fix: Update s3 backup policy

Author: fegmorte

modules/mpc-backup-vault/README.md

@@ -82,7 +82,6 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_bucket_cross_account_id"></a> [bucket\_cross\_account\_id](#input\_bucket\_cross\_account\_id) | ID of the AWS account that can access the backup bucket. | `string` | n/a | yes |
 | <a name="input_bucket_prefix"></a> [bucket\_prefix](#input\_bucket\_prefix) | The prefix for the S3 bucket names | `string` | `"mpc-backup-vault"` | no |
 | <a name="input_enable_replication"></a> [enable\_replication](#input\_enable\_replication) | Enable cross-region replication for the backup bucket. | `bool` | `false` | no |
 | <a name="input_mpc_backup_replication_role_name"></a> [mpc\_backup\_replication\_role\_name](#input\_mpc\_backup\_replication\_role\_name) | The name of the MPC backup replication role. | `string` | `null` | no |

modules/mpc-backup-vault/main.tf

@@ -61,9 +61,13 @@ resource "aws_s3_bucket_policy" "backup_bucket" {
         Sid    = "AllowCrossAccountBackup"
         Effect = "Allow"
         Principal = {
-          AWS = "arn:aws:iam::${var.bucket_cross_account_id}:root"
+          AWS = var.trusted_principal_arns
         }
-        Action = "s3:*"
+        Action = [
+          "s3:GetObject",
+          "s3:PutObject",
+          "s3:ListBucket"
+        ]
         Resource = [
           "arn:aws:s3:::${aws_s3_bucket.backup_bucket.id}",
           "arn:aws:s3:::${aws_s3_bucket.backup_bucket.id}/*"

modules/mpc-backup-vault/variables.tf

@@ -31,11 +31,6 @@ variable "trusted_principal_arns" {
   default     = []
 }
 
-variable "bucket_cross_account_id" {
-  type        = string
-  description = "ID of the AWS account that can access the backup bucket."
-}
-
 # Replication Configuration
 variable "enable_replication" {
   type        = bool