From 55b94ff548bdf4351af0b43c095fe6f550caf36d Mon Sep 17 00:00:00 2001
From: chrisbloe-nhse <151756494+chrisbloe-nhse@users.noreply.github.com>
Date: Tue, 2 Apr 2024 12:48:56 +0100
Subject: [PATCH] Remove DynamoDB Scan capability for ecs task (#249)

Co-authored-by: Kris Bloe
---
 terraform/iam.tf | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/terraform/iam.tf b/terraform/iam.tf
index 6fc2209e..d77b9a54 100644
--- a/terraform/iam.tf
+++ b/terraform/iam.tf
@@ -186,8 +186,7 @@ resource "aws_iam_role_policy_attachment" "ecs_dynamo_attach" {
 data "aws_iam_policy_document" "transfer-tracker-db-indexes-access" {
 statement {
 actions = [
- "dynamodb:Query",
- "dynamodb:Scan"
+ "dynamodb:Query"
 ]
 resources = [
 "arn:aws:dynamodb:${var.region}:${data.aws_caller_identity.current.account_id}:table/${aws_dynamodb_table.transfer_tracker.name}/index/*"
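Review bot: The remaining statement still grants `dynamodb:Query` on `index/*`, i.e. every current and future GSI/LSI of `transfer_tracker`; if the ECS task only reads a known set of indexes, naming them (`.../index/<name>`) instead of the wildcard would stop a later index addition from silently widening the role. It would also help to record the intent next to the action list so Scan is not re-added on the next "query is slow" ticket, e.g. `# Query only: Scan reads the whole index and was deliberately removed in #249`. Whether a matching read grant on the base table exists elsewhere in iam.tf cannot be seen from this hunk, and the enclosing `data "aws_iam_policy_document"` block closes outside it.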