#------------------------------------------------------------------------------------------
# A variant on PowerUserAccess that isn't so damn generous with sts:assumeRole
#------------------------------------------------------------------------------------------
# Rendered to JSON by the policy-document data source and attached below as the
# customer-managed policy "mdr_terraformer" (path /user/). Taken together the
# three statements allow: every action except sts:AssumeRole and iam:PassRole on
# any resource; iam:PassRole on any role in this account; and sts:AssumeRole into
# a fixed set of role names in any account of the partition.
data "aws_iam_policy_document" "mdr_terraformer" {
  # checkov:skip=CKV_AWS_107: IAM policies does not allow credentials exposure for ECR
  # checkov:skip=CKV_AWS_108: no data exfiltration allowed; resource constraints implemented
  # checkov:skip=CKV_AWS_109: see tfsec aws-iam-no-policy-wildcard ignore comment
  # checkov:skip=CKV_AWS_110: IAM policies does not allow privilege escalation
  # checkov:skip=CKV_AWS_111: see tfsec aws-iam-no-policy-wildcard ignore comment
  # NOTE(review): the skips above record intent, not a scan result. The first
  # statement is an Allow with NotAction on Resource "*", so every IAM write
  # action other than iam:PassRole, and every action of any service, is in scope.
  # Re-check the CKV_AWS_110 justification against that before relying on it.

  # Grant everything except the two actions that are handled separately below.
  # NotAction + Allow does NOT deny those two actions: a second policy attached
  # to the same principal could still allow them.
  statement {
    sid    = "AllowEverythingButAssumeRoleAndPassRole"
    effect = "Allow"
    not_actions = [
      "sts:AssumeRole",
      "iam:PassRole",
    ]
    resources = ["*"]
  }

  # iam:PassRole on every role in this account, i.e. any role (including
  # higher-privileged ones) can be handed to a service the caller can launch.
  # Once the baseline is known, tighten this to an explicit list of role ARNs
  # and/or an iam:PassedToService condition limiting which services may receive
  # the role.
  statement {
    sid    = "AllowPassRole"
    effect = "Allow"
    actions = [
      "iam:PassRole",
    ]
    # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
    resources = ["arn:${local.aws_partition}:iam::${local.aws_account}:role/*"]
  }

  # Cross-account hop. The account id is wildcarded, so the only restriction on
  # this side is the role name; the target role's trust policy must still name
  # this principal for the assumption to succeed. The role path /user/ matches
  # the path of the policy created below -- presumably the counterpart role is
  # created under the same path in each account; confirm against that module.
  statement {
    sid    = "AssumeThisRoleInOtherAccounts"
    effect = "Allow"
    actions = ["sts:AssumeRole"]
    # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
    resources = [
      "arn:${local.aws_partition}:iam::*:role/user/mdr_terraformer",
      # These two are the legacy roles in the older AWS accounts.
      # Adding them in the hope we'll be able to get AssumeRole from
      # one central place to everything...
      "arn:${local.aws_partition}:iam::*:role/mdr_powerusers",
      "arn:${local.aws_partition}:iam::*:role/mdr_iam_admins",
    ]
  }
}

# Managed policy carrying the document above. Nothing in this file attaches it
# to a user, group or role; the attachment (and therefore who actually receives
# these permissions) lives elsewhere.
resource "aws_iam_policy" "mdr_terraformer" {
  name   = "mdr_terraformer"
  path   = "/user/"
  policy = data.aws_iam_policy_document.mdr_terraformer.json
}