diff --git a/infrastructure/stacks/api-layer/iam_policies.tf b/infrastructure/stacks/api-layer/iam_policies.tf index 5fa1f1415..338299b6d 100644 --- a/infrastructure/stacks/api-layer/iam_policies.tf +++ b/infrastructure/stacks/api-layer/iam_policies.tf @@ -127,7 +127,10 @@ resource "aws_iam_role_policy" "external_s3_write_policy" { } ## KMS -data "aws_iam_policy_document" "kms_key_policy" { +data "aws_iam_policy_document" "dynamodb_kms_key_policy" { + #checkov:skip=CKV_AWS_111: Root user needs full KMS key management + #checkov:skip=CKV_AWS_356: Root user needs full KMS key management + #checkov:skip=CKV_AWS_109: Root user needs full KMS key management statement { sid = "EnableIamUserPermissions" effect = "Allow" @@ -136,55 +139,92 @@ data "aws_iam_policy_document" "kms_key_policy" { identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"] } actions = ["kms:*"] - resources = [ - module.eligibility_status_table.dynamodb_kms_key_arn, - module.s3_rules_bucket.storage_bucket_kms_key_arn, - module.s3_audit_bucket.storage_bucket_kms_key_arn, - module.eligibility_signposting_api_gateway.kms_key_arn, + resources = ["*"] + } - ] + statement { + sid = "AllowLambdaDecrypt" + effect = "Allow" + principals { + type = "AWS" + identifiers = [aws_iam_role.eligibility_lambda_role.arn] + } + actions = ["kms:Decrypt"] + resources = ["*"] } +} + +resource "aws_kms_key_policy" "dynamodb_kms_key" { + key_id = module.eligibility_status_table.dynamodb_kms_key_id + policy = data.aws_iam_policy_document.dynamodb_kms_key_policy.json +} + +data "aws_iam_policy_document" "s3_rules_kms_key_policy" { + #checkov:skip=CKV_AWS_111: Root user needs full KMS key management + #checkov:skip=CKV_AWS_356: Root user needs full KMS key management + #checkov:skip=CKV_AWS_109: Root user needs full KMS key management statement { - sid = "Allow lambda decrypt role" + sid = "EnableIamUserPermissions" effect = "Allow" principals { - type = "AWS" - identifiers = [ - aws_iam_role.eligibility_lambda_role.arn - ] + type = "AWS" + identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"] } - actions = [ - "kms:Decrypt" - ] - resources = [ - module.eligibility_status_table.dynamodb_kms_key_arn, - module.s3_rules_bucket.storage_bucket_kms_key_arn, - ] + actions = ["kms:*"] + resources = ["*"] } statement { - sid = "Allow lambda full write role" + sid = "AllowLambdaDecrypt" effect = "Allow" principals { - type = "AWS" - identifiers = [ - aws_iam_role.eligibility_lambda_role.arn - ] + type = "AWS" + identifiers = [aws_iam_role.eligibility_lambda_role.arn] } - actions = [ + actions = ["kms:Decrypt"] + resources = ["*"] + } +} + +resource "aws_kms_key_policy" "s3_rules_kms_key" { + key_id = module.s3_rules_bucket.storage_bucket_kms_key_arn + policy = data.aws_iam_policy_document.s3_rules_kms_key_policy.json +} + +data "aws_iam_policy_document" "s3_audit_kms_key_policy" { + #checkov:skip=CKV_AWS_111: Root user needs full KMS key management + #checkov:skip=CKV_AWS_356: Root user needs full KMS key management + #checkov:skip=CKV_AWS_109: Root user needs full KMS key management + + statement { + sid = "EnableIamUserPermissions" + effect = "Allow" + principals { + type = "AWS" + identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"] + } + actions = ["kms:*"] + resources = ["*"] + } + + statement { + sid = "AllowLambdaFullWrite" + effect = "Allow" + principals { + type = "AWS" + identifiers = [aws_iam_role.eligibility_lambda_role.arn] + } + actions = [ "kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey", "kms:DescribeKey" ] - resources = [ - module.s3_audit_bucket.storage_bucket_kms_key_arn - ] + resources = ["*"] } } -# attach kms decrypt policy kms key -resource "aws_kms_key_policy" "kms_key" { - key_id = module.eligibility_status_table.dynamodb_kms_key_id - policy = data.aws_iam_policy_document.kms_key_policy.json +resource "aws_kms_key_policy" "s3_audit_kms_key" { + key_id = module.s3_audit_bucket.storage_bucket_kms_key_arn + policy = data.aws_iam_policy_document.s3_audit_kms_key_policy.json }