Merge pull request #283 from NHSDigital/feature/eja-eli-385-remove-wildcard-resource-and-passrole-permissions

eli-385 finessing github permissions

Author: eddalmond1

infrastructure/stacks/api-layer/assumed_role_permissions_boundary.tf

@@ -6,35 +6,53 @@ data "aws_iam_policy_document" "assumed_role_permissions_boundary" {
     effect = "Allow"
 
     actions = [
-      "acm:*",
-      "application-autoscaling:*",
-      "apigateway:*",
-      "cloudtrail:*",
-      "cloudwatch:*",
-      "config:*",
-      "dynamodb:*",
-      "ec2:*",
-      "events:*",
-      "firehose:*",
-      "glue:*",
-      "health:*",
-      "iam:*",
-      "kms:*",
-      "lambda:*",
-      "logs:*",
-      "network-firewall:*",
-      "pipes:*",
-      "s3:*",
-      "schemas:*",
-      "sns:*",
-      "servicequotas:*",
-      "ssm:*",
-      "states:*",
-      "support:*",
-      "sqs:*",
-      "tag:*",
-      "trustedadvisor:*",
-      "xray:*"
+      # DynamoDB - table operations for Lambda and external write roles
+      "dynamodb:GetItem",
+      "dynamodb:Query",
+      "dynamodb:Scan",
+      "dynamodb:PutItem",
+      "dynamodb:UpdateItem",
+      "dynamodb:DeleteItem",
+      "dynamodb:BatchWriteItem",
+
+      # S3 - bucket and object operations for Lambda and Firehose
+      "s3:GetObject",
+      "s3:ListBucket",
+      "s3:PutObject",
+      "s3:PutObjectAcl",
+      "s3:AbortMultipartUpload",
+      "s3:GetBucketLocation",
+      "s3:ListBucketMultipartUploads",
+
+      # KMS - encryption/decryption for DynamoDB and S3
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey",
+      "kms:GenerateDataKey*",
+      "kms:DescribeKey",
+
+      # CloudWatch Logs - Lambda execution and Firehose logging
+      "logs:CreateLogGroup",
+      "logs:CreateLogStream",
+      "logs:PutLogEvents",
+      "logs:DescribeLogGroups",
+      "logs:DescribeLogStreams",
+
+      # EC2 - VPC access for Lambda (from AWSLambdaVPCAccessExecutionRole)
+      "ec2:CreateNetworkInterface",
+      "ec2:DescribeNetworkInterfaces",
+      "ec2:DeleteNetworkInterface",
+      "ec2:AttachNetworkInterface",
+      "ec2:DetachNetworkInterface",
+
+      # Kinesis Firehose - Lambda writing audit data
+      "firehose:PutRecord",
+      "firehose:PutRecordBatch",
+
+      # X-Ray - Lambda tracing
+      "xray:PutTraceSegments",
+      "xray:PutTelemetryRecords"
     ]
 
     resources = ["*"]

infrastructure/stacks/iams-developer-roles/github_actions_policies.tf

@@ -163,6 +163,8 @@ resource "aws_iam_policy" "s3_management" {
           "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-truststore/*",
           "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-truststore-access-logs",
           "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-truststore-access-logs/*",
+          "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-eli-splunk-backup",
+          "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-eli-splunk-backup/*"
         ]
       }
     ]
@@ -196,20 +198,62 @@ resource "aws_iam_policy" "api_infrastructure" {
           # ACM for certs
           "acm:DescribeCertificate",
           "acm:GetCertificate",
-          "acm:ListCertificates",
-          # S3 for mTLS truststore
-          "s3:GetObject",
-          # CloudWatch Logs for logging
-          "logs:CreateLogGroup",
-          "logs:CreateLogStream",
-          "logs:PutLogEvents",
-          # IAM PassRole for logging role association (if needed)
-          "iam:PassRole"
+          "acm:ListCertificates"
 
         ],
         Resource = "*"
         #checkov:skip=CKV_AWS_289: Actions require wildcard resource
       },
+      {
+        Effect = "Allow",
+        Action = [
+          # CloudWatch Logs creation and management
+          "logs:CreateLogGroup",
+          "logs:CreateLogStream",
+          "logs:PutLogEvents"
+        ],
+        Resource = [
+          # VPC Flow Logs
+          "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/vpc/*",
+          # Lambda function logs
+          "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/*",
+          # API Gateway logs
+          "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/apigateway/*",
+          # Kinesis Firehose logs
+          "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/kinesisfirehose/*"
+        ]
+      },
+      {
+        Effect = "Allow",
+        Action = [
+          # IAM PassRole for specific service roles only
+          "iam:PassRole"
+        ],
+        Resource = [
+          # Lambda execution roles
+          "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/eligibility_lambda-role*",
+          # API Gateway CloudWatch logging role
+          "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/*-api-gateway-*-role",
+          # VPC Flow Logs role
+          "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/vpc-flow-logs-role*",
+          # EventBridge to Firehose role
+          "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/eventbridge-firehose-role*",
+          # Kinesis Firehose S3 backup roles
+          "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/*firehose*role*",
+          "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/splunk-firehose-assume-role*"
+        ],
+        Condition = {
+          StringEquals = {
+            "iam:PassedToService" = [
+              "lambda.amazonaws.com",
+              "apigateway.amazonaws.com",
+              "vpc-flow-logs.amazonaws.com",
+              "events.amazonaws.com",
+              "firehose.amazonaws.com"
+            ]
+          }
+        }
+      },
       {
         Effect = "Allow",
         Action = [
@@ -299,24 +343,22 @@ resource "aws_iam_policy" "kms_creation" {
       {
         Effect = "Allow",
         Action = [
+          # Key creation and listing actions require wildcard resource
           "kms:CreateKey",
-          "kms:DescribeKey",
           "kms:CreateAlias",
           "kms:List*",
-          "kms:ListAliases",
-          "kms:Decrypt",
-          "kms:Encrypt",
-          "kms:ReEncrypt*",
+          "kms:ListAliases"
         ],
         Resource = "*"
       },
       {
         Effect = "Allow",
         Action = [
+          # Key management actions on account-specific keys only
+          "kms:DescribeKey",
           "kms:Describe*",
           "kms:GetKeyPolicy*",
           "kms:GetKeyRotationStatus",
-          "kms:Decrypt*",
           "kms:DeleteAlias",
           "kms:UpdateKeyDescription",
           "kms:CreateGrant",
@@ -325,8 +367,9 @@ resource "aws_iam_policy" "kms_creation" {
           "kms:ScheduleKeyDeletion",
           "kms:PutKeyPolicy",
           "kms:Encrypt",
-          "kms:TagResource",
-          "kms:GenerateDataKey",
+          "kms:Decrypt",
+          "kms:ReEncrypt*",
+          "kms:GenerateDataKey"
         ],
         Resource = [
           "arn:aws:kms:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:key/*",