From d3a98c440cf9f5f0108274e22a831b931de99574 Mon Sep 17 00:00:00 2001
From: Farid Nouri Neshat
Date: Wed, 27 Sep 2023 07:28:03 +0200
Subject: [PATCH] Limit adf-state-machine-role to what is needed

---
 .../adf-bootstrap/deployment/global.yml | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/global.yml b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/global.yml
index fb93defbb..d4efbe8eb 100644
--- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/global.yml
+++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/global.yml
@@ -1199,9 +1199,6 @@ Resources:
 - Effect: "Allow"
 Principal:
 Service:
- - events.amazonaws.com
- - lambda.amazonaws.com
- - sns.amazonaws.com
 - states.amazonaws.com
 Action: "sts:AssumeRole"
 Path: "/"
@@ -1214,8 +1211,10 @@ Resources:
 Action:
 - "lambda:InvokeFunction"
 - "sns:Publish"
- - "states:StartExecution"
- Resource: "*"
+ Resource:
+ - !GetAtt EnableCrossAccountAccess.Arn
+ - !GetAtt CheckPipelineStatus.Arn
+ - !GetAtt PipelineSNSTopic.TopicArn

 LambdaInvokePermission:
 Type: AWS::Lambda::Permission
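Review bot: The new `Resource` list in the second hunk keeps `lambda:InvokeFunction` and `sns:Publish` in one statement, so the policy still nominally grants Lambda invoke on the SNS topic ARN and SNS publish on the two function ARNs; nothing exploitable, but splitting it into two statements makes the grant say exactly what is intended and is what a policy linter will ask for. If the state machine invokes either function through a version or alias, the bare `!GetAtt ...Arn` will not match the qualified ARN and the invoke will be denied — that cannot be confirmed from this hunk, so it is worth checking the state-machine definition. In the first hunk, now that the trust policy names only `states.amazonaws.com`, adding `Condition: { StringEquals: { "aws:SourceAccount": !Ref "AWS::AccountId" } }` to that statement would close the cross-service confused-deputy path the service-principal trust still leaves open. The enclosing role and policy-statement definitions start outside both hunks.
```yaml
# … unchanged: policy statement header (Effect/Action) for the Lambda grant …
              - Effect: "Allow"
                Action:
                  - "lambda:InvokeFunction"
                Resource:
                  - !GetAtt EnableCrossAccountAccess.Arn
                  - !GetAtt CheckPipelineStatus.Arn
              - Effect: "Allow"
                Action:
                  - "sns:Publish"
                Resource:
                  - !GetAtt PipelineSNSTopic.TopicArn
```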