@@ -78,23 +78,17 @@ resource "aws_iam_policy" "api_infrastructure" {
7878 " kms:ScheduleKeyDeletion"
7979 " kms:PutKeyPolicy"
8080 " kms:Encrypt"
81- " kms:ListAliases"
82- " kms:TagResource"
83- " kms:GenerateDataKey"
8481
8582 # Cloudwatch permissions
8683 " logs:Describe*"
8784 " logs:ListTagsForResource"
8885 " logs:PutRetentionPolicy"
8986 " logs:AssociateKmsKey"
90- " logs:CreateLogGroup"
9187
9288 # EC2 permissions
9389 " ec2:Describe*"
9490 " ec2:CreateTags"
9591 " ec2:CreateNetworkAclEntry"
96- " ec2:CreateNetworkAcl"
97- " ec2:AssociateRouteTable"
9892
9993 # IAM permissions (scoped to resources with specific path prefix)
10094 " iam:Get*"
@@ -106,45 +100,21 @@ resource "aws_iam_policy" "api_infrastructure" {
106100 " iam:Delete*"
107101 " iam:PutRolePermissionsBoundary"
108102 " iam:PutRolePolicy"
109- " iam:CreateRole"
110- " iam:TagRole"
111- " iam:PassRole"
112103
113104 # ssm
114105 " ssm:GetParameter"
115106 " ssm:GetParameters"
116107 " ssm:DescribeParameters"
117108 " ssm:ListTagsForResource"
118- " ssm:PutParameter"
119- " ssm:AddTagsToResource"
120109
121110 # acm
122111 " acm:ListCertificates"
123112 " acm:DescribeCertificate"
124113 " acm:GetCertificate"
125114 " acm:ListTagsForCertificate"
126- " acm:RequestCertificate"
127- " acm:AddTagsToCertificate"
128- " acm:ImportCertificate"
129-
130- # ec2 - VPC
131- " ec2:CreateVpc"
132- " ec2:ModifyVpcAttribute"
133- " ec2:DeleteVpc"
134- " ec2:CreateRouteTable"
135- " ec2:CreateSubnet"
136- " ec2:RevokeSecurityGroupIngress"
137- " ec2:CreateSecurityGroup"
138- " ec2:RevokeSecurityGroupEgress"
139- " ec2:AuthorizeSecurityGroupIngress"
140- " ec2:AuthorizeSecurityGroupEgress"
141- " ec2:CreateVpcEndpoint"
142- " ec2:CreateFlowLogs"
143- " ec2:ReplaceNetworkAclAssociation"
144- " ec2:DeleteSecurityGroup"
145- " ec2:DeleteNetworkAcl"
146115 ],
147116
117+
148118 Resource = " *"
149119 }
150120 ]
0 commit comments