Merge pull request #836 from ministryofjustice/SP-1078
SP-1078 - Allow S3 Multi Region Endpoint Control Plane Requests to us-west-2 #minor
jakemulley authored Nov 7, 2023
2 parents 9a85ea3 + 5c3df88 commit a6a653d
Showing 1 changed file with 11 additions and 1 deletion.
@@ -167,14 +167,24 @@ data "aws_iam_policy_document" "deny_non_eu_non_us_east_1_operations" {
}
}

# Deny anything apart from Network Manager in us-west-2
# Deny anything apart from Network Manager and S3 Global Endpoint Management Operations in us-west-2
statement {
effect = "Deny"
not_actions = [
"networkmanager:*",
"cloudwatch:List*", # To view the Network Manager log group
"cloudwatch:Get*", # To view the Network Manager log group
"cloudwatch:Describe*", # To view the Network Manager log group
"s3:CreateMultiRegionAccessPoint",
"s3:DeleteMultiRegionAccessPoint",
"s3:DescribeMultiRegionAccessPointOperation",
"s3:GetMultiRegionAccessPoint",
"s3:GetMultiRegionAccessPointPolicy",
"s3:GetMultiRegionAccessPointPolicyStatus",
"s3:GetMultiRegionAccessPointRoutes",
"s3:ListMultiRegionAccessPoints",
"s3:PutMultiRegionAccessPointPolicy",
"s3:SubmitMultiRegionAccessPointRoutes"
]
resources = ["*"]
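Review bot: The ten `s3:…MultiRegionAccessPoint…` entries added to `not_actions` carry no explanation, unlike the `cloudwatch:*` lines above them, and four of them are mutating (`s3:CreateMultiRegionAccessPoint`, `s3:DeleteMultiRegionAccessPoint`, `s3:PutMultiRegionAccessPointPolicy`, `s3:SubmitMultiRegionAccessPointRoutes`). A `not_actions` exemption grants nothing by itself, but it lifts this guardrail for every principal the policy covers, so any identity that already holds a broad `s3:*` allow can now create Multi-Region Access Points or change their policy. I would add a comment such as `# S3 Multi-Region Access Point control-plane requests are routed to us-west-2` above the block, and consider whether the write actions need exempting for all principals or only for the role that manages these access points. The statement's `condition` and closing brace are outside the hunk, so any existing principal or region scoping is not visible here.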

