From 80b434481c0f0a3a3222a784f758ffbfef9bf91f Mon Sep 17 00:00:00 2001
From: Dan Gardner
Date: Wed, 24 May 2023 22:48:18 +0000
Subject: [PATCH] Remove s3:PutObject and s3:PutObjectAcl on the artifacts bucket from the promote_release IAM role.
---
 terraform/releases/impl/promote-release.tf | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/terraform/releases/impl/promote-release.tf b/terraform/releases/impl/promote-release.tf
index d73c5c88d..c61d6f836 100644
--- a/terraform/releases/impl/promote-release.tf
+++ b/terraform/releases/impl/promote-release.tf
@@ -197,7 +197,17 @@ resource "aws_iam_role_policy" "promote_release" {
 "${aws_s3_bucket.static.arn}/doc/*",
 "${aws_s3_bucket.static.arn}/dist",
 "${aws_s3_bucket.static.arn}/dist/*",
-
+ ]
+ },
+ {
+ Sid = "BucketsReadDelete"
+ Effect = "Allow"
+ Action = [
+ "s3:GetObjectAcl",
+ "s3:GetObject",
+ "s3:DeleteObject",
+ ]
+ Resource = [
 // Artifacts bucket
 "${data.aws_s3_bucket.artifacts.arn}/rustc-builds",
 "${data.aws_s3_bucket.artifacts.arn}/rustc-builds/*",
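Review bot: The new `BucketsReadDelete` statement still grants `s3:DeleteObject` on the artifacts bucket's `rustc-builds` prefix, so the promote_release role can no longer overwrite build artifacts but can still remove them; whether deletion is actually required is not visible in this hunk. If it is not, drop that action; if it is, say so in a comment above `Action`, e.g. `// Read/delete only on artifacts: s3:PutObject and s3:PutObjectAcl deliberately not granted; delete is needed for <reason>`. `s3:GetObjectAcl` may also be unnecessary now that the role cannot set ACLs on this bucket, which is worth confirming. The `Resource` list continues past the end of the hunk, so any entries after `rustc-builds/*` move into this narrower statement as well and should be checked for paths that still need write access.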