From 89069b105b315ed6923607a3ac23b159d1afe3d7e5a87dec1574c5e2d57e949f Mon Sep 17 00:00:00 2001
From: xpk
Date: Wed, 25 Feb 2026 13:23:14 +0800
Subject: [PATCH] feat: updated cmk policies with regards to key grants
---
 .../CustomerManagedKmsKeys/main.tf | 40 +++++++++++++++++++
 1 file changed, 40 insertions(+)
diff --git a/modules/security_identity_compliance/CustomerManagedKmsKeys/main.tf b/modules/security_identity_compliance/CustomerManagedKmsKeys/main.tf
index a3fe6a5..c84ca21 100644
--- a/modules/security_identity_compliance/CustomerManagedKmsKeys/main.tf
+++ b/modules/security_identity_compliance/CustomerManagedKmsKeys/main.tf
@@ -236,6 +236,26 @@ data "aws_iam_policy_document" "storage" {
 ]
 resources = ["*"]
 }
+
+ statement {
+ sid = "AllowAttachmentOfPersistentResources"
+ effect = "Allow"
+ principals {
+ identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+ type = "AWS"
+ }
+ actions = [
+ "kms:CreateGrant",
+ "kms:ListGrants",
+ "kms:RevokeGrant"
+ ]
+ resources = ["*"]
+ condition {
+ test = "Bool"
+ values = ["true"]
+ variable = "kms:GrantIsForAWSResource"
+ }
+ }
 }
 
 data "aws_iam_policy_document" "rds" {
@@ -265,6 +285,26 @@ data "aws_iam_policy_document" "rds" {
 variable = "kms:ViaService"
 }
 }
+
+ statement {
+ sid = "AllowAttachmentOfPersistentResources"
+ effect = "Allow"
+ principals {
+ identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+ type = "AWS"
+ }
+ actions = [
+ "kms:CreateGrant",
+ "kms:ListGrants",
+ "kms:RevokeGrant"
+ ]
+ resources = ["*"]
+ condition {
+ test = "Bool"
+ values = ["true"]
+ variable = "kms:GrantIsForAWSResource"
+ }
+ }
 }
 
 data "aws_iam_role" "asg-service-linked-role" {
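Review bot: The new statement in the `storage` document (whose `data` block begins before this hunk) grants `kms:CreateGrant`/`kms:ListGrants`/`kms:RevokeGrant` to the account `:root` principal, which in a key policy delegates those actions to every IAM principal in the account whose identity policy allows them; the `kms:GrantIsForAWSResource = true` condition is the only thing keeping this from being a general grant-creation right, so the statement should say so, e.g. `# Only grants created by AWS services for integrated resources (encrypted volumes, snapshots, DB instances); the condition blocks direct user-created grants on this key`. If the intent is specifically to let Auto Scaling attach encrypted EBS volumes, the service-linked role already looked up in `data "aws_iam_role" "asg-service-linked-role"` just below would be a narrower principal than `:root`, though which services actually need grants here is not visible in the hunk. The same statement is pasted verbatim into the `rds` document in the next hunk; a single shared `aws_iam_policy_document` merged into both via `source_policy_documents` would keep the two from drifting. Confirm that neither document already contains a statement with sid `AllowAttachmentOfPersistentResources`, since sids must be unique within a policy and the rest of each document is outside this view.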