initial commit

modules/security_identity_compliance/cloudtrail_cwlogs/ct-key.tf

@@ -0,0 +1,69 @@
+resource "aws_kms_key" "ctbucket-key" {
+  deletion_window_in_days = 7
+  tags = var.default-tags
+  policy = data.aws_iam_policy_document.key-policy.json
+  enable_key_rotation = true
+}
+
+resource "aws_kms_alias" ctbucket-key-aliaas {
+  name = "alias/${var.resource-prefix}-kmskey-default"
+  target_key_id = aws_kms_key.ctbucket-key.key_id
+}
+
+# https://gist.github.com/shortjared/4c1e3fe52bdfa47522cfe5b41e5d6f22
+data "aws_iam_policy_document" "key-policy" {
+  statement {
+    sid = "Key usage by aws services"
+    principals {
+      identifiers = [
+        "autoscaling.amazonaws.com",
+        "cloudtrail.amazonaws.com",
+        "eks.amazonaws.com",
+        "eks-nodegroup.amazonaws.com",
+        "guardduty.amazonaws.com",
+        "delivery.logs.amazonaws.com",
+        "sns.amazonaws.com",
+        "sqs.amazonaws.com",
+        "lambda.amazonaws.com",
+        "backup.amazonaws.com",
+        "events.amazonaws.com",
+        "cloudwatch.amazonaws.com",
+        "s3.amazonaws.com",
+        "logs.amazonaws.com"
+      ]
+      type = "Service"
+    }
+
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:DescribeKey"
+    ]
+
+    resources = [
+      "*"
+    ]
+
+    effect = "Allow"
+  }
+
+  statement {
+    sid = "Key administrator"
+    actions = [
+      "kms:*"
+    ]
+
+    resources = [
+      "*"
+    ]
+
+    principals {
+      type = "AWS"
+      identifiers = [data.aws_caller_identity.this.account_id]
+    }
+
+    effect = "Allow"
+  }
+}