
Fixes Dumb IAM Policies

Removes `s3:HeadBucket` and `s3:ListObject*`, as they aren't valid
IAM actions.
Changes `s3:ListBuckets` to `s3:ListBucket`, since the real action name has no 's'.

To be tagged v4.4.4
Fred Damstra [afs macbook] преди 3 години
родител
ревизия
145f95176c

+ 2 - 6
base/generic_s3_bucket_with_role/iam.tf

@@ -46,7 +46,6 @@ resource "aws_iam_role" "role" {
 #    effect = "Allow"
 #    actions = [
 #      "s3:ListAllMyBuckets",
-#      "s3:HeadBucket",
 #    ]
 #    resources = [ "*" ]
 #  }
@@ -70,7 +69,6 @@ data "aws_iam_policy_document" "policy_doc" {
     effect = "Allow"
     actions = [
       "s3:ListAllMyBuckets",
-      "s3:HeadBucket",
     ]
     resources = ["*"]
   }
@@ -84,9 +82,7 @@ data "aws_iam_policy_document" "policy_doc" {
       "s3:ListBucketVersions",
       "s3:GetBucketLogging",
       "s3:RestoreObject",
-      "s3:ListBuckets",
-      "s3:ListObjects",
-      "s3:ListObjectsV2",
+      "s3:ListBucket",
       "s3:GetBucketVersioning",
       "s3:PutObject",
       "s3:GetObject",
@@ -107,7 +103,7 @@ data "aws_iam_policy_document" "policy_doc" {
     effect = "Allow"
     actions = [
       "s3:ListBucketVersions",
-      "s3:ListBuckets",
+      "s3:ListBucket",
       "s3:GetBucketVersioning",
       "s3:GetObject",
       "s3:GetBucketCORS",
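Review bot: `s3:ListBucket`, added in the third and fourth hunks, is a bucket-level action and only takes effect if the statement's `resources` contains the bucket ARN itself (`arn:aws:s3:::<bucket>`), not only `arn:aws:s3:::<bucket>/*`; the resources lists are outside these hunks, so whether the replaced `ListObjects*` entries ever worked or this one will cannot be confirmed from here. Since the same statement also grants object-level actions (`s3:PutObject`, `s3:GetObject`, `s3:RestoreObject`), I would split it into one statement of bucket-level actions on the bucket ARN and one of object-level actions on the `/*` ARN, instead of widening a single statement to `*`. A one-line reminder above the new entry would help the next editor: `# bucket-level action: needs the bucket ARN, not bucket/*`. If the bucket is shared between roles, the `s3:prefix` condition key can restrict what `ListBucket` may enumerate. The `policy_doc` data source starts and ends outside the hunks.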

+ 1 - 2
base/github/instance_profile.tf

@@ -25,7 +25,6 @@ data "aws_iam_policy_document" "github_instance_policy_doc" {
     effect = "Allow"
     actions = [
       "s3:ListAllMyBuckets",
-      "s3:HeadBucket",
     ]
     resources = ["*"]
   }
@@ -40,7 +39,7 @@ data "aws_iam_policy_document" "github_instance_policy_doc" {
       "s3:ListMultipartUploadParts",
       "s3:AbortMultipartUpload",
       "s3:DeleteObject",
-      "s3:ListBuckets",
+      "s3:ListBucket",
       #      "s3:GetLifecycleConfiguration",
       #      "s3:DeleteObjectVersion",
       #      "s3:ListBucketVersions",
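Review bot: The new `s3:ListBucket` in the second hunk sits in a statement that also grants `s3:DeleteObject` and `s3:AbortMultipartUpload`, which are object-level, while `ListBucket` is evaluated against the bucket ARN; unless this statement's `resources` (not visible in the hunk) lists both `arn:aws:s3:::<bucket>` and `arn:aws:s3:::<bucket>/*`, one half of the grant is a no-op. Please verify the resources list, and consider a comment next to the new line such as `# bucket-level: resolve against the bucket ARN, not bucket/*` so the next edit keeps the two scopes apart. The `github_instance_policy_doc` data source continues past the hunk.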

+ 2 - 3
base/phantom/instance_profile.tf

@@ -21,7 +21,6 @@ module "instance_profile" {
 #    effect = "Allow"
 #    actions = [
 #      "s3:ListAllMyBuckets",
-#      "s3:HeadBucket",
 #    ]
 #    resources = [ "*" ]
 #  }
@@ -35,7 +34,7 @@ module "instance_profile" {
 #      "s3:ListBucketVersions",
 #      "s3:GetBucketLogging",
 #      "s3:RestoreObject",
-#      "s3:ListBuckets",
+#      "s3:ListBucket",
 #      "s3:GetBucketVersioning",
 #      "s3:PutObject",
 #      "s3:GetObject",
@@ -58,7 +57,7 @@ module "instance_profile" {
 #    effect = "Allow"
 #    actions = [
 #      "s3:ListBucketVersions",
-#      "s3:ListBuckets",
+#      "s3:ListBucket",
 #      "s3:GetBucketVersioning",
 #      "s3:GetObject",
 #      "s3:GetBucketCORS",

+ 2 - 5
base/phantom_s3_bucket/iam_phantom_s3_role.tf

@@ -42,7 +42,6 @@ data "aws_iam_policy_document" "phantom_s3_policy_doc" {
     effect = "Allow"
     actions = [
       "s3:ListAllMyBuckets",
-      "s3:HeadBucket",
     ]
     resources = ["*"]
   }
@@ -56,9 +55,7 @@ data "aws_iam_policy_document" "phantom_s3_policy_doc" {
       "s3:ListBucketVersions",
       "s3:GetBucketLogging",
       "s3:RestoreObject",
-      "s3:ListBuckets",
-      "s3:ListObjects",
-      "s3:ListObjectsV2",
+      "s3:ListBucket",
       "s3:GetBucketVersioning",
       "s3:PutObject",
       "s3:GetObject",
@@ -79,7 +76,7 @@ data "aws_iam_policy_document" "phantom_s3_policy_doc" {
     effect = "Allow"
     actions = [
       "s3:ListBucketVersions",
-      "s3:ListBuckets",
+      "s3:ListBucket",
       "s3:GetBucketVersioning",
       "s3:GetObject",
       "s3:GetBucketCORS",
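Review bot: As in the generic bucket module, `s3:ListBucket` in the second and third hunks is bucket-scoped and needs `arn:aws:s3:::<bucket>` in the statement's `resources`, which lie outside the hunks; the removed `ListObjects`/`ListObjectsV2` entries were never valid, so the role may never actually have had list access and this commit is the first time that is tested. Confirm the resource ARNs, and keep bucket-level and object-level actions in separate statements rather than granting both on `*`. The `phantom_s3_policy_doc` data source begins and ends outside the hunks.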

+ 0 - 1
base/splunk_servers/app_s3_bucket/iam_splunk_apps_s3_role.tf

@@ -59,7 +59,6 @@ data "aws_iam_policy_document" "splunk_apps_s3_policy_doc" {
     effect = "Allow"
     actions = [
       "s3:ListAllMyBuckets",
-      "s3:HeadBucket",
     ]
     resources = ["*"]
   }

+ 1 - 2
base/splunk_servers/indexer_cluster/instance_profile_indexers.tf

@@ -21,7 +21,6 @@ data "aws_iam_policy_document" "instance_policy_doc_idx" {
     effect = "Allow"
     actions = [
       "s3:ListAllMyBuckets",
-      "s3:HeadBucket",
     ]
     resources = ["*"]
   }
@@ -35,7 +34,7 @@ data "aws_iam_policy_document" "instance_policy_doc_idx" {
       "s3:ListBucketVersions",
       "s3:GetBucketLogging",
       "s3:RestoreObject",
-      "s3:ListBuckets",
+      "s3:ListBucket",
       "s3:GetBucketVersioning",
       "s3:PutObject",
       "s3:GetObject",
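Review bot: `s3:ListBucket` on the new side of the second hunk is in a statement with `s3:PutObject` and `s3:GetObject`; it will only be granted if the statement's `resources` (past the end of the hunk) include the bare bucket ARN, whereas the object actions need the `/*` form. Worth checking before tagging v4.4.4, since the indexers presumably rely on listing the bucket and the previous `ListBuckets` spelling would have silently granted nothing. A short comment, `# bucket-level action; requires the bucket ARN in resources`, would document the distinction in place. The `instance_policy_doc_idx` data source is cut at both ends of the hunk.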

+ 0 - 16
submodules/iam/bootstrap_mdradmin_policies/policy-mdradmin_tfstate_setup.tf

@@ -63,22 +63,6 @@ data "aws_iam_policy_document" "mdradmin_tfstate_setup" {
       ]
     }
   }
-  statement {
-    sid = "S3AllResources"
-    actions = [
-      "s3:HeadBucket"
-    ]
-    resources = [
-      "*"
-    ]
-    condition {
-      test     = "BoolIfExists"
-      variable = "aws:MultiFactorAuthPresent"
-      values = [
-        true
-      ]
-    }
-  }
   statement {
     sid = "S3ManageStateBucket"
     actions = [