🔒 Refactor AP Service Role Policy

[julialawrence]

User Story

Cut down the number of permissions in the analytical platform ui service role so it adheres to the principle of least-privilege.

Value / Purpose

The analytical platform UI service role is currently defined with a number of service:* permissions in its policy. This allows us to speed development of a critical piece of work but is not sound security-wise. Before it goes before users, we want to create a usable but secure role.

Useful Contacts

Michael Collins, Julia Lawrence

User Types

AP Ops

Hypothesis

No response

Proposal

Refactor this policy to only allow enough actions to perform APUI functions and remove blanket service permisions:
https://github.com/ministryofjustice/modernisation-platform-environments/blob/98f36ad5f4a2e501a7df60477d4f2a26cebd696f/terraform/environments/analytical-platform-compute/iam-policies.tf#L208

Additional Information

No response

Definition of Done

• Role policy refactored
• Policy tested
• Policy deployed
• Another team member has reviewed
• Tests are green

[github-actions]

This issue is being marked as stale because it has been open for 60 days with no activity. Remove stale label or comment to keep the issue open.

[github-actions]

This issue is being closed because it has been open for a further 7 days with no activity. If this is still a valid issue, please reopen it, Thank you!