From 88dd94d0afabb4fd350346a19fcda4d630110098 Mon Sep 17 00:00:00 2001
From: Brad Fisher
Date: Thu, 27 Jun 2024 14:15:12 -0500
Subject: [PATCH] Deny DCE from support, deny DCE from editing KMS policies (#494)
* Deny DCE from support, deny DCE from editing KMS policies
* Update nuke, format better
---
 go.mod | 2 +-
 go.sum | 4 ++--
 modules/fixtures/policies/principal_policy.tmpl | 16 ++++++++++++++++
 3 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/go.mod b/go.mod
index 65a866bb..99eadd64 100644
--- a/go.mod
+++ b/go.mod
@@ -104,4 +104,4 @@ require ( gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect )
-replace github.com/rebuy-de/aws-nuke/v2 => github.com/Optum/aws-nuke/v2 v2.25.4
+replace github.com/rebuy-de/aws-nuke/v2 => github.com/Optum/aws-nuke/v2 v2.25.5
diff --git a/go.sum b/go.sum
index 61864c5e..71417f91 100644
--- a/go.sum
+++ b/go.sum
@@ -196,8 +196,8 @@ github.com/CloudyKit/fastprinter v0.0.0-20200109182630-33d98a066a53/go.mod h1:+3 github.com/CloudyKit/jet/v3 v3.0.0/go.mod h1:HKQPgSJmdK8hdoAbKUUWajkHyHo4RaU5rMdUywE7VMo= github.com/Joker/hpp v1.0.0/go.mod h1:8x5n+M1Hp5hC0g8okX3sR3vFQwynaX/UgSOM9MeBKzY= github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= -github.com/Optum/aws-nuke/v2 v2.25.4 h1:8SKXZburVzu/kJg2dead6iHSadFTsoDffIUqvm1c8UI= -github.com/Optum/aws-nuke/v2 v2.25.4/go.mod h1:LaslSBqqWIa+EdDrxj1Pltr04cMAyxcL+bYy+7ZT/jg= +github.com/Optum/aws-nuke/v2 v2.25.5 h1:F3WpJ+uwnecbTeN1hg+ZAc+y2PUNAMQw8UavFPYiZT4= +github.com/Optum/aws-nuke/v2 v2.25.5/go.mod h1:LaslSBqqWIa+EdDrxj1Pltr04cMAyxcL+bYy+7ZT/jg= github.com/Shopify/goreferrer v0.0.0-20181106222321-ec9c9a553398/go.mod h1:a1uqRtAwp2Xwc6WNPJEufxJ7fx3npB4UV/JOLmbu5I0= github.com/agext/levenshtein v1.2.1/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558= github.com/agext/levenshtein v1.2.3 h1:YB2fHEn0UJagG8T1rrWknE3ZQzWM06O8AMAatNn7lmo=
diff --git a/modules/fixtures/policies/principal_policy.tmpl b/modules/fixtures/policies/principal_policy.tmpl
index 0e7c435c..9dfef6ad 100644
--- a/modules/fixtures/policies/principal_policy.tmpl
+++ b/modules/fixtures/policies/principal_policy.tmpl
@@ -53,6 +53,22 @@
 ],
 "Resource": "*"
 },
+ {
+ "Sid": "DenySpecificKMSActions",
+ "Effect": "Deny",
+ "Action": [
+ "kms:PutKeyPolicy"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "DenySupportCenter",
+ "Effect": "Deny",
+ "Action": [
+ "support:*"
+ ],
+ "Resource": "*"
+ },
 {
 "Sid": "ViewBillingBudgetsQuotas",
 "Effect": "Allow",
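Review bot: The `DenySpecificKMSActions` statement covers only `kms:PutKeyPolicy`, but a key policy is also set when a key is created, through the `Policy` parameter of `kms:CreateKey`, so the deny constrains edits to existing keys and not the policy a new key starts with. Whether the principal is allowed `kms:CreateKey` is not visible in this hunk; if it is, and the aim (inferred from the commit title and the aws-nuke bump) is to keep principal-created keys manageable by account reset, consider a second deny on `kms:CreateKey` with the condition `"Bool": {"kms:BypassPolicyLockoutSafetyCheck": "true"}` and confirm that reset can still schedule those keys for deletion. The Sid is also generic for a one-action statement: `"Sid": "DenyKMSKeyPolicyEdits"` would state the intent, which matters here because the JSON body has no place for a comment. The surrounding statement array starts and ends outside the hunk, so interaction with the existing Allow statements should be checked against the full template.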