From dcaef9bef9d8bc7b4ef06554485a5cf41294d1f2 Mon Sep 17 00:00:00 2001
From: chrisbloe
Date: Tue, 21 Oct 2025 13:50:34 +0100
Subject: [PATCH 1/4] [PRM-562] ProductionSupport IAM policy for targeted Admin access
---
 infrastructure/policies.tf | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
diff --git a/infrastructure/policies.tf b/infrastructure/policies.tf
index 02e63962d..c871843c1 100644
--- a/infrastructure/policies.tf
+++ b/infrastructure/policies.tf
@@ -40,3 +40,27 @@ resource "aws_iam_policy" "read_only_role_extra_permissions" {
 Workspace = "core"
 }
 }
+
+resource "aws_iam_policy" "production_support" {
+count = local.is_production ? 1 : 0
+name = "ProductionSupport"
+policy = jsonencode({
+Version = "2012-10-17",
+Statement = [
+{
+Sid = "AWS Transfer Family",
+Effect = "Allow",
+Action = [
+"transfer:CreateUser"
+],
+Resource = [
+"*"
+]
+}
+]
+})
+tags = {
+Name = "ProductionSupport"
+Workspace = "core"
+}
+}
From 1671f74e708355b512f0f3a17526aa40cff84e89 Mon Sep 17 00:00:00 2001
From: chrisbloe
Date: Tue, 21 Oct 2025 13:55:44 +0100
Subject: [PATCH 2/4] Locking down the resource path
---
 infrastructure/policies.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/infrastructure/policies.tf b/infrastructure/policies.tf
index c871843c1..4329a1259 100644
--- a/infrastructure/policies.tf
+++ b/infrastructure/policies.tf
@@ -54,7 +54,7 @@ resource "aws_iam_policy" "production_support" {
 "transfer:CreateUser"
 ],
 Resource = [
-"*"
+"arn:aws:transfer:eu-west-2:${data.aws_caller_identity.current.account_id}:*"
 ]
 }
 ]
From 79687ba8e64fed6ad6984a752c977021171c46bf Mon Sep 17 00:00:00 2001
From: chrisbloe
Date: Tue, 21 Oct 2025 14:39:26 +0100
Subject: [PATCH 3/4] Additional permissions
---
 infrastructure/policies.tf | 60 ++++++++++++++++++++++++++++++++++++--
 1 file changed, 58 insertions(+), 2 deletions(-)
diff --git a/infrastructure/policies.tf b/infrastructure/policies.tf
index 4329a1259..dba33753b 100644
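Review bot: `transfer:CreateUser` cannot succeed with this statement alone — the API takes the IAM role the new SFTP user will assume, so the caller also needs `iam:PassRole` on that role, and nothing here grants it. When it is added it should name the specific Transfer user role rather than `*`, with `Condition = { StringEquals = { "iam:PassedToService" = "transfer.amazonaws.com" } }`, because the role passed to CreateUser is what decides which S3 data the new user can read and write. The `Sid` value `AWS Transfer Family` contains spaces, which IAM managed policies reject (Sid is limited to alphanumerics); patch 3 of this series renames it. The `aws_iam_policy` resource also has no `description`, which is worth adding so the console shows who this policy is intended for.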
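Review bot: The new resource ARN `arn:aws:transfer:eu-west-2:<account>:*` still covers every Transfer server, user and connector in the region, so `transfer:CreateUser` can add users to any server, not only the production SFTP endpoint this policy is meant for. If that server is known, narrow the grant to its user ARNs, e.g. `"arn:aws:transfer:eu-west-2:${data.aws_caller_identity.current.account_id}:user/<server-id>/*"` (server id is a placeholder here; it should come from the `aws_transfer_server` resource's `id` attribute rather than a literal). The region is also hard-coded; if the file already has an `aws_region` data source, referencing it keeps the policy aligned with the provider region.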
--- a/infrastructure/policies.tf
+++ b/infrastructure/policies.tf
@@ -48,10 +48,66 @@ resource "aws_iam_policy" "production_support" {
 Version = "2012-10-17",
 Statement = [
 {
-Sid = "AWS Transfer Family",
+Sid = "AllowListBucketsForConsole",
 Effect = "Allow",
 Action = [
-"transfer:CreateUser"
+"s3:ListAllMyBuckets",
+"s3:GetBucketLocation"
+],
+Resource = [
+"arn:aws:s3:::*"
+]
+},
+{
+Sid = "AllowListRootFoldersInProdStagingBulkStore",
+Effect = "Allow",
+Action = [
+"s3:ListBucket"
+],
+Resource = [
+"arn:aws:s3:::prod-staging-bulk-store"
+]
+Condition = {
+StringEquals = {
+"s3:delimiter" = "/"
+}
+StringEqualsIfExists = {
+"s3:prefix" = ""
+}
+}
+},
+{
+Sid = "AllowCreateRootFoldersOnlyInProdStagingBulkStore",
+Effect = "Allow"
+Action = "s3:PutObject"
+Resource = "arn:aws:s3:::prod-staging-bulk-store/*"
+Condition = {
+StringLike = {
+"s3:prefix" = "[^/]+/"
+}
+}
+},
+{
+Sid = "ExplicitDenyObjectAccessInProdStagingBulkStore",
+Effect = "Deny",
+Action = [
+"s3:GetObject",
+"s3:GetObjectVersion",
+"s3:GetObjectAcl",
+"s3:GetObjectTagging"
+],
+Resource = [
+"arn:aws:s3:::prod-staging-bulk-store/*"
+]
+},
+{
+Sid = "AWSTransferFamilyManager",
+Effect = "Allow",
+Action = [
+"transfer:CreateUser",
+"transfer:Describe*",
+"transfer:List*",
+"transfer:TestIdentityProvider",
 ],
 Resource = [
 "arn:aws:transfer:eu-west-2:${data.aws_caller_identity.current.account_id}:*"
From 632513c49e99ab2f679f6473c40fe49a738e2e68 Mon Sep 17 00:00:00 2001
From: chrisbloe
Date: Tue, 21 Oct 2025 14:39:59 +0100
Subject: [PATCH 4/4] Formatting
---
 infrastructure/policies.tf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/infrastructure/policies.tf b/infrastructure/policies.tf
index dba33753b..fd1627386 100644
--- a/infrastructure/policies.tf
+++ b/infrastructure/policies.tf
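Review bot: The `AllowCreateRootFoldersOnlyInProdStagingBulkStore` statement can never match a request: `s3:prefix` is a condition key of the list operations (`s3:ListBucket` and its variants), not of `s3:PutObject`, so a plain `StringLike` on it evaluates false because the key is absent from the request context, and `StringLike` only understands `*` and `?` anyway, so `[^/]+/` is a literal string rather than the intended regex. The practical result is that this policy grants no PutObject at all, which will surface as an access-denied error the first time support tries to create a folder. IAM cannot express "exactly one path level", but the folder-marker-only intent can be approximated in the resource ARN instead: drop the `Condition` block and use `Resource = "arn:aws:s3:::prod-staging-bulk-store/*/"`, which limits PutObject to keys ending in `/` (the zero-byte objects the console writes for a folder) and so blocks real file uploads, while nested folders remain possible. The explicit deny covers only the `s3:GetObject*` family, so once the PutObject grant is effective, keys under an existing prefix can still be created and existing folder markers overwritten; confirm that is acceptable for the staging bucket. The enclosing `jsonencode` block and the remaining lines of the transfer statement continue outside this hunk.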
@@ -77,9 +77,9 @@ resource "aws_iam_policy" "production_support" {
 }
 },
 {
-Sid = "AllowCreateRootFoldersOnlyInProdStagingBulkStore",
-Effect = "Allow"
-Action = "s3:PutObject"
+Sid = "AllowCreateRootFoldersOnlyInProdStagingBulkStore",
+Effect = "Allow"
+Action = "s3:PutObject"
 Resource = "arn:aws:s3:::prod-staging-bulk-store/*"
 Condition = {
 StringLike = {