ELI-577: Refines permissions for preprod to address policy size

Author: shweta-nhs

infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf

@@ -21,18 +21,15 @@ data "aws_iam_policy_document" "permissions_boundary" {
       # CloudWatch - monitoring and alarms
       "cloudwatch:PutMetricAlarm",
       "cloudwatch:DeleteAlarms",
-      "cloudwatch:DescribeAlarms",
-      "cloudwatch:DescribeAlarmsForMetric",
+      "cloudwatch:DescribeAlarms*",
       "cloudwatch:ListTagsForResource",
       "cloudwatch:TagResource",
       "cloudwatch:UntagResource",
       "cloudwatch:GetDashboard",
       "cloudwatch:GetMetricWidgetImage",
 
       # DynamoDB - table management
-      "dynamodb:DescribeTimeToLive",
-      "dynamodb:DescribeTable",
-      "dynamodb:DescribeContinuousBackups",
+      "dynamodb:Describe*",
       "dynamodb:ListTables",
       "dynamodb:DeleteTable",
       "dynamodb:CreateTable",
@@ -47,12 +44,10 @@ data "aws_iam_policy_document" "permissions_boundary" {
       "ec2:ModifyVpcBlockPublicAccessOptions",
       "ec2:CreateTags",
       "ec2:DeleteTags",
-      "ec2:CreateNetworkAclEntry",
-      "ec2:DeleteNetworkAclEntry",
-      "ec2:CreateNetworkAcl",
-      "ec2:DeleteNetworkAcl",
+      "ec2:CreateNetworkAcl*",
+      "ec2:DeleteNetworkAcl*",
       "ec2:AssociateRouteTable",
-      "ec2:CreateVpc",
+      "ec2:CreateVpc*",
       "ec2:ModifyVpcAttribute",
       "ec2:DeleteVpc",
       "ec2:CreateRouteTable",
@@ -62,7 +57,6 @@ data "aws_iam_policy_document" "permissions_boundary" {
       "ec2:RevokeSecurityGroupEgress",
       "ec2:AuthorizeSecurityGroupIngress",
       "ec2:AuthorizeSecurityGroupEgress",
-      "ec2:CreateVpcEndpoint",
       "ec2:CreateFlowLogs",
       "ec2:ReplaceNetworkAclAssociation",
       "ec2:DeleteSecurityGroup",
@@ -93,13 +87,10 @@ data "aws_iam_policy_document" "permissions_boundary" {
       "firehose:StopDeliveryStreamEncryption",
 
       # IAM - specific role and policy management
-      "iam:GetRole",
-      "iam:GetRolePolicy",
-      "iam:GetPolicy",
-      "iam:GetPolicyVersion",
-      "iam:ListRoles",
+      "iam:GetRole*",
+      "iam:GetPolicy*",
+      "iam:ListRole*",
       "iam:ListPolicies",
-      "iam:ListRolePolicies",
       "iam:ListAttachedRolePolicies",
       "iam:ListPolicyVersions",
       "iam:CreateRole",
@@ -110,10 +101,8 @@ data "aws_iam_policy_document" "permissions_boundary" {
       "iam:PutRolePermissionsBoundary",
       "iam:AttachRolePolicy",
       "iam:DetachRolePolicy",
-      "iam:CreatePolicy",
-      "iam:CreatePolicyVersion",
-      "iam:DeletePolicy",
-      "iam:DeletePolicyVersion",
+      "iam:CreatePolicy*",
+      "iam:DeletePolicy*",
       "iam:TagRole",
       "iam:UntagPolicy",
       "iam:PassRole",
@@ -122,13 +111,9 @@ data "aws_iam_policy_document" "permissions_boundary" {
 
       # KMS - encryption key management
       "kms:CreateKey",
-      "kms:DescribeKey",
       "kms:Describe*",
       "kms:CreateAlias",
-      "kms:ListKeys",
       "kms:List*",
-      "kms:ListAliases",
-      "kms:GetKeyPolicy",
       "kms:GetKeyPolicy*",
       "kms:GetKeyRotationStatus",
       "kms:DeleteAlias",
@@ -140,19 +125,15 @@ data "aws_iam_policy_document" "permissions_boundary" {
       "kms:ScheduleKeyDeletion",
       "kms:PutKeyPolicy",
       "kms:Encrypt",
-      "kms:Decrypt",
       "kms:Decrypt*",
       "kms:ReEncrypt*",
       "kms:GenerateDataKey",
 
       # Lambda - function management
       "lambda:CreateFunction",
-      "lambda:UpdateFunctionCode",
-      "lambda:UpdateFunctionConfiguration",
+      "lambda:UpdateFunction*",
       "lambda:DeleteFunction",
-      "lambda:GetFunction",
-      "lambda:GetFunctionConfiguration",
-      "lambda:GetFunctionCodeSigningConfig",
+      "lambda:GetFunction*",
       "lambda:ListVersionsByFunction",
       "lambda:TagResource",
       "lambda:UntagResource",
@@ -179,37 +160,18 @@ data "aws_iam_policy_document" "permissions_boundary" {
       # S3 - bucket and object management
       "s3:GetLifecycleConfiguration",
       "s3:PutLifecycleConfiguration",
-      "s3:GetBucketVersioning",
       "s3:GetEncryptionConfiguration",
       "s3:PutEncryptionConfiguration",
-      "s3:GetBucketPolicy",
-      "s3:GetBucketObjectLockConfiguration",
-      "s3:GetBucketLogging",
       "s3:GetReplicationConfiguration",
-      "s3:GetBucketWebsite",
-      "s3:GetBucketRequestPayment",
-      "s3:GetBucketCORS",
-      "s3:GetBucketAcl",
-      "s3:PutBucketAcl",
       "s3:GetAccelerateConfiguration",
       "s3:ListBucket",
-      "s3:GetObject",
-      "s3:PutObject",
+      "s3:GetObject*",
+      "s3:PutObject*",
       "s3:DeleteObject",
-      "s3:GetBucketLocation",
-      "s3:GetBucketPublicAccessBlock",
-      "s3:PutBucketCORS",
+      "s3:GetBucket*",
       "s3:CreateBucket",
       "s3:DeleteBucket",
-      "s3:GetBucketTagging",
-      "s3:PutBucketPolicy",
-      "s3:PutBucketVersioning",
-      "s3:PutBucketPublicAccessBlock",
-      "s3:PutBucketLogging",
-      "s3:GetObjectTagging",
-      "s3:PutObjectTagging",
-      "s3:GetObjectVersion",
-      "s3:PutBucketTagging",
+      "s3:PutBucket*",
 
       # SNS - notification management
       "sns:CreateTopic",
@@ -222,23 +184,20 @@ data "aws_iam_policy_document" "permissions_boundary" {
       "sns:UntagResource",
       "sns:Subscribe",
       "sns:Unsubscribe",
-      "sns:ListSubscriptions",
-      "sns:ListSubscriptionsByTopic",
+      "sns:ListSubscriptions*",
       "sns:GetSubscriptionAttributes",
 
       # SSM - parameter management
       "ssm:DescribeParameters",
-      "ssm:GetParameter",
-      "ssm:GetParameters",
+      "ssm:GetParameter*",
       "ssm:ListTagsForResource",
       "ssm:PutParameter",
       "ssm:AddTagsToResource",
 
       # WAFv2 - web application firewall management
       "wafv2:CreateWebACL",
       "wafv2:DeleteWebACL",
-      "wafv2:GetWebACL",
-      "wafv2:GetWebACLForResource",
+      "wafv2:GetWebACL*",
       "wafv2:UpdateWebACL",
       "wafv2:ListWebACLs",
       "wafv2:TagResource",