
Commit e574e1e

committed
eli-327 removing duplicated policies
1 parent 2e8f19d commit e574e1e

4 files changed

Lines changed: 19 additions & 28 deletions


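--- a/infrastructure/modules/kinesis_firehose/kms.tf
+++ b/infrastructure/modules/kinesis_firehose/kms.tf
@@ -45,7 +45,6 @@ data "aws_iam_policy_document" "firehose_kms_key_policy" {
 resources = ["*"]
 }
 
-# Your existing statements below...
 statement {
 sid = "AllowFirehoseAccess"
 effect = "Allow"
@@ -110,5 +109,3 @@ data "aws_iam_policy_document" "firehose_kms_key_policy" {
 resources = [aws_kms_key.firehose_cmk.arn]
 }
 }
-
-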

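--- a/infrastructure/modules/s3/kms.tf
+++ b/infrastructure/modules/s3/kms.tf
@@ -14,21 +14,3 @@ resource "aws_kms_alias" "storage_bucket_cmk" {
 name = "alias/${terraform.workspace == "default" ? "" : "${terraform.workspace}-"}${var.bucket_name}-cmk"
 target_key_id = aws_kms_key.storage_bucket_cmk.key_id
 }
-
-resource "aws_kms_key_policy" "storage_bucket_cmk" {
-key_id = aws_kms_key.storage_bucket_cmk.id
-policy = data.aws_iam_policy_document.storage_bucket_cmk.json
-}
-
-data "aws_iam_policy_document" "storage_bucket_cmk" {
-statement {
-sid = "Enable IAM User Permissions for s3 buckets"
-effect = "Allow"
-principals {
-type = "AWS"
-identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
-}
-actions = ["kms:*"]
-resources = [aws_kms_key.storage_bucket_cmk.arn]
-}
-}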

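--- a/infrastructure/stacks/api-layer/iam_policies.tf
+++ b/infrastructure/stacks/api-layer/iam_policies.tf
@@ -235,7 +235,6 @@ data "aws_iam_policy_document" "s3_audit_kms_key_policy" {
 actions = ["kms:*"]
 resources = ["*"]
 }
-
 statement {
 sid = "AllowLambdaFullWrite"
 effect = "Allow"
@@ -277,9 +276,3 @@ resource "aws_iam_role_policy" "lambda_firehose_policy" {
 role = aws_iam_role.eligibility_lambda_role.id
 policy = data.aws_iam_policy_document.lambda_firehose_write_policy.json
 }
-
-
-
-
-
-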

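--- a/infrastructure/stacks/api-layer/truststore_s3_bucket.tf
+++ b/infrastructure/stacks/api-layer/truststore_s3_bucket.tf
@@ -13,6 +13,25 @@ resource "aws_s3_bucket_policy" "truststore" {
 }
 
 data "aws_iam_policy_document" "truststore_api_gateway" {
+# Deny non-SSL
+statement {
+sid = "AllowSslRequestsOnly"
+actions = ["s3:*"]
+effect = "Deny"
+resources = [
+module.s3_truststore_bucket.storage_bucket_arn,
+"${module.s3_truststore_bucket.storage_bucket_arn}/*"
+]
+principals {
+type = "*"
+identifiers = ["*"]
+}
+condition {
+test = "Bool"
+variable = "aws:SecureTransport"
+values = ["false"]
+}
+}
 statement {
 sid = "Enable S3 access permissions for API Gateway"
 effect = "Allow"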
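Review bot: The new Deny statement in `truststore_api_gateway` rejects only plaintext requests (`aws:SecureTransport` = false); it does not bound the TLS version, so a client negotiating TLS 1.0 or 1.1 still passes. If the truststore bucket is subject to a minimum-TLS requirement, a second Deny statement with `test = "NumericLessThan"`, `variable = "s3:TlsVersion"`, `values = ["1.2"]` on the same resources and principals closes that gap, as sketched below. The statement is only effective if `aws_s3_bucket_policy "truststore"` actually consumes this document; that resource's body is outside the hunk, as is the remainder of the data block. A minor naming point: the sid `AllowSslRequestsOnly` names an Allow intent on a Deny statement; `DenyInsecureTransport` would read as what it does.
```hcl
data "aws_iam_policy_document" "truststore_api_gateway" {
  # … unchanged: AllowSslRequestsOnly deny statement …

  # Deny any TLS version below 1.2 (only if a minimum-TLS requirement applies)
  statement {
    sid     = "DenyTlsBelow1_2"
    actions = ["s3:*"]
    effect  = "Deny"
    resources = [
      module.s3_truststore_bucket.storage_bucket_arn,
      "${module.s3_truststore_bucket.storage_bucket_arn}/*"
    ]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "NumericLessThan"
      variable = "s3:TlsVersion"
      values   = ["1.2"]
    }
  }
  # … unchanged: API Gateway allow statement …
```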
