feat: added key policy for awsbackup

modules/security_identity_compliance/CustomerManagedKmsKeys/README.md

@@ -1,4 +1,15 @@
 <!-- This readme file is generated with terraform-docs -->
+# CustomerManagedKmsKeys
+
+Module to create the following CMKs:
+- allpurpose
+- storage
+- database
+- secrets
+- backup
+- log
+- notify
+
 ## Requirements
 
 No requirements.
@@ -17,9 +28,11 @@ No modules.
 
 | Name | Type |
 |------|------|
+| [aws_iam_service_linked_role.autoscaling](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_service_linked_role) | resource |
 | [aws_kms_alias.allpurpose](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
 | [aws_kms_alias.backup](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
 | [aws_kms_alias.database](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
+| [aws_kms_alias.eks_ebs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
 | [aws_kms_alias.log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
 | [aws_kms_alias.notify](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
 | [aws_kms_alias.secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
@@ -34,13 +47,14 @@ No modules.
 | [aws_kms_key.storage](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.UseOfKeyByAll](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.backup](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.base](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.eksebs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.notify](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.rds](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.storage](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_role.asg-service-linked-role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_role) | data source |
+| [aws_iam_roles.autoscaling](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source |
 | [aws_region.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 
 ## Inputs
@@ -56,6 +70,7 @@ No modules.
 | create-notify-key | Create a CMK for use with notification and events | `bool` | n/a | yes |
 | create-secret-key | Create a CMK for use with secretsmanager | `bool` | n/a | yes |
 | create-storage-key | Create a CMK for use with storage such as EBS, S3, EFS | `bool` | n/a | yes |
+| create\_asg\_role | Create service linked role for autoscaling, required in key policy | `bool` | `true` | no |
 | customer\_master\_key\_spec | Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: `SYMMETRIC_DEFAULT`, `RSA_2048`, `RSA_3072`, `RSA_4096`, `HMAC_256`, `ECC_NIST_P256`, `ECC_NIST_P384`, `ECC_NIST_P521`, or `ECC_SECG_P256K1`. Defaults to `SYMMETRIC_DEFAULT` | `string` | `"SYMMETRIC_DEFAULT"` | no |
 | deletion\_window\_in\_days | The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between `7` and `30`, inclusive. If you do not specify a value, it defaults to `30` | `number` | `30` | no |
 | description | The description of the key as viewed in AWS console | `string` | `null` | no |
@@ -75,6 +90,7 @@ No modules.
 | Name | Description |
 |------|-------------|
 | cmks | Customer managed KMS key arns |
+| debug | n/a |
  
 ---
 ## Authorship

modules/security_identity_compliance/CustomerManagedKmsKeys/main.tf

@@ -1,13 +1,15 @@
-/*
-Module to create the following CMKs:
-- allpurpose
-- storage
-- database
-- secrets
-- backup
-- log
-- notify
- */
+/**
+* # CustomerManagedKmsKeys
+*
+* Module to create the following CMKs:
+* - allpurpose
+* - storage
+* - database
+* - secrets
+* - backup
+* - log
+* - notify
+*/
 
 data "aws_region" "this" {}
 data "aws_caller_identity" "current" {}
@@ -90,7 +92,7 @@ resource "aws_kms_key" "backup" {
   enable_key_rotation                = var.enable_key_rotation
   rotation_period_in_days            = var.rotation_period_in_days
   is_enabled                         = var.is_enabled
-  policy                             = data.aws_iam_policy_document.UseOfKeyByAll.json
+  policy                             = data.aws_iam_policy_document.backup.json
   deletion_window_in_days            = var.deletion_window_in_days
   customer_master_key_spec           = "SYMMETRIC_DEFAULT"
   key_usage                          = "ENCRYPT_DECRYPT"
@@ -427,6 +429,56 @@ data "aws_iam_policy_document" "log" {
   }
 }
 
+# policy for awsbackup: https://docs.aws.amazon.com/aws-backup/latest/devguide/encryption.html
+data "aws_iam_policy_document" "backup" {
+  source_policy_documents = [data.aws_iam_policy_document.base.json]
+  statement {
+    sid    = "KmsPermissions"
+    effect = "Allow"
+    principals {
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+      type        = "AWS"
+    }
+    actions = [
+      "kms:ListKeys",
+      "kms:DescribeKey",
+      "kms:GenerateDataKey",
+      "kms:ListAliases"
+    ]
+    resources = ["*"]
+  }
+
+  statement {
+    sid    = "KmsCreateGrantPermissions"
+    effect = "Allow"
+    principals {
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+      type        = "AWS"
+    }
+    actions = [
+      "kms:CreateGrant",
+      "kms:ListGrants",
+      "kms:RevokeGrant"
+    ]
+    resources = ["*"]
+    condition {
+      test     = "ForAnyValue:StringEquals"
+      values   = ["aws:backup:backup-vault"]
+      variable = "kms:EncryptionContextKeys"
+    }
+    condition {
+      test     = "Bool"
+      values   = [true]
+      variable = "kms:GrantIsForAWSResource"
+    }
+    condition {
+      test     = "StringLike"
+      values   = ["backup.*.amazonaws.com"]
+      variable = "kms:ViaService"
+    }
+  }
+}
+
 # allow all entities in this account to perform encryption and decryption
 data "aws_iam_policy_document" "UseOfKeyByAll" {
   source_policy_documents = [data.aws_iam_policy_document.base.json]