From a3ee462a951fb381eb28a44d7f8f0763736d8bdf Mon Sep 17 00:00:00 2001
From: Idan Chernihov
Date: Wed, 20 Aug 2025 16:06:54 +0300
Subject: [PATCH] SLK-99566 - Remove ECR Push Permissions from AWS CF Onboarding

removed the following permissions from all cloud formation stacks: - "ecr:PutImage" - "ecr:InitiateLayerUpload" - "ecr:UploadLayerPart" - "ecr:CompleteLayerUpload" all relevant places: - single deployment module * organization deploys stack from S3 which is defined in autoconnect project. Push permissions are not required by Aqua and are also not wanted by customers, and since no usage was found for them they are removed here.
---
 modules/single/modules/lambda/main.tf | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/modules/single/modules/lambda/main.tf b/modules/single/modules/lambda/main.tf
index 5e4b6e7..81cf817 100644
--- a/modules/single/modules/lambda/main.tf
+++ b/modules/single/modules/lambda/main.tf
@@ -277,13 +277,9 @@ resource "aws_iam_role" "cspm_role" {
 "ecr:GetDownloadUrlForLayer",
 "ecr:BatchGetImage",
 "ecr:BatchCheckLayerAvailability",
- "ecr:PutImage",
 "ecr:ListImages",
 "ecr:DescribeImages",
 "ecr:GetRepositoryPolicy",
- "ecr:InitiateLayerUpload",
- "ecr:UploadLayerPart",
- "ecr:CompleteLayerUpload",
 "ecr:DescribeRepositories",
 "ecr:GetAuthorizationToken",
 "lambda:ListAliases",