
     1  
     2  Specify the exact permissions required and the resources they should apply to, instead of using wildcards.
     3  
     4  ```hcl
     5   resource "aws_iam_role_policy" "test_policy" {
     6   	name = "test_policy"
     7   	role = aws_iam_role.test_role.id
     8   
     9   	policy = data.aws_iam_policy_document.s3_policy.json
    10   }
    11   
    12   resource "aws_iam_role" "test_role" {
    13   	name = "test_role"
    14   	assume_role_policy = jsonencode({
    15   		Version = "2012-10-17"
    16   		Statement = [
    17   		{
    18   			Action = "sts:AssumeRole"
    19   			Effect = "Allow"
    20   			Sid    = ""
    21   			Principal = {
    22   			Service = "s3.amazonaws.com"
    23   			}
    24   		},
    25   		]
    26   	})
    27   }
    28   
    29   data "aws_iam_policy_document" "s3_policy" {
    30     statement {
    31       principals {
    32         type        = "AWS"
    33         identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    34       }
    35       actions   = ["s3:GetObject"]
    36       resources = [aws_s3_bucket.example.arn]
    37     }
    38   }
    39   
    40  ```
    41  
    42  #### Remediation Links
    43   - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
    44