I have a requirement to restrict access in all regions except eu-west-2 (with an exception for modifying S3 bucket items). The user can view all regions in the console, but their access will be read-only for the most part, apart from being able to modify S3 bucket items. For one specific region, eu-west-2, we want to allow full access.
The following is what I have come up with so far, but I am not sure how denying all other access will interact with my current statements.
# Developer policy document: starts from the power_user policy (presumably an AWS-managed
# power-user policy; its content is not visible here) via source_policy_documents and adds
# the statements below.
# NOTE(review): the region restriction described in the question (full access only in
# eu-west-2, read-only elsewhere except S3 bucket items) is not present yet. The usual
# mechanism is an explicit Deny statement conditioned on the global condition key
# aws:RequestedRegion; it needs carve-outs for the read-only actions that should stay
# allowed everywhere, for the S3 object writes, and for region-less global services
# (IAM, STS, ...) which would otherwise be blocked as well.
data "aws_iam_policy_document" "developer" {
source_policy_documents = [data.aws_iam_policy.power_user.policy]
# NOTE(review): no effect is set, so Terraform defaults this statement to Allow. Together
# with not_resources it GRANTS iam:* on every IAM resource that is not a role or user in
# this account (e.g. policies and groups). If the sid's intent is to forbid touching
# roles and users, this should probably be effect = "Deny" with resources (not
# not_resources) - confirm against the requirement before relying on it.
statement {
sid = "DoNotAllowAnyOtherRolesOrUsers"
actions = ["iam:*"]
not_resources = [
"arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/*",
"arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/*"
]
}
# Explicit deny of every sts:AssumeRole* action on every role ("*"), not only "other"
# roles. An explicit Deny overrides any Allow inherited from power_user, so this also
# blocks role switching in the console and cross-account role assumption.
statement {
sid = "DenyAssumingOtherRoles"
effect = "Deny"
actions = ["sts:AssumeRole*"]
resources = ["*"]
}
# Explicit deny of deleting log groups/streams (tamper resistance) and of writing log
# events. NOTE(review): denying logs:PutLogEvents also stops anything that runs with this
# principal's credentials from writing logs - confirm that is intended.
statement {
sid = "DenyLogsModification"
effect = "Deny"
actions = [
"logs:DeleteLogStream",
"logs:DeleteLogGroup",
"logs:PutLogEvents",
]
resources = ["*"]
}
# Explicit deny of reading secret values unless the secret carries the DeveloperAccess
# resource tag. test = "Null" with value "true" matches when the tag key is ABSENT, so
# this only checks that the tag exists, not what value it holds (DeveloperAccess=false
# would still allow retrieval, subject to the inherited Allow statements).
statement {
sid = "DenySecretsRetrieval"
effect = "Deny"
actions = ["secretsmanager:GetSecretValue"]
condition {
test = "Null"
variable = "secretsmanager:ResourceTag/DeveloperAccess"
values = [
"true"
]
}
resources = ["*"]
}
}