From 6ee8843f97d85eb4277a15261c3c1636bf5b723b Mon Sep 17 00:00:00 2001
From: Prabhu Manchineella
Date: Wed, 25 Oct 2023 17:49:21 -0400
Subject: [PATCH] Update perm boundary to restrict removing/Updating perm boundary for IAM users

---
 modules/account-sso/main.tf | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/modules/account-sso/main.tf b/modules/account-sso/main.tf
index c39765d..569d5ac 100644
--- a/modules/account-sso/main.tf
+++ b/modules/account-sso/main.tf
@@ -71,7 +71,10 @@ resource "aws_iam_policy" "bcgov_perm_boundary" {
 "iam:Update*",
 "iam:Delete*",
 "iam:DetachRolePolicy",
- "iam:DeleteRolePolicy"
+ "iam:DeleteRolePolicy",
+ "iam:DeleteUserPermissionsBoundary",
+ "iam:PutUserPermissionsBoundary",
+ "iam:DeleteRolePermissionsBoundary"
 ]
 Effect = "Deny"
 Resource = [
@@ -79,8 +82,8 @@ resource "aws_iam_policy" "bcgov_perm_boundary" {
 "arn:aws:iam::*:role/CloudCustodian",
 "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
 "arn:aws:iam::*:role/*BCGOV*",
- "arn:aws:iam::*:instance-profile/EC2-Default-SSM-AD-Role-ip"
-
+ "arn:aws:iam::*:instance-profile/EC2-Default-SSM-AD-Role-ip",
+ "arn:aws:iam::*:user/*"
 ]
 Sid = "DenyPermBoundaryBCGovAlteration"
 },
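Review bot: The first hunk denies `iam:DeleteRolePermissionsBoundary` and `iam:PutUserPermissionsBoundary` but not `iam:PutRolePermissionsBoundary`, so a principal under this boundary can still replace the boundary on the protected roles (`*BCGOV*`, `CloudCustodian`, the StackSet execution role) with a weaker one; the existing `iam:Update*`/`iam:Delete*` wildcards do not cover a `Put*` action. Add `"iam:PutRolePermissionsBoundary",` alongside the new entries so the role and user cases are symmetric. The two `Delete*PermissionsBoundary` entries are already matched by `iam:Delete*`, which is harmless but worth a comment such as `# listed explicitly for readability; iam:Delete* already matches these` so a later cleanup does not drop the wrong line. The statement's `Action` list starts before this hunk and the enclosing resource continues past it.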
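Review bot: Adding `arn:aws:iam::*:user/*` to this statement's Resource list applies every action in it, including the visible `iam:Update*` and `iam:Delete*` wildcards, to all IAM users in the account, not just the permissions-boundary actions the commit title describes. Under that deny a principal bound by this policy can no longer delete, deactivate or rotate any user's access keys or login profile, which blocks routine credential hygiene and incident-response key revocation. If the intent is only to stop boundary tampering on users, keep `user/*` out of this statement and add a narrow one scoped to the two user boundary actions, as sketched below with the same key names the visible statement uses (Sid value is illustrative). The statement begins before the first hunk, so the full Action list should be checked for other user-scoped actions before deciding.

```hcl
    # … unchanged: DenyPermBoundaryBCGovAlteration statement, without the user/* resource …
    {
      Action = [
        "iam:PutUserPermissionsBoundary",
        "iam:DeleteUserPermissionsBoundary"
      ]
      Effect   = "Deny"
      Resource = ["arn:aws:iam::*:user/*"]
      Sid      = "DenyUserPermBoundaryAlteration"
    },
```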