From 85309a66c0b58c0a24a5a72c0fbe376a63e540d9 Mon Sep 17 00:00:00 2001
From: badra001
Date: Tue, 23 Nov 2021 13:51:29 -0500
Subject: [PATCH] add cw log key policy

---
 cloudtrail-key/main.tf | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/cloudtrail-key/main.tf b/cloudtrail-key/main.tf
index 00f070a..45acd75 100644
--- a/cloudtrail-key/main.tf
+++ b/cloudtrail-key/main.tf
@@ -266,4 +266,26 @@ data "aws_iam_policy_document" "key" {
 values = [format("arn:%v:cloudtrail:*:%v:trail/*", local.partition, local.account_id)]
 }
 }
+ # https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html
+ statement {
+ sid = "Cloudwatch"
+ effect = "Allow"
+ actions = [
+ "kms:Encrypt*",
+ "kms:Decrypt*",
+ "kms:ReEncrypt*",
+ "kms:GenerateDataKey*",
+ "kms:Describe*" ]
+ resources = ["*"]
+ principals {
+ type = "Service"
+ identifiers = ["logs.amazonaws.com", "logs.${local.region}.amazonaws.com"] }
+ condition {
+ test = "StringLike"
+ variable = "kms:EncryptionContext:aws:logs:arn"
+ values = [format("arn:%v:logs:%v:%v:log-group:*", local.partition, local.region, local.account_id)]
+ }
+ }
 }
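Review bot: The condition on the new `Cloudwatch` statement, `values = [format("arn:%v:logs:%v:%v:log-group:*", local.partition, local.region, local.account_id)]`, lets every log group in this account and region be encrypted with the CloudTrail key, which is wider than the single trail log group the key is presumably meant to protect and turns a trail-scoped key into an account-wide one for the Logs service. Unless sharing the key is intended, narrow the encryption-context value to the trail's log group ARN, or expose it as a module input whose default is the current wildcard, e.g. `values = [var.cloudtrail_log_group_arn]` with `cloudtrail_log_group_arn` added as a new (constructed name) variable. The `principals` block also lists the global `logs.amazonaws.com` next to the regional service principal, and only the regional form is what the linked AWS page shows; a one-line comment such as `# regional Logs principal per the AWS doc above; global form kept deliberately — confirm which partitions need it` would spare the next reader the lookup. The enclosing `data "aws_iam_policy_document" "key"` block begins before this hunk, so the other statements it contains are not visible here.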