Merge pull request #4 from ministryofjustice/permissions

Revisited IAM policy
ministryofjustice · Jul 30, 2018 · 8e87b3a · 8e87b3a
2 parents b7cddb2 + 21b79a8
commit 8e87b3a
Showing 1 changed file with 25 additions and 26 deletions.
diff --git a/main.tf b/main.tf
@@ -45,43 +45,42 @@ resource "aws_iam_access_key" "user" {
 data "aws_iam_policy_document" "policy" {
   statement {
     actions = [
-      "s3:GetBucketTagging",
-      "s3:DeleteObjectVersion",
-      "s3:GetObjectVersionTagging",
+      "s3:GetBucketLocation",
+      "s3:ListBucket",
+      "s3:ListBucketMultipartUploads",
       "s3:ListBucketVersions",
-      "s3:GetBucketLogging",
-      "s3:RestoreObject",
-      "s3:ReplicateObject",
-      "s3:GetObjectVersionTorrent",
-      "s3:GetObjectAcl",
-      "s3:GetEncryptionConfiguration",
+    ]
+
+    resources = [
+      "arn:aws:s3:::${aws_s3_bucket.bucket.id}",
+    ]
+  }
+
+  statement {
+    actions = [
       "s3:AbortMultipartUpload",
-      "s3:GetBucketRequestPayment",
-      "s3:GetObjectVersionAcl",
-      "s3:GetObjectTagging",
-      "s3:PutObjectTagging",
       "s3:DeleteObject",
-      "s3:GetIpConfiguration",
       "s3:DeleteObjectTagging",
-      "s3:ListBucketMultipartUploads",
-      "s3:GetBucketWebsite",
-      "s3:PutObjectVersionTagging",
+      "s3:DeleteObjectVersion",
       "s3:DeleteObjectVersionTagging",
-      "s3:GetBucketVersioning",
-      "s3:GetBucketNotification",
-      "s3:ListMultipartUploadParts",
-      "s3:PutObject",
       "s3:GetObject",
+      "s3:GetObjectAcl",
+      "s3:GetObjectTagging",
       "s3:GetObjectTorrent",
-      "s3:GetBucketCORS",
-      "s3:GetObjectVersionForReplication",
-      "s3:GetBucketLocation",
-      "s3:ReplicateDelete",
       "s3:GetObjectVersion",
+      "s3:GetObjectVersionAcl",
+      "s3:GetObjectVersionTagging",
+      "s3:GetObjectVersionTorrent",
+      "s3:ListMultipartUploadParts",
+      "s3:PutObject",
+      "s3:PutObjectAcl",
+      "s3:PutObjectTagging",
+      "s3:PutObjectVersionAcl",
+      "s3:PutObjectVersionTagging",
+      "s3:RestoreObject",
     ]
 
     resources = [
-      "arn:aws:s3:::${aws_s3_bucket.bucket.id}",
       "arn:aws:s3:::${aws_s3_bucket.bucket.id}/*",
     ]
   }