-
Notifications
You must be signed in to change notification settings - Fork 1
/
kms.tf
68 lines (62 loc) · 1.85 KB
/
kms.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
resource "aws_kms_key" "nfw_key" {
provider = aws.mgmt
description = "AWS Secrets Manager key for ${var.resource_prefix}"
policy = data.aws_iam_policy_document.nfw_kms_policy.json
enable_key_rotation = true
}
resource "aws_kms_alias" "nfw_alias" {
provider = aws.mgmt
name = "alias/${var.resource_prefix}-secrets-manager"
target_key_id = aws_kms_key.nfw_key.key_id
}
data "aws_iam_policy_document" "nfw_kms_policy" {
provider = aws.mgmt
#checkov:skip=CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
#checkov:skip=CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
# https://docs.aws.amazon.com/network-firewall/latest/developerguide/kms-encryption-at-rest.html
statement {
sid = "Enable IAM User Permissions"
effect = "Allow"
actions = ["kms:*"]
principals {
identifiers = ["arn:${local.partition}:iam::${local.account_id}:root"]
type = "AWS"
}
resources = ["*"]
}
statement {
sid = "Allow use of the key"
effect = "Allow"
actions = [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
]
principals {
identifiers = ["arn:${local.partition}:iam::${local.account_id}:root"]
type = "AWS"
}
resources = ["*"]
}
statement {
sid = "Allow attachment of persistent resources"
effect = "Allow"
actions = [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
]
principals {
identifiers = ["arn:${local.partition}:iam::${local.account_id}:root"]
type = "AWS"
}
resources = ["*"]
condition {
test = "Bool"
variable = "kms:GrantIsForAWSResource"
values = [true]
}
}
}