Restrict access for Lambda role account. (#7)

switchdk · web-flow · commit 145a62fca9c8 · 2022-04-02T10:21:30.000+02:00
* make permissions more granular
* reduce sqs permissions
* formatting
diff --git a/data.tf b/data.tf
@@ -30,3 +30,4 @@ data "aws_s3_bucket" "cloudtrail_bucket" {
   bucket = var.cloudtrail_bucket_name
 }
 
+data "aws_caller_identity" "current" {}
diff --git a/iam.tf b/iam.tf
@@ -26,42 +26,61 @@ resource "aws_iam_role_policy" "lambda_permissions" {
   policy = data.aws_iam_policy_document.lambda_permissions.json
 }
 
-
 data "aws_iam_policy_document" "lambda_permissions" {
   statement {
-    sid = "Logging"
+    sid = "LoggingCreateGroup"
+
+    actions = [
+      "logs:CreateLogGroup"
+    ]
+
+    resources = [
+      "arn:aws:logs:${var.region}:${data.aws_caller_identity.current.account_id}:log-group:${aws_cloudwatch_log_group.func.name}"
+    ]
+  }
+
+  statement {
+    sid = "LoggingStreamPutEvents"
 
     actions = [
-      "logs:CreateLogGroup",
       "logs:CreateLogStream",
       "logs:PutLogEvents"
     ]
 
     resources = [
-      "arn:aws:logs:*:*:*"
+      "arn:aws:logs:${var.region}:${data.aws_caller_identity.current.account_id}:log-group:${aws_cloudwatch_log_group.func.name}:log-stream:*"
     ]
   }
 
   statement {
-    sid = "S3Access"
+    sid = "S3AccessBucket"
 
     actions = [
-      "s3:Get*",
-      "s3:List*",
-      "s3:Describe*",
+      "s3:ListBucket"
     ]
 
     resources = [
-      "${data.aws_s3_bucket.cloudtrail_bucket.arn}/",
-      "${data.aws_s3_bucket.cloudtrail_bucket.arn}/*",
+      "${data.aws_s3_bucket.cloudtrail_bucket.arn}"
+    ]
+  }
+
+  statement {
+    sid = "S3AccessBucketObject"
+
+    actions = [
+      "s3:GetObject"
+    ]
+
+    resources = [
+      "${data.aws_s3_bucket.cloudtrail_bucket.arn}/*"
     ]
   }
 
   statement {
     sid = "SSMAccess"
 
     actions = [
-      "ssm:Get*",
+      "ssm:GetParameter"
     ]
 
     resources = [
@@ -73,12 +92,13 @@ data "aws_iam_policy_document" "lambda_permissions" {
     sid = "SQSAccess"
 
     actions = [
-      "sqs:*",
+      "sqs:DeleteMessage",
+      "sqs:GetQueueAttributes",
+      "sqs:ReceiveMessage"
     ]
 
     resources = [
       aws_sqs_queue.bucket_notifications.arn
     ]
   }
-
-}
+}
diff --git a/lambda.tf b/lambda.tf
@@ -25,7 +25,7 @@ resource "aws_lambda_function" "func" {
 
       MESSAGE_FORMAT = var.message_format
 
-      LOG_LEVEL         = "INFO"
+      LOG_LEVEL = "INFO"
     }
   }
 

Original file line number	Diff line number	Diff line change
`@@ -30,3 +30,4 @@ data "aws_s3_bucket" "cloudtrail_bucket" {`
`30`	`30`	`bucket = var.cloudtrail_bucket_name`
`31`	`31`	`}`
`32`	`32`
	`33`	`+data "aws_caller_identity" "current" {}`
Original file line number	Diff line number	Diff line change
`@@ -25,7 +25,7 @@ resource "aws_lambda_function" "func" {`
`25`	`25`
`26`	`26`	`MESSAGE_FORMAT = var.message_format`
`27`	`27`
`28`		`- LOG_LEVEL = "INFO"`
	`28`	`+ LOG_LEVEL = "INFO"`
`29`	`29`	`}`
`30`	`30`	`}`
`31`	`31`