
[Issue #332] Remove unused AWS services from GitHub Actions IAM permissions#9002

Open
sean-navapbc wants to merge 2 commits into main from fix/issue-332-reduce-gha-iam-permissions

Conversation

@sean-navapbc
Collaborator

Summary

  • Audited all 36 AWS services in the GitHub Actions IAM policy against actual Terraform resource usage
  • Removed 9 services that have no corresponding Terraform resources, reducing to 27 services
  • Follows least-privilege principles for GitHub Actions OIDC role

Services removed

| Service | Reason |
| --- | --- |
| autoscaling | EC2 Auto Scaling not used; only application-autoscaling is used |
| dynamodb | Only used for Terraform state locks, being replaced by S3 native locking |
| elasticbeanstalk | Not used; ECS is the container platform |
| mobiletargeting | No Pinpoint resources in Terraform |
| pipes | No EventBridge Pipes resources in Terraform |
| route53domains | No domain registration resources in Terraform |
| schemas | No EventBridge Schemas resources in Terraform |
| servicediscovery | No Cloud Map resources in Terraform |
| waf-regional | Only WAFv2 is used, not legacy WAF Regional |

Test plan

  • Verify terraform plan shows expected IAM policy changes for accounts layer
  • Apply to a non-prod account first and verify GitHub Actions workflows still pass
  • Monitor subsequent deploys for any permission errors

Closes #332

Audited all AWS services in the GitHub Actions IAM policy against
actual Terraform resource usage. Removed services with no corresponding
Terraform resources:

- autoscaling (EC2 Auto Scaling - only application-autoscaling is used)
- dynamodb (only used for state locks, being replaced by S3 native locking)
- elasticbeanstalk (not used - ECS is the container platform)
- mobiletargeting (no Pinpoint resources)
- pipes (no EventBridge Pipes resources)
- route53domains (no domain registration resources)
- schemas (no EventBridge Schemas resources)
- servicediscovery (no Cloud Map resources)
- waf-regional (only WAFv2 is used)

Reduces the service list from 36 to 27, following least-privilege principles.

Closes #332
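The audit the PR describes, written out as an added example (not the PR's or the project's own code): it collects the service prefixes an IAM policy allows, maps the `aws_*` resource types declared in Terraform back to the IAM service each one needs, and reports the services with nothing behind them. The policy excerpt, the Terraform snippet and the `ALIASES` table are constructed for the example; a real run would read the repository's policy document and every `*.tf` file.

```python
"""Audit the AWS services an IAM policy grants against the Terraform
resource types actually declared (added example, not the PR's own code)."""
import json
import re

# Constructed excerpt of a GitHub Actions policy in the PR's "service:*" style.
POLICY_JSON = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["ecs:*", "application-autoscaling:*", "autoscaling:*",
               "wafv2:*", "waf-regional:*", "servicediscovery:*", "dynamodb:*"]}]})

# Constructed Terraform stand-in; the real audit would read every *.tf file.
TERRAFORM_HCL = """
resource "aws_ecs_service" "app" {}
resource "aws_appautoscaling_target" "app" {}
resource "aws_wafv2_web_acl" "app" {}
"""

# Terraform type prefixes whose IAM service prefix is spelled differently.
# Assumption: hand-maintained; unlisted types use their first "_" token.
ALIASES = {"appautoscaling": "application-autoscaling",
           "wafregional": "waf-regional",
           "service_discovery": "servicediscovery"}

def services_in_policy(policy_json: str) -> set[str]:
    """Collect the service prefixes named in Allow statements."""
    services = set()
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        for action in [actions] if isinstance(actions, str) else actions:
            if action == "*":  # blanket grant: flag it rather than guess
                raise ValueError("policy allows '*'; audit by hand")
            services.add(action.split(":", 1)[0])
    return services

def services_used_by_terraform(hcl: str) -> set[str]:
    """Map each declared aws_* resource type to the IAM service it needs."""
    used = set()
    for rtype in re.findall(r'resource\s+"aws_([a-z0-9_]+)"', hcl):
        alias = next((ALIASES[k] for k in sorted(ALIASES, key=len, reverse=True)
                      if rtype.startswith(k)), None)
        used.add(alias or rtype.split("_")[0])
    return used

def unused_services(policy_json: str, hcl: str) -> list[str]:
    """Services granted by the policy with no Terraform resource behind them."""
    return sorted(services_in_policy(policy_json) - services_used_by_terraform(hcl))

if __name__ == "__main__":
    print("\n".join(unused_services(POLICY_JSON, TERRAFORM_HCL)))
```

The output is a candidate list, not a verdict: a service can be needed by a data source, a provisioner or a CI step with no `resource` block, which is why the PR's test plan applies the change to a non-prod account and watches the workflows before trusting it.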
@sean-navapbc changed the title from "Remove unused AWS services from GitHub Actions IAM permissions" to "[Issue #332] Remove unused AWS services from GitHub Actions IAM permissions" on Mar 12, 2026

Development

Successfully merging this pull request may close these issues: [Task]: Github actions permissions

1 participant