From 2e1c213574bde4ca87cb956733aceb77754ac75b Mon Sep 17 00:00:00 2001
From: hoyansiu1nhsnet
Date: Mon, 3 Nov 2025 15:29:49 +0000
Subject: [PATCH 1/2] Update host_iam_role.tf to enforce least privilege permissions.
---
 .../stacks/postcode_etl/host_iam_role.tf | 22 ++++++-------------
 1 file changed, 7 insertions(+), 15 deletions(-)

diff --git a/infrastructure/stacks/postcode_etl/host_iam_role.tf b/infrastructure/stacks/postcode_etl/host_iam_role.tf
index 64a1c3e3..7b08209d 100644
--- a/infrastructure/stacks/postcode_etl/host_iam_role.tf
+++ b/infrastructure/stacks/postcode_etl/host_iam_role.tf
@@ -33,27 +33,19 @@ resource "aws_iam_policy" "service_account_policy" {
 path = "/"
 description = "Postcode IAM role policies"
 
- # Terraform's "jsonencode" function converts a
- # Terraform expression result to valid JSON syntax.
 policy = jsonencode({
 Version = "2012-10-17"
 Statement = [
 {
+ Sid = "AllowGetItemOnSpecificDynamoDBTable"
+ Effect = "Allow"
 Action = [
- "ec2:*",
- "s3:*",
- "dynamodb:*",
- "ecr:*",
- "lambda:*",
- "es:*",
- "rds:*",
- "iam:*",
- "ecr:BatchGetImage"
-
+ "dynamodb:GetItem"
+ ]
+ Resource = [
+ "arn:aws:dynamodb:${var.aws_region}:${var.aws_account_id}:table/uec-sf-pc-${var.profile}-postcode-location-mapping"
 ]
- Effect = "Allow"
- Resource = "*"
- },
+ }
 ]
 })
 }

From 382f04fc9cced8c32b507aedb8ad6c0e2741393d Mon Sep 17 00:00:00 2001
From: hoyansiu1nhsnet
Date: Mon, 10 Nov 2025 16:07:26 +0000
Subject: [PATCH 2/2] Update host_iam_role.tf
---
 infrastructure/stacks/postcode_etl/host_iam_role.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/infrastructure/stacks/postcode_etl/host_iam_role.tf b/infrastructure/stacks/postcode_etl/host_iam_role.tf
index 7b08209d..4854b8aa 100644
--- a/infrastructure/stacks/postcode_etl/host_iam_role.tf
+++ b/infrastructure/stacks/postcode_etl/host_iam_role.tf
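Review bot: The table ARN on the added `+ "arn:aws:dynamodb:${var.aws_region}:${var.aws_account_id}:table/uec-sf-pc-${var.profile}-postcode-location-mapping"` line is assembled from three variables rather than taken from the table resource; if the table is managed in this stack (not visible here), referencing its `arn` attribute keeps the grant from silently breaking when the table name or naming scheme changes. `dynamodb:GetItem` is the right narrowing for a point lookup, but it does not cover Query, Scan or BatchGetItem, so the ETL's actual client calls should be confirmed before merging. A one-line comment such as `# GetItem only: the ETL performs point lookups on the mapping table` in place of the dropped jsonencode comment would record why the action list is this small. The `resource "aws_iam_policy"` header is outside the hunk.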
@@ -37,10 +37,10 @@ resource "aws_iam_policy" "service_account_policy" {
 Version = "2012-10-17"
 Statement = [
 {
- Sid = "AllowGetItemOnSpecificDynamoDBTable"
+ Sid = "AllowAccessOnlyOnSpecificDynamoDBTable"
 Effect = "Allow"
 Action = [
- "dynamodb:GetItem"
+ "dynamodb:*"
 ]
 Resource = [
 "arn:aws:dynamodb:${var.aws_region}:${var.aws_account_id}:table/uec-sf-pc-${var.profile}-postcode-location-mapping"
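Review bot: The `+ "dynamodb:*"` line undoes the least-privilege grant that PATCH 1/2 introduced: even scoped to the single table ARN it allows every table-level action, including PutItem, DeleteItem, UpdateTable and DeleteTable, so the renamed Sid `AllowAccessOnlyOnSpecificDynamoDBTable` describes the resource scope but not the action scope. Enumerate the actions the ETL actually issues instead of the wildcard, e.g. `"dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:BatchWriteItem"` if it both reads and loads the mapping table (the ETL code is not visible here, so confirm against its client calls). The commit message `Update host_iam_role.tf` should state why GetItem alone was insufficient so the widening is auditable later. If the job needs a secondary index, grant the index ARN `arn:aws:dynamodb:<region>:<account>:table/<table>/index/<index>` alongside the table ARN rather than widening the action list. The resource block continues outside the hunk.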