From ac259aa597a0fe7e8a27f0787d2d4c803fd38ad8 Mon Sep 17 00:00:00 2001
From: Shweta <216860557+shweta-nhs@users.noreply.github.com>
Date: Fri, 16 Jan 2026 12:29:28 +0000
Subject: [PATCH 1/2] ELI-577: Refines permissions for preprod to address policy size

---
 .../iams_permissions_boundary.tf | 79 +++++--------------
 1 file changed, 19 insertions(+), 60 deletions(-)

diff --git a/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf b/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf
index 615072e80..8de082b7e 100644
--- a/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf
+++ b/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf
@@ -21,8 +21,7 @@ data "aws_iam_policy_document" "permissions_boundary" {
       # CloudWatch - monitoring and alarms
       "cloudwatch:PutMetricAlarm",
       "cloudwatch:DeleteAlarms",
-      "cloudwatch:DescribeAlarms",
-      "cloudwatch:DescribeAlarmsForMetric",
+      "cloudwatch:DescribeAlarms*",
       "cloudwatch:ListTagsForResource",
       "cloudwatch:TagResource",
       "cloudwatch:UntagResource",
@@ -30,9 +29,7 @@ data "aws_iam_policy_document" "permissions_boundary" {
       "cloudwatch:GetMetricWidgetImage",
 
       # DynamoDB - table management
-      "dynamodb:DescribeTimeToLive",
-      "dynamodb:DescribeTable",
-      "dynamodb:DescribeContinuousBackups",
+      "dynamodb:Describe*",
       "dynamodb:ListTables",
       "dynamodb:DeleteTable",
       "dynamodb:CreateTable",
@@ -47,12 +44,10 @@ data "aws_iam_policy_document" "permissions_boundary" {
       "ec2:ModifyVpcBlockPublicAccessOptions",
       "ec2:CreateTags",
       "ec2:DeleteTags",
-      "ec2:CreateNetworkAclEntry",
-      "ec2:DeleteNetworkAclEntry",
-      "ec2:CreateNetworkAcl",
-      "ec2:DeleteNetworkAcl",
+      "ec2:CreateNetworkAcl*",
+      "ec2:DeleteNetworkAcl*",
       "ec2:AssociateRouteTable",
-      "ec2:CreateVpc",
+      "ec2:CreateVpc*",
       "ec2:ModifyVpcAttribute",
       "ec2:DeleteVpc",
       "ec2:CreateRouteTable",
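Review bot: `ec2:CreateVpc*` on the new side of the third hunk (`@@ -47,12 +44,10 @@`) widens this permissions boundary beyond the actions it replaces: besides `ec2:CreateVpc` and the `ec2:CreateVpcEndpoint` that the next hunk drops as redundant, the prefix also matches `ec2:CreateVpcPeeringConnection` and `ec2:CreateVpcEndpointServiceConfiguration`, which the old list never granted. A permissions boundary is the ceiling for every role it is attached to, so each wildcard in this patch should be checked against the service's full action list before merging; the same broadening recurs in the later hunks with `iam:ListRole*`, `kms:List*`, `lambda:GetFunction*` and `lambda:UpdateFunction*`, `s3:GetObject*`, `s3:PutObject*` (now including `s3:PutObjectAcl`), `s3:GetBucket*`, `s3:PutBucket*` and `ssm:GetParameter*`. If the 6,144-character managed-policy limit is what drives the change, a safer shrink is to wildcard only read-only prefixes (`Describe*`, `Get*`, `List*`) and keep mutating actions such as `ec2:CreateVpc` and `s3:PutBucketPolicy` explicit, recording that rule in a comment above the list: `# Wildcards are limited to read-only prefixes; mutating actions stay explicit (policy size limit)`. The enclosing data source starts before this hunk and its statement block continues after it.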
@@ -62,7 +57,6 @@ data "aws_iam_policy_document" "permissions_boundary" {
       "ec2:RevokeSecurityGroupEgress",
       "ec2:AuthorizeSecurityGroupIngress",
       "ec2:AuthorizeSecurityGroupEgress",
-      "ec2:CreateVpcEndpoint",
       "ec2:CreateFlowLogs",
       "ec2:ReplaceNetworkAclAssociation",
       "ec2:DeleteSecurityGroup",
@@ -93,13 +87,10 @@ data "aws_iam_policy_document" "permissions_boundary" {
       "firehose:StopDeliveryStreamEncryption",
 
       # IAM - specific role and policy management
-      "iam:GetRole",
-      "iam:GetRolePolicy",
-      "iam:GetPolicy",
-      "iam:GetPolicyVersion",
-      "iam:ListRoles",
+      "iam:GetRole*",
+      "iam:GetPolicy*",
+      "iam:ListRole*",
       "iam:ListPolicies",
-      "iam:ListRolePolicies",
       "iam:ListAttachedRolePolicies",
       "iam:ListPolicyVersions",
       "iam:CreateRole",
@@ -110,10 +101,8 @@ data "aws_iam_policy_document" "permissions_boundary" {
       "iam:PutRolePermissionsBoundary",
       "iam:AttachRolePolicy",
       "iam:DetachRolePolicy",
-      "iam:CreatePolicy",
-      "iam:CreatePolicyVersion",
-      "iam:DeletePolicy",
-      "iam:DeletePolicyVersion",
+      "iam:CreatePolicy*",
+      "iam:DeletePolicy*",
       "iam:TagRole",
       "iam:UntagPolicy",
       "iam:PassRole",
@@ -122,13 +111,9 @@ data "aws_iam_policy_document" "permissions_boundary" {
 
       # KMS - encryption key management
       "kms:CreateKey",
-      "kms:DescribeKey",
       "kms:Describe*",
       "kms:CreateAlias",
-      "kms:ListKeys",
       "kms:List*",
-      "kms:ListAliases",
-      "kms:GetKeyPolicy",
       "kms:GetKeyPolicy*",
       "kms:GetKeyRotationStatus",
       "kms:DeleteAlias",
@@ -140,19 +125,15 @@ data "aws_iam_policy_document" "permissions_boundary" {
       "kms:ScheduleKeyDeletion",
       "kms:PutKeyPolicy",
       "kms:Encrypt",
-      "kms:Decrypt",
       "kms:Decrypt*",
       "kms:ReEncrypt*",
       "kms:GenerateDataKey",
 
       # Lambda - function management
       "lambda:CreateFunction",
-      "lambda:UpdateFunctionCode",
-      "lambda:UpdateFunctionConfiguration",
+      "lambda:UpdateFunction*",
       "lambda:DeleteFunction",
-      "lambda:GetFunction",
-      "lambda:GetFunctionConfiguration",
-      "lambda:GetFunctionCodeSigningConfig",
+      "lambda:GetFunction*",
       "lambda:ListVersionsByFunction",
       "lambda:TagResource",
       "lambda:UntagResource",
@@ -179,37 +160,18 @@ data "aws_iam_policy_document" "permissions_boundary" {
       # S3 - bucket and object management
       "s3:GetLifecycleConfiguration",
       "s3:PutLifecycleConfiguration",
-      "s3:GetBucketVersioning",
       "s3:GetEncryptionConfiguration",
       "s3:PutEncryptionConfiguration",
-      "s3:GetBucketPolicy",
-      "s3:GetBucketObjectLockConfiguration",
-      "s3:GetBucketLogging",
       "s3:GetReplicationConfiguration",
-      "s3:GetBucketWebsite",
-      "s3:GetBucketRequestPayment",
-      "s3:GetBucketCORS",
-      "s3:GetBucketAcl",
-      "s3:PutBucketAcl",
       "s3:GetAccelerateConfiguration",
       "s3:ListBucket",
-      "s3:GetObject",
-      "s3:PutObject",
+      "s3:GetObject*",
+      "s3:PutObject*",
       "s3:DeleteObject",
-      "s3:GetBucketLocation",
-      "s3:GetBucketPublicAccessBlock",
-      "s3:PutBucketCORS",
+      "s3:GetBucket*",
       "s3:CreateBucket",
       "s3:DeleteBucket",
-      "s3:GetBucketTagging",
-      "s3:PutBucketPolicy",
-      "s3:PutBucketVersioning",
-      "s3:PutBucketPublicAccessBlock",
-      "s3:PutBucketLogging",
-      "s3:GetObjectTagging",
-      "s3:PutObjectTagging",
-      "s3:GetObjectVersion",
-      "s3:PutBucketTagging",
+      "s3:PutBucket*",
 
       # SNS - notification management
       "sns:CreateTopic",
@@ -222,14 +184,12 @@ data "aws_iam_policy_document" "permissions_boundary" {
       "sns:UntagResource",
       "sns:Subscribe",
       "sns:Unsubscribe",
-      "sns:ListSubscriptions",
-      "sns:ListSubscriptionsByTopic",
+      "sns:ListSubscriptions*",
       "sns:GetSubscriptionAttributes",
 
       # SSM - parameter management
       "ssm:DescribeParameters",
-      "ssm:GetParameter",
-      "ssm:GetParameters",
+      "ssm:GetParameter*",
       "ssm:ListTagsForResource",
       "ssm:PutParameter",
       "ssm:AddTagsToResource",
@@ -237,8 +197,7 @@ data "aws_iam_policy_document" "permissions_boundary" {
       # WAFv2 - web application firewall management
       "wafv2:CreateWebACL",
       "wafv2:DeleteWebACL",
-      "wafv2:GetWebACL",
-      "wafv2:GetWebACLForResource",
+      "wafv2:GetWebACL*",
       "wafv2:UpdateWebACL",
       "wafv2:ListWebACLs",
       "wafv2:TagResource",

From bcb22b060a37a20a8784813a8cea1e7603d6a013 Mon Sep 17 00:00:00 2001
From: Shweta <216860557+shweta-nhs@users.noreply.github.com>
Date: Fri, 16 Jan 2026 15:00:54 +0000
Subject: [PATCH 2/2] ELI-597: Adding metadata to emails for rotation

---
 .../stacks/api-layer/step_functions.tf | 27 ++++++++++++++-----------
 1 file changed, 15 insertions(+), 12 deletions(-)

diff --git a/infrastructure/stacks/api-layer/step_functions.tf b/infrastructure/stacks/api-layer/step_functions.tf
index 1560584bf..20781651e 100644
--- a/infrastructure/stacks/api-layer/step_functions.tf
+++ b/infrastructure/stacks/api-layer/step_functions.tf
@@ -24,6 +24,7 @@ resource "aws_sfn_state_machine" "rotation_machine" {
          Resource = "arn:aws:states:::sns:publish.waitForTaskToken",
          TimeoutSeconds = 86400,
          Parameters = {
+           Subject = "Action required: AWSPENDING secret created (Environment: ${var.environment})",
            TopicArn = aws_sns_topic.secret_rotation.arn,
            "Message.$" = local.add_jobs_message
          },
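Review bot: The `Subject` added in the first `rotation_machine` hunk (`@@ -24,6 +24,7 @@`) embeds `${var.environment}` with no bound on its length, and an SNS subject longer than 100 characters is rejected at publish time; the fixed text here is already 58 characters, and the one in the next hunk (`Secret AWSPENDING promoted to AWSCURRENT`) is 73, so a long environment name would make the `sns:publish.waitForTaskToken` task fail and the rotation would never reach the operator. `var.environment` is declared outside this file, so I can't tell what values it takes; a `validation` block on that variable, or a shorter prefix, would make the limit explicit, with a comment on the line such as `# SNS caps Subject at 100 chars; keep environment names short`. The resource `aws_sfn_state_machine.rotation_machine` starts before this hunk and continues after it.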
@@ -44,6 +45,7 @@ resource "aws_sfn_state_machine" "rotation_machine" {
          Resource = "arn:aws:states:::sns:publish.waitForTaskToken",
          TimeoutSeconds = 86400,
          Parameters = {
+           Subject = "Action required: Secret AWSPENDING promoted to AWSCURRENT (Environment: ${var.environment})",
            TopicArn = aws_sns_topic.secret_rotation.arn,
            "Message.$" = local.delete_jobs_message
          },
@@ -59,7 +61,7 @@ resource "aws_sfn_state_machine" "rotation_machine" {
          Resource = "arn:aws:states:::sns:publish",
          Parameters = {
            TopicArn = aws_sns_topic.secret_rotation.arn,
-           Subject = "WARNING: Secret Rotation Timed Out",
+           Subject = "Warning: Secret rotation timed out (Environment: ${var.environment})",
            "Message.$" = local.timeout_message
          },
          Next = "Fail_Timeout"
@@ -75,7 +77,7 @@ resource "aws_sfn_state_machine" "rotation_machine" {
          Resource = "arn:aws:states:::sns:publish",
          Parameters = {
            TopicArn = aws_sns_topic.secret_rotation.arn,
-           Subject = "CRITICAL: Secret Rotation Failed",
+           Subject = "Critical: Secret Rotation Failed (Environment: ${var.environment})",
            "Message.$" = local.failure_message
          },
          Next = "Fail_Generic"
@@ -91,7 +93,7 @@ locals {
   add_jobs_message = <
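Review bot: The new subject in the `@@ -75,7 +77,7 @@` hunk keeps title case (`Critical: Secret Rotation Failed`) while the other three subjects in this patch switch to sentence case (`Warning: Secret rotation timed out`, `Action required: AWSPENDING secret created`), so operators filtering mail by subject get inconsistent wording for the same state machine. I would change it to `Subject = "Critical: Secret rotation failed (Environment: ${var.environment})"`. Since all four subjects now end in the same `(Environment: ${var.environment})` suffix, a local such as `environment_suffix = "(Environment: ${var.environment})"` used as `Subject = "Critical: Secret rotation failed ${local.environment_suffix}"` would keep them aligned if the format changes again. The `locals` hunk that follows is cut off at the end of the page, so I have not reviewed it.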