diff --git a/modules/security_identity_compliance/CustomerManagedKmsKeys/README.md b/modules/security_identity_compliance/CustomerManagedKmsKeys/README.md
index d8639cb..301944e 100644
--- a/modules/security_identity_compliance/CustomerManagedKmsKeys/README.md
+++ b/modules/security_identity_compliance/CustomerManagedKmsKeys/README.md
@@ -47,13 +47,14 @@ No modules.
 | [aws_kms_key.secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
 | [aws_kms_key.storage](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
-| [aws_iam_policy_document.UseOfKeyByAll](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.allpurpose](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.backup](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.base](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.database](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.eksebs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.notify](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.secretsmanager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.ssm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | 
[aws_iam_policy_document.storage](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_roles.autoscaling](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source |
diff --git a/modules/security_identity_compliance/CustomerManagedKmsKeys/main.tf b/modules/security_identity_compliance/CustomerManagedKmsKeys/main.tf
index ed83aa9..7bcc9d1 100644
--- a/modules/security_identity_compliance/CustomerManagedKmsKeys/main.tf
+++ b/modules/security_identity_compliance/CustomerManagedKmsKeys/main.tf
@@ -22,7 +22,7 @@ resource "aws_kms_key" "allpurpose" {
 enable_key_rotation = var.enable_key_rotation
 rotation_period_in_days = var.rotation_period_in_days
 is_enabled = var.is_enabled
- policy = data.aws_iam_policy_document.UseOfKeyByAll.json
+ policy = data.aws_iam_policy_document.allpurpose.json
 deletion_window_in_days = var.deletion_window_in_days
 customer_master_key_spec = "SYMMETRIC_DEFAULT"
 key_usage = "ENCRYPT_DECRYPT"
@@ -79,7 +79,7 @@ resource "aws_kms_key" "secret" {
 enable_key_rotation = var.enable_key_rotation
 rotation_period_in_days = var.rotation_period_in_days
 is_enabled = var.is_enabled
- policy = data.aws_iam_policy_document.UseOfKeyByAll.json
+ policy = data.aws_iam_policy_document.secretsmanager.json
 deletion_window_in_days = var.deletion_window_in_days
 customer_master_key_spec = "SYMMETRIC_DEFAULT"
 key_usage = "ENCRYPT_DECRYPT"
@@ -197,6 +197,88 @@ resource "aws_kms_alias" "notify" { } # Policies +data "aws_iam_policy_document" "allpurpose" { + source_policy_documents = [data.aws_iam_policy_document.base.json] + statement { + sid = "Allow use by AWS services" + effect = "Allow" + principals { + identifiers = [ + "delivery.logs.amazonaws.com" # vpc flow log + ] + type = "Service" + } + actions = [ + "kms:Encrypt", + "kms:Decrypt", + "kms:ReEncrypt*", + "kms:GenerateDataKey*", + "kms:Describe*" + ] + resources = ["*"] + } + statement { + sid = "Allow use of key by aws services" + effect = "Allow" + principals { + identifiers = [data.aws_caller_identity.current.account_id] + type = "AWS" + } + actions = [ + "kms:Encrypt", + "kms:Decrypt", + "kms:ReEncrypt*", + "kms:GenerateDataKey*", + "kms:Describe*" + ] + resources = ["*"] + condition { + test = "StringLike" + values = [ + "*.*.amazonaws.com" + ] + variable = "kms:ViaService" + } + } + # this needs to be explicitly allowed for users and roles to be able to encrypt and decrypt data + statement { + sid = "Allow use of key by users and roles in same account" + effect = "Allow" + principals { + identifiers = [data.aws_caller_identity.current.account_id] + type = "AWS" + } + actions = [ + "kms:Encrypt", + "kms:Decrypt", + "kms:ReEncrypt*", + "kms:GenerateDataKey*", + "kms:Describe*" + ] + resources = ["*"] + } + + statement { + sid = "AllowAttachmentOfPersistentResources" + effect = "Allow" + principals { + identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"] + type = "AWS" + } + actions = [ + "kms:CreateGrant", + "kms:ListGrants", + "kms:RevokeGrant" + ] + resources = ["*"] + condition { + test = "Bool" + values = ["true"] + variable = "kms:GrantIsForAWSResource" + } + } +} + data "aws_iam_policy_document" "storage" { source_policy_documents = [data.aws_iam_policy_document.base.json] statement { 
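Review bot: The `delivery.logs.amazonaws.com` statement (sid "Allow use by AWS services") grants Encrypt, Decrypt and GenerateDataKey* on this key with no `aws:SourceAccount` / `aws:SourceArn` condition, so the log-delivery service principal can use the key for deliveries originating in any account — the confused-deputy guard AWS recommends for this principal is missing. Separately, the third statement ("Allow use of key by users and roles in same account") grants the same actions to the account root principal with no condition at all, which makes the `kms:ViaService = "*.*.amazonaws.com"` condition in the second statement dead: every IAM principal the account delegates key use to already gets Encrypt/Decrypt directly, so the new `allpurpose` policy is no narrower than the removed `UseOfKeyByAll`. If general in-account use is the intent, drop the ViaService statement; if only service-mediated use is intended, drop the unconditional one — keeping both only obscures what the key policy actually allows. `kms:Describe*` also widens the old `kms:DescribeKey` and nothing in the hunk needs the wildcard. The condition I would add to the service-principal statement is below (an additional `ArnLike` on `aws:SourceArn` scoped to `arn:aws:logs:*:<account>:*` would tighten it further if all deliveries are from CloudWatch Logs / VPC Flow Logs).
```hcl
  statement {
    sid    = "Allow use by AWS services"
    # … unchanged: effect, principals, actions, resources …
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
```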
@@ -331,6 +413,51 @@ data "aws_iam_policy_document" "database" { } } +data "aws_iam_policy_document" "secretsmanager" { + source_policy_documents = [data.aws_iam_policy_document.base.json] + + statement { + sid = "Allow use of key by aws services" + effect = "Allow" + principals { + identifiers = [data.aws_caller_identity.current.account_id] + type = "AWS" + } + actions = [ + "kms:Encrypt", + "kms:Decrypt", + "kms:ReEncrypt*", + "kms:GenerateDataKey*", + "kms:Describe*" + ] + resources = ["*"] + condition { + test = "StringLike" + values = [ + "secretsmanager.*.amazonaws.com" + ] + variable = "kms:ViaService" + } + } + # allow users in this account to encrypt and decrypt data + statement { + sid = "Allow use of key by users and roles in same account" + effect = "Allow" + principals { + identifiers = [data.aws_caller_identity.current.account_id] + type = "AWS" + } + actions = [ + "kms:Encrypt", + "kms:Decrypt", + "kms:ReEncrypt*", + "kms:GenerateDataKey*", + "kms:Describe*" + ] + resources = ["*"] + } +} + # create an ASG service linked role if not already exist data "aws_iam_roles" "autoscaling" { count = var.create_asg_role ? 0 : 1 
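Review bot: The second statement of `secretsmanager` ("Allow use of key by users and roles in same account") grants Encrypt/Decrypt/ReEncrypt*/GenerateDataKey* to the account root principal unconditionally, so the `kms:ViaService = "secretsmanager.*.amazonaws.com"` restriction in the first statement never constrains anything — any IAM principal the account delegates key use to can call `kms:Decrypt` on secret ciphertext directly, and the `secret` key ends up as broadly usable as it was under the removed `UseOfKeyByAll`. Calls made through Secrets Manager (GetSecretValue, PutSecretValue, rotation) carry `kms:ViaService`, so the first statement alone should be enough for principals that read and write secrets; I would delete the second statement, or limit it to the admin principals that `base` already names if direct use is genuinely required. Note also that this policy drops the `AllowAttachmentOfPersistentResources` grant statement the old policy carried for this key; that is likely harmless for Secrets Manager, which as far as I know does not rely on KMS grants, but it should be confirmed before the key is pointed at any other service. `data.aws_iam_policy_document.base` is outside the hunk, so its contribution to the merged policy (and any sid collisions with the two sids here) cannot be checked from this diff.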
@@ -495,51 +622,6 @@ data "aws_iam_policy_document" "backup" { } } -# allow all entities in this account to perform encryption and decryption -data "aws_iam_policy_document" "UseOfKeyByAll" { - source_policy_documents = [data.aws_iam_policy_document.base.json] - statement { - sid = "AllowUseOfKey" - effect = "Allow" - principals { - identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"] - type = "AWS" - } - actions = [ - "kms:Encrypt", - "kms:Decrypt", - "kms:ReEncrypt*", - "kms:GenerateDataKey*", - "kms:DescribeKey" - ] - resources = ["*"] - condition { - test = "StringEquals" - values = [data.aws_caller_identity.current.account_id] - variable = "aws:PrincipalAccount" - } - } - statement { - sid = "AllowAttachmentOfPersistentResources" - effect = "Allow" - principals { - identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"] - type = "AWS" - } - actions = [ - "kms:CreateGrant", - "kms:ListGrants", - "kms:RevokeGrant" - ] - resources = ["*"] - condition { - test = "Bool" - values = ["true"] - variable = "kms:GrantIsForAWSResource" - } - } -} - # base policies allowing full access to key admin and read access to all data "aws_iam_policy_document" "base" { source_policy_documents = [jsonencode(