SLK-99566 - Remove ECR Push Permissions from AWS CF Onboarding

idanchAqua · idanchAqua · commit a3ee462a951f · 2025-08-20T16:12:55.000+03:00
removed the following permissions from all cloud formation stacks:
- "ecr:PutImage"
- "ecr:InitiateLayerUpload"
- "ecr:UploadLayerPart"
- "ecr:CompleteLayerUpload"

all relevant places:
- single deployment module

* organization deploys stack from S3 which is defined in autoconnect project.

Push permissions are not required by Aqua and are also not wanted by
customers, and since no usage was found for them they are removed here.
diff --git a/modules/single/modules/lambda/main.tf b/modules/single/modules/lambda/main.tf
@@ -277,13 +277,9 @@ resource "aws_iam_role" "cspm_role" {
             "ecr:GetDownloadUrlForLayer",
             "ecr:BatchGetImage",
             "ecr:BatchCheckLayerAvailability",
-            "ecr:PutImage",
             "ecr:ListImages",
             "ecr:DescribeImages",
             "ecr:GetRepositoryPolicy",
-            "ecr:InitiateLayerUpload",
-            "ecr:UploadLayerPart",
-            "ecr:CompleteLayerUpload",
             "ecr:DescribeRepositories",
             "ecr:GetAuthorizationToken",
             "lambda:ListAliases",
