Merge pull request #1818 from alphagov/sengi/powerusers-only-change-o…

…wn-keys `poweruser` roles should only allow rotating the user's own keys.
alphagov · Feb 13, 2024 · 55a3b49 · 55a3b49
2 parents 5c95aa6 + 0ad58c9
commit 55a3b49
Showing 1 changed file with 1 addition and 3 deletions.
diff --git a/terraform/projects/infra-security/main.tf b/terraform/projects/infra-security/main.tf
@@ -260,9 +260,7 @@ data "aws_iam_policy_document" "allow-iam-key-rotation" {
       "iam:ListAccessKeys",
       "iam:UpdateAccessKey",
     ]
-
-    effect    = "Allow"
-    resources = ["*"]
+    resources = ["arn:aws:iam::*:user/&{aws:username}"]
   }
 }