* 2.5.3 -- 2024-02-09

- s3-config-org - update key policy, sns permissions to allow s3 -> sns -> sqs
terraform-modules · Feb 9, 2024 · 7775a05 · 7775a05
1 parent 0c51b3e
commit 7775a05
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 86 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -338,3 +338,7 @@
 * 2.5.2 -- 2024-02-07
   - s3-config-org
     - add enable_s3_sns, enable_s3_sqs, for bucket notifications
+
+* 2.5.3 -- 2024-02-09
+  - s3-config-org
+    - update key policy, sns permissions to allow s3 -> sns -> sqs
diff --git a/common/version.tf b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
-  _module_version = "2.5.2"
+  _module_version = "2.5.3"
 }
diff --git a/s3-config-org/kms.tf b/s3-config-org/kms.tf
@@ -51,6 +51,8 @@ data "aws_iam_policy_document" "key_admin" {
 
 data "aws_iam_policy_document" "empty" {}
 
+# for sqs, from: https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-least-privilege-policy.html
+
 data "aws_iam_policy_document" "key" {
   statement {
     sid       = "IAMPermissionsAccessKMSManagement"
@@ -80,89 +82,22 @@ data "aws_iam_policy_document" "key" {
       values   = [local.organization_id]
     }
   }
+  statement {
+    sid    = "AllowSNSSendToSQS"
+    effect = "Allow"
+    actions = [
+      "kms:Decrypt",
+      "kms:GenerateDataKey",
+    ]
+    principals {
+      type        = "Service"
+      identifiers = ["sns.amazonaws.com"]
+    }
+    resources = ["*"]
+    condition {
+      test     = "StringEquals"
+      variable = "aws:SourceAccount"
+      values   = [data.aws_caller_identity.current.account_id]
+    }
+  }
 }
-
-## data "aws_iam_policy_document" "key" {
-##   policy_id = "object-logging-cloud-trail"
-##   # manage key by root and other principals
-##   statement {
-##     sid       = "IAMPermissionsAccessKMSManagement"
-##     effect    = "Allow"
-##     actions   = ["kms:*"]
-##     resources = ["*"]
-##     principals {
-##       type        = "AWS"
-##       identifiers = [local.kms_admin_root]
-##     }
-##   }
-##   # let cloudtrial, logs, sns, and sqs find key
-##   statement {
-##     sid       = "KMSDescribeKeyFromServices"
-##     effect    = "Allow"
-##     actions   = ["kms:DescribeKey"]
-##     resources = ["*"]
-##     principals {
-##       type        = "Service"
-##       identifiers = ["cloudtrail.amazonaws.com", "sns.amazonaws.com", "sqs.amazonaws.com"]
-##     }
-##   }
-##   statement {
-##     sid    = "OrgLoggingKMSEncryptAccess"
-##     effect = "Allow"
-##     actions = [
-##       "kms:Decrypt*",
-##       "kms:Encrypt*",
-##       "kms:ReEncrypt*",
-##       "kms:GenerateDataKey",
-##     ]
-##     resources = ["*"]
-##     principals {
-##       type        = "Service"
-##       identifiers = ["cloudtrail.amazonaws.com"]
-##     }
-##     #    condition {
-##     #      test     = "StringLike"
-##     #      variable = "kms:EncryptionContext:aws:cloudtrail:arn"
-##     #      values   = [format("arn:%v:cloudtrail:*:%v:trail/*", local.partition, local.account_id)]
-##     #    }
-##   }
-##   # https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html
-##   statement {
-##     sid    = "Cloudwatch"
-##     effect = "Allow"
-##     actions = [
-##       "kms:Decrypt*",
-##       "kms:Encrypt*",
-##       "kms:ReEncrypt*",
-##       "kms:GenerateDataKey*",
-##       "kms:Describe*"
-##     ]
-##     resources = ["*"]
-##     principals {
-##       type        = "Service"
-##       identifiers = ["logs.amazonaws.com", "logs.${local.region}.amazonaws.com"]
-##     }
-##     condition {
-##       test     = "StringLike"
-##       variable = "kms:EncryptionContext:aws:logs:arn"
-##       values   = [format("arn:%v:logs:%v:%v:log-group:*", local.partition, local.region, local.account_id)]
-##     }
-##   }
-##   # https://aws.amazon.com/blogs/compute/encrypting-messages-published-to-amazon-sns-with-aws-kms/
-##   # https://docs.aws.amazon.com/sns/latest/dg/sns-key-management.html#sns-what-permissions-for-sse
-##   # https://docs.aws.amazon.com/sns/latest/dg/sns-enable-encryption-for-topic-sqs-queue-subscriptions.html
-##   statement {
-##     sid    = "ServiceMSAccess"
-##     effect = "Allow"
-##     actions = [
-##       "kms:Decrypt*",
-##       "kms:GenerateDataKey*",
-##       "kms:Describe*"
-##     ]
-##     resources = ["*"]
-##     principals {
-##       type        = "Service"
-##       identifiers = ["sns.amazonaws.com", "sqs.amazonaws.com"]
-##     }
-##   }
-## }
diff --git a/s3-config-org/sns.s3.tf b/s3-config-org/sns.s3.tf
@@ -16,6 +16,8 @@ resource "aws_sns_topic_policy" "config_org_s3" {
   policy = data.aws_iam_policy_document.config_org_s3_topic.json
 }
 
+# from: https://docs.aws.amazon.com/AmazonS3/latest/userguide/grant-destinations-permissions-to-s3.html#grant-sns-sqs-permission-for-s3
+
 data "aws_iam_policy_document" "config_org_s3_topic" {
   policy_id = format("%v_s3_topic", local.s3_notification_name)
   statement {
@@ -32,5 +34,10 @@ data "aws_iam_policy_document" "config_org_s3_topic" {
       variable = "aws:SourceArn"
       values   = [aws_s3_bucket.config_org.arn]
     }
+    condition {
+      test     = "StringEquals"
+      variable = "aws:SourceAccount"
+      values   = [data.aws_caller_identity.current.account_id]
+    }
   }
 }