From abaed8d9efd7ca153379295774a83ba0d3e976de Mon Sep 17 00:00:00 2001
From: badra001
Date: Mon, 12 Feb 2024 10:16:38 -0500
Subject: [PATCH] fix

---
 s3-config-org/kms.tf | 24 +++++++++++++++++++++++-
 s3-config-org/sqs.s3.tf | 2 +-
 2 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/s3-config-org/kms.tf b/s3-config-org/kms.tf
index 9e95c3e..0875327 100644
--- a/s3-config-org/kms.tf
+++ b/s3-config-org/kms.tf
@@ -64,12 +64,32 @@ data "aws_iam_policy_document" "key" {
 identifiers = [local.kms_admin_root]
 }
 }
+ statement {
+ sid = "KMSDescribeKeyFromServices"
+ effect = "Allow"
+ actions = [
+ "kms:Describe*",
+ "kms:List*",
+ ]
+ resources = ["*"]
+ principals {
+ type = "service"
+ identifiers = [
+ "sqs.amazonaws.com",
+ "cloudtrail.amazonaws.com",
+ "sns.amazonaws.com",
+ "s3.amazonaws.com",
+ ]
+ }
+ }
 statement {
 sid = "AWSConfigKMSPolicy"
 effect = "Allow"
 actions = [
 "kms:Decrypt",
+ "kms:Encrypt",
 "kms:GenerateDataKey",
+ "kms:ReEncrypt",
 ]
 principals {
 type = "Service"
@@ -87,11 +107,13 @@ data "aws_iam_policy_document" "key" {
 effect = "Allow"
 actions = [
 "kms:Decrypt",
+ "kms:Encrypt",
 "kms:GenerateDataKey",
+ "kms:ReEncrypt",
 ]
 principals {
 type = "Service"
- identifiers = ["sns.amazonaws.com"]
+ identifiers = ["sns.amazonaws.com", "s3.amazonaws.com"]
 }
 resources = ["*"]
 condition {
diff --git a/s3-config-org/sqs.s3.tf b/s3-config-org/sqs.s3.tf
index 4cf6201..3b023ce 100644
--- a/s3-config-org/sqs.s3.tf
+++ b/s3-config-org/sqs.s3.tf
@@ -105,7 +105,7 @@ data "aws_iam_policy_document" "config_org_s3_sqs" {
 condition {
 test = "StringEquals"
 variable = "aws:SourceArn"
- values = [var.enable_s3_sns ? aws_sns_topic.config_org_s3[0].arn : ""]
+ values = [var.enable_s3_sns ? aws_s3_bucket.config_org.arn : ""]
 }
 }
 }
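Review bot: `kms:ReEncrypt` added to the AWSConfigKMSPolicy statement is not a KMS action name — the API exposes `kms:ReEncryptFrom` and `kms:ReEncryptTo` — so that line grants nothing; since the sibling lines are spelled as full action names, the intended form is `"kms:ReEncrypt*"`. In the new KMSDescribeKeyFromServices statement, `type = "service"` is lowercase while every other statement in this document uses `type = "Service"`; depending on provider validation this is either rejected at plan time or emitted as a non-standard principal key in the rendered policy, so change it to `type = "Service"`. That statement also binds four service principals with no `condition`, which is low-risk for Describe/List but deserves a one-line comment such as `# read-only key metadata for the services that consume this key; deliberately unscoped`. The enclosing `data "aws_iam_policy_document" "key"` block and the rest of the AWSConfigKMSPolicy statement (its principals list and any condition) lie outside the hunk.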
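Review bot: Adding `s3.amazonaws.com` to this statement's principals extends Decrypt/Encrypt/GenerateDataKey to S3 under a `condition` whose body is outside the hunk; if that condition is the usual SNS-only scoping (for example `aws:SourceArn` equal to the topic ARN), S3's calls will never match it and the new grant is dead, and if it is loosened to admit S3 it should still pin the S3 side (`aws:SourceArn` on the bucket ARN plus `aws:SourceAccount`, or `kms:ViaService`), because an unconditioned service-principal grant on a key is the confused-deputy pattern AWS warns about. Giving S3 its own statement with its own condition is cleaner than sharing the SNS one. The same `kms:ReEncrypt` issue applies here — it is not a real action name, so write `"kms:ReEncrypt*"`. This statement's `sid` and the condition's contents are not visible in the hunk.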
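Review bot: Switching `aws:SourceArn` to the bucket ARN is the right match for S3 to SQS notifications, but an S3 bucket ARN carries no account id, so this condition alone cannot tell whose bucket is sending; pair it with an `aws:SourceAccount` condition on the bucket owner's account, as AWS recommends for S3 notification queue policies (the fence below assumes an `aws_caller_identity` data source exists in the module — substitute whatever the module already uses for the account id). Note also that when `var.enable_s3_sns` is false the value is `""`, which under StringEquals never matches and so silently disables the statement, and the variable name now gates a bucket ARN rather than an SNS topic; either rename it or add `# gate kept under enable_s3_sns for compatibility; this statement is scoped to the bucket, not the topic`. The enclosing `data "aws_iam_policy_document" "config_org_s3_sqs"` block and the statement's principals start before this hunk.
```hcl
    # … unchanged: aws:SourceArn condition …
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id] # TODO: confirm this data source exists in the module
    }
```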