Deny Wiz access to objects in S3

Instead of explicitly preventing Wiz from interacting with certain
buckets, we are instead globally denying it access to any files in S3.
This ensures that sensitive data on S3 cannot be leaked, while also
reducing the maintenance burden to keep a list of buckets up-to-date.

Author: jdno

terragrunt/modules/wiz/main.tf

@@ -170,16 +170,11 @@ resource "aws_iam_role_policy" "tf-policy" {
       },
       {
         "Action" : [
-          "s3:*",
+          "s3:GetObject"
         ],
         "Effect" : "Deny",
         "Resource" : [
-          "arn:aws:s3:::*terraform*",
-          "arn:aws:s3:::*tfstate*",
-          "arn:aws:s3:::*tf?state*",
-          "arn:aws:s3:::*cloudtrail*",
-          "arn:aws:s3:::elasticbeanstalk-*",
-          "arn:aws:s3:::rust-release-keys",
+          "*"
         ],
         "Sid" : "WizAccessS3"
       }