@skuenzli
Last active May 22, 2020 16:34
Potential Terraform module interface for declaring a least-privilege S3 bucket policy. The first listing is the Terraform an engineer would write; the second is the bucket policy JSON the module rendered from it (one Allow statement per capability, then an explicit Deny for every other principal).
# Engineers write this
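locals {
  # NOTE: 12345678910 is an 11-digit placeholder — real AWS account IDs are
  # 12 digits. Replace every ARN below with real principals before applying.

  # Principals allowed to change the bucket's own configuration (policy, ACL,
  # public access block, encryption, lifecycle, replication, delete bucket...).
  # Keep at least one durable, non-human principal here (e.g. the ci user) so
  # the policy can still be changed if a person's user is removed.
  administrator_arns = [
    "arn:aws:iam::12345678910:user/ci",
    "arn:aws:iam::12345678910:user/person1",
  ]

  # Principals allowed to read object data (GetObject*, listing versions and
  # multipart uploads).
  read_data_arns = [
    "arn:aws:iam::12345678910:user/person1",
    "arn:aws:iam::12345678910:role/appA",
  ]

  # Writers are deliberately the same set as readers in this example. For a
  # least-privilege policy, give read-only consumers (e.g. a reporting role)
  # their own list instead of aliasing read_data_arns.
  write_data_arns = "${local.read_data_arns}"
}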
# Renders the bucket policy shown below from the principal lists in `locals`.
# The rendered policy ends with a "DenyEveryoneElse" statement that explicitly
# denies s3:* to any aws:PrincipalArn not in the union of these lists, so
# other IAM users/roles in the account — including admins — are locked out of
# the bucket unless listed here. (The account root user is generally still
# able to delete a bucket policy; confirm before relying on that as recovery.)
module "declarative_privilege_policy" {
  source        = "k9securityio/tf_s3_bucket//k9policy"
  s3_bucket_arn = "${module.bucket_with_declarative_policy.s3.arn}"

  # Bucket-configuration privileges: Put*Configuration, PutBucketPolicy,
  # PutBucketAcl, PutBucketPublicAccessBlock, DeleteBucket, etc.
  allow_administer_resource = "${local.administrator_arns}"

  # Object-level privileges. The rendered read statement grants
  # s3:ListBucketVersions and multipart listing but not s3:ListBucket;
  # verify readers that need to list current keys still work.
  allow_read_data  = "${local.read_data_arns}"
  allow_write_data = "${local.write_data_arns}"

  # Left at their [] defaults. The rendered output still emits an
  # AllowRestrictedDeleteData statement whose aws:PrincipalArn list is empty;
  # confirm S3 accepts that statement and that it grants nothing.
  # allow_delete_data  = []
  # allow_use_resource = []
}
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowRestrictedAdministerResource",
"Effect": "Allow",
"Action": [
"s3:PutReplicationConfiguration",
"s3:PutMetricsConfiguration",
"s3:PutLifecycleConfiguration",
"s3:PutInventoryConfiguration",
"s3:PutEncryptionConfiguration",
"s3:PutBucketPublicAccessBlock",
"s3:PutBucketPolicy",
"s3:PutBucketObjectLockConfiguration",
"s3:PutBucketCORS",
"s3:PutBucketAcl",
"s3:PutAnalyticsConfiguration",
"s3:PutAccelerateConfiguration",
"s3:DeleteBucketWebsite",
"s3:DeleteBucketPolicy",
"s3:DeleteBucket"
],
"Resource": "arn:aws:s3:::qm-testenv-testbucket-declarative-policy-0d9b171d",
"Principal": {
"AWS": [
"arn:aws:iam::12345678910:user/person1",
"arn:aws:iam::12345678910:user/ci"
]
}
},
{
"Sid": "AllowRestrictedReadData",
"Effect": "Allow",
"Action": [
"s3:ListMultipartUploadParts",
"s3:ListBucketVersions",
"s3:ListBucketMultipartUploads",
"s3:GetObjectVersionTorrent",
"s3:GetObjectVersionTagging",
"s3:GetObjectVersionForReplication",
"s3:GetObjectVersionAcl",
"s3:GetObjectVersion",
"s3:GetObjectTorrent",
"s3:GetObjectTagging",
"s3:GetObjectRetention",
"s3:GetObjectLegalHold",
"s3:GetObjectAcl",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::qm-testenv-testbucket-declarative-policy-0d9b171d/*",
"arn:aws:s3:::qm-testenv-testbucket-declarative-policy-0d9b171d"
],
"Principal": {
"AWS": "*"
},
"Condition": {
"ArnEquals": {
"aws:PrincipalArn": [
"arn:aws:iam::12345678910:role/appA",
"arn:aws:iam::12345678910:user/person1"
]
}
}
},
{
"Sid": "AllowRestrictedWriteData",
"Effect": "Allow",
"Action": [
"s3:RestoreObject",
"s3:ReplicateTags",
"s3:ReplicateObject",
"s3:ReplicateDelete",
"s3:PutObjectVersionTagging",
"s3:PutObjectTagging",
"s3:PutObjectRetention",
"s3:PutObjectLegalHold",
"s3:PutObject",
"s3:AbortMultipartUpload"
],
"Resource": "arn:aws:s3:::qm-testenv-testbucket-declarative-policy-0d9b171d/*",
"Principal": {
"AWS": "*"
},
"Condition": {
"ArnEquals": {
"aws:PrincipalArn": [
"arn:aws:iam::12345678910:role/appA",
"arn:aws:iam::12345678910:user/person1"
]
}
}
},
{
"Sid": "AllowRestrictedDeleteData",
"Effect": "Allow",
"Action": [
"s3:DeleteObjectVersionTagging",
"s3:DeleteObjectVersion",
"s3:DeleteObjectTagging",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::qm-testenv-testbucket-declarative-policy-0d9b171d/*",
"Principal": {
"AWS": "*"
},
"Condition": {
"ArnEquals": {
"aws:PrincipalArn": []
}
}
},
{
"Sid": "DenyEveryoneElse",
"Effect": "Deny",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::qm-testenv-testbucket-declarative-policy-0d9b171d/*",
"arn:aws:s3:::qm-testenv-testbucket-declarative-policy-0d9b171d"
],
"Principal": {
"AWS": "*"
},
"Condition": {
"ArnNotEquals": {
"aws:PrincipalArn": [
"arn:aws:iam::12345678910:role/appA",
"arn:aws:iam::12345678910:user/person1",
"arn:aws:iam::12345678910:user/ci"
]
}
}
}
]
}