From 8185e13dc9e0d4fe1695c273322d58e1e9e9b93f Mon Sep 17 00:00:00 2001
From: Edd Almond
Date: Thu, 19 Jun 2025 12:01:28 +0100
Subject: [PATCH 1/3] eli-306 adding kms grant for lambda to decrypt s3

---
 infrastructure/stacks/api-layer/iam_policies.tf | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/infrastructure/stacks/api-layer/iam_policies.tf b/infrastructure/stacks/api-layer/iam_policies.tf
index 5fa1f1415..92d96261a 100644
--- a/infrastructure/stacks/api-layer/iam_policies.tf
+++ b/infrastructure/stacks/api-layer/iam_policies.tf
@@ -135,7 +135,7 @@ data "aws_iam_policy_document" "kms_key_policy" {
 type = "AWS"
 identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
 }
- actions = ["kms:*"]
+ actions = ["kms:*"]
 resources = [
 module.eligibility_status_table.dynamodb_kms_key_arn,
 module.s3_rules_bucket.storage_bucket_kms_key_arn,
@@ -178,7 +178,7 @@ data "aws_iam_policy_document" "kms_key_policy" {
 "kms:DescribeKey"
 ]
 resources = [
- module.s3_audit_bucket.storage_bucket_kms_key_arn
+ module.s3_audit_bucket.storage_bucket_kms_key_arn,
 ]
 }
 }
@@ -188,3 +188,10 @@ resource "aws_kms_key_policy" "kms_key" {
 key_id = module.eligibility_status_table.dynamodb_kms_key_id
 policy = data.aws_iam_policy_document.kms_key_policy.json
 }
+
+resource "aws_kms_grant" "lambda_s3_decrypt" {
+ name = "lambda-s3-decrypt"
+ key_id = module.s3_rules_bucket.storage_bucket_kms_key_arn
+ grantee_principal = aws_iam_role.eligibility_lambda_role.arn
+ operations = ["Decrypt"]
+}
From 0f6ebaa62c3cbee0029f206d7e8ea62db56fd203 Mon Sep 17 00:00:00 2001
From: Edd Almond
Date: Thu, 19 Jun 2025 12:23:46 +0100
Subject: [PATCH 2/3] eli-306 splitting out KMS policies for each s3 object + dynamo, for Lambda access

---
 .../stacks/api-layer/iam_policies.tf | 103 +++++++++++-------
 1 file changed, 63 insertions(+), 40 deletions(-)

diff --git a/infrastructure/stacks/api-layer/iam_policies.tf b/infrastructure/stacks/api-layer/iam_policies.tf
index 92d96261a..9eeb5652e 100644
--- a/infrastructure/stacks/api-layer/iam_policies.tf
+++ b/infrastructure/stacks/api-layer/iam_policies.tf
@@ -127,7 +127,7 @@ resource "aws_iam_role_policy" "external_s3_write_policy" {
 }
 ## KMS
-data "aws_iam_policy_document" "kms_key_policy" {
+data "aws_iam_policy_document" "dynamodb_kms_key_policy" {
 statement {
 sid = "EnableIamUserPermissions"
 effect = "Allow"
@@ -135,63 +135,86 @@ data "aws_iam_policy_document" "kms_key_policy" {
 type = "AWS"
 identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
 }
- actions = ["kms:*"]
- resources = [
- module.eligibility_status_table.dynamodb_kms_key_arn,
- module.s3_rules_bucket.storage_bucket_kms_key_arn,
- module.s3_audit_bucket.storage_bucket_kms_key_arn,
- module.eligibility_signposting_api_gateway.kms_key_arn,
+ actions = ["kms:*"]
+ resources = ["*"]
+ }
- ]
+ statement {
+ sid = "AllowLambdaDecrypt"
+ effect = "Allow"
+ principals {
+ type = "AWS"
+ identifiers = [aws_iam_role.eligibility_lambda_role.arn]
+ }
+ actions = ["kms:Decrypt"]
+ resources = ["*"]
 }
+}
+
+resource "aws_kms_key_policy" "dynamodb_kms_key" {
+ key_id = module.eligibility_status_table.dynamodb_kms_key_id
+ policy = data.aws_iam_policy_document.dynamodb_kms_key_policy.json
+}
+
+data "aws_iam_policy_document" "s3_rules_kms_key_policy" {
 statement {
- sid = "Allow lambda decrypt role"
+ sid = "EnableIamUserPermissions"
 effect = "Allow"
 principals {
- type = "AWS"
- identifiers = [
- aws_iam_role.eligibility_lambda_role.arn
- ]
+ type = "AWS"
+ identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
 }
- actions = [
- "kms:Decrypt"
- ]
- resources = [
- module.eligibility_status_table.dynamodb_kms_key_arn,
- module.s3_rules_bucket.storage_bucket_kms_key_arn,
- ]
+ actions = ["kms:*"]
+ resources = ["*"]
 }
 statement {
- sid = "Allow lambda full write role"
+ sid = "AllowLambdaDecrypt"
 effect = "Allow"
 principals {
- type = "AWS"
- identifiers = [
- aws_iam_role.eligibility_lambda_role.arn
- ]
+ type = "AWS"
+ identifiers = [aws_iam_role.eligibility_lambda_role.arn]
 }
- actions = [
+ actions = ["kms:Decrypt"]
+ resources = ["*"]
+ }
+}
+
+resource "aws_kms_key_policy" "s3_rules_kms_key" {
+ key_id = module.s3_rules_bucket.storage_bucket_kms_key_arn
+ policy = data.aws_iam_policy_document.s3_rules_kms_key_policy.json
+}
+
+data "aws_iam_policy_document" "s3_audit_kms_key_policy" {
+ statement {
+ sid = "EnableIamUserPermissions"
+ effect = "Allow"
+ principals {
+ type = "AWS"
+ identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+ }
+ actions = ["kms:*"]
+ resources = ["*"]
+ }
+
+ statement {
+ sid = "AllowLambdaFullWrite"
+ effect = "Allow"
+ principals {
+ type = "AWS"
+ identifiers = [aws_iam_role.eligibility_lambda_role.arn]
+ }
+ actions = [
 "kms:Decrypt",
 "kms:Encrypt",
 "kms:GenerateDataKey",
 "kms:DescribeKey"
 ]
- resources = [
- module.s3_audit_bucket.storage_bucket_kms_key_arn,
- ]
+ resources = ["*"]
 }
 }
-# attach kms decrypt policy kms key
-resource "aws_kms_key_policy" "kms_key" {
- key_id = module.eligibility_status_table.dynamodb_kms_key_id
- policy = data.aws_iam_policy_document.kms_key_policy.json
-}
-
-resource "aws_kms_grant" "lambda_s3_decrypt" {
- name = "lambda-s3-decrypt"
- key_id = module.s3_rules_bucket.storage_bucket_kms_key_arn
- grantee_principal = aws_iam_role.eligibility_lambda_role.arn
- operations = ["Decrypt"]
+resource "aws_kms_key_policy" "s3_audit_kms_key" {
+ key_id = module.s3_audit_bucket.storage_bucket_kms_key_arn
+ policy = data.aws_iam_policy_document.s3_audit_kms_key_policy.json
 }
From 0eff677c82b4542c41e91952e3d8c15d3f2ad79d Mon Sep 17 00:00:00 2001
From: Edd Almond
Date: Thu, 19 Jun 2025 14:33:36 +0100
Subject: [PATCH 3/3] eli-306 adding checkov skips

---
 infrastructure/stacks/api-layer/iam_policies.tf | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/infrastructure/stacks/api-layer/iam_policies.tf b/infrastructure/stacks/api-layer/iam_policies.tf
index 9eeb5652e..338299b6d 100644
--- a/infrastructure/stacks/api-layer/iam_policies.tf
+++ b/infrastructure/stacks/api-layer/iam_policies.tf
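Review bot: The `AllowLambdaFullWrite` statement in `s3_audit_kms_key_policy` grants the Lambda role `kms:Encrypt` alongside `kms:GenerateDataKey`; S3 SSE-KMS writes obtain their data key through GenerateDataKey (plus Decrypt for multipart completion), so unless the function calls Encrypt against the key directly the list can be reduced to `actions = ["kms:Decrypt", "kms:GenerateDataKey", "kms:DescribeKey"]`. All three Lambda statements also let the role use the keys from any caller rather than only through S3 or DynamoDB; a `kms:ViaService` condition on each statement confines use of the key to the intended service path, as sketched below for the rules key. If `module.s3_rules_bucket` or `module.s3_audit_bucket` already manages a policy on its key, the new `aws_kms_key_policy` resources will overwrite it and the two will fight on every apply, which is worth confirming against the module before merging. The `EnableIamUserPermissions` statement of `dynamodb_kms_key_policy` starts before this hunk.
```terraform
  statement {
    sid    = "AllowLambdaDecrypt"
    # … unchanged: effect, principals, actions, resources …
    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = ["s3.<REGION>.amazonaws.com"] # <REGION> is a placeholder for the deployment region
    }
  }
```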
@@ -128,6 +128,9 @@ resource "aws_iam_role_policy" "external_s3_write_policy" {
 ## KMS
 data "aws_iam_policy_document" "dynamodb_kms_key_policy" {
+ #checkov:skip=CKV_AWS_111: Root user needs full KMS key management
+ #checkov:skip=CKV_AWS_356: Root user needs full KMS key management
+ #checkov:skip=CKV_AWS_109: Root user needs full KMS key management
 statement {
 sid = "EnableIamUserPermissions"
 effect = "Allow"
@@ -157,6 +160,9 @@ resource "aws_kms_key_policy" "dynamodb_kms_key" {
 }
 data "aws_iam_policy_document" "s3_rules_kms_key_policy" {
+ #checkov:skip=CKV_AWS_111: Root user needs full KMS key management
+ #checkov:skip=CKV_AWS_356: Root user needs full KMS key management
+ #checkov:skip=CKV_AWS_109: Root user needs full KMS key management
 statement {
 sid = "EnableIamUserPermissions"
 effect = "Allow"
@@ -186,6 +192,10 @@ resource "aws_kms_key_policy" "s3_rules_kms_key" {
 }
 data "aws_iam_policy_document" "s3_audit_kms_key_policy" {
+ #checkov:skip=CKV_AWS_111: Root user needs full KMS key management
+ #checkov:skip=CKV_AWS_356: Root user needs full KMS key management
+ #checkov:skip=CKV_AWS_109: Root user needs full KMS key management
+
 statement {
 sid = "EnableIamUserPermissions"
 effect = "Allow"
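Review bot: The skip reason `Root user needs full KMS key management` on `dynamodb_kms_key_policy` does not describe what the suppressed findings flag: CKV_AWS_356 fires on `resources = ["*"]`, which a KMS key policy has to use because it only ever applies to the key it is attached to, and in `s3_audit_kms_key_policy` CKV_AWS_111 is as likely triggered by the Lambda `AllowLambdaFullWrite` statement as by the root statement. A reason that names the actual constraint keeps the suppression auditable, e.g. `#checkov:skip=CKV_AWS_356: KMS key policies require Resource "*"; the policy is scoped to the attached key`. The same applies to the skips added to `s3_rules_kms_key_policy` and `s3_audit_kms_key_policy` in the next two hunks, where the third hunk also adds a blank line after the skips that the first two do not. Each policy document's body continues past its hunk.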