eli-285 and 349 adding kms for sns, checkov skip for disabled alarms

eddalmond1 · eddalmond1 · commit 1ad50a965cd7 · 2025-08-05T17:08:11.000+01:00
diff --git a/infrastructure/stacks/api-layer/cloudwatch_alarms.tf b/infrastructure/stacks/api-layer/cloudwatch_alarms.tf
@@ -299,15 +299,30 @@ locals {
 resource "aws_sns_topic" "cloudwatch_alarms" {
   name = "cloudwatch-security-alarms"
 
+  kms_master_key_id = aws_kms_key.sns_encryption_key.id
+
   tags = {
     Environment = var.environment
     Purpose     = "security-alerting"
     ManagedBy   = "terraform"
   }
 }
 
+resource "aws_kms_key" "sns_encryption_key" {
+  description             = "KMS key for encrypting CloudWatch alarms SNS topic"
+  deletion_window_in_days = 7
+
+  tags = {
+    Name        = "cloudwatch-alarms-sns-encryption-key"
+    Environment = var.environment
+    Purpose     = "sns-encryption"
+    ManagedBy   = "terraform"
+  }
+}
+
 # Security Alarms (CloudTrail-based)
 resource "aws_cloudwatch_metric_alarm" "cloudtrail_custom_metric_alarms" {
+  # checkov:skip=CKV_AWS_319: Disabling some alarms until service is live
   for_each = local.cloudwatch_alarm_config
 
   alarm_name          = "SecurityAlert-${each.key}"
@@ -337,6 +352,7 @@ resource "aws_cloudwatch_metric_alarm" "cloudtrail_custom_metric_alarms" {
 
 # API Gateway CloudWatch Alarms
 resource "aws_cloudwatch_metric_alarm" "api_gateway_alarms" {
+  # checkov:skip=CKV_AWS_319: Disabling some alarms until service is live
   for_each = local.api_gateway_alarm_config
 
   alarm_name          = "APIGateway-${each.key}"
diff --git a/infrastructure/stacks/api-layer/iam_policies.tf b/infrastructure/stacks/api-layer/iam_policies.tf
@@ -358,3 +358,52 @@ resource "aws_iam_role_policy" "lambda_xray_tracing_policy" {
   role   = aws_iam_role.eligibility_lambda_role.id
   policy = data.aws_iam_policy_document.lambda_xray_tracing_permissions_policy.json
 }
+
+# KMS Key Policy for SNS encryption
+resource "aws_kms_key_policy" "sns_encryption_key_policy" {
+  key_id = aws_kms_key.sns_encryption_key.id
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid    = "EnableIAMRootPermissions"
+        Effect = "Allow"
+        Principal = {
+          AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
+        }
+        Action   = "kms:*"
+        Resource = "*"
+      },
+      {
+        Sid    = "AllowCloudWatchAlarmsAccess"
+        Effect = "Allow"
+        Principal = {
+          Service = "cloudwatch.amazonaws.com"
+        }
+        Action = [
+          "kms:Encrypt",
+          "kms:Decrypt",
+          "kms:ReEncrypt*",
+          "kms:GenerateDataKey*",
+          "kms:DescribeKey"
+        ]
+        Resource = "*"
+      },
+      {
+        Sid    = "AllowSNSServiceAccess"
+        Effect = "Allow"
+        Principal = {
+          Service = "sns.amazonaws.com"
+        }
+        Action = [
+          "kms:Encrypt",
+          "kms:Decrypt",
+          "kms:ReEncrypt*",
+          "kms:GenerateDataKey*",
+          "kms:DescribeKey"
+        ]
+        Resource = "*"
+      }
+    ]
+  })
+}
