From d792e97d05f8b828626b033624be32fc6c315928 Mon Sep 17 00:00:00 2001
From: root
Date: Fri, 25 Oct 2024 13:09:02 +0000
Subject: [PATCH] 2.191.0
---
 aws_v2/modules/iam/main.tf | 9 ++++++++-
 cross-account/CrossAccountPolicy.yaml | 8 +++++++-
 2 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/aws_v2/modules/iam/main.tf b/aws_v2/modules/iam/main.tf
index 3f900b0..5f9e5c1 100644
--- a/aws_v2/modules/iam/main.tf
+++ b/aws_v2/modules/iam/main.tf
@@ -315,7 +315,14 @@ resource "aws_iam_role_policy" "policy" {
 {
 "Sid": "RequiredForS3Import",
 "Effect": "Allow",
- "Action": "s3:ListAllMyBuckets",
+ "Action": [
+ "s3:ListAllMyBuckets",
+ "s3:GetObject",
+ "s3:RestoreObject",
+ "s3:GetObjectTagging",
+ "s3:ListBucket",
+ "s3:GetBucketLocation"
+ ],
 "Resource": "*"
 },
 {
diff --git a/cross-account/CrossAccountPolicy.yaml b/cross-account/CrossAccountPolicy.yaml
index c7bea61..523b40d 100644
--- a/cross-account/CrossAccountPolicy.yaml
+++ b/cross-account/CrossAccountPolicy.yaml
@@ -35,7 +35,13 @@ Statement:
 - arn:aws:ssm:*::document/AWS-RunPowerShellScript
 - Sid: RequiredForS3Import
 Effect: Allow
- Action: s3:ListAllMyBuckets
+ Action:
+ - s3:ListAllMyBuckets
+ - s3:GetObject
+ - s3:RestoreObject
+ - s3:GetObjectTagging
+ - s3:ListBucket
+ - s3:GetBucketLocation
 Resource: '*'
 - Sid: RequiredForKmsEncryptedEc2Import
 Effect: Allow
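Review bot: The widened `RequiredForS3Import` statement keeps `"Resource": "*"`, so `s3:GetObject`, `s3:RestoreObject`, `s3:GetObjectTagging` and `s3:ListBucket` now apply to every bucket and object this role's identity policy reaches rather than only the import source; the matching hunk in `cross-account/CrossAccountPolicy.yaml` has the same scope. Only `s3:ListAllMyBuckets` needs the wildcard; the other actions accept bucket and object ARNs, so I would split the statement as below and feed the bucket from a module variable or template parameter (`<IMPORT_BUCKET>` is a placeholder and the two new Sids are constructed names). If the bucket cannot be known at deploy time, a condition that narrows the grant (for example on an object tag) plus a comment saying why `*` is required would at least make the exposure explicit. The enclosing `aws_iam_role_policy` resource starts and ends outside the hunk, so which principal assumes this role is not visible here.

```hcl
{
  "Sid": "RequiredForS3Import",
  "Effect": "Allow",
  "Action": "s3:ListAllMyBuckets",
  "Resource": "*"
},
{
  "Sid": "RequiredForS3ImportBucket",
  "Effect": "Allow",
  "Action": [
    "s3:ListBucket",
    "s3:GetBucketLocation"
  ],
  "Resource": "arn:aws:s3:::<IMPORT_BUCKET>"
},
{
  "Sid": "RequiredForS3ImportObjects",
  "Effect": "Allow",
  "Action": [
    "s3:GetObject",
    "s3:RestoreObject",
    "s3:GetObjectTagging"
  ],
  "Resource": "arn:aws:s3:::<IMPORT_BUCKET>/*"
},
```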