update key perms

terraform-modules · Nov 26, 2021 · d069fb4 · d069fb4
1 parent ec1040a
commit d069fb4
Showing 1 changed file with 28 additions and 5 deletions.
diff --git a/cloudtrail-key/main.tf b/cloudtrail-key/main.tf
@@ -231,6 +231,7 @@ data "aws_iam_policy_document" "empty" {}
 #---
 data "aws_iam_policy_document" "key" {
   policy_id = "object-logging-cloud-trail"
+  # manage key by root and other principals
   statement {
     sid       = "IAMPermissionsAccessKMSManagement"
     effect    = "Allow"
@@ -241,20 +242,25 @@ data "aws_iam_policy_document" "key" {
       identifiers = [local.kms_admin_root]
     }
   }
+  # let cloudtrial, logs, sns, and sqs find key
   statement {
-    sid       = "CloudTrailKMSAccess"
+    sid       = "KMSDescribeKeyFromServices"
     effect    = "Allow"
     actions   = ["kms:DescribeKey"]
     resources = ["*"]
     principals {
       type        = "Service"
-      identifiers = ["cloudtrail.amazonaws.com"]
+      identifiers = ["cloudtrail.amazonaws.com", "sns.amazonaws.com", "sqs.amazonaws.com"]
     }
   }
   statement {
-    sid       = "CloudTrailKMSEncryptAccess"
-    effect    = "Allow"
-    actions   = ["kms:GenerateDataKey"]
+    sid    = "CloudTrailKMSEncryptAccess"
+    effect = "Allow"
+    actions = [
+      "kms:Encrypt*",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey",
+    ]
     resources = ["*"]
     principals {
       type        = "Service"
@@ -288,4 +294,21 @@ data "aws_iam_policy_document" "key" {
       values   = [format("arn:%v:logs:%v:%v:log-group:*", local.partition, local.region, local.account_id)]
     }
   }
+  # https://aws.amazon.com/blogs/compute/encrypting-messages-published-to-amazon-sns-with-aws-kms/
+  # https://docs.aws.amazon.com/sns/latest/dg/sns-key-management.html#sns-what-permissions-for-sse
+  # https://docs.aws.amazon.com/sns/latest/dg/sns-enable-encryption-for-topic-sqs-queue-subscriptions.html
+  statement {
+    sid    = "ServiceMSAccess"
+    effect = "Allow"
+    actions = [
+      "kms:Decrypt*",
+      "kms:GenerateDataKey*",
+      "kms:Describe*"
+    ]
+    resources = ["*"]
+    principals {
+      type        = "Service"
+      identifiers = ["sns.amazonaws.com", "sqs.amazonaws.com"]
+    }
+  }
 }