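module "least_privilege_policy" {
  source = "registry.patterneddesigns.ca/governance/access-policy/aws"
  # Exact pin: a floating constraint on a policy-generating module could
  # silently widen the grant on a later apply.
  version = "2.1.0"

  policy_name = "application-service-policy"
  policy_type = "iam"

  # Allow-list of service namespaces the application actually calls.
  # NOTE(review): "logs" and "xray" have no entry in resource_restrictions
  # below, so whatever the module grants for them is not scoped to this
  # app's resources; add a "logs" entry once the log-group naming is known.
  allowed_services = [
    "s3",
    "dynamodb",
    "sqs",
    "sns",
    "logs",
    "xray",
  ]

  # Explicit denies. Assuming the module emits these as a Deny statement,
  # IAM evaluates them ahead of any Allow, so they stay in force even if
  # the allow-list above is widened later.
  denied_actions = [
    # Privilege escalation: no IAM changes (covers iam:PassRole) and no
    # role chaining from this principal.
    "iam:*",
    "sts:AssumeRole",
    # Data exfiltration: no reading, rewriting or removing the bucket
    # policy, no bucket deletion, and no ACL changes that could make the
    # bucket or individual objects publicly readable. Drop s3:PutObjectAcl
    # only if uploads genuinely need bucket-owner-full-control.
    "s3:GetBucketPolicy",
    "s3:PutBucketPolicy",
    "s3:DeleteBucketPolicy",
    "s3:DeleteBucket",
    "s3:PutBucketAcl",
    "s3:PutObjectAcl",
    # Infrastructure destruction
    "dynamodb:DeleteTable",
    "sqs:DeleteQueue",
    "sns:DeleteTopic",
    # Audit-log tampering: outright deletion, plus retention changes that
    # would age evidence out early.
    "logs:DeleteLogGroup",
    "logs:DeleteLogStream",
    "logs:PutRetentionPolicy",
    "logs:DeleteRetentionPolicy",
  ]

  # Scope the allowed services to this application's own resources.
  # NOTE(review): region and account are wildcarded ("*:*"), so a same-named
  # resource in another account would also match if its resource policy let
  # this principal in; pin the account ID here if one is available in scope.
  resource_restrictions = {
    # Object-level ARN only. Bucket-level actions such as s3:ListBucket need
    # the bare bucket ARN (no "/*"); add it deliberately if the app needs it.
    s3 = [
      "arn:aws:s3:::myapp-data-${var.environment}/*",
    ]
    dynamodb = [
      "arn:aws:dynamodb:*:*:table/myapp-*",
    ]
    sqs = [
      "arn:aws:sqs:*:*:myapp-*",
    ]
    sns = [
      "arn:aws:sns:*:*:myapp-*",
    ]
  }
}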
# Attach to application service role
resource "aws_iam_role_policy_attachment" "app_service" {
  # Bind the module-generated managed policy to the application's runtime role.
  policy_arn = module.least_privilege_policy.policy_arn
  role       = aws_iam_role.app_service.name
}