feat: updated key policy for secretsmanager

modules/security_identity_compliance/CustomerManagedKmsKeys/README.md

@@ -47,13 +47,14 @@ No modules.
 | [aws_kms_key.secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
 | [aws_kms_key.storage](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
-| [aws_iam_policy_document.UseOfKeyByAll](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.allpurpose](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.backup](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.base](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.database](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.eksebs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.notify](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.secretsmanager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.ssm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.storage](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_roles.autoscaling](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source |

modules/security_identity_compliance/CustomerManagedKmsKeys/main.tf

@@ -22,7 +22,7 @@ resource "aws_kms_key" "allpurpose" {
   enable_key_rotation                = var.enable_key_rotation
   rotation_period_in_days            = var.rotation_period_in_days
   is_enabled                         = var.is_enabled
-  policy                             = data.aws_iam_policy_document.UseOfKeyByAll.json
+  policy                             = data.aws_iam_policy_document.allpurpose.json
   deletion_window_in_days            = var.deletion_window_in_days
   customer_master_key_spec           = "SYMMETRIC_DEFAULT"
   key_usage                          = "ENCRYPT_DECRYPT"
@@ -79,7 +79,7 @@ resource "aws_kms_key" "secret" {
   enable_key_rotation                = var.enable_key_rotation
   rotation_period_in_days            = var.rotation_period_in_days
   is_enabled                         = var.is_enabled
-  policy                             = data.aws_iam_policy_document.UseOfKeyByAll.json
+  policy                             = data.aws_iam_policy_document.secretsmanager.json
   deletion_window_in_days            = var.deletion_window_in_days
   customer_master_key_spec           = "SYMMETRIC_DEFAULT"
   key_usage                          = "ENCRYPT_DECRYPT"
@@ -197,6 +197,88 @@ resource "aws_kms_alias" "notify" {
 }
 
 # Policies
+data "aws_iam_policy_document" "allpurpose" {
+  source_policy_documents = [data.aws_iam_policy_document.base.json]
+  statement {
+    sid    = "Allow use by AWS services"
+    effect = "Allow"
+    principals {
+      identifiers = [
+        "delivery.logs.amazonaws.com" # vpc flow log
+      ]
+      type = "Service"
+    }
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:Describe*"
+    ]
+    resources = ["*"]
+  }
+  statement {
+    sid    = "Allow use of key by aws services"
+    effect = "Allow"
+    principals {
+      identifiers = [data.aws_caller_identity.current.account_id]
+      type        = "AWS"
+    }
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:Describe*"
+    ]
+    resources = ["*"]
+    condition {
+      test = "StringLike"
+      values = [
+        "*.*.amazonaws.com"
+      ]
+      variable = "kms:ViaService"
+    }
+  }
+  # this needs to be explicitly allowed for users and roles to be able to encrypt and decrypt data
+  statement {
+    sid    = "Allow use of key by users and roles in same account"
+    effect = "Allow"
+    principals {
+      identifiers = [data.aws_caller_identity.current.account_id]
+      type        = "AWS"
+    }
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:Describe*"
+    ]
+    resources = ["*"]
+  }
+
+  statement {
+    sid    = "AllowAttachmentOfPersistentResources"
+    effect = "Allow"
+    principals {
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+      type        = "AWS"
+    }
+    actions = [
+      "kms:CreateGrant",
+      "kms:ListGrants",
+      "kms:RevokeGrant"
+    ]
+    resources = ["*"]
+    condition {
+      test     = "Bool"
+      values   = ["true"]
+      variable = "kms:GrantIsForAWSResource"
+    }
+  }
+}
+
 data "aws_iam_policy_document" "storage" {
   source_policy_documents = [data.aws_iam_policy_document.base.json]
   statement {
@@ -331,6 +413,51 @@ data "aws_iam_policy_document" "database" {
   }
 }
 
+data "aws_iam_policy_document" "secretsmanager" {
+  source_policy_documents = [data.aws_iam_policy_document.base.json]
+
+  statement {
+    sid    = "Allow use of key by aws services"
+    effect = "Allow"
+    principals {
+      identifiers = [data.aws_caller_identity.current.account_id]
+      type        = "AWS"
+    }
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:Describe*"
+    ]
+    resources = ["*"]
+    condition {
+      test = "StringLike"
+      values = [
+        "secretsmanager.*.amazonaws.com"
+      ]
+      variable = "kms:ViaService"
+    }
+  }
+  # allow users in this account to encrypt and decrypt data
+  statement {
+    sid    = "Allow use of key by users and roles in same account"
+    effect = "Allow"
+    principals {
+      identifiers = [data.aws_caller_identity.current.account_id]
+      type        = "AWS"
+    }
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:Describe*"
+    ]
+    resources = ["*"]
+  }
+}
+
 # create an ASG service linked role if not already exist
 data "aws_iam_roles" "autoscaling" {
   count      = var.create_asg_role ? 0 : 1
@@ -495,51 +622,6 @@ data "aws_iam_policy_document" "backup" {
   }
 }
 
-# allow all entities in this account to perform encryption and decryption
-data "aws_iam_policy_document" "UseOfKeyByAll" {
-  source_policy_documents = [data.aws_iam_policy_document.base.json]
-  statement {
-    sid    = "AllowUseOfKey"
-    effect = "Allow"
-    principals {
-      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
-      type        = "AWS"
-    }
-    actions = [
-      "kms:Encrypt",
-      "kms:Decrypt",
-      "kms:ReEncrypt*",
-      "kms:GenerateDataKey*",
-      "kms:DescribeKey"
-    ]
-    resources = ["*"]
-    condition {
-      test     = "StringEquals"
-      values   = [data.aws_caller_identity.current.account_id]
-      variable = "aws:PrincipalAccount"
-    }
-  }
-  statement {
-    sid    = "AllowAttachmentOfPersistentResources"
-    effect = "Allow"
-    principals {
-      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
-      type        = "AWS"
-    }
-    actions = [
-      "kms:CreateGrant",
-      "kms:ListGrants",
-      "kms:RevokeGrant"
-    ]
-    resources = ["*"]
-    condition {
-      test     = "Bool"
-      values   = ["true"]
-      variable = "kms:GrantIsForAWSResource"
-    }
-  }
-}
-
 # base policies allowing full access to key admin and read access to all
 data "aws_iam_policy_document" "base" {
   source_policy_documents = [jsonencode(