feat: added key policy for awsbackup

modules/security_identity_compliance/CustomerManagedKmsKeys/main.tf

@@ -1,13 +1,15 @@
-/*
-Module to create the following CMKs:
-- allpurpose
-- storage
-- database
-- secrets
-- backup
-- log
-- notify
- */
+/**
+* # CustomerManagedKmsKeys
+*
+* Module to create the following CMKs:
+* - allpurpose
+* - storage
+* - database
+* - secrets
+* - backup
+* - log
+* - notify
+*/
 
 data "aws_region" "this" {}
 data "aws_caller_identity" "current" {}
@@ -90,7 +92,7 @@ resource "aws_kms_key" "backup" {
   enable_key_rotation                = var.enable_key_rotation
   rotation_period_in_days            = var.rotation_period_in_days
   is_enabled                         = var.is_enabled
-  policy                             = data.aws_iam_policy_document.UseOfKeyByAll.json
+  policy                             = data.aws_iam_policy_document.backup.json
   deletion_window_in_days            = var.deletion_window_in_days
   customer_master_key_spec           = "SYMMETRIC_DEFAULT"
   key_usage                          = "ENCRYPT_DECRYPT"
@@ -427,6 +429,56 @@ data "aws_iam_policy_document" "log" {
   }
 }
 
+# policy for awsbackup: https://docs.aws.amazon.com/aws-backup/latest/devguide/encryption.html
+data "aws_iam_policy_document" "backup" {
+  source_policy_documents = [data.aws_iam_policy_document.base.json]
+  statement {
+    sid    = "KmsPermissions"
+    effect = "Allow"
+    principals {
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+      type        = "AWS"
+    }
+    actions = [
+      "kms:ListKeys",
+      "kms:DescribeKey",
+      "kms:GenerateDataKey",
+      "kms:ListAliases"
+    ]
+    resources = ["*"]
+  }
+
+  statement {
+    sid    = "KmsCreateGrantPermissions"
+    effect = "Allow"
+    principals {
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+      type        = "AWS"
+    }
+    actions = [
+      "kms:CreateGrant",
+      "kms:ListGrants",
+      "kms:RevokeGrant"
+    ]
+    resources = ["*"]
+    condition {
+      test     = "ForAnyValue:StringEquals"
+      values   = ["aws:backup:backup-vault"]
+      variable = "kms:EncryptionContextKeys"
+    }
+    condition {
+      test     = "Bool"
+      values   = [true]
+      variable = "kms:GrantIsForAWSResource"
+    }
+    condition {
+      test     = "StringLike"
+      values   = ["backup.*.amazonaws.com"]
+      variable = "kms:ViaService"
+    }
+  }
+}
+
 # allow all entities in this account to perform encryption and decryption
 data "aws_iam_policy_document" "UseOfKeyByAll" {
   source_policy_documents = [data.aws_iam_policy_document.base.json]