Skip to content

Scope down S3 IAM permissions to least-privilege (#371)#425

Merged
nickclyde merged 4 commits intomainfrom
nickclyde/371-iam-permissions
Apr 6, 2026
Merged

Scope down S3 IAM permissions to least-privilege (#371)#425
nickclyde merged 4 commits intomainfrom
nickclyde/371-iam-permissions

Conversation

@nickclyde
Copy link
Copy Markdown
Member

@nickclyde nickclyde commented Apr 3, 2026

Summary

Closes #371

Replaces AmazonS3FullAccess with per-Lambda IAM roles scoped to the exact S3 prefixes each function needs:

  • TTC Lambda (ttc_lambda_role): s3:GetObject/s3:HeadObject on eCRMessageV2/ and ValidationResponseV2/; s3:PutObject on TTCAugmentationMetadataV2/ and TTCMetadataV2/; plus OpenSearch access
  • Index Lambda (index_lambda_role): OpenSearch access only — no S3 permissions (it doesn't use S3)
  • Augmentation Lambda (augmentation_lambda_role): s3:PutObject on AugmentationEICRV2/ and AugmentationMetadataV2/ only — no OpenSearch access

Uses moved blocks for the TTC role rename so existing deployments won't see a destroy/recreate cycle.

Changes

  • terraform/main.tf — Split shared lambda_role into 3 separate roles with scoped inline S3 policies; updated Lambda function role refs and OpenSearch domain access policy
  • terraform/_outputs.tf — Replaced single lambda_role_arn output with per-Lambda outputs
  • terraform/README.md — Updated IAM docs, removed S3 scoping TODO

@codecov-commenter
Copy link
Copy Markdown

codecov-commenter commented Apr 3, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 95.79%. Comparing base (adc944a) to head (4a242a2).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files 
@@           Coverage Diff           @@
##             main     #425   +/-   ##
=======================================
  Coverage   95.78%   95.79%           
=======================================
  Files          42       42           
  Lines        2183     2186    +3     
=======================================
+ Hits         2091     2094    +3     
  Misses         92       92

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

robertandremitchell
robertandremitchell approved these changes Apr 6, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@robertandremitchell robertandremitchell left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

BradySkylight
BradySkylight approved these changes Apr 6, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@BradySkylight BradySkylight left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch!

@nickclyde nickclyde merged commit f2f341b into main Apr 6, 2026
6 checks passed
@nickclyde nickclyde deleted the nickclyde/371-iam-permissions branch April 6, 2026 20:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@robertandremitchell robertandremitchell robertandremitchell approved these changes

@BradySkylight BradySkylight BradySkylight approved these changes

@bamader bamader Awaiting requested review from bamader bamader is a code owner

@JNygaard-Skylight JNygaard-Skylight Awaiting requested review from JNygaard-Skylight JNygaard-Skylight is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Scope down S3 IAM permissions in Terraform

4 participants

@nickclyde @codecov-commenter @robertandremitchell @BradySkylight