From fa2c0782362a28ffd67b47cd3c0c5a3c98e3f74d Mon Sep 17 00:00:00 2001
From: Anton Belodedenko <2033996+ab77@users.noreply.github.com>
Date: Tue, 20 Feb 2024 15:06:28 -0800
Subject: [PATCH] allow CloudFront logging to access KMS key

CloudFront doesn't appear to (currently) set SSE/KMS parameters on its access log write requests to S3, so a deny policy prevents logs from being written, even though encryption would happen regardless.
---
 security/kms-key.yaml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/security/kms-key.yaml b/security/kms-key.yaml
index c7ced7dfe..f9e48a8e8 100644
--- a/security/kms-key.yaml
+++ b/security/kms-key.yaml
@@ -62,6 +62,7 @@ Parameters:
     - workspaces
     - dnssec-route53 # Deprecated since v13. Will be removed in v15. Use ROUTE53_DNSSEC instead.
     - cloudtrail
+    - cloudfront-logs
     Default: ALL_SERVICES
   KeySpec:
     Description: 'Specify the type of the CMK.'
@@ -89,6 +90,7 @@ Conditions:
   HasServiceS3PublicAccess: !Equals [!Ref Service, 'S3_PUBLIC_ACCESS']
   HasServiceRoute53Dnssec: !Or [!Equals [!Ref Service, 'ROUTE53_DNSSEC'], !Equals [!Ref Service, 'dnssec-route53']]
   HasServiceCloudFront: !Equals [!Ref Service, 'CLOUDFRONT']
+  HasServiceCloudFrontLogs: !Equals [!Ref Service, 'cloudfront-logs']
   HasServiceCloudTrail: !Equals [!Ref Service, 'CLOUDTRAIL']
   HasService: !Not [!Or [!Condition HasServiceAllServices, !Condition HasServiceS3PublicAccess, !Condition HasServiceRoute53Dnssec, !Condition HasServiceCloudFront, !Condition HasServiceCloudTrail]]
   HasSymmetricKey: !Equals [!Ref KeySpec, 'SYMMETRIC_DEFAULT']
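Review bot: `HasService`, on the line right after the new `HasServiceCloudFrontLogs` condition, still excludes only the four existing service-specific conditions, so with `Service: cloudfront-logs` both `HasService` and `HasServiceCloudFrontLogs` evaluate true and whatever generic statement `HasService` gates (it lives outside this hunk) is emitted in addition to the new log-delivery statement. The `CLOUDFRONT` and `CLOUDTRAIL` entries are kept out of that `!Or`, and the new one should be too: `HasService: !Not [!Or [!Condition HasServiceAllServices, !Condition HasServiceS3PublicAccess, !Condition HasServiceRoute53Dnssec, !Condition HasServiceCloudFront, !Condition HasServiceCloudFrontLogs, !Condition HasServiceCloudTrail]]`. The value name also breaks the convention visible here, where principal-specific services are upper-case (`CLOUDFRONT`, `CLOUDTRAIL`, `ROUTE53_DNSSEC`) and lower-case entries such as `cloudtrail` appear to be the generic form; `CLOUDFRONT_LOGS` would signal the distinction, though renaming later would presumably need a deprecation alias like the one `dnssec-route53` carries.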
@@ -205,6 +207,16 @@ Resources:
               StringLike:
                 'aws:SourceArn': !Sub 'arn:aws:cloudfront::${AWS::AccountId}:distribution/*'
           - !Ref 'AWS::NoValue'
+        - !If
+          - HasServiceCloudFrontLogs
+          - Effect: Allow # https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html#AccessLogsKMSPermissions
+            Principal:
+              Service: 'delivery.logs.amazonaws.com'
+            Action:
+            - 'kms:GenerateDataKey*'
+            - 'kms:Decrypt'
+            Resource: '*'
+          - !Ref 'AWS::NoValue'
   KeyAlias:
     DeletionPolicy: Retain
     UpdateReplacePolicy: Retain
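Review bot: The new `delivery.logs.amazonaws.com` statement carries no `Condition`, so the log-delivery service principal can call `kms:GenerateDataKey*` and `kms:Decrypt` with this key on behalf of any AWS account that routes logs through it, not just this one — the classic confused-deputy gap, and a step back from the sibling CloudFront statement just above, which pins `aws:SourceArn` to this account's distributions. At minimum scope it to the owning account with `Condition:` / `StringEquals:` / `'aws:SourceAccount': !Ref 'AWS::AccountId'` under the new statement. Whether the delivery service also passes an `aws:SourceArn` for legacy standard logs is not established by anything in this hunk; the linked AccessLogs page should be checked before tightening further to an ARN pattern, and the chosen scope noted in the comment that currently holds only the URL.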