File tree Expand file tree Collapse file tree
Expand file tree Collapse file tree Original file line number Diff line number Diff line change 11# Policy document for Permissions boundary
2- data "aws_iam_policy_document" "permissions_boundary " {
2+ data "aws_iam_policy_document" "assumed_role_permissions_boundary " {
33 # checkov:skip=CKV2_AWS_40: Ensure AWS IAM policy does not allow full IAM privileges
44 statement {
55 sid = " RestrictRegion"
@@ -66,10 +66,10 @@ data "aws_iam_policy_document" "permissions_boundary" {
6666}
6767
6868# Permissions Boundary policy
69- resource "aws_iam_policy" "permissions_boundary " {
69+ resource "aws_iam_policy" "assumed_role_permissions_boundary " {
7070 name = " ${ local . stack_name } -${ upper (var. project_name )} -PermissionsBoundary"
7171 description = " Allows access to AWS services in the regions the client uses only"
72- policy = . aws_iam_policy_document . permissions_boundary . json
72+ policy = . aws_iam_policy_document . assumed_role_permissions_boundary . json
7373
7474 tags = merge (
7575 local. tags ,
Load Diff This file was deleted.
Original file line number Diff line number Diff line change @@ -55,13 +55,35 @@ resource "aws_iam_policy" "api_infrastructure" {
5555 # S3 permissions
5656 " s3:*"
5757
58+ # KMS permissions
59+ " kms:List*"
60+ " kms:Describe*"
61+ " kms:GetKeyPolicy*"
62+
63+ # Cloudwatch permissions
64+ " logs:Describe*"
65+
66+ # EC2 permissions
67+ " ec2:Describe*"
68+
5869 # IAM permissions (scoped to resources with specific path prefix)
5970 " iam:Get*"
71+ " iam:GetPolicy*"
72+ " iam:GetRole*"
6073 " iam:List*"
6174 " iam:Create*"
6275 " iam:Update*"
6376 " iam:Delete*"
77+
78+ # ssm
79+ " ssm:GetParameter"
80+ " ssm:GetParameters"
81+
82+ # acm
83+ " acm:ListCertificates"
6484 ],
85+
86+
6587 Resource = " *"
6688 }
6789 ]
Load Diff This file was deleted.
Original file line number Diff line number Diff line change 1+ # Policy document for Permissions boundary
2+ data "aws_iam_policy_document" "permissions_boundary" {
3+ # checkov:skip=CKV2_AWS_40: Ensure AWS IAM policy does not allow full IAM privileges
4+ statement {
5+ sid = " RestrictRegion"
6+ effect = " Allow"
7+
8+ actions =
9+ " acm:*"
10+ " application-autoscaling:*"
11+ " apigateway:*"
12+ " cloudtrail:*"
13+ " cloudwatch:*"
14+ " config:*"
15+ " dynamodb:*"
16+ " ec2:*"
17+ " events:*"
18+ " firehose:*"
19+ " glue:*"
20+ " health:*"
21+ " iam:*"
22+ " kms:*"
23+ " lambda:*"
24+ " logs:*"
25+ " network-firewall:*"
26+ " pipes:*"
27+ " s3:*"
28+ " schemas:*"
29+ " sns:*"
30+ " servicequotas:*"
31+ " ssm:*"
32+ " states:*"
33+ " support:*"
34+ " sqs:*"
35+ " tag:*"
36+ " trustedadvisor:*"
37+ ]
38+
39+ resources = " *"
40+
41+ condition {
42+ test = " StringEquals"
43+ variable = " aws:RequestedRegion"
44+ values = var . default_aws_region ]
45+ }
46+ }
47+
48+ statement {
49+ sid = " DenyPrivEsculationViaIamRoles"
50+ effect = " Deny"
51+ actions = " iam:*"
52+ resources = " *"
53+ condition {
54+ test = " ArnLike"
55+ variable = " iam:PolicyARN"
56+ values = " arn:aws:iam::*:policy/${ upper (var. project_name )} -*"
57+ }
58+ }
59+
60+ statement {
61+ sid = " DenyPrivEsculationViaIamProfiles"
62+ effect = " Deny"
63+ actions = " iam:*"
64+ resources = " arn:aws:iam::*:role/${ upper (var. project_name )} -*"
65+ }
66+ }
67+
68+ # Permissions Boundary policy
69+ resource "aws_iam_policy" "permissions_boundary" {
70+ name = " ${ local . stack_name } -${ upper (var. project_name )} -PermissionsBoundary"
71+ description = " Allows access to AWS services in the regions the client uses only"
72+ policy = . aws_iam_policy_document . permissions_boundary . json
73+
74+ tags = merge (
75+ local. tags ,
76+ {
77+ Stack = " api-layer"
78+ }
79+ )
80+ }
Original file line number Diff line number Diff line change 1+ locals {
2+ stack_name = " iams-developer-roles"
3+ }
You can’t perform that action at this time.
0 commit comments