From 348a4409d67ede42e9c976a8cf99870e19859ab7 Mon Sep 17 00:00:00 2001
From: Brian Helba
Date: Fri, 31 Jul 2020 09:46:37 -0400
Subject: [PATCH] Use a more granular policy for storage access

---
 modules/storage/main.tf | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/modules/storage/main.tf b/modules/storage/main.tf
index ca5e117..84c410b 100644
--- a/modules/storage/main.tf
+++ b/modules/storage/main.tf
@@ -68,12 +68,17 @@ data "aws_iam_policy_document" "storage_bucket" {
 data "aws_iam_policy_document" "storage_django" {
 statement {
 actions = [
- # TODO Figure out minimal set of permissions django storages needs for S3
- "s3:*",
+ "s3:ListBucket",
 ]
- resources = [
- aws_s3_bucket.storage.arn,
- "${aws_s3_bucket.storage.arn}/*",
+ resources = [aws_s3_bucket.storage.arn]
+ }
+ statement {
+ actions = [
+ "s3:GetObject",
+ "s3:PutObject",
+ "s3:DeleteObject",
+ "s3:AbortMultipartUpload",
 ]
+ resources = ["${aws_s3_bucket.storage.arn}/*"]
 }
 }
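Review bot: The object-level statement grants `"s3:PutObject"` without `"s3:PutObjectAcl"`, so any upload that attaches a canned ACL is rejected by S3 with AccessDenied; django-storages sends one whenever its AWS_DEFAULT_ACL setting is non-None, which I cannot confirm from this hunk, so either verify that setting is None (the narrower grant is then correct and preferable) or add `"s3:PutObjectAcl",` next to `"s3:PutObject",`. The dropped TODO was the only explanation of what this policy exists for, and the new statements carry none; a short comment above each, such as `# Bucket-level: listdir()/exists() via ListObjects` and `# Object-level: head/get, upload (multipart is covered by PutObject), delete, abort stale multipart uploads`, would let the next reader check the set against the backend instead of guessing. Note that s3:PutObject already covers CreateMultipartUpload, UploadPart and CompleteMultipartUpload, so AbortMultipartUpload is the only extra multipart action required unless the backend also lists parts of an in-progress upload, which would need s3:ListMultipartUploadParts — worth a one-line comment if that is why it was added. The surrounding data block closes inside the hunk, but the bucket policy that the `@@` context names starts above it.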