

Merge pull request #8371 from ministryofjustice/feature/6170-prevent-…
…passrole-of-infrastructure-access-role

Denying `iam:PassRole` of infrastructure access roles
dms1981 authored Oct 31, 2024
2 parents a7c73d6 + bd03166 commit c1cb12c
Showing 1 changed file with 12 additions and 0 deletions.
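--- a/terraform/environments/bootstrap/member-bootstrap/iam.tf
+++ b/terraform/environments/bootstrap/member-bootstrap/iam.tf
@@ -275,6 +275,12 @@ data "aws_iam_policy_document" "member-access" {
 ]
 resources = ["arn:aws:iam::*:user/cicd-member-user"]
 }
+
+statement {
+actions = ["iam:PassRole"]
+effect = "Deny"
+resources = ["arn:aws:iam::*:role/MemberInfrastructureAccess"]
+}
 }
 
 resource "aws_iam_policy" "member-access" {
@@ -390,6 +396,12 @@ data "aws_iam_policy_document" "member-access-us-east" {
 ]
 resources = ["*"]
 }
+
+statement {
+actions = ["iam:PassRole"]
+effect = "Deny"
+resources = ["arn:aws:iam::*:role/MemberInfrastructureAccessUSEast"]
+}
 }
 
 resource "aws_iam_policy" "member-access-us-east" {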
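Review bot: The new Deny statements carry no `sid` and no comment saying which escalation they close, so the next maintainer has only the commit title to go on; a `sid = "DenyPassRoleMemberInfrastructureAccess"` plus a one-line comment such as `# Deny passing the infrastructure access role to a service (e.g. Lambda/EC2) so a member principal cannot run workloads with its permissions` would make the intent durable, with the same treatment for the US East statement. The resource ARN matches only a role named exactly `MemberInfrastructureAccess` at the root path, so a role created under a path (`role/some/path/MemberInfrastructureAccess`) would not be caught — acceptable only if that name and path are fixed by the bootstrap. Whether the same principal can still reach the role through `sts:AssumeRole`, `iam:UpdateAssumeRolePolicy`, or by attaching equivalent policies to a freshly created role depends on the Allow statements outside this hunk (the preceding US East statement grants on `resources = ["*"]`), so this Deny should be read as closing one path rather than as a complete guard. Both enclosing `aws_iam_policy_document` blocks start before their hunks.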

