From 9702ecf43edfa6e7b892c5b16b8a8875d220c807 Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Wed, 10 Jun 2026 19:36:16 -0400
Subject: [PATCH] remove sagemaker, consolidate statements

---
 policies/sc-developer/policy.tf | 132 ++++++++------------------------
 1 file changed, 34 insertions(+), 98 deletions(-)

diff --git a/policies/sc-developer/policy.tf b/policies/sc-developer/policy.tf
index c8a366d..bf34488 100644
--- a/policies/sc-developer/policy.tf
+++ b/policies/sc-developer/policy.tf
@@ -45,53 +45,57 @@ data "aws_iam_policy_document" "inline" {
 ]
 resources = ["*"]
 }
- # need to exclude inf-* things
 statement {
 sid = "AllowServicesAllResources"
 effect = "Allow"
 resources = ["*"]
 actions = [
- "athena:*",
+ "aoss:*",
 "apigateway:*",
 "appconfig:*",
+ "athena:*",
+ "batch:*",
 "bedrock:*",
- "logs:*",
 "cloudshell:*",
 "cloudwatch:*",
 "codebuild:*",
 "codecommit:*",
 "codedeploy:*",
 "codepipeline:*",
- "dynamodb:*",
+ "cognito-identity:*",
+ "cognito-idp:*",
+ "cognito-sync:*",
 "dms:*",
+ "dynamodb:*",
 "ebs:*",
 "ecr:*",
 "ecs:*",
 "eks:*",
 "elasticfilesystem:*",
 "elasticloadbalancing:*",
+ "elasticloadbalancingv2:*",
+ "elasticmapreduce:*",
+ "es:*",
+ "events:*",
 "firehose:*",
+ "glue:*",
 "inspector2:BatchGet*",
 "inspector2:Describe*",
 "inspector2:Get*",
 "inspector2:List*",
- "elasticloadbalancingv2:*",
- "elasticmapreduce:*",
- "es:*",
- "aoss:*",
- "glue:*",
+ "kinesis:*",
 "lambda:*",
+ "logs:*",
 "mq:*",
 "quicksight:*",
 "rds:*",
 "s3:*",
 "s3files:*",
 "secretsmanager:*",
- "states:*",
+ "sns:*",
 "sqs:*",
- "kinesis:*",
+ "states:*",
 "transfer:*",
- "sagemaker:*",
 ]
 }
 statement {
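Review bot: Adding `"events:*"` to `AllowServicesAllResources`, whose `resources = ["*"]`, grants every EventBridge action on every rule, so the `not_resources` exclusion for `rule/DO_NOT_TELETE` in the later `AllowEvents` Allow statement (hunk at @@ -428) no longer withholds anything, and the removed `AllowEventBusEvents` statement (hunk at @@ -186) had granted only `events:DescribeRule`, `events:List*`, `events:PutRule` and `events:PutTargets`. Unless the wider grant is intended, keep those four actions in this list in place of `"events:*"`, or protect the DO_NOT_TELETE rule with an explicit Deny statement so the consolidated wildcard cannot reach it. The removed notes `# need to exclude inf-* things` here and `# scope these to restrict inf- keys` above `AllowKMS` (hunk at @@ -295) recorded scoping work that this commit does not do; if it is not tracked elsewhere, keep a marker such as `# TODO: exclude inf-* resources from this statement`. The same applies to `# really needed?` on the Cognito actions (hunk at @@ -99), which are now granted as `cognito-*:*` without that question being answered. The enclosing `aws_iam_policy_document` starts and ends outside this hunk.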
@@ -99,25 +103,13 @@ data "aws_iam_policy_document" "inline" {
 effect = "Allow"
 resources = ["*"]
 actions = [
- "application-autoscaling:RegisterScalableTarget",
- "application-autoscaling:PutScheduledAction",
- "application-autoscaling:PutScalingPolicy",
- "application-autoscaling:Describe*",
- "application-autoscaling:DeregisterScalableTarget",
- "application-autoscaling:DeleteScheduledAction",
 "application-autoscaling:DeleteScalingPolicy",
- ]
- }
- # really needed?
- statement {
- sid = "AllowCognito"
- effect = "Allow"
- resources = ["*"]
- actions = [
- "cognito-sync:*",
- "cognito-idp:*",
- "cognito-identity:*",
-
+ "application-autoscaling:DeleteScheduledAction",
+ "application-autoscaling:DeregisterScalableTarget",
+ "application-autoscaling:Describe*",
+ "application-autoscaling:PutScalingPolicy",
+ "application-autoscaling:PutScheduledAction",
+ "application-autoscaling:RegisterScalableTarget",
 ]
 }
 statement {
@@ -134,12 +126,12 @@ data "aws_iam_policy_document" "inline" {
 effect = "Allow"
 resources = ["*"]
 actions = [
- "cloudtrail:StartQuery",
 "cloudtrail:Describe*",
 "cloudtrail:GetTrailStatus",
 "cloudtrail:List*",
 "cloudtrail:ListPublicKeys",
 "cloudtrail:Lookup*",
+ "cloudtrail:StartQuery",
 ]
 }
 statement {
@@ -186,37 +178,9 @@ data "aws_iam_policy_document" "inline" {
 "ec2:ResetNetworkInterfaceAttribute",
 "ec2:RevokeSecurityGroupEgress",
 "ec2:RevokeSecurityGroupIngress",
+ "ec2:St*Instances",
 "ec2:UpdateSecurityGroupRuleDescriptionsEgress",
 "ec2:UpdateSecurityGroupRuleDescriptionsIngress",
- "ec2:St*Instances",
- ]
- }
- # maybe not right now
- statement {
- sid = "AllowEMR"
- effect = "Allow"
- resources = ["*"]
- actions = [
- "elasticmapreduce:*",
- ]
- }
- statement {
- sid = "AllowOpenSearch"
- effect = "Allow"
- resources = ["*"]
- actions = [
- "es:*",
- ]
- }
- statement {
- sid = "AllowEventBusEvents"
- effect = "Allow"
- resources = ["*"]
- actions = [
- "events:DescribeRule",
- "events:List*",
- "events:PutRule",
- "events:PutTargets",
 ]
 }
 statement {
@@ -247,18 +211,6 @@ data "aws_iam_policy_document" "inline" {
 "iam:AttachRolePolicy",
 ]
 }
- # statement {
- # sid = "AllowServiceLinkedRoleCreate"
- # effect = "Allow"
- # resources = [
- # "arn:aws-us-gov:iam::*:role/aws-service-role/dynamodb.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_DynamoDBTable",
- # "arn:aws-us-gov:iam::*:role/aws-service-role/ecs.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_ECSService",
- # "arn:aws-us-gov:iam::*:role/aws-service-role/rds.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_RDSCluster",
- # ]
- # actions = [
- # "iam:CreateServiceLinkedRole",
- # ]
- # }
 statement {
 sid = "AllowIamPassRole"
 effect = "Allow"
@@ -270,15 +222,15 @@ data "aws_iam_policy_document" "inline" {
 test = "StringEquals"
 variable = "iam:PassedToService"
 values = [
+ "apigateway.amazonaws.com",
+ "ecs-tasks.amazonaws.com",
+ "ecs.amazonaws.com",
 "firehose.amazonaws.com",
 "glue.amazonaws.com",
+ "lambda.amazonaws.com",
 "rds.amazonaws.com",
 "s3.amazonaws.com",
- "lambda.amazonaws.com",
- "ecs.amazonaws.com",
- "ecs-tasks.amazonaws.com",
 "states.amazonaws.com",
- "apigateway.amazonaws.com"
 ]
 }
 }
@@ -295,7 +247,6 @@ data "aws_iam_policy_document" "inline" {
 "kms:ListResourceTags",
 ]
 }
- # scope these to restrict inf- keys
 statement {
 sid = "AllowKMS"
 effect = "Allow"
@@ -357,14 +308,6 @@ data "aws_iam_policy_document" "inline" {
 "ssm:UpdateInstance*",
 ]
 }
- statement {
- sid = "AllowSNS"
- effect = "Allow"
- resources = ["*"]
- actions = [
- "sns:*",
- ]
- }
 statement {
 sid = "AllowStepFunctionExecution"
 effect = "Allow"
@@ -387,13 +330,13 @@ data "aws_iam_policy_document" "inline" {
 effect = "Allow"
 resources = ["*"]
 actions = [
- "support:SearchForCases",
- "support:ResolveCase",
- "support:RateCaseCommunication",
- "support:Describe*",
- "support:CreateCase",
- "support:AddCommunicationToCase",
 "support:AddAttachmentsToSet",
+ "support:AddCommunicationToCase",
+ "support:CreateCase",
+ "support:Describe*",
+ "support:RateCaseCommunication",
+ "support:ResolveCase",
+ "support:SearchForCases",
 ]
 }
 statement {
@@ -413,12 +356,6 @@ data "aws_iam_policy_document" "inline" {
 format(local.all_account_arn_iam, "role/r-eks-*-cluster-admin"),
 ]
 }
- statement {
- sid = "AllowBatch"
- effect = "Allow"
- actions = ["batch:*"]
- resources = ["*"]
- }
 statement {
 sid = "AllowEvents"
 effect = "Allow"
@@ -428,6 +365,5 @@ data "aws_iam_policy_document" "inline" {
 not_resources = [
 format("arn:%v:events:*:*:%v*", data.aws_arn.current.partition, "rule/DO_NOT_TELETE")
 ]
-
 }
 }