diff --git a/cloudtrail-key/main.tf b/cloudtrail-key/main.tf
index 45acd75..65e1e12 100644
--- a/cloudtrail-key/main.tf
+++ b/cloudtrail-key/main.tf
@@ -231,6 +231,7 @@ data "aws_iam_policy_document" "empty" {}
 #---
 data "aws_iam_policy_document" "key" {
 policy_id = "object-logging-cloud-trail"
+ # manage key by root and other principals
 statement {
 sid = "IAMPermissionsAccessKMSManagement"
 effect = "Allow"
@@ -241,20 +242,25 @@ data "aws_iam_policy_document" "key" {
 identifiers = [local.kms_admin_root]
 }
 }
+ # let cloudtrial, logs, sns, and sqs find key
 statement {
- sid = "CloudTrailKMSAccess"
+ sid = "KMSDescribeKeyFromServices"
 effect = "Allow"
 actions = ["kms:DescribeKey"]
 resources = ["*"]
 principals {
 type = "Service"
- identifiers = ["cloudtrail.amazonaws.com"]
+ identifiers = ["cloudtrail.amazonaws.com", "sns.amazonaws.com", "sqs.amazonaws.com"]
 }
 }
 statement {
- sid = "CloudTrailKMSEncryptAccess"
- effect = "Allow"
- actions = ["kms:GenerateDataKey"]
+ sid = "CloudTrailKMSEncryptAccess"
+ effect = "Allow"
+ actions = [
+ "kms:Encrypt*",
+ "kms:ReEncrypt*",
+ "kms:GenerateDataKey",
+ ]
 resources = ["*"]
 principals {
 type = "Service"
@@ -288,4 +294,21 @@ data "aws_iam_policy_document" "key" {
 values = [format("arn:%v:logs:%v:%v:log-group:*", local.partition, local.region, local.account_id)]
 }
 }
+ # https://aws.amazon.com/blogs/compute/encrypting-messages-published-to-amazon-sns-with-aws-kms/
+ # https://docs.aws.amazon.com/sns/latest/dg/sns-key-management.html#sns-what-permissions-for-sse
+ # https://docs.aws.amazon.com/sns/latest/dg/sns-enable-encryption-for-topic-sqs-queue-subscriptions.html
+ statement {
+ sid = "ServiceMSAccess"
+ effect = "Allow"
+ actions = [
+ "kms:Decrypt*",
+ "kms:GenerateDataKey*",
+ "kms:Describe*"
+ ]
+ resources = ["*"]
+ principals {
+ type = "Service"
+ identifiers = ["sns.amazonaws.com", "sqs.amazonaws.com"]
+ }
+ }
 }
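Review bot: The CloudTrailKMSEncryptAccess statement in the second hunk widens the CloudTrail service principal from `kms:GenerateDataKey` to `kms:Encrypt*` and `kms:ReEncrypt*`, which is more than the CloudTrail documentation lists for log encryption (`kms:GenerateDataKey*` plus DescribeKey); unless another consumer of this key depends on those actions, keeping the action list to `"kms:GenerateDataKey*"` preserves least privilege. The principals block of that statement, and any condition that scopes it, continue past the end of the hunk, so I cannot tell whether the broadened actions are constrained there. The added comment `# let cloudtrial, logs, sns, and sqs find key` misspells cloudtrail and lists `logs`, which is not among the identifiers the statement below it names. Note also that `kms:DescribeKey` for the sns and sqs principals is granted again by `kms:Describe*` in the third hunk, so one of the two can go.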
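Review bot: The new ServiceMSAccess statement in the third hunk lets the `sns.amazonaws.com` and `sqs.amazonaws.com` service principals call `kms:Decrypt*` and `kms:GenerateDataKey*` on `resources = ["*"]` with no condition block, whereas the neighbouring logs statement visible in the hunk context is scoped with a `values = [format("arn:...:log-group:*", ...)]` condition. Without a scoping condition, any SNS topic or SQS queue that names this key, including ones in other accounts, can use it through those service principals (the confused-deputy case the linked SNS docs warn about). Adding `kms:CallerAccount` and `kms:ViaService` conditions using the `local.account_id` and `local.region` values the file already has would restrict the grant to this account's topics and queues in this region; the hostname suffix may need adjusting for non-standard partitions, which the file tracks as `local.partition`. The sid `ServiceMSAccess` reads like a typo for `ServiceKMSAccess`, and the `"kms:Describe*"` element lacks the trailing comma the other new action lists use.
```hcl
  statement {
    sid = "ServiceMSAccess"
    # … unchanged: effect, actions, resources, principals …
    condition {
      test     = "StringEquals"
      variable = "kms:CallerAccount"
      values   = [local.account_id]
    }
    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values = [
        format("sns.%v.amazonaws.com", local.region),
        format("sqs.%v.amazonaws.com", local.region),
      ]
    }
  }
```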