diff --git a/modules/security_identity_compliance/CustomerManagedKmsKeys/main.tf b/modules/security_identity_compliance/CustomerManagedKmsKeys/main.tf
index b143f3e..8f60ed5 100644
--- a/modules/security_identity_compliance/CustomerManagedKmsKeys/main.tf
+++ b/modules/security_identity_compliance/CustomerManagedKmsKeys/main.tf
@@ -60,11 +60,11 @@ resource "aws_kms_key" "eks_ebs" {
 resource "aws_kms_key" "database" {
 count = var.create-database-key ? 1 : 0
- description = "Customer-managed KMS key for encrypting cloud databases such as RDS and Elasticache"
+ description = "Customer-managed KMS key for encrypting cloud databases such as RDS, Elasticache, DynamoDB"
 enable_key_rotation = var.enable_key_rotation
 rotation_period_in_days = var.rotation_period_in_days
 is_enabled = var.is_enabled
- policy = data.aws_iam_policy_document.rds.json
+ policy = data.aws_iam_policy_document.database.json
 deletion_window_in_days = var.deletion_window_in_days
 customer_master_key_spec = "SYMMETRIC_DEFAULT"
 key_usage = "ENCRYPT_DECRYPT"
@@ -266,7 +266,7 @@ data "aws_iam_policy_document" "storage" {
 }
 }
-data "aws_iam_policy_document" "rds" {
+data "aws_iam_policy_document" "database" {
 source_policy_documents = [data.aws_iam_policy_document.base.json]
 statement {
 sid = "Allow use by AWS services"
@@ -280,7 +280,8 @@ data "aws_iam_policy_document" "rds" {
 "kms:Decrypt",
 "kms:ReEncrypt*",
 "kms:GenerateDataKey*",
- "kms:Describe*"
+ "kms:Describe*",
+ "kms:CreateGrant"
 ]
 resources = ["*"]
 condition {
@@ -288,7 +289,8 @@ data "aws_iam_policy_document" "rds" {
 values = [
 "rds.*.amazonaws.com",
 "elasticache.*.amazonaws.com",
- "dax.*.amazonaws.com"
+ "dax.*.amazonaws.com",
+ "dynamodb.*.amazonaws.com"
 ]
 variable = "kms:ViaService"
 }
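Review bot: `kms:CreateGrant` is added to the shared "Allow use by AWS services" statement in the `@@ -280` hunk without the `kms:GrantIsForAWSResource` guard, so any principal of that statement can create grants on the key through the listed service endpoints, not only grants AWS creates on the principal's behalf. That condition cannot simply be appended to this statement, because the key is absent on Encrypt/Decrypt requests and a `Bool` test would then deny them; `kms:CreateGrant` belongs in its own statement carrying both the `kms:ViaService` and `kms:GrantIsForAWSResource` conditions. The statement's `principals` block and the condition's `test` line lie outside the hunk, and the `data "aws_iam_policy_document" "database"` body continues past it, so reuse whatever principals the existing statement declares. Also note the rename from `rds` to `database` — any reference to `data.aws_iam_policy_document.rds` elsewhere in the module (outputs, other keys) would now fail to plan, which is not visible here.

```hcl
data "aws_iam_policy_document" "database" {
  # … unchanged: source_policy_documents and the "Allow use by AWS services" statement, with "kms:CreateGrant" removed from its actions …
  statement {
    sid       = "Allow grants for AWS resources via database services"
    actions   = ["kms:CreateGrant"]
    resources = ["*"]
    # … principals: same block as the "Allow use by AWS services" statement (outside the hunk) …
    condition {
      test     = "StringLike"
      variable = "kms:ViaService"
      values   = ["rds.*.amazonaws.com", "elasticache.*.amazonaws.com", "dax.*.amazonaws.com", "dynamodb.*.amazonaws.com"]
    }
    condition {
      test     = "Bool"
      variable = "kms:GrantIsForAWSResource"
      values   = ["true"]
    }
  }
}
```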