From 83e1fcbf183725e6d1b9f2b33a823995f7fbe46b Mon Sep 17 00:00:00 2001 From: Robert Date: Thu, 28 Aug 2025 15:38:44 +0100 Subject: [PATCH 1/2] Updated external write role with policies for audit copy --- .../stacks/api-layer/iam_policies.tf | 50 ++++++++++++++++++- 1 file changed, 48 insertions(+), 2 deletions(-) diff --git a/infrastructure/stacks/api-layer/iam_policies.tf b/infrastructure/stacks/api-layer/iam_policies.tf index 7e4ed0b31..28f8113c3 100644 --- a/infrastructure/stacks/api-layer/iam_policies.tf +++ b/infrastructure/stacks/api-layer/iam_policies.tf @@ -341,6 +341,7 @@ data "aws_iam_policy_document" "s3_audit_kms_key_policy" { #checkov:skip=CKV_AWS_356: Root user needs full KMS key management #checkov:skip=CKV_AWS_109: Root user needs full KMS key management + # Allow root user to have full control statement { sid = "EnableIamUserPermissions" effect = "Allow" @@ -351,12 +352,20 @@ data "aws_iam_policy_document" "s3_audit_kms_key_policy" { actions = ["kms:*"] resources = ["*"] } + + # Allow Lambda, Firehose, and external write roles to use the KMS key statement { - sid = "AllowLambdaFullWrite" + sid = "AllowAuditKeyAccess" effect = "Allow" principals { type = "AWS" - identifiers = [aws_iam_role.eligibility_lambda_role.arn, aws_iam_role.eligibility_audit_firehose_role.arn] + identifiers = concat( + [ + aws_iam_role.eligibility_lambda_role.arn, + aws_iam_role.eligibility_audit_firehose_role.arn + ], + aws_iam_role.write_access_role[*].arn + ) } actions = [ "kms:Decrypt", @@ -459,3 +468,40 @@ resource "aws_kms_key_policy" "sns_encryption_key_policy" { ] }) } + +# Policy doc for external write role to read, move, and tag objects in S3 +data "aws_iam_policy_document" "external_s3_read_move_policy_doc" { + statement { + sid = "ListBucket" + actions = [ + "s3:ListBucket", + "s3:ListBucketVersions" + ] + resources = [ + module.s3_audit_bucket.storage_bucket_arn + ] + } + + statement { + sid = "ReadMoveTagObjects" + actions = [ + "s3:GetObject", + "s3:GetObjectVersion", + "s3:GetObjectTagging", + "s3:PutObjectTagging", + "s3:DeleteObject", + "s3:PutObject" + ] + resources = [ + "${module.s3_audit_bucket.storage_bucket_arn}/*" + ] + } +} + +# Attach external S3 read, move & tagging policy to external write role +resource "aws_iam_role_policy" "external_s3_read_move_policy" { + count = length(aws_iam_role.write_access_role) + name = "S3ReadMoveTagAccess" + role = aws_iam_role.write_access_role[count.index].id + policy = data.aws_iam_policy_document.external_s3_read_move_policy_doc.json +} From 73ea8f14756685c83f956b0256310d60109d7f74 Mon Sep 17 00:00:00 2001 From: Robert Date: Thu, 28 Aug 2025 15:57:04 +0100 Subject: [PATCH 2/2] Removed s3 delete permissions --- infrastructure/stacks/api-layer/iam_policies.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/infrastructure/stacks/api-layer/iam_policies.tf b/infrastructure/stacks/api-layer/iam_policies.tf index 28f8113c3..65f144f0a 100644 --- a/infrastructure/stacks/api-layer/iam_policies.tf +++ b/infrastructure/stacks/api-layer/iam_policies.tf @@ -489,7 +489,6 @@ data "aws_iam_policy_document" "external_s3_read_move_policy_doc" { "s3:GetObjectVersion", "s3:GetObjectTagging", "s3:PutObjectTagging", - "s3:DeleteObject", "s3:PutObject" ] resources = [