[SEC-17144] Restrict access to Agentless S3 Bucket (#172)

Author: mariagardbraga

modules/agentless-s3-bucket/main.tf

@@ -36,7 +36,6 @@ resource "aws_s3_bucket_lifecycle_configuration" "bucket_lifecycle" {
 }
 
 data "aws_iam_policy_document" "bucket_access_policy_document" {
-  # TODO: add statement to deny access to everyone except the scanner roles
   statement {
     sid    = "DatadogAgentlessScannerBucketPolicy"
     effect = "Allow"
@@ -92,6 +91,32 @@ data "aws_iam_policy_document" "bucket_access_policy_document" {
       ]
     }
   }
+
+  statement {
+    sid    = "DenyAllOtherAccess"
+    effect = "Deny"
+    actions = [
+      "s3:GetObject*",
+      "s3:ListBucket",
+      "s3:PutObject*",
+    ]
+    resources = [
+      aws_s3_bucket.bucket.arn,
+      "${aws_s3_bucket.bucket.arn}/*",
+    ]
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+    condition {
+      test     = "ArnNotEquals"
+      variable = "aws:PrincipalArn"
+      values = [
+        var.iam_delegate_role_arn,
+        var.rds_service_role_arn,
+      ]
+    }
+  }
 }
 
 resource "aws_s3_bucket_policy" "bucket_access_policy" {