From 0e0cea117400ba41f9ddbe2f60745b1df55e099cdcd034157f2e9e067015b406 Mon Sep 17 00:00:00 2001
From: xpk
Date: Thu, 26 Feb 2026 08:30:42 +0800
Subject: [PATCH] feat: added key policy for awsbackup

---
 .../CustomerManagedKmsKeys/README.md | 18 ++++-
 .../CustomerManagedKmsKeys/main.tf | 74 ++++++++++++++++---
 2 files changed, 80 insertions(+), 12 deletions(-)

diff --git a/modules/security_identity_compliance/CustomerManagedKmsKeys/README.md b/modules/security_identity_compliance/CustomerManagedKmsKeys/README.md
index 10f8d35..ed79af6 100644
--- a/modules/security_identity_compliance/CustomerManagedKmsKeys/README.md
+++ b/modules/security_identity_compliance/CustomerManagedKmsKeys/README.md
@@ -1,4 +1,15 @@
+# CustomerManagedKmsKeys
+
+Module to create the following CMKs:
+- allpurpose
+- storage
+- database
+- secrets
+- backup
+- log
+- notify
+
 ## Requirements
 
 No requirements.
 
@@ -17,9 +28,11 @@ No modules.
 
 | Name | Type |
 |------|------|
+| [aws_iam_service_linked_role.autoscaling](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_service_linked_role) | resource |
 | [aws_kms_alias.allpurpose](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
 | [aws_kms_alias.backup](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
 | [aws_kms_alias.database](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
+| [aws_kms_alias.eks_ebs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
 | [aws_kms_alias.log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
 | [aws_kms_alias.notify](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
 | [aws_kms_alias.secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
@@ -34,13 +47,14 @@ No modules.
 | [aws_kms_key.storage](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.UseOfKeyByAll](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.backup](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.base](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.eksebs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.notify](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.rds](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.storage](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_role.asg-service-linked-role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_role) | data source |
+| [aws_iam_roles.autoscaling](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source |
 | [aws_region.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 
 ## Inputs
@@ -56,6 +70,7 @@ No modules.
 | create-notify-key | Create a CMK for use with notification and events | `bool` | n/a | yes |
 | create-secret-key | Create a CMK for use with secretsmanager | `bool` | n/a | yes |
 | create-storage-key | Create a CMK for use with storage such as EBS, S3, EFS | `bool` | n/a | yes |
+| create\_asg\_role | Create service linked role for autoscaling, required in key policy | `bool` | `true` | no |
 | customer\_master\_key\_spec | Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: `SYMMETRIC_DEFAULT`, `RSA_2048`, `RSA_3072`, `RSA_4096`, `HMAC_256`, `ECC_NIST_P256`, `ECC_NIST_P384`, `ECC_NIST_P521`, or `ECC_SECG_P256K1`. Defaults to `SYMMETRIC_DEFAULT` | `string` | `"SYMMETRIC_DEFAULT"` | no |
 | deletion\_window\_in\_days | The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between `7` and `30`, inclusive. If you do not specify a value, it defaults to `30` | `number` | `30` | no |
 | description | The description of the key as viewed in AWS console | `string` | `null` | no |
@@ -75,6 +90,7 @@ No modules.
 | Name | Description |
 |------|-------------|
 | cmks | Customer managed KMS key arns |
+| debug | n/a |
 ---
 ## Authorship
diff --git a/modules/security_identity_compliance/CustomerManagedKmsKeys/main.tf b/modules/security_identity_compliance/CustomerManagedKmsKeys/main.tf
index 777327f..9d348de 100644
--- a/modules/security_identity_compliance/CustomerManagedKmsKeys/main.tf
+++ b/modules/security_identity_compliance/CustomerManagedKmsKeys/main.tf
@@ -1,13 +1,15 @@
-/*
-Module to create the following CMKs:
-- allpurpose
-- storage
-- database
-- secrets
-- backup
-- log
-- notify
- */
+/**
+* # CustomerManagedKmsKeys
+*
+* Module to create the following CMKs:
+* - allpurpose
+* - storage
+* - database
+* - secrets
+* - backup
+* - log
+* - notify
+*/
 
 data "aws_region" "this" {}
 data "aws_caller_identity" "current" {}
@@ -90,7 +92,7 @@ resource "aws_kms_key" "backup" {
 enable_key_rotation = var.enable_key_rotation
 rotation_period_in_days = var.rotation_period_in_days
 is_enabled = var.is_enabled
- policy = data.aws_iam_policy_document.UseOfKeyByAll.json
+ policy = data.aws_iam_policy_document.backup.json
 deletion_window_in_days = var.deletion_window_in_days
 customer_master_key_spec = "SYMMETRIC_DEFAULT"
 key_usage = "ENCRYPT_DECRYPT"
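Review bot: Switching `aws_kms_key.backup` from `UseOfKeyByAll` to `backup.json` removes the account-wide encrypt/decrypt grant the replaced document provides (its own comment, visible in the next hunk, reads "allow all entities in this account to perform encryption and decryption"), and a key-policy change is applied to the live key on the next apply. Anything that currently encrypts with the backup CMK outside of AWS Backup would then start failing with AccessDenied, so this is a behavioural change worth recording on the resource, e.g. `# policy scoped to AWS Backup use only; not a general-purpose key` above the `policy` line. The `aws_kms_key.backup` block begins before this hunk, and whether other consumers of the key exist cannot be seen from the diff.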
@@ -427,6 +429,56 @@ data "aws_iam_policy_document" "log" {
 }
 }
 
+# policy for awsbackup: https://docs.aws.amazon.com/aws-backup/latest/devguide/encryption.html
+data "aws_iam_policy_document" "backup" {
+ source_policy_documents = [data.aws_iam_policy_document.base.json]
+ statement {
+ sid = "KmsPermissions"
+ effect = "Allow"
+ principals {
+ identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+ type = "AWS"
+ }
+ actions = [
+ "kms:ListKeys",
+ "kms:DescribeKey",
+ "kms:GenerateDataKey",
+ "kms:ListAliases"
+ ]
+ resources = ["*"]
+ }
+
+ statement {
+ sid = "KmsCreateGrantPermissions"
+ effect = "Allow"
+ principals {
+ identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+ type = "AWS"
+ }
+ actions = [
+ "kms:CreateGrant",
+ "kms:ListGrants",
+ "kms:RevokeGrant"
+ ]
+ resources = ["*"]
+ condition {
+ test = "ForAnyValue:StringEquals"
+ values = ["aws:backup:backup-vault"]
+ variable = "kms:EncryptionContextKeys"
+ }
+ condition {
+ test = "Bool"
+ values = [true]
+ variable = "kms:GrantIsForAWSResource"
+ }
+ condition {
+ test = "StringLike"
+ values = ["backup.*.amazonaws.com"]
+ variable = "kms:ViaService"
+ }
+ }
+}
+
 # allow all entities in this account to perform encryption and decryption
 data "aws_iam_policy_document" "UseOfKeyByAll" {
 source_policy_documents = [data.aws_iam_policy_document.base.json]
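Review bot: The `KmsPermissions` statement grants `kms:GenerateDataKey` to the account root with no condition, so through IAM delegation any principal in the account whose IAM policy allows that action can generate data keys under this CMK, whereas the `KmsCreateGrantPermissions` statement below is correctly pinned to `kms:ViaService` `backup.*.amazonaws.com` and the `aws:backup:backup-vault` encryption-context key. If AWS Backup is the only intended caller, the same `condition { test = "StringLike" values = ["backup.*.amazonaws.com"] variable = "kms:ViaService" }` block belongs on the first statement too; confirm against the linked encryption doc, which I believe also expects `kms:Decrypt` for restores unless `data.aws_iam_policy_document.base` already grants it. `kms:ListKeys` and `kms:ListAliases` are, as far as I know, account-level actions that a key policy cannot scope, so they add nothing here and could be dropped to keep the statement honest about what it grants. The Bool condition should read `values = ["true"]`, since the provider's `values` is a list of strings and the bare `true` only works by implicit conversion.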