. If version 2 is installed, continue to the deployment instructions below. If not, you will need to update your version of CfCT. -#### Deployment Instructions -Note: these instructions assume version 2 or higher of the CfCT solution has been installed. +##### Configue Your SRA Deployment Repo + +SRA Customizations with CfCT are deployed via a CodePipeline from either a CodeCommit or S3 source. +Here's an example of an repo for sra-easy-deploy.yaml deployment with controls/parameters for GuardDuty. + +> ├── manifest.yaml +> | +> ├── templates +> │   └── sra-easy-setup.yaml +> | +> ├── parameters +> │   └── sra-guardduty-org-main-ssm.json +> | +> ├── policies + + +###### manifest.yaml file [**required**] + +The manifest file will contain all the high level SRA controls that will be deployed to your environment. +An example manifest file for [sra-easy-setup.yaml](https://github.com/aws-samples/aws-security-reference-architecture-examples/blob/main/aws_sra_examples/easy_setup/customizations_for_aws_control_tower/manifest.yaml) + + - Define all `parameters`, `organizational unit names`, `account names` and `SSM parameters` necessary for the SRA controls that you want to enable and configure here. + + - If you are using a non-standard file structure in your Repo, as outlined above, the [*resource_file* key](https://github.com/aws-samples/aws-security-reference-architecture-examples/blob/main/aws_sra_examples/easy_setup/customizations_for_aws_control_tower/manifest.yaml#L13C5-L13C49) value in your manifest file must reflect the path to your template. + + - Be sure to update the [*accounts* key](https://github.com/aws-samples/aws-security-reference-architecture-examples/blob/main/aws_sra_examples/easy_setup/customizations_for_aws_control_tower/manifest.yaml#L310) to reflect your Management Account name. 
+ +###### templates [**required**] + +The templates directory will contain the actual CloudFormation files that are defined within the manifest file. +We use the sra-easy-setup deployment method as an example for the manifest above, [here's](https://github.com/aws-samples/aws-security-reference-architecture-examples/blob/main/aws_sra_examples/easy_setup/templates/sra-easy-setup.yaml) what the template file looks like. + +You can also deploy SRA solutions ADHOC, without the sra-easy-setup, by including their corresponding manifest CFN template entry under the resources list for your manifest.yaml file. Exmaples of manifest files for supported solutions can be found within the `aws_sra_examples` repo [aws_sra_examples/solutions/<< SOLUTION NAME >>/customizations_for_aws_control_tower/manifest.yaml](https://github.com/aws-samples/aws-security-reference-architecture-examples/tree/main/aws_sra_examples/solutions). + + - You shouldn't need to modify much in this template file as all SRA controls and parameters are defined in the manifest and files under the parameters directory, respectively. + +###### policies [optional] + +Service control policy JSON files go here. The files under the Policies directory will depend on what SRA controls that you're deploying to your environment. Not all SRA controls will require policies defined here. + +###### parameters [optional] + +Service control parameter JSON files go here. The files under the Parameters directory will depend on what SRA controls that you're deploying to your environment. Not all SRA controls will require parameters defined here. + +Above, we used the [sra-guardduty-org-main-ssm.json](https://github.com/aws-samples/aws-security-reference-architecture-examples/blob/main/aws_sra_examples/solutions/guardduty/guardduty_org/customizations_for_aws_control_tower/parameters/sra-guardduty-org-main-ssm.json) parameters file as an example for our sra-easy-setup deploying GuardDuty controls in AWS. 
+ +You can find examples of parameter files for each security solution that we support within the `aws_sra_examples` repo [aws_sra_examples/solutions/<< SOLUTION NAME >>/customizations_for_aws_control_tower/parameters/](https://github.com/aws-samples/aws-security-reference-architecture-examples/tree/main/aws_sra_examples/solutions). + + +##### Push To CodeCommit or S3 +*Note: If you are using S3, the files above will need to be ZIPPED up and named `custom-control-tower-configuration`.* -1. Copy the files to the Customizations for AWS Control Tower configuration `custom-control-tower-configuration` - - policies [optional] - - service control policies files (\*.json) - - templates [**required**] - - Copy the template files from the `templates` folder that are referenced in the `manifest.yaml` -2. Update the manifest.yaml file with the `parameters`, `organizational unit names`, `account names` and `SSM parameters` for the target environment - - *Be sure to update `deployment_targets` `accounts` with your management account information* -3. Deploy the Customizations for AWS Control Tower configuration by pushing the code to the `AWS CodeCommit` repository or uploading to the `AWS S3 Bucket` ### Delete Instructions @@ -72,6 +138,7 @@ Note: these instructions assume version 2 or higher of the CfCT solution has bee 1. Delete the Stack Instances from the `CustomControlTower-*` CloudFormation StackSets 2. After the Stack Instances are deleted, delete the `CustomControlTower-*` CloudFormation StackSets + ## References -- [Customizations for AWS Control Tower](https://aws.amazon.com/solutions/implementations/customizations-for-aws-control-tower/) +- [Customizations for AWS Control Tower](https://aws.amazon.com/solutions/implementations/customizations-for-aws-control-tower/) \ No newline at end of file From 2d16da087aaf6eb6ad4530c6cd68443e4e7f5109 Mon Sep 17 00:00:00 2001 
From: Aaron Bouey Date: Fri, 10 Jan 2025 13:14:01 -0800 Subject: [PATCH 2/5] Clarified some instructions and removed fork repo URL. --- aws_sra_examples/docs/CFCT-DEPLOYMENT-INSTRUCTIONS.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/aws_sra_examples/docs/CFCT-DEPLOYMENT-INSTRUCTIONS.md b/aws_sra_examples/docs/CFCT-DEPLOYMENT-INSTRUCTIONS.md index 125898220..b8901d3eb 100644 --- a/aws_sra_examples/docs/CFCT-DEPLOYMENT-INSTRUCTIONS.md +++ b/aws_sra_examples/docs/CFCT-DEPLOYMENT-INSTRUCTIONS.md @@ -4,8 +4,8 @@ Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License- --- -CfCT is a deployment mechanism that for SRA solutions within Control Tower enabled AWS environments. -The requisite [SRA solution configuration files](https://github.com/boueya/aws-security-reference-architecture-examples/tree/main/aws_sra_examples/solutions) are stored in either CodeCommit or S3 and programmatically configured in AWS with a CodePipeline. Whether you're using the sra-easy-setup deployment method or deploying SRA controls ADHOC, the CfCT deployment mechanism makes managing and customizing SRA solutions easier. +CfCT is a deployment mechanism for SRA solutions within Control Tower enabled AWS environments. +The requisite [SRA solution configuration files](https://github.com/aws-samples/aws-security-reference-architecture-examples/tree/main/aws_sra_examples/solutions) are stored in either CodeCommit (deprecated service) or S3 and programmatically configured in AWS with a CodePipeline. Whether you're using the sra-easy-setup deployment method or deploying SRA controls ADHOC, the CfCT deployment mechanism makes managing and customizing SRA solutions easier. ## Table of Contents 
@@ -24,7 +24,7 @@ The requisite [SRA solution configuration files](https://github.com/boueya/aws-s
 ### Deploy Control Tower
-- These customizations act on existing Control Tower deployments. If you do not have Control Tower deployed into your environment, please do so through the AWS console. For more details on Control Tower and Landing Zone deployments, see the [userguide](https://docs.aws.amazon.com/controltower/latest/userguide/quick-start.html).
+- These customizations act on existing Control Tower deployments. For more details on Control Tower and Landing Zone deployments, see the [userguide](https://docs.aws.amazon.com/controltower/latest/userguide/quick-start.html).
 ### Create the AWSControlTowerExecution IAM Role
From 7fab5acf97ca453ef58dd2c0758b83d0987106c1 Mon Sep 17 00:00:00 2001
From: Aaron Bouey
Date: Thu, 16 Jan 2025 16:18:28 -0800
Subject: [PATCH 3/5] Adding scanner exceptions.
---
 .../ami_bakery/ami_bakery_org/lambda/src/codepipeline.py | 4 ++--
 .../solutions/config/config_org/lambda/src/config.py | 2 +-
 .../solutions/patch_mgmt/patch_mgmt_org/lambda/src/app.py | 4 ++--
 .../security_lake_org/lambda/src/security_lake.py | 2 +-
 4 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/aws_sra_examples/solutions/ami_bakery/ami_bakery_org/lambda/src/codepipeline.py b/aws_sra_examples/solutions/ami_bakery/ami_bakery_org/lambda/src/codepipeline.py
index c4ca779bc..01f68b50a 100644
--- a/aws_sra_examples/solutions/ami_bakery/ami_bakery_org/lambda/src/codepipeline.py
+++ b/aws_sra_examples/solutions/ami_bakery/ami_bakery_org/lambda/src/codepipeline.py
@@ -90,7 +90,7 @@ def create_codepipeline(
 "roleArn": "arn:" + aws_partition + ":iam::" + account_id + ":role/" + codepipeline_role_name,
 "artifactStore": {"type": "S3", "location": bucket_name},
 "stages": [
- {
+ { # type: ignore
 "name": pipeline_name + "-CodeCommitSource",
 "actions": [
 {
@@ -104,7 +104,7 @@ def create_codepipeline(
 }
 ],
 },
- {
+ { # type: ignore
 "name": pipeline_name + "-DeployEC2ImageBuilder",
 "actions": [
 {
diff --git a/aws_sra_examples/solutions/config/config_org/lambda/src/config.py b/aws_sra_examples/solutions/config/config_org/lambda/src/config.py
index 666882a16..a5a1a2c50 100644
--- a/aws_sra_examples/solutions/config/config_org/lambda/src/config.py
+++ b/aws_sra_examples/solutions/config/config_org/lambda/src/config.py
@@ -92,7 +92,7 @@ def set_config_in_org(
 configuration_recorder: ConfigurationRecorderTypeDef = {
 "name": recorder_name,
 "roleARN": role_arn,
- "recordingGroup": {
+ "recordingGroup": { # type: ignore
 "allSupported": all_supported,
 "includeGlobalResourceTypes": include_global_resource_types,
 "resourceTypes": resource_types,
diff --git a/aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/lambda/src/app.py b/aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/lambda/src/app.py
index d56ae666b..b693d894a 100644
--- a/aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/lambda/src/app.py
+++ b/aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/lambda/src/app.py
@@ -369,7 +369,7 @@ def manage_task_params(
 """
 if task_operation is None and task_reboot_option is None:
 no_param_response: MaintenanceWindowTaskInvocationParametersTypeDef = {
- "RunCommand": {
+ "RunCommand": { # type: ignore
 "Parameters": {},
 "DocumentVersion": "$DEFAULT",
 "TimeoutSeconds": 3600,
@@ -382,7 +382,7 @@ def manage_task_params(
 task_operation_final: str = "INVALID_TASK_OPERATION_PROVIDED" if task_operation is None else task_operation
 task_reboot_option_final: str = "INVALID_TASK_REBOOT_OPTION_PROVIDED" if task_reboot_option is None else task_reboot_option
 with_params_response: MaintenanceWindowTaskInvocationParametersTypeDef = {
- "RunCommand": {
+ "RunCommand": { # type: ignore
 "Parameters": {
 "Operation": [task_operation_final],
 "RebootOption": [task_reboot_option_final],
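Review bot: The bare `# type: ignore` added on the stage dict literals silences every mypy diagnostic on that line, not only the TypedDict mismatch being worked around; narrowing it to the reported code and saying what is suppressed, e.g. `{  # type: ignore[typeddict-item]  # <which key/stub mismatch>`, keeps future real errors visible (use whatever code mypy actually prints). The same applies to the `recordingGroup` and `RunCommand` suppressions in config.py and app.py that share this line. Separately, the suppressed stage is still named `-CodeCommitSource` while patch 1/5 in this series documents CodeCommit as unavailable to new accounts; if its action provider is CodeCommit, this pipeline cannot be created in those environments and needs an S3 or other source option — the action lines are outside the hunk, so this is inferred from the name only. create_codepipeline starts before and continues after these hunks.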
diff --git a/aws_sra_examples/solutions/security_lake/security_lake_org/lambda/src/security_lake.py b/aws_sra_examples/solutions/security_lake/security_lake_org/lambda/src/security_lake.py
index 74ff92e79..e469541ea 100644
--- a/aws_sra_examples/solutions/security_lake/security_lake_org/lambda/src/security_lake.py
+++ b/aws_sra_examples/solutions/security_lake/security_lake_org/lambda/src/security_lake.py
@@ -913,7 +913,7 @@ def set_lake_formation_permissions(lf_client: LakeFormationClient, account: str,
 try:
 resource: Union[ResourceTypeDef] = {
 "Database": {"CatalogId": account, "Name": db_name + "_subscriber"},
- "Table": {"CatalogId": account, "DatabaseName": db_name + "_subscriber", "Name": "rl_*"},
+ "Table": {"CatalogId": account, "DatabaseName": db_name + "_subscriber", "Name": "rl_*"}, # type: ignore
 }
 lf_client.grant_permissions(
 CatalogId=account,
From 1b593d84f5e1face2c3dce2f7613fa22694c1890 Mon Sep 17 00:00:00 2001
From: Aaron Bouey
Date: Tue, 21 Jan 2025 09:20:56 -0800
Subject: [PATCH 4/5] Adding checkov scanner exceptions.
---
 .../terraform/solutions/inspector/configuration/main.tf | 1 +
 aws_sra_examples/terraform/solutions/macie/configuration/main.tf | 1 +
 .../terraform/solutions/security_hub/configuration/main.tf | 1 +
 3 files changed, 3 insertions(+)
diff --git a/aws_sra_examples/terraform/solutions/inspector/configuration/main.tf b/aws_sra_examples/terraform/solutions/inspector/configuration/main.tf
index 131a08a47..2fcbecbf9 100644
--- a/aws_sra_examples/terraform/solutions/inspector/configuration/main.tf
+++ b/aws_sra_examples/terraform/solutions/inspector/configuration/main.tf
@@ -437,6 +437,7 @@ resource "aws_sns_topic_subscription" "inspector_org_topic_subscription" {
 ########################################################################
 # AWS SQS Queue
 resource "aws_sqs_queue" "inspector_org_dlq" {
+ # checkov:skip=CKV2_AWS_73: Using default KMS key
 name = "${var.sra_solution_name}-dlq"
 kms_master_key_id = "alias/aws/sqs"
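Review bot: The `# type: ignore` on the `Table` entry suppresses a stub complaint without recording which one, and the value it guards, `"Name": "rl_*"`, reads like a glob in a field that Lake Formation's resource model takes as a literal table name (`TableWildcard` is the documented way to address every table in a database). If the checker objected to that shape, the pragma may be hiding a grant that targets a non-existent table rather than every `rl_` resource link; I cannot tell from the hunk which it is, so please confirm against a live grant before keeping the literal, and if it is intentional narrow the pragma with a reason, e.g. `# type: ignore[<code>]  # <why the literal "rl_*" is correct here>`. The single-member `Union[ResourceTypeDef]` annotation two lines up is equivalent to plain `ResourceTypeDef` and may itself be what the checker trips on. set_lake_formation_permissions starts before and continues after the hunk.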
diff --git a/aws_sra_examples/terraform/solutions/macie/configuration/main.tf b/aws_sra_examples/terraform/solutions/macie/configuration/main.tf
index 249da2586..0c35bb7c8 100644
--- a/aws_sra_examples/terraform/solutions/macie/configuration/main.tf
+++ b/aws_sra_examples/terraform/solutions/macie/configuration/main.tf
@@ -377,6 +377,7 @@ resource "aws_sns_topic_subscription" "r_macie_org_topic_subscription" {
 }
 resource "aws_sqs_queue" "macie_org_dlq" {
+ # checkov:skip=CKV2_AWS_73: Using default KMS key
 name = "${var.p_sra_solution_name}-dlq"
 kms_master_key_id = "alias/aws/sqs"
 tags = {
diff --git a/aws_sra_examples/terraform/solutions/security_hub/configuration/main.tf b/aws_sra_examples/terraform/solutions/security_hub/configuration/main.tf
index 9204c5897..3a36e6e09 100644
--- a/aws_sra_examples/terraform/solutions/security_hub/configuration/main.tf
+++ b/aws_sra_examples/terraform/solutions/security_hub/configuration/main.tf
@@ -435,6 +435,7 @@ resource "aws_sns_topic_subscription" "securityhub_org_topic_subscription" {
 # AWS SQS Queue
 resource "aws_sqs_queue" "securityhub_org_dlq" {
+ # checkov:skip=CKV2_AWS_73: Using default KMS key
 name = "${var.sra_solution_name}-dlq"
 kms_master_key_id = "alias/aws/sqs"
From 627d4c8c0b593d362c8043f8227e205bcbd20af7 Mon Sep 17 00:00:00 2001
From: Aaron Bouey
Date: Tue, 21 Jan 2025 09:52:06 -0800
Subject: [PATCH 5/5] Adding inline spaces before exceptions.
---
 .../ami_bakery/ami_bakery_org/lambda/src/codepipeline.py | 4 ++--
 .../solutions/config/config_org/lambda/src/config.py | 2 +-
 .../solutions/patch_mgmt/patch_mgmt_org/lambda/src/app.py | 4 ++--
 .../security_lake_org/lambda/src/security_lake.py | 2 +-
 4 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/aws_sra_examples/solutions/ami_bakery/ami_bakery_org/lambda/src/codepipeline.py b/aws_sra_examples/solutions/ami_bakery/ami_bakery_org/lambda/src/codepipeline.py
index 01f68b50a..a84b6edcd 100644
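Review bot: The skip reason `Using default KMS key` restates the finding rather than the risk decision behind it; a checkov skip should say why the AWS-managed key is acceptable so the next reader can re-evaluate it, e.g. `# checkov:skip=CKV2_AWS_73: AWS-managed alias/aws/sqs is acceptable for this same-account DLQ; no cross-account principal needs the key` (adjusted to the real justification). That justification is also worth checking: each of these queues sits directly after an `aws_sns_topic_subscription`, and if the queue is that subscription's redrive target then SNS must be allowed to use the key, which the non-editable policy of the AWS-managed SQS key generally cannot grant — a customer-managed key with an SNS statement would clear both the finding and that delivery gap. The redrive wiring is not visible in these hunks, so treat this as something to confirm rather than a known defect. The identical comment goes onto the inspector and security_hub queues in this commit and should carry the same reason.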
--- a/aws_sra_examples/solutions/ami_bakery/ami_bakery_org/lambda/src/codepipeline.py
+++ b/aws_sra_examples/solutions/ami_bakery/ami_bakery_org/lambda/src/codepipeline.py
@@ -90,7 +90,7 @@ def create_codepipeline(
 "roleArn": "arn:" + aws_partition + ":iam::" + account_id + ":role/" + codepipeline_role_name,
 "artifactStore": {"type": "S3", "location": bucket_name},
 "stages": [
- { # type: ignore
+ { # type: ignore
 "name": pipeline_name + "-CodeCommitSource",
 "actions": [
 {
@@ -104,7 +104,7 @@ def create_codepipeline(
 }
 ],
 },
- { # type: ignore
+ { # type: ignore
 "name": pipeline_name + "-DeployEC2ImageBuilder",
 "actions": [
 {
diff --git a/aws_sra_examples/solutions/config/config_org/lambda/src/config.py b/aws_sra_examples/solutions/config/config_org/lambda/src/config.py
index a5a1a2c50..a67a75f63 100644
--- a/aws_sra_examples/solutions/config/config_org/lambda/src/config.py
+++ b/aws_sra_examples/solutions/config/config_org/lambda/src/config.py
@@ -92,7 +92,7 @@ def set_config_in_org(
 configuration_recorder: ConfigurationRecorderTypeDef = {
 "name": recorder_name,
 "roleARN": role_arn,
- "recordingGroup": { # type: ignore
+ "recordingGroup": { # type: ignore
 "allSupported": all_supported,
 "includeGlobalResourceTypes": include_global_resource_types,
 "resourceTypes": resource_types,
diff --git a/aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/lambda/src/app.py b/aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/lambda/src/app.py
index b693d894a..393a5204a 100644
--- a/aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/lambda/src/app.py
+++ b/aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/lambda/src/app.py
@@ -369,7 +369,7 @@ def manage_task_params(
 """
 if task_operation is None and task_reboot_option is None:
 no_param_response: MaintenanceWindowTaskInvocationParametersTypeDef = {
- "RunCommand": { # type: ignore
+ "RunCommand": { # type: ignore
 "Parameters": {},
 "DocumentVersion": "$DEFAULT",
 "TimeoutSeconds": 3600,
@@ -382,7 +382,7 @@ def manage_task_params(
 task_operation_final: str = "INVALID_TASK_OPERATION_PROVIDED" if task_operation is None else task_operation
 task_reboot_option_final: str = "INVALID_TASK_REBOOT_OPTION_PROVIDED" if task_reboot_option is None else task_reboot_option
 with_params_response: MaintenanceWindowTaskInvocationParametersTypeDef = {
- "RunCommand": { # type: ignore
+ "RunCommand": { # type: ignore
 "Parameters": {
 "Operation": [task_operation_final],
 "RebootOption": [task_reboot_option_final],
diff --git a/aws_sra_examples/solutions/security_lake/security_lake_org/lambda/src/security_lake.py b/aws_sra_examples/solutions/security_lake/security_lake_org/lambda/src/security_lake.py
index e469541ea..89a6ee614 100644
--- a/aws_sra_examples/solutions/security_lake/security_lake_org/lambda/src/security_lake.py
+++ b/aws_sra_examples/solutions/security_lake/security_lake_org/lambda/src/security_lake.py
@@ -913,7 +913,7 @@ def set_lake_formation_permissions(lf_client: LakeFormationClient, account: str,
 try:
 resource: Union[ResourceTypeDef] = {
 "Database": {"CatalogId": account, "Name": db_name + "_subscriber"},
- "Table": {"CatalogId": account, "DatabaseName": db_name + "_subscriber", "Name": "rl_*"}, # type: ignore
+ "Table": {"CatalogId": account, "DatabaseName": db_name + "_subscriber", "Name": "rl_*"}, # type: ignore
 }
 lf_client.grant_permissions(
 CatalogId=account,