feat: updated key policy for database

modules/security_identity_compliance/CustomerManagedKmsKeys/main.tf

@@ -60,11 +60,11 @@ resource "aws_kms_key" "eks_ebs" {
 
 resource "aws_kms_key" "database" {
   count                              = var.create-database-key ? 1 : 0
-  description                        = "Customer-managed KMS key for encrypting cloud databases such as RDS and Elasticache"
+  description                        = "Customer-managed KMS key for encrypting cloud databases such as RDS, Elasticache, DynamoDB"
   enable_key_rotation                = var.enable_key_rotation
   rotation_period_in_days            = var.rotation_period_in_days
   is_enabled                         = var.is_enabled
-  policy                             = data.aws_iam_policy_document.rds.json
+  policy                             = data.aws_iam_policy_document.database.json
   deletion_window_in_days            = var.deletion_window_in_days
   customer_master_key_spec           = "SYMMETRIC_DEFAULT"
   key_usage                          = "ENCRYPT_DECRYPT"
@@ -266,7 +266,7 @@ data "aws_iam_policy_document" "storage" {
   }
 }
 
-data "aws_iam_policy_document" "rds" {
+data "aws_iam_policy_document" "database" {
   source_policy_documents = [data.aws_iam_policy_document.base.json]
   statement {
     sid    = "Allow use by AWS services"
@@ -280,7 +280,8 @@ data "aws_iam_policy_document" "rds" {
       "kms:Decrypt",
       "kms:ReEncrypt*",
       "kms:GenerateDataKey*",
-      "kms:Describe*"
+      "kms:Describe*",
+      "kms:CreateGrant"
     ]
     resources = ["*"]
     condition {
@@ -288,7 +289,8 @@ data "aws_iam_policy_document" "rds" {
       values = [
         "rds.*.amazonaws.com",
         "elasticache.*.amazonaws.com",
-        "dax.*.amazonaws.com"
+        "dax.*.amazonaws.com",
+        "dynamodb.*.amazonaws.com"
       ]
       variable = "kms:ViaService"
     }