diff --git a/modules/backup/iam.tf b/modules/backup/iam.tf
index 6f36e87..b11c3db 100644
--- a/modules/backup/iam.tf
+++ b/modules/backup/iam.tf
@@ -54,20 +54,7 @@ data "aws_iam_policy_document" "graphdb_s3_key_admin_role_permissions" {
 "kms:EnableKeyRotation",
 "kms:ListResourceTags",
 "kms:ScheduleKeyDeletion",
- "kms:DisableKeyRotation"
- ]
-
- resources = [
- "arn:aws:kms:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:key/*",
- "arn:aws:kms:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:alias/*"
- ]
- }
-
- statement {
- effect = "Allow"
-
- actions = [
- "kms:ListAliases",
+ "kms:DisableKeyRotation",
 "tag:GetResources"
 ]
diff --git a/modules/graphdb/iam.tf b/modules/graphdb/iam.tf
index cdefef34..4daa5b2 100644
--- a/modules/graphdb/iam.tf
+++ b/modules/graphdb/iam.tf
@@ -395,20 +395,6 @@ data "aws_iam_policy_document" "graphdb_ebs_key_admin_role_permissions" {
 "tag:GetResources"
 ]
- resources = [
- "arn:aws:kms:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:key/*",
- "arn:aws:kms:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:alias/*"
- ]
- }
-
- statement {
- effect = "Allow"
-
- actions = [
- "kms:ListAliases",
- "tag:GetResources"
- ]
-
 resources = [
 "*"
 ]
@@ -484,20 +470,7 @@ data "aws_iam_policy_document" "graphdb_param_store_key_admin_role_permissions"
 "kms:EnableKeyRotation",
 "kms:ListResourceTags",
 "kms:ScheduleKeyDeletion",
- "kms:DisableKeyRotation"
- ]
-
- resources = [
- "arn:aws:kms:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:key/*",
- "arn:aws:kms:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:alias/*"
- ]
- }
-
- statement {
- effect = "Allow"
-
- actions = [
- "kms:ListAliases",
+ "kms:DisableKeyRotation",
 "tag:GetResources"
 ]
diff --git a/modules/monitoring/iam.tf b/modules/monitoring/iam.tf
index f7630a7..4f36b40 100644
--- a/modules/monitoring/iam.tf
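Review bot: Folding the key-admin actions into the statement that grants on `resources = ["*"]` lets `kms:ScheduleKeyDeletion`, `kms:DisableKeyRotation` and the other management actions in `graphdb_s3_key_admin_role_permissions` act on any KMS key the role can reach, instead of the `key/*` and `alias/*` ARNs in this account and region that the removed `resources` block pinned them to; the same consolidation is made in both hunks of modules/graphdb/iam.tf and in modules/monitoring/iam.tf. The `"*"` resource is visible as trailing context only in the graphdb_ebs hunk and is inferred for the other three, whose `resources` blocks lie past the hunk end. Only `tag:GetResources` needs `"*"` here, so keep it in its own statement and leave the kms actions scoped, e.g. `resources = ["arn:aws:kms:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:key/*"]` on the kms statement and `resources = ["*"]` on a separate `tag:GetResources` statement. `kms:ListAliases` is also dropped from every policy without mention; if nothing still calls it, say so in the commit message, otherwise restore it in the `"*"` statement since that action is not key-scoped.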
+++ b/modules/monitoring/iam.tf
@@ -53,19 +53,7 @@ data "aws_iam_policy_document" "graphdb_parameter_store_key_admin_role_permissio
 "kms:EnableKeyRotation",
 "kms:ListResourceTags",
 "kms:ScheduleKeyDeletion",
- "kms:DisableKeyRotation"
- ]
-
- resources = [
- "arn:aws:kms:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:key/*",
- "arn:aws:kms:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:alias/*"
- ]
- }
- statement {
- effect = "Allow"
-
- actions = [
- "kms:ListAliases",
+ "kms:DisableKeyRotation",
 "tag:GetResources"
 ]