[PRMT-866] restricted permissions

Author: PedroSoaresNHS

infrastructure/policies.tf

@@ -72,23 +72,34 @@ resource "aws_iam_policy" "transfer_kill_switch" {
   name        = "${terraform.workspace}-transfer-kill-switch"
   description = "Permissions for Transfer kill switch Lambda"
   policy = jsonencode({
-    Version = "2012-10-17"
+    Version = "2012-10-17",
     Statement = [
       {
-        Effect = "Allow"
+        Sid    = "DescribeAndStopTransferServers",
+        Effect = "Allow",
         Action = [
-          "transfer:ListServers",
           "transfer:DescribeServer",
           "transfer:StopServer",
+        ],
+        Resource = [
+          "arn:aws:transfer:${var.region}:${data.aws_caller_identity.current.account_id}:server/*",
         ]
+      },
+      {
+        Sid    = "ListTransferServers",
+        Effect = "Allow",
+        Action = [
+          "transfer:ListServers",
+        ],
         Resource = "*"
       },
       {
-        Effect = "Allow"
+        Sid    = "PublishTransferKillSwitchMetrics",
+        Effect = "Allow",
         Action = [
           "cloudwatch:PutMetricData",
-        ]
-        Resource = "*"
+        ],
+        Resource = "*",
         Condition = {
           StringEquals = {
             "cloudwatch:namespace" = "Custom/TransferKillSwitch"
@@ -97,4 +108,4 @@ resource "aws_iam_policy" "transfer_kill_switch" {
       }
     ]
   })
-}
+}