Merge pull request #176 from NHSDigital/bugfix/eja-eli-306-adding-kms-decrypt-for-lambda-rules-bucket

eddalmond1 · web-flow · commit a4c380fa79ac · 2025-06-20T10:34:30.000+01:00
Bugfix/eja eli 306 adding kms decrypt for lambda rules bucket
diff --git a/infrastructure/stacks/api-layer/iam_policies.tf b/infrastructure/stacks/api-layer/iam_policies.tf
@@ -127,7 +127,10 @@ resource "aws_iam_role_policy" "external_s3_write_policy" {
 }
 
 ## KMS
-data "aws_iam_policy_document" "kms_key_policy" {
+data "aws_iam_policy_document" "dynamodb_kms_key_policy" {
+  #checkov:skip=CKV_AWS_111: Root user needs full KMS key management
+  #checkov:skip=CKV_AWS_356: Root user needs full KMS key management
+  #checkov:skip=CKV_AWS_109: Root user needs full KMS key management
   statement {
     sid    = "EnableIamUserPermissions"
     effect = "Allow"
@@ -136,55 +139,92 @@ data "aws_iam_policy_document" "kms_key_policy" {
       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
     }
     actions   = ["kms:*"]
-    resources = [
-      module.eligibility_status_table.dynamodb_kms_key_arn,
-      module.s3_rules_bucket.storage_bucket_kms_key_arn,
-      module.s3_audit_bucket.storage_bucket_kms_key_arn,
-      module.eligibility_signposting_api_gateway.kms_key_arn,
+    resources = ["*"]
+  }
 
-    ]
+  statement {
+    sid    = "AllowLambdaDecrypt"
+    effect = "Allow"
+    principals {
+      type        = "AWS"
+      identifiers = [aws_iam_role.eligibility_lambda_role.arn]
+    }
+    actions   = ["kms:Decrypt"]
+    resources = ["*"]
   }
+}
+
+resource "aws_kms_key_policy" "dynamodb_kms_key" {
+  key_id = module.eligibility_status_table.dynamodb_kms_key_id
+  policy = data.aws_iam_policy_document.dynamodb_kms_key_policy.json
+}
+
+data "aws_iam_policy_document" "s3_rules_kms_key_policy" {
+  #checkov:skip=CKV_AWS_111: Root user needs full KMS key management
+  #checkov:skip=CKV_AWS_356: Root user needs full KMS key management
+  #checkov:skip=CKV_AWS_109: Root user needs full KMS key management
   statement {
-    sid    = "Allow lambda decrypt role"
+    sid    = "EnableIamUserPermissions"
     effect = "Allow"
     principals {
-      type = "AWS"
-      identifiers = [
-        aws_iam_role.eligibility_lambda_role.arn
-      ]
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
     }
-    actions = [
-      "kms:Decrypt"
-    ]
-    resources = [
-      module.eligibility_status_table.dynamodb_kms_key_arn,
-      module.s3_rules_bucket.storage_bucket_kms_key_arn,
-    ]
+    actions   = ["kms:*"]
+    resources = ["*"]
   }
 
   statement {
-    sid    = "Allow lambda full write role"
+    sid    = "AllowLambdaDecrypt"
     effect = "Allow"
     principals {
-      type = "AWS"
-      identifiers = [
-        aws_iam_role.eligibility_lambda_role.arn
-      ]
+      type        = "AWS"
+      identifiers = [aws_iam_role.eligibility_lambda_role.arn]
     }
-    actions = [
+    actions   = ["kms:Decrypt"]
+    resources = ["*"]
+  }
+}
+
+resource "aws_kms_key_policy" "s3_rules_kms_key" {
+  key_id = module.s3_rules_bucket.storage_bucket_kms_key_arn
+  policy = data.aws_iam_policy_document.s3_rules_kms_key_policy.json
+}
+
+data "aws_iam_policy_document" "s3_audit_kms_key_policy" {
+  #checkov:skip=CKV_AWS_111: Root user needs full KMS key management
+  #checkov:skip=CKV_AWS_356: Root user needs full KMS key management
+  #checkov:skip=CKV_AWS_109: Root user needs full KMS key management
+
+  statement {
+    sid    = "EnableIamUserPermissions"
+    effect = "Allow"
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+    }
+    actions   = ["kms:*"]
+    resources = ["*"]
+  }
+
+  statement {
+    sid    = "AllowLambdaFullWrite"
+    effect = "Allow"
+    principals {
+      type        = "AWS"
+      identifiers = [aws_iam_role.eligibility_lambda_role.arn]
+    }
+    actions   = [
       "kms:Decrypt",
       "kms:Encrypt",
       "kms:GenerateDataKey",
       "kms:DescribeKey"
     ]
-    resources = [
-      module.s3_audit_bucket.storage_bucket_kms_key_arn
-    ]
+    resources = ["*"]
   }
 }
 
-# attach kms decrypt policy kms key
-resource "aws_kms_key_policy" "kms_key" {
-  key_id = module.eligibility_status_table.dynamodb_kms_key_id
-  policy = data.aws_iam_policy_document.kms_key_policy.json
+resource "aws_kms_key_policy" "s3_audit_kms_key" {
+  key_id = module.s3_audit_bucket.storage_bucket_kms_key_arn
+  policy = data.aws_iam_policy_document.s3_audit_kms_key_policy.json
 }
