split decrypt oracle Deny statement to deny invalid action OR invalid resource

mattsb42-aws · mattsb42-aws · commit d58596bfcf99 · 2018-10-01T16:40:30.000-07:00
diff --git a/decrypt_oracle/.chalice/policy-dev.json b/decrypt_oracle/.chalice/policy-dev.json
@@ -34,7 +34,10 @@
                 "logs:CreateLogGroup",
                 "logs:CreateLogStream",
                 "logs:PutLogEvents"
-            ],
+            ]
+        },
+        {
+            "Effect": "Deny",
             "NotResource": [
                 "arn:aws:kms:us-west-2:658956600833:key/590fd781-ddde-4036-abec-3e1ab5a5d2ad",
                 "arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f",
