From d4a4ea01c52e6c20f071228996c7208ec1dae54c Mon Sep 17 00:00:00 2001 From: badra001 Date: Wed, 14 Apr 2021 06:17:56 -0400 Subject: [PATCH] v1.10.3: [iam-general-policies] add deny-readonly-data --- CHANGELOG.md | 4 ++ common/version.tf | 2 +- iam-general-policies/README.md | 80 +++++++++++++++---------- iam-general-policies/custom_policies.tf | 10 ++++ iam-general-policies/main.tf | 6 ++ iam-general-policies/policy_data.tf | 19 ++++++ 6 files changed, 87 insertions(+), 34 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a0e1115..c746dc2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -87,3 +87,7 @@ * v1.10.2 -- 20210413 - ses-domain - update use case text to be more descriptive + +* v1.10.3 -- 20210414 + - iam-general-policies + - add deny-readonly-data diff --git a/common/version.tf b/common/version.tf index e8d4dab..8fa9c1f 100644 --- a/common/version.tf +++ b/common/version.tf @@ -1,3 +1,3 @@ locals { - _module_version = "1.10.2" + _module_version = "1.10.3" } diff --git a/iam-general-policies/README.md b/iam-general-policies/README.md index 14e3af5..262261b 100644 --- a/iam-general-policies/README.md +++ b/iam-general-policies/README.md @@ -1,6 +1,6 @@ # aws-inf-setup :: iam-general-policies -# Usage +# Usage Here is a simple example, the one most commonly expected to be used. ```hcl @@ -9,8 +9,8 @@ module "general" { } ``` -This one can be used if you need to customize stuff, though really, the defaults are all built -for a reason, and deployment code (i.e., Ansible) will expect these defaults to be used in +This one can be used if you need to customize stuff, though really, the defaults are all built +for a reason, and deployment code (i.e., Ansible) will expect these defaults to be used in variable file generation. ```hcl @@ -28,7 +28,7 @@ module "general_full" { } } } -``` +``` Once IP addresses are available for NAT Gateways or VPC, they can be added like: ```hcl module "general" { 
@@ -40,7 +40,7 @@ module "general" { } ``` -# Managed Policies +# Managed Policies This provides a number of AWS manged policies > `module.general.managed_policies[KEY] = ARN` * AdministratorAccess @@ -58,24 +58,30 @@ This provides some custom policies that are to be applied to some accounts and g ```hcl object = { "name" - "path" - "description" - "policy" + "path" + "description" + "policy" "create_policy" "policy_arn" } ``` * manage-access-keys + Allows for self-managing access keys (for rotating) * manage-credentials -* deny-billing + Allows for self-managing password credentials +* deny-billing + Denies access to Billing functions +* deny-readonly-data + When combined with a ReadOnly permission set, denies read access on S3, DynamodDB items, and others + These are policy documents, used liberally, as needed by applications (typically, EC2 instance roles). > `module.general.custom_policy_documents[KEY] = { object }` ```hcl object = { "name" - "description" - "policy" + "description" + "policy" "create_policy" } 
@@ -93,41 +99,49 @@ No requirements. | Name | Version | |------|---------| -| aws | n/a | +| [aws](#provider\_aws) | n/a | ## Modules -No Modules. +No modules. ## Resources -| Name | -|------| -| [aws_arn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | -| [aws_caller_identity](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | -| [aws_iam_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | -| [aws_iam_policy_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | -| [aws_region](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | +| Name | Type | +|------|------| +| [aws_iam_policy.general](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_iam_policy_document.deny_billing](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.deny_readonly_data](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.ec2_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.ip_restriction](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.lambda_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| 
[aws_iam_policy_document.manage_credentials](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.manage_keys](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.root_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.sts_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| account\_alias | AWS Account Alias | `string` | `""` | no | -| account\_id | AWS Account ID (default will pull from current user) | `string` | `""` | no | -| component\_tags | Additional tags for Components (policy) | `map(map(string))` |
{
"policy": {}
}
| no | -| ipr\_additional\_cidr\_blocks | Additional CIDR blocks for IP based API restrictions (default: none) | `list(string)` | `[]` | no | -| ipr\_base\_cidr\_blocks | Base CIDR blocks for IP based API restrictions (default: census public network) | `list(string)` |
[
"148.129.0.0/16"
]
| no | -| ipr\_nat\_gateway\_cidr\_blocks | NAT Gateway CIDR blocks for IP based API restrictions (default: none) | `list(string)` | `[]` | no | -| ipr\_vpc\_cidr\_blocks | VPC CIDR blocks for IP based API restrictions (default: none) | `list(string)` | `[]` | no | -| override\_prefixes | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no | -| tags | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no | +| [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no | +| [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no | +| [component\_tags](#input\_component\_tags) | Additional tags for Components (policy) | `map(map(string))` |
{
"policy": {}
}
| no | +| [ipr\_additional\_cidr\_blocks](#input\_ipr\_additional\_cidr\_blocks) | Additional CIDR blocks for IP based API restrictions (default: none) | `list(string)` | `[]` | no | +| [ipr\_base\_cidr\_blocks](#input\_ipr\_base\_cidr\_blocks) | Base CIDR blocks for IP based API restrictions (default: census public network) | `list(string)` |
[
"148.129.0.0/16"
]
| no | +| [ipr\_nat\_gateway\_cidr\_blocks](#input\_ipr\_nat\_gateway\_cidr\_blocks) | NAT Gateway CIDR blocks for IP based API restrictions (default: none) | `list(string)` | `[]` | no | +| [ipr\_vpc\_cidr\_blocks](#input\_ipr\_vpc\_cidr\_blocks) | VPC CIDR blocks for IP based API restrictions (default: none) | `list(string)` | `[]` | no | +| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no | +| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no | ## Outputs | Name | Description | |------|-------------| -| custom\_policies | Custom Policies | -| custom\_policies\_arn | Custom Policies ARN | -| custom\_policy\_documents | Custom Policy Documents (no IAM policy) | -| managed\_policies | AWS Managed Policy name to ARN mapping | +| [custom\_policies](#output\_custom\_policies) | Custom Policies | +| [custom\_policies\_arn](#output\_custom\_policies\_arn) | Custom Policies ARN | +| [custom\_policy\_documents](#output\_custom\_policy\_documents) | Custom Policy Documents (no IAM policy) | +| [managed\_policies](#output\_managed\_policies) | AWS Managed Policy name to ARN mapping | diff --git a/iam-general-policies/custom_policies.tf b/iam-general-policies/custom_policies.tf index c819e95..452f3a4 100644 --- a/iam-general-policies/custom_policies.tf +++ b/iam-general-policies/custom_policies.tf 
@@ -28,7 +28,17 @@ locals { policy = data.aws_iam_policy_document.ip_restriction.json create_policy = true } + "deny_readonly_data" = { + name = "deny-readonly-data" + path = "/" + description = "Policy to deny access to data where ReadOnly access is provied" + policy = data.aws_iam_policy_document.deny_readonly_data.json + create_policy = true + } + #--- + # sts + #--- "ec2_assume" = { name = "ec2_assume" description = "Policy document for EC2 sts:assumerole (instance role)" diff --git a/iam-general-policies/main.tf b/iam-general-policies/main.tf index 53441a7..e00bcda 100644 --- a/iam-general-policies/main.tf +++ b/iam-general-policies/main.tf @@ -67,8 +67,14 @@ * } * ``` * * manage-access-keys +* Allows for self-managing access keys (for rotating) * * manage-credentials +* Allows for self-managing password credentials * * deny-billing +* Denies access to Billing functions +* * deny-readonly-data +* When combined with a ReadOnly permission set, denies read access on S3, DynamodDB items, and others +* * These are policy documents, used liberally, as needed by applications (typically, EC2 instance roles). * > `module.general.custom_policy_documents[KEY] = { object }` * ```hcl diff --git a/iam-general-policies/policy_data.tf b/iam-general-policies/policy_data.tf index 53ca45a..6eb2702 100644 --- a/iam-general-policies/policy_data.tf +++ b/iam-general-policies/policy_data.tf @@ -82,6 +82,25 @@ data "aws_iam_policy_document" "ip_restriction" { } } +data "aws_iam_policy_document" "deny_readonly_data" { + statement { + sid = "DenyGetAccessToData" + effect = "Deny" + actions = [ + "sqs:Receive*", + "s3:GetObject*", + "dynamodb:BatchGet*", + "dynamodb:Get*", + "dynamodb:Query", + "dynamodb:Scan", + "athena:Batch*", + "athena:Get*", + # potentially kms:Decrypt* + ] + resources = ["*"] + } +} + #--- # sts (for roles) #---
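Review bot: The `description` string on the added `deny_readonly_data` entry misspells "provided" as `provied`, and because this value is written into the IAM policy it is what operators and audit tooling will see; `description = "Policy to deny access to data where ReadOnly access is provided"`. The description could also state that this is a standalone explicit Deny meant to be attached alongside a ReadOnly permission set, as the README says, since nothing in the entry itself records that and an explicit Deny attached on its own grants nothing. The enclosing `locals` block starts outside the hunk.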
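Review bot: The added comment line for deny-readonly-data misspells "DynamoDB" as `DynamodDB`; the same wording appears in the README hunk of this commit. `* When combined with a ReadOnly permission set, denies read access on S3, DynamoDB items, and others`. "and others" is vague for a comment whose job is to tell an operator what the policy blocks; naming the services the policy document actually covers (SQS receive, S3 GetObject, DynamoDB reads, Athena) would let them judge the gap against the permission set they pair it with. The comment block starts outside the hunk.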
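Review bot: The action list in `deny_readonly_data` does not cover every API that returns object or item contents from the services it targets: `s3:GetObject*` does not match `s3:SelectObjectContent`, and `dynamodb:Get*`/`Query`/`Scan` do not match `dynamodb:PartiQLSelect`, so a principal whose ReadOnly permission set allows those (whether it does is not visible here) can still read the data this Deny is meant to block. Adding `"s3:SelectObjectContent",` and `"dynamodb:PartiQLSelect",` to the list closes that gap, and the same check applies to other data-returning read actions (secretsmanager, ssm, kinesis) if the paired permission set grants them. The `# potentially kms:Decrypt*` comment leaves a decision open in shipped code; it should either be resolved or say what the trade-off is — for SSE-KMS objects an explicit deny on `kms:Decrypt` would block content reads regardless of which S3 action is used, but it would also deny every other use of those keys by the principal. It is worth recording next to the statement that an explicit Deny on `resources = ["*"]` overrides any Allow, so the document only has effect on principals it is attached to together with a read grant.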