Broaden scope of actions against CDK buckets, allow CDN invalidations

West-Michigan-AWS-Users-Group · Jan 31, 2025 · c849d10 · c849d10
1 parent 5a86e7c
commit c849d10
Showing 1 changed file with 33 additions and 35 deletions.
diff --git a/lib/wmaug-management-infrastructure-sso.ts b/lib/wmaug-management-infrastructure-sso.ts
@@ -104,42 +104,40 @@ export class Sso extends cdk.Stack {
     );
     // Member permission set
     const wmaugMemberPermissionSet = new sso.CfnPermissionSet(
-  this,
-  "wmaugMemberPermissionSet",
-  {
-    inlinePolicy: {
-      Version: "2012-10-17",
-      Statement: [
-        {
-          Effect: "Allow",
-          Action: "sts:AssumeRole",
-          Resource: "arn:aws:iam::*:role/cdk-*",
-        },
-        {
-          Effect: "Allow",
-          Action: [
-            "s3:PutObject",
-            "s3:GetObject",
-            "s3:ListBucket",
-            "s3:DeleteObject",
-            "s3:PutObjectAcl",
-            "s3:GetObjectAcl",
-            "s3:DeleteObjectAcl"
+      this,
+      "wmaugMemberPermissionSet",
+      {
+        inlinePolicy: {
+          Version: "2012-10-17",
+          Statement: [
+            {
+              Effect: "Allow",
+              Action: "sts:AssumeRole",
+              Resource: "arn:aws:iam::*:role/cdk-*",
+            },
+            {
+              Effect: "Allow",
+              Action: ["s3:*"],
+              Resource: ["arn:aws:s3:::cdk-*", "arn:aws:s3:::cdk-*/*"],
+            },
+            {
+              Effect: "Allow",
+              Action: [
+                "cloudfront:UpdateDistribution",
+                "cloudfront:DeleteDistribution",
+                "cloudfront:CreateInvalidation",
+              ],
+              Resource: "*",
+            },
           ],
-          Resource: [
-            "arn:aws:s3:::cdk-*",
-            "arn:aws:s3:::cdk-*/*"
-          ]
-        }
-      ],
-    },
-    instanceArn: instanceArnParam.valueAsString,
-    name: "wmaugMemberPermissionSet",
-    description: "Permission set WMAUG members will use",
-    managedPolicies: ["arn:aws:iam::aws:policy/ReadOnlyAccess"],
-    sessionDuration: "PT12H",
-  },
-);
+        },
+        instanceArn: instanceArnParam.valueAsString,
+        name: "wmaugMemberPermissionSet",
+        description: "Permission set WMAUG members will use",
+        managedPolicies: ["arn:aws:iam::aws:policy/ReadOnlyAccess"],
+        sessionDuration: "PT12H",
+      },
+    );
 
     // Assign member users to member account
     new sso.CfnAssignment(this, "wmaugMemberAssignment", {