[IT-4757] Reduce scope of Security Auditor role

ConsoleCatzirl · ConsoleCatzirl · commit 8ce934b814c2 · 2025-12-02T10:04:55.000-08:00
The Security Auditor role is currently unused. Reduce access to a level
appropriate for a security contractor being onboarded. Access is only
needed in the security-central account, no access to Billing, Macie, or
Elastic Beanstalk is needed.
diff --git a/org-formation/700-aws-sso/_tasks.yaml b/org-formation/700-aws-sso/_tasks.yaml
@@ -495,7 +495,7 @@ SsoSecurityAuditor:
     IncludeMasterAccount: true
   OrganizationBindings:
     TargetBinding:
-      Account: '*'
+      Account: !Ref SecurityCentralAccount
   Parameters:
     instanceArn: !Ref instanceArn
     principalId: !Ref securityAuditorGroup
@@ -505,9 +505,6 @@ SsoSecurityAuditor:
       - 'arn:aws:iam::aws:policy/job-function/SupportUser'
       - 'arn:aws:iam::aws:policy/AmazonInspector2ReadOnlyAccess'
       - 'arn:aws:iam::aws:policy/AWSSecurityHubReadOnlyAccess'
-      - 'arn:aws:iam::aws:policy/AWSElasticBeanstalkReadOnly'
-      - 'arn:aws:iam::aws:policy/AWSBillingReadOnlyAccess'
-      - 'arn:aws:iam::aws:policy/AmazonMacieReadOnlyAccess'
     sessionDuration: 'PT1H'
     masterAccountId: !Ref MasterAccount
 
