Skip to content

Commit 282d0df

Browse files
KarthikeyannhsKarthikeyannhs
committed
kms encryption 🔐 for firehose & cleanup 🧹
1 parent abaee26 commit 282d0df

10 files changed

Lines changed: 228 additions & 148 deletions

File tree

infrastructure/modules/kinesis_firehose/kinesis_firehose_delivery_stream.tf

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -10,6 +10,8 @@ resource "aws_kinesis_firehose_delivery_stream" "eligibility_audit_firehose_deli
1010
buffering_interval = 60
1111
compression_format = "UNCOMPRESSED"
1212

13+
kms_key_arn = aws_kms_key.firehose_key.arn
14+
1315
cloudwatch_logging_options {
1416
enabled = true
1517
log_group_name = var.kinesis_cloud_watch_log_group_name

infrastructure/modules/kinesis_firehose/kms.tf

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,12 @@
1+
resource "aws_kms_key" "firehose_key" {
2+
description = "KMS key for Kinesis Firehose encryption"
3+
deletion_window_in_days = 7
4+
enable_key_rotation = true
5+
}
6+
7+
8+
resource "aws_kms_alias" "firehose_key_alias" {
9+
name = "alias/kinesis-firehose-${var.environment}"
10+
target_key_id = aws_kms_key.firehose_key.key_id
11+
}
12+

infrastructure/modules/kinesis_firehose/outputs.tf

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,11 @@
11
output "firehose_stream_name" {
22
value = aws_kinesis_firehose_delivery_stream.eligibility_audit_firehose_delivery_stream.name
33
}
4+
5+
output "kinesis_firehose_kms_key_arn" {
6+
value = aws_kms_key.firehose_key.arn
7+
}
8+
9+
output "kinesis_firehose_kms_key_id" {
10+
value = aws_kms_key.firehose_key.id
11+
}

infrastructure/stacks/api-layer/api_gateway.tf

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -46,9 +46,9 @@ resource "aws_api_gateway_deployment" "eligibility_signposting_api" {
4646
resource "aws_api_gateway_stage" "eligibility-signposting-api" {
4747
#checkov:skip=CKV2_AWS_51: mTLS is enforced at the custom domain, not at the stage level
4848
#checkov:skip=CKV_AWS_120: We're not enabling caching for this API Gateway, yet
49-
deployment_id = aws_api_gateway_deployment.eligibility_signposting_api.id
50-
rest_api_id = module.eligibility_signposting_api_gateway.rest_api_id
51-
stage_name = "${local.workspace}-eligibility-signposting-api-live"
49+
deployment_id = aws_api_gateway_deployment.eligibility_signposting_api.id
50+
rest_api_id = module.eligibility_signposting_api_gateway.rest_api_id
51+
stage_name = "${local.workspace}-eligibility-signposting-api-live"
5252
xray_tracing_enabled = true
5353

5454
access_log_settings {

infrastructure/stacks/api-layer/cloudwatch_metrics.tf

Lines changed: 116 additions & 116 deletions
Original file line numberDiff line numberDiff line change
@@ -1,120 +1,120 @@
11
locals {
2-
cloudtrail_custom_metrics = [
3-
{
4-
name = "UnauthorizedApiCalls"
5-
namespace = "security"
6-
filter = "{($.errorCode=\"*UnauthorizedOperation\") || ($.errorCode=\"AccessDenied*\")}"
7-
log_group_name = "NHSDAudit_trail_log_group"
8-
},
9-
{
10-
name = "ConsoleAuthenticationFailures"
11-
namespace = "security"
12-
filter = "{($.eventName=ConsoleLogin) && ($.errorMessage=\"Failed authentication\")}"
13-
log_group_name = "NHSDAudit_trail_log_group"
14-
},
15-
{
16-
name = "CloudTrailConfigChanges"
17-
namespace = "security"
18-
filter = "{($.eventName=CreateTrail) || ($.eventName=UpdateTrail) || ($.eventName=DeleteTrail) || ($.eventName=StartLogging) || ($.eventName=StopLogging)}"
19-
log_group_name = "NHSDAudit_trail_log_group"
20-
},
21-
{
22-
name = "VPCChanges"
23-
namespace = "security"
24-
filter = "{($.eventName=CreateVpc) || ($.eventName=DeleteVpc) || ($.eventName=ModifyVpcAttribute) || ($.eventName=AcceptVpcPeeringConnection) || ($.eventName=CreateVpcPeeringConnection) || ($.eventName=DeleteVpcPeeringConnection) || ($.eventName=RejectVpcPeeringConnection) || ($.eventName=AttachClassicLinkVpc) || ($.eventName=DetachClassicLinkVpc) || ($.eventName=DisableVpcClassicLink) || ($.eventName=EnableVpcClassicLink)}"
25-
log_group_name = "NHSDAudit_trail_log_group"
26-
},
27-
{
28-
name = "AWSConfigChanges"
29-
namespace = "security"
30-
filter = "{($.eventSource=config.amazonaws.com) && (($.eventName=StopConfigurationRecorder) || ($.eventName=DeleteDeliveryChannel) || ($.eventName=PutDeliveryChannel) || ($.eventName=PutConfigurationRecorder))}"
31-
log_group_name = "NHSDAudit_trail_log_group"
32-
},
33-
{
34-
name = "ModificationOfCMKs"
35-
namespace = "security"
36-
filter = "{($.eventSource=kms.amazonaws.com) && (($.eventName=DisableKey) || ($.eventName=ScheduleKeyDeletion))}"
37-
log_group_name = "NHSDAudit_trail_log_group"
38-
},
39-
{
40-
name = "UnsuccessfulSwitchRole"
41-
namespace = "security"
42-
filter = "{ ( $.eventName = SwitchRole && $.responseElements.SwitchRole = Failure ) }"
43-
log_group_name = "NHSDAudit_trail_log_group"
44-
},
45-
{
46-
name = "ConsoleLoginNoMFA"
47-
namespace = "security"
48-
filter = "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ($.userIdentity.type = \"IAMUser\") && ($.responseElements.ConsoleLogin = \"Success\") }"
49-
log_group_name = "NHSDAudit_trail_log_group"
50-
},
51-
{
52-
name = "RootAccountUsage"
53-
namespace = "security"
54-
filter = "{$.userIdentity.type=\"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType !=\"AwsServiceEvent\"}"
55-
log_group_name = "NHSDAudit_trail_log_group"
56-
},
57-
{
58-
name = "SecurityGroupChange"
59-
namespace = "security"
60-
filter = "{($.eventName=AuthorizeSecurityGroupIngress) || ($.eventName=AuthorizeSecurityGroupEgress) || ($.eventName=RevokeSecurityGroupIngress) || ($.eventName=RevokeSecurityGroupEgress) || ($.eventName=CreateSecurityGroup) || ($.eventName=DeleteSecurityGroup)}"
61-
log_group_name = "NHSDAudit_trail_log_group"
62-
},
63-
{
64-
name = "RouteTableChanges"
65-
namespace = "security"
66-
filter = "{($.eventSource=ec2.amazonaws.com) && (($.eventName=CreateRoute) || ($.eventName=CreateRouteTable) || ($.eventName=ReplaceRoute) || ($.eventName=ReplaceRouteTableAssociation) || ($.eventName=DeleteRouteTable) || ($.eventName=DeleteRoute) || ($.eventName=DisassociateRouteTable))}"
67-
log_group_name = "NHSDAudit_trail_log_group"
68-
},
69-
{
70-
name = "IAMPolicyChanges"
71-
namespace = "security"
72-
filter = "{($.eventSource=iam.amazonaws.com) && (($.eventName=DeleteGroupPolicy) || ($.eventName=DeleteRolePolicy) || ($.eventName=DeleteUserPolicy) || ($.eventName=PutGroupPolicy) || ($.eventName=PutRolePolicy) || ($.eventName=PutUserPolicy) || ($.eventName=CreatePolicy) || ($.eventName=DeletePolicy) || ($.eventName=CreatePolicyVersion) || ($.eventName=DeletePolicyVersion) || ($.eventName=AttachRolePolicy) || ($.eventName=DetachRolePolicy) || ($.eventName=AttachUserPolicy) || ($.eventName=DetachUserPolicy) || ($.eventName=AttachGroupPolicy) || ($.eventName=DetachGroupPolicy))}"
73-
log_group_name = "NHSDAudit_trail_log_group"
74-
},
75-
{
76-
name = "s3BucketPolicyChanges"
77-
namespace = "security"
78-
filter = "{($.eventSource=s3.amazonaws.com) && (($.eventName=PutBucketAcl) || ($.eventName=PutBucketPolicy) || ($.eventName=PutBucketCors) || ($.eventName=PutBucketLifecycle) || ($.eventName=PutBucketReplication) || ($.eventName=DeleteBucketPolicy) || ($.eventName=DeleteBucketCors) || ($.eventName=DeleteBucketLifecycle) || ($.eventName=DeleteBucketReplication))}"
79-
log_group_name = "NHSDAudit_trail_log_group"
80-
},
81-
{
82-
name = "ChangesToNetworkGateways"
83-
namespace = "security"
84-
filter = "{($.eventName=CreateCustomerGateway) || ($.eventName=DeleteCustomerGateway) || ($.eventName=AttachInternetGateway) || ($.eventName=CreateInternetGateway) || ($.eventName=DeleteInternetGateway) || ($.eventName=DetachInternetGateway)}"
85-
log_group_name = "NHSDAudit_trail_log_group"
86-
},
87-
{
88-
name = "ChangesToNACLs"
89-
namespace = "security"
90-
filter = "{($.eventName=CreateNetworkAcl) || ($.eventName=CreateNetworkAclEntry) || ($.eventName=DeleteNetworkAcl) || ($.eventName=DeleteNetworkAclEntry) || ($.eventName=ReplaceNetworkAclEntry) || ($.eventName=ReplaceNetworkAclAssociation)}"
91-
log_group_name = "NHSDAudit_trail_log_group"
92-
},
93-
{
94-
name = "KMSKeyPolicyChanges"
95-
namespace = "security"
96-
filter = "{($.eventSource=kms.amazonaws.com) && (($.eventName=PutKeyPolicy) || ($.eventName=DeleteKeyPolicy))}"
97-
log_group_name = "NHSDAudit_trail_log_group"
98-
},
99-
{
100-
name = "s3PublicAccessChanges"
101-
namespace = "security"
102-
filter = "{($.eventSource=s3.amazonaws.com) && (($.eventName=PutBucketAcl) || ($.eventName=PutObjectAcl))}"
103-
log_group_name = "NHSDAudit_trail_log_group"
104-
},
105-
{
106-
name = "CloudWatchAlarmChanges"
107-
namespace = "security"
108-
filter = "{($.eventSource=cloudwatch.amazonaws.com) && (($.eventName=PutMetricAlarm) || ($.eventName=DeleteAlarms) || ($.eventName=SetAlarmState))}"
109-
log_group_name = "NHSDAudit_trail_log_group"
110-
},
111-
{
112-
name = "LambdaFunctionChanges"
113-
namespace = "security"
114-
filter = "{($.eventSource=lambda.amazonaws.com) && (($.eventName=CreateFunction20150331) || ($.eventName=DeleteFunction20150331) || ($.eventName=UpdateFunctionCode20150331) || ($.eventName=UpdateFunctionConfiguration20150331))}"
115-
log_group_name = "NHSDAudit_trail_log_group"
116-
},
117-
]
2+
cloudtrail_custom_metrics = [
3+
{
4+
name = "UnauthorizedApiCalls"
5+
namespace = "security"
6+
filter = "{($.errorCode=\"*UnauthorizedOperation\") || ($.errorCode=\"AccessDenied*\")}"
7+
log_group_name = "NHSDAudit_trail_log_group"
8+
},
9+
{
10+
name = "ConsoleAuthenticationFailures"
11+
namespace = "security"
12+
filter = "{($.eventName=ConsoleLogin) && ($.errorMessage=\"Failed authentication\")}"
13+
log_group_name = "NHSDAudit_trail_log_group"
14+
},
15+
{
16+
name = "CloudTrailConfigChanges"
17+
namespace = "security"
18+
filter = "{($.eventName=CreateTrail) || ($.eventName=UpdateTrail) || ($.eventName=DeleteTrail) || ($.eventName=StartLogging) || ($.eventName=StopLogging)}"
19+
log_group_name = "NHSDAudit_trail_log_group"
20+
},
21+
{
22+
name = "VPCChanges"
23+
namespace = "security"
24+
filter = "{($.eventName=CreateVpc) || ($.eventName=DeleteVpc) || ($.eventName=ModifyVpcAttribute) || ($.eventName=AcceptVpcPeeringConnection) || ($.eventName=CreateVpcPeeringConnection) || ($.eventName=DeleteVpcPeeringConnection) || ($.eventName=RejectVpcPeeringConnection) || ($.eventName=AttachClassicLinkVpc) || ($.eventName=DetachClassicLinkVpc) || ($.eventName=DisableVpcClassicLink) || ($.eventName=EnableVpcClassicLink)}"
25+
log_group_name = "NHSDAudit_trail_log_group"
26+
},
27+
{
28+
name = "AWSConfigChanges"
29+
namespace = "security"
30+
filter = "{($.eventSource=config.amazonaws.com) && (($.eventName=StopConfigurationRecorder) || ($.eventName=DeleteDeliveryChannel) || ($.eventName=PutDeliveryChannel) || ($.eventName=PutConfigurationRecorder))}"
31+
log_group_name = "NHSDAudit_trail_log_group"
32+
},
33+
{
34+
name = "ModificationOfCMKs"
35+
namespace = "security"
36+
filter = "{($.eventSource=kms.amazonaws.com) && (($.eventName=DisableKey) || ($.eventName=ScheduleKeyDeletion))}"
37+
log_group_name = "NHSDAudit_trail_log_group"
38+
},
39+
{
40+
name = "UnsuccessfulSwitchRole"
41+
namespace = "security"
42+
filter = "{ ( $.eventName = SwitchRole && $.responseElements.SwitchRole = Failure ) }"
43+
log_group_name = "NHSDAudit_trail_log_group"
44+
},
45+
{
46+
name = "ConsoleLoginNoMFA"
47+
namespace = "security"
48+
filter = "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ($.userIdentity.type = \"IAMUser\") && ($.responseElements.ConsoleLogin = \"Success\") }"
49+
log_group_name = "NHSDAudit_trail_log_group"
50+
},
51+
{
52+
name = "RootAccountUsage"
53+
namespace = "security"
54+
filter = "{$.userIdentity.type=\"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType !=\"AwsServiceEvent\"}"
55+
log_group_name = "NHSDAudit_trail_log_group"
56+
},
57+
{
58+
name = "SecurityGroupChange"
59+
namespace = "security"
60+
filter = "{($.eventName=AuthorizeSecurityGroupIngress) || ($.eventName=AuthorizeSecurityGroupEgress) || ($.eventName=RevokeSecurityGroupIngress) || ($.eventName=RevokeSecurityGroupEgress) || ($.eventName=CreateSecurityGroup) || ($.eventName=DeleteSecurityGroup)}"
61+
log_group_name = "NHSDAudit_trail_log_group"
62+
},
63+
{
64+
name = "RouteTableChanges"
65+
namespace = "security"
66+
filter = "{($.eventSource=ec2.amazonaws.com) && (($.eventName=CreateRoute) || ($.eventName=CreateRouteTable) || ($.eventName=ReplaceRoute) || ($.eventName=ReplaceRouteTableAssociation) || ($.eventName=DeleteRouteTable) || ($.eventName=DeleteRoute) || ($.eventName=DisassociateRouteTable))}"
67+
log_group_name = "NHSDAudit_trail_log_group"
68+
},
69+
{
70+
name = "IAMPolicyChanges"
71+
namespace = "security"
72+
filter = "{($.eventSource=iam.amazonaws.com) && (($.eventName=DeleteGroupPolicy) || ($.eventName=DeleteRolePolicy) || ($.eventName=DeleteUserPolicy) || ($.eventName=PutGroupPolicy) || ($.eventName=PutRolePolicy) || ($.eventName=PutUserPolicy) || ($.eventName=CreatePolicy) || ($.eventName=DeletePolicy) || ($.eventName=CreatePolicyVersion) || ($.eventName=DeletePolicyVersion) || ($.eventName=AttachRolePolicy) || ($.eventName=DetachRolePolicy) || ($.eventName=AttachUserPolicy) || ($.eventName=DetachUserPolicy) || ($.eventName=AttachGroupPolicy) || ($.eventName=DetachGroupPolicy))}"
73+
log_group_name = "NHSDAudit_trail_log_group"
74+
},
75+
{
76+
name = "s3BucketPolicyChanges"
77+
namespace = "security"
78+
filter = "{($.eventSource=s3.amazonaws.com) && (($.eventName=PutBucketAcl) || ($.eventName=PutBucketPolicy) || ($.eventName=PutBucketCors) || ($.eventName=PutBucketLifecycle) || ($.eventName=PutBucketReplication) || ($.eventName=DeleteBucketPolicy) || ($.eventName=DeleteBucketCors) || ($.eventName=DeleteBucketLifecycle) || ($.eventName=DeleteBucketReplication))}"
79+
log_group_name = "NHSDAudit_trail_log_group"
80+
},
81+
{
82+
name = "ChangesToNetworkGateways"
83+
namespace = "security"
84+
filter = "{($.eventName=CreateCustomerGateway) || ($.eventName=DeleteCustomerGateway) || ($.eventName=AttachInternetGateway) || ($.eventName=CreateInternetGateway) || ($.eventName=DeleteInternetGateway) || ($.eventName=DetachInternetGateway)}"
85+
log_group_name = "NHSDAudit_trail_log_group"
86+
},
87+
{
88+
name = "ChangesToNACLs"
89+
namespace = "security"
90+
filter = "{($.eventName=CreateNetworkAcl) || ($.eventName=CreateNetworkAclEntry) || ($.eventName=DeleteNetworkAcl) || ($.eventName=DeleteNetworkAclEntry) || ($.eventName=ReplaceNetworkAclEntry) || ($.eventName=ReplaceNetworkAclAssociation)}"
91+
log_group_name = "NHSDAudit_trail_log_group"
92+
},
93+
{
94+
name = "KMSKeyPolicyChanges"
95+
namespace = "security"
96+
filter = "{($.eventSource=kms.amazonaws.com) && (($.eventName=PutKeyPolicy) || ($.eventName=DeleteKeyPolicy))}"
97+
log_group_name = "NHSDAudit_trail_log_group"
98+
},
99+
{
100+
name = "s3PublicAccessChanges"
101+
namespace = "security"
102+
filter = "{($.eventSource=s3.amazonaws.com) && (($.eventName=PutBucketAcl) || ($.eventName=PutObjectAcl))}"
103+
log_group_name = "NHSDAudit_trail_log_group"
104+
},
105+
{
106+
name = "CloudWatchAlarmChanges"
107+
namespace = "security"
108+
filter = "{($.eventSource=cloudwatch.amazonaws.com) && (($.eventName=PutMetricAlarm) || ($.eventName=DeleteAlarms) || ($.eventName=SetAlarmState))}"
109+
log_group_name = "NHSDAudit_trail_log_group"
110+
},
111+
{
112+
name = "LambdaFunctionChanges"
113+
namespace = "security"
114+
filter = "{($.eventSource=lambda.amazonaws.com) && (($.eventName=CreateFunction20150331) || ($.eventName=DeleteFunction20150331) || ($.eventName=UpdateFunctionCode20150331) || ($.eventName=UpdateFunctionConfiguration20150331))}"
115+
log_group_name = "NHSDAudit_trail_log_group"
116+
},
117+
]
118118
}
119119

120120
resource "aws_cloudwatch_log_metric_filter" "cloudtrail_custom_metrics" {

infrastructure/stacks/api-layer/data.tf

Lines changed: 6 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -1,10 +1,10 @@
11
data "aws_caller_identity" "current" {}
22

33
data "aws_acm_certificate" "imported_cert" {
4-
domain = "${var.environment}.${local.api_domain_name}"
5-
types = ["IMPORTED"]
6-
provider = aws.eu-west-2
7-
key_types = ["RSA_4096"]
4+
domain = "${var.environment}.${local.api_domain_name}"
5+
types = ["IMPORTED"]
6+
provider = aws.eu-west-2
7+
key_types = ["RSA_4096"]
88
}
99

1010
data "aws_acm_certificate" "validation_cert" {
@@ -20,11 +20,11 @@ data "aws_kms_alias" "networking_ssm_key" {
2020
}
2121

2222
data "aws_ssm_parameter" "mtls_api_client_cert" {
23-
name = "/${var.environment}/mtls/api_client_cert"
23+
name = "/${var.environment}/mtls/api_client_cert"
2424
with_decryption = true
2525
}
2626

2727
data "aws_ssm_parameter" "mtls_api_ca_cert" {
28-
name = "/${var.environment}/mtls/api_ca_cert"
28+
name = "/${var.environment}/mtls/api_ca_cert"
2929
with_decryption = true
3030
}

infrastructure/stacks/api-layer/iam_policies.tf

Lines changed: 61 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -65,8 +65,8 @@ resource "aws_iam_role_policy" "kinesis_firehose_s3_write_policy" {
6565

6666
# Policy doc for firehose logging
6767
resource "aws_iam_role_policy" "kinesis_firehose_logs_policy" {
68-
name = "CloudWatchLogsAccess"
69-
role = aws_iam_role.eligibility_audit_firehose_role.id
68+
name = "CloudWatchLogsAccess"
69+
role = aws_iam_role.eligibility_audit_firehose_role.id
7070

7171
policy = jsonencode({
7272
Version = "2012-10-17",
@@ -210,7 +210,7 @@ data "aws_iam_policy_document" "s3_audit_kms_key_policy" {
210210
type = "AWS"
211211
identifiers = [aws_iam_role.eligibility_lambda_role.arn, aws_iam_role.eligibility_audit_firehose_role.arn]
212212
}
213-
actions = [
213+
actions = [
214214
"kms:Decrypt",
215215
"kms:Encrypt",
216216
"kms:GenerateDataKey",
@@ -244,3 +244,61 @@ resource "aws_iam_role_policy" "lambda_firehose_policy" {
244244
role = aws_iam_role.eligibility_lambda_role.id
245245
policy = data.aws_iam_policy_document.lambda_firehose_write_policy.json
246246
}
247+
248+
249+
data "aws_iam_policy_document" "firehose_kms_key_policy" {
250+
statement {
251+
sid = "EnableRootUserPermissions"
252+
effect = "Allow"
253+
254+
principals {
255+
type = "AWS"
256+
identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
257+
}
258+
259+
actions = ["kms:*"]
260+
resources = ["*"]
261+
}
262+
263+
# Your existing statements below...
264+
statement {
265+
sid = "AllowFirehoseAccess"
266+
effect = "Allow"
267+
principals {
268+
type = "Service"
269+
identifiers = ["firehose.amazonaws.com"]
270+
}
271+
actions = [
272+
"kms:Encrypt",
273+
"kms:Decrypt",
274+
"kms:GenerateDataKey*",
275+
"kms:DescribeKey"
276+
]
277+
resources = [module.eligibility_audit_firehose_delivery_stream.kinesis_firehose_kms_key_arn]
278+
}
279+
280+
statement {
281+
sid = "AllowFirehoseRoleUsage"
282+
effect = "Allow"
283+
principals {
284+
type = "AWS"
285+
identifiers = [aws_iam_role.eligibility_audit_firehose_role.arn]
286+
}
287+
actions = [
288+
"kms:Encrypt",
289+
"kms:Decrypt",
290+
"kms:GenerateDataKey*",
291+
"kms:DescribeKey"
292+
]
293+
resources = [module.eligibility_audit_firehose_delivery_stream.kinesis_firehose_kms_key_arn]
294+
}
295+
}
296+
297+
resource "aws_kms_key_policy" "firehose_key_policy" {
298+
key_id = module.eligibility_audit_firehose_delivery_stream.kinesis_firehose_kms_key_id
299+
policy = data.aws_iam_policy_document.firehose_kms_key_policy.json
300+
}
301+
302+
303+
304+

0 commit comments

Comments
 (0)