[PRMP-586] Restrict S3 access to specific bucket for document review process

NogaNHS · NogaNHS · commit 0c60d6846ec9 · 2025-11-24T11:30:55.000Z
Signed-off-by: NogaNHS &lt;127490765+NogaNHS@users.noreply.github.com&gt;
diff --git a/infrastructure/iam.tf b/infrastructure/iam.tf
@@ -299,7 +299,7 @@ resource "aws_iam_policy" "s3_document_data_policy_get_document_review_lambda" {
         "Action" : [
           "s3:GetObject",
         ],
-        "Resource" : ["*"]
+        "Resource" : ["${module.ndr-document-pending-review-store.bucket_arn}/*"]
       }
     ]
   })

Original file line number	Diff line number	Diff line change
`@@ -299,7 +299,7 @@ resource "aws_iam_policy" "s3_document_data_policy_get_document_review_lambda" {`
`299`	`299`	`"Action" : [`
`300`	`300`	`"s3:GetObject",`
`301`	`301`	`],`
`302`		`- "Resource" : ["*"]`
	`302`	`+ "Resource" : ["${module.ndr-document-pending-review-store.bucket_arn}/*"]`
`303`	`303`	`}`
`304`	`304`	`]`
`305`	`305`	`})`