Make policies granular

Author: anajmi07

infra/modules/agentcore-iam-role/bedrock-agentcore-policy.tf

@@ -11,7 +11,11 @@ resource "aws_iam_policy" "bedrock_permissions" {
           "bedrock:InvokeModel",
           "bedrock:InvokeModelWithResponseStream"
         ]
-        Resource = "*"
+        Resource = [
+          "arn:aws:bedrock:${data.aws_region.current.name}::foundation-model/anthropic.*",
+          "arn:aws:bedrock:${data.aws_region.current.name}::foundation-model/amazon.*",
+          "arn:aws:bedrock:${data.aws_region.current.name}::foundation-model/meta.*"
+        ]
       }
     ]
   })
@@ -100,7 +104,9 @@ resource "aws_iam_policy" "monitoring_permissions" {
           "xray:GetSamplingRules",
           "xray:GetSamplingTargets"
         ]
-        Resource = "*"
+        Resource = [
+          "arn:aws:xray:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:trace/*"
+        ]
       },
       {
         Effect   = "Allow"

infra/modules/knowledge-base/main.tf

@@ -7,7 +7,10 @@ resource "aws_iam_role_policy" "bedrock_kb_sample_kb_model" {
     Version = "2012-10-17"
     Statement = [
       {
-        Action   = ["aoss:*"]
+        Action   = [
+          "aoss:APIAccessAll",
+          "aoss:DashboardsAccessAll"
+        ]
         Effect   = "Allow"
         Resource = [var.opensearch_arn]
       },