
Commit 7a24dc9

anajmi07athewsey
authored andcommitted
Limit permissions for service roles
1 parent 1003580 commit 7a24dc9

2 files changed

+11
-3
lines changed


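--- a/infra/modules/agentcore-iam-role/bedrock-agentcore-policy.tf
+++ b/infra/modules/agentcore-iam-role/bedrock-agentcore-policy.tf
@@ -45,7 +45,9 @@ resource "aws_iam_policy" "ecr_permissions" {
 Action = [
 "ecr:GetAuthorizationToken"
 ]
-Resource = "*"
+Resource = [
+"arn:aws:ecr:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:*"
+]
 }
 ]
 })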
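Review bot: Scoping `ecr:GetAuthorizationToken` to an ECR ARN on the new `Resource` lines will most likely break the role rather than tighten it: per the IAM service authorization reference that action does not support resource-level permissions and must be granted on `Resource = "*"`, so a statement with an ARN resource never matches and the token call fails with AccessDenied. The least-privilege intent is better served by keeping this statement as `Resource = "*"` (with a comment such as `# GetAuthorizationToken is account-wide; it does not accept a resource ARN`) and scoping the image-pull actions — `ecr:BatchGetImage`, `ecr:GetDownloadUrlForLayer`, `ecr:BatchCheckLayerAvailability`, if they exist elsewhere in this policy — to the specific repository ARNs instead. The statement this hunk edits opens outside the hunk, so I cannot see whether those actions are in the same or a separate statement; if they share one, they need splitting into two statements.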

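--- a/infra/modules/knowledge-base/main.tf
+++ b/infra/modules/knowledge-base/main.tf
@@ -8,8 +8,14 @@ resource "aws_iam_role_policy" "bedrock_kb_sample_kb_model" {
 Statement = [
 {
 Action = [
-"aoss:APIAccessAll",
-"aoss:DashboardsAccessAll"
+"aoss:CreateIndex",
+"aoss:DescribeIndex",
+"aoss:UpdateIndex",
+"aoss:DeleteIndex",
+"aoss:WriteDocument",
+"aoss:ReadDocument",
+"aoss:SearchDocument",
+"aoss:DeleteDocument"
 ]
 Effect = "Allow"
 Resource = [var.opensearch_arn]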
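Review bot: The replacement action names on the new side (`aoss:CreateIndex`, `aoss:WriteDocument`, `aoss:ReadDocument`, etc.) are, as far as I can tell, OpenSearch Serverless data-access-policy permission strings, not IAM actions; the only IAM data-plane action for a collection is `aoss:APIAccessAll`, which is also what the Bedrock Knowledge Base service-role documentation requires. IAM will accept the unknown action strings without complaint, but they grant nothing, so the knowledge base's ingestion and query calls against the collection will start returning 403 after this applies. Dropping `aoss:DashboardsAccessAll` is a correct reduction, but I would keep `"aoss:APIAccessAll"` scoped to `var.opensearch_arn` here and express the index/document-level restriction in the collection's data access policy (`aws_opensearchserverless_access_policy`), where those permission names actually apply, with a short comment noting the split. The enclosing `aws_iam_role_policy` resource and its statement both continue outside the hunk.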
