create a more compact list of permissions

mattclay · Jan 27, 2022 · 9a43de4 · 9a43de4
1 parent c97ca53
commit 9a43de4
Showing 1 changed file with 10 additions and 13 deletions.
diff --git a/aws/policy/data-services.yaml b/aws/policy/data-services.yaml
@@ -17,6 +17,9 @@ Statement:
       - glue:GetConnections
       - rds:DescribeDB*
       - rds:List*
+      - es:Describe*
+      - es:Get*
+      - es:List*
     Resource: "*"
   - Sid: AllowGlobalResourceRestrictedActionsWhichIncurNoFees
     Effect: Allow
@@ -124,13 +127,20 @@ Statement:
       - rds:CreateDBCluster
       - elasticache:CreateCacheCluster
       - redshift:CreateCluster
+      - es:AddTags
+      - es:CreateDomain
+      - es:DeleteDomain
+      - es:RemoveTags
+      - es:UpdateDomainConfig
+      - es:UpgradeDomain
     Resource:
       - 'arn:aws:rds:{{ aws_region }}:{{ aws_account_id }}:cluster:*'
       - 'arn:aws:elasticache:{{ aws_region }}:{{ aws_account_id }}:cluster:*'
       - 'arn:aws:elasticache:{{ aws_region }}:{{ aws_account_id }}:subnetgroup:*'
       - 'arn:aws:elasticache:{{ aws_region }}:{{ aws_account_id }}:parametergroup:*'
       - 'arn:aws:elasticache:{{ aws_region }}:{{ aws_account_id }}:securitygroup:*'
       - 'arn:aws:redshift:{{ aws_region }}:{{ aws_account_id }}:cluster:*'
+      - 'arn:aws:es:{{ aws_region }}:{{ aws_account_id }}:domain:*'
   # This allows AWS Services to automatically create their Default Service Linked Roles
   # These have fixed policies and can only be assumed by the service itself.
   - Sid: AllowServiceLinkedRoleCreation
@@ -183,16 +193,3 @@ Statement:
       - kafka:UntagResource
       - kafka:ListClusterOperations
     Resource: "*"
-  - Sid: OpenSearchCluster
-    Effect: Allow
-    Action:
-      - es:AddTags
-      - es:CreateDomain
-      - es:Describe*
-      - es:Get*
-      - es:List*
-      - es:DeleteDomain
-      - es:RemoveTags
-      - es:UpdateDomainConfig
-      - es:UpgradeDomain
-    Resource: "*"