eli-279 restricted github actions policies to named resources, where possible, and whittled down <action>*'s

Author: eddalmond1

infrastructure/stacks/iams-developer-roles/github_actions_policies.tf

@@ -31,9 +31,133 @@ resource "aws_iam_policy" "terraform_state" {
   )
 }
 
+# Lambda Management Policy
+resource "aws_iam_policy" "lambda_management" {
+  name        = "lambda-management"
+  description = "Policy granting permissions to manage Lambda functions for this stack"
+  path        = "/service-policies/"
+
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect = "Allow",
+        Action = [
+          "lambda:CreateFunction",
+          "lambda:UpdateFunctionCode",
+          "lambda:UpdateFunctionConfiguration",
+          "lambda:DeleteFunction",
+          "lambda:GetFunction",
+          "lambda:GetFunctionConfiguration",
+          "lambda:GetFunctionCodeSigningConfig",
+          "lambda:ListVersionsByFunction",
+          "lambda:TagResource",
+          "lambda:UntagResource",
+          "lambda:ListTags",
+          "lambda:PublishVersion",
+          "lambda:CreateAlias",
+          "lambda:UpdateAlias",
+          "lambda:DeleteAlias",
+          "lambda:ListAliases",
+          "lambda:AddPermission",
+          "lambda:RemovePermission",
+          "lambda:GetPolicy"
+        ],
+        Resource = [
+          "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:function:*eligibility_signposting_api"
+        ]
+      }
+    ]
+  })
+
+  tags = merge(local.tags, { Name = "lambda-management" })
+}
+
+# DynamoDB Management Policy
+resource "aws_iam_policy" "dynamodb_management" {
+  name        = "dynamodb-management"
+  description = "Policy granting permissions to manage DynamoDB tables for this stack"
+  path        = "/service-policies/"
+
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect = "Allow",
+        Action = [
+          "dynamodb:DescribeTimeToLive",
+          "dynamodb:DescribeTable",
+          "dynamodb:DescribeContinuousBackups",
+          "dynamodb:ListTables",
+          "dynamodb:DeleteTable",
+          "dynamodb:CreateTable"
+        ],
+        Resource = [
+          "arn:aws:dynamodb:*:${data.aws_caller_identity.current.account_id}:table:*eligibility_datastore"
+        ]
+      }
+    ]
+  })
+
+  tags = merge(local.tags, { Name = "dynamodb-management" })
+}
+
+# S3 Management Policy
+resource "aws_iam_policy" "s3_management" {
+  name        = "s3-management"
+  description = "Policy granting permissions to manage S3 buckets"
+  path        = "/service-policies/"
+
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect = "Allow",
+        Action = [
+          "s3:GetLifecycleConfiguration",
+          "s3:PutLifecycleConfiguration",
+          "s3:GetBucketVersioning",
+          "s3:GetEncryptionConfiguration",
+          "s3:PutEncryptionConfiguration",
+          "s3:GetBucketPolicy",
+          "s3:GetBucketObjectLockConfiguration",
+          "s3:GetBucketLogging",
+          "s3:GetReplicationConfiguration",
+          "s3:GetBucketWebsite",
+          "s3:GetBucketRequestPayment",
+          "s3:GetBucketCORS",
+          "s3:GetBucketAcl",
+          "s3:PutBucketAcl",
+          "s3:GetAccelerateConfiguration",
+          "s3:ListBucket",
+          "s3:GetObject",
+          "s3:PutObject",
+          "s3:DeleteObject",
+          "s3:GetBucketLocation",
+          "s3:GetBucketPublicAccessBlock",
+          "s3:PutBucketCORS",
+          "s3:CreateBucket",
+          "s3:DeleteBucket"
+        ],
+        Resource = [
+          "arn:aws:s3:::*eligibility-signposting-${var.environment}-eli-rules",
+          "arn:aws:s3:::*eligibility-signposting-${var.environment}-eli-rules/*",
+          "arn:aws:s3:::*eligibility-signposting-${var.environment}-eli-audit",
+          "arn:aws:s3:::*eligibility-signposting-${var.environment}-eli-audit/*",
+          "arn:aws:s3:::*eligibility-signposting-${var.environment}-eli-rules-access-logs",
+          "arn:aws:s3:::*eligibility-signposting-${var.environment}-eli-rules-access-logs/*",
+          "arn:aws:s3:::*eligibility-signposting-${var.environment}-eli-audit-access-logs",
+          "arn:aws:s3:::*eligibility-signposting-${var.environment}-eli-audit-access-logs/*"
+        ]
+      }
+    ]
+  })
+
+  tags = merge(local.tags, { Name = "s3-management" })
+}
+
 # API Infrastructure Management Policy
 resource "aws_iam_policy" "api_infrastructure" {
-  #checkov:skip=CKV_AWS_287 Ensure IAM policies does not allow credentials exposure
   #checkov:skip=CKV_AWS_355 Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions
   #checkov:skip=CKV_AWS_288 Ensure IAM policies does not allow data exfiltration
   #checkov:skip=CKV_AWS_289 Ensure IAM policies does not allow permissions management / resource exposure without constraints
@@ -50,34 +174,6 @@ resource "aws_iam_policy" "api_infrastructure" {
       {
         Effect = "Allow",
         Action = [
-          # Lambda permissions
-          "lambda:*",
-
-          # DynamoDB permissions
-          "dynamodb:*",
-
-          # API Gateway permissions
-          "apigateway:*",
-
-          # S3 permissions
-          "s3:*",
-
-          # KMS permissions
-          "kms:List*",
-          "kms:Describe*",
-          "kms:GetKeyPolicy*",
-          "kms:GetKeyRotationStatus",
-          "kms:Decrypt*",
-          "kms:DeleteAlias",
-          "kms:UpdateKeyDescription",
-          "kms:CreateGrant",
-          "kms:CreateAlias",
-          "kms:TagResource",
-          "kms:CreateKey",
-          "kms:EnableKeyRotation",
-          "kms:ScheduleKeyDeletion",
-          "kms:PutKeyPolicy",
-          "kms:Encrypt",
 
           # Cloudwatch permissions
           "logs:Describe*",
@@ -95,11 +191,14 @@ resource "aws_iam_policy" "api_infrastructure" {
           "iam:GetPolicy*",
           "iam:GetRole*",
           "iam:List*",
-          "iam:Create*",
-          "iam:Update*",
-          "iam:Delete*",
-          "iam:PutRolePermissionsBoundary",
+          "iam:CreateRole",
+          "iam:DeleteRole",
+          "iam:UpdateRole",
           "iam:PutRolePolicy",
+          "iam:PutRolePermissionsBoundary",
+          "iam:AttachRolePolicy",
+          "iam:DetachRolePolicy",
+          "iam:CreatePolicyVersion",
 
           # ssm
           "ssm:GetParameter",
@@ -131,8 +230,8 @@ resource "aws_iam_policy" "api_infrastructure" {
 # Assume role policy document for GitHub Actions
 data "aws_iam_policy_document" "github_actions_assume_role" {
   statement {
-    sid    = "OidcAssumeRoleWithWebIdentity"
-    effect = "Allow"
+    sid     = "OidcAssumeRoleWithWebIdentity"
+    effect  = "Allow"
     actions = ["sts:AssumeRoleWithWebIdentity"]
 
     principals {
@@ -145,13 +244,13 @@ data "aws_iam_policy_document" "github_actions_assume_role" {
     condition {
       test     = "StringLike"
       variable = "token.actions.githubusercontent.com:sub"
-      values = ["repo:${var.github_org}/${var.github_repo}:*"]
+      values   = ["repo:${var.github_org}/${var.github_repo}:*"]
     }
 
     condition {
       test     = "StringEquals"
       variable = "token.actions.githubusercontent.com:aud"
-      values = ["sts.amazonaws.com"]
+      values   = ["sts.amazonaws.com"]
     }
   }
 }
@@ -166,3 +265,20 @@ resource "aws_iam_role_policy_attachment" "api_infrastructure" {
   role       = aws_iam_role.github_actions.name
   policy_arn = aws_iam_policy.api_infrastructure.arn
 }
+
+resource "aws_iam_role_policy_attachment" "lambda_management" {
+  role       = aws_iam_role.github_actions.name
+  policy_arn = aws_iam_policy.lambda_management.arn
+}
+
+resource "aws_iam_role_policy_attachment" "dynamodb_management" {
+  role       = aws_iam_role.github_actions.name
+  policy_arn = aws_iam_policy.dynamodb_management.arn
+}
+
+resource "aws_iam_role_policy_attachment" "s3_management" {
+  role       = aws_iam_role.github_actions.name
+  policy_arn = aws_iam_policy.s3_management.arn
+}
+
+data "aws_caller_identity" "current" {}