You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
103 lines
3.2 KiB
HCL
103 lines
3.2 KiB
HCL
resource "aws_kms_key" "cloudtrail" {
|
|
description = var.prefix
|
|
enable_key_rotation = var.enable_key_rotation
|
|
tags = var.tags
|
|
policy = <<EOF
|
|
{
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Sid": "Enable IAM User Permissions",
|
|
"Effect": "Allow",
|
|
"Principal": {"AWS": [
|
|
"arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
|
|
]},
|
|
"Action": "kms:*",
|
|
"Resource": "*"
|
|
},
|
|
{
|
|
"Sid": "Allow CloudTrail to encrypt logs",
|
|
"Effect": "Allow",
|
|
"Principal": {
|
|
"Service": ["cloudtrail.amazonaws.com"]
|
|
},
|
|
"Action": "kms:GenerateDataKey*",
|
|
"Resource": "*",
|
|
"Condition": {
|
|
"StringLike": {
|
|
"kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:${data.aws_caller_identity.current.account_id}:trail/*"
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"Sid": "Allow CloudTrail to describe keys",
|
|
"Effect": "Allow",
|
|
"Principal": {"Service": ["cloudtrail.amazonaws.com"]},
|
|
"Action": "kms:DescribeKey",
|
|
"Resource": "*"
|
|
},
|
|
{
|
|
"Sid": "Allow principals in the account to decrypt log files",
|
|
"Effect": "Allow",
|
|
"Principal": {
|
|
"AWS": "*"
|
|
},
|
|
"Action": [
|
|
"kms:Decrypt",
|
|
"kms:ReEncryptFrom"
|
|
],
|
|
"Resource": "*",
|
|
"Condition": {
|
|
"StringEquals": {
|
|
"kms:CallerAccount": "${data.aws_caller_identity.current.account_id}"
|
|
},
|
|
"StringLike": {
|
|
"kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:${data.aws_caller_identity.current.account_id}:trail/*"
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"Sid": "Allow alias creation during setup",
|
|
"Effect": "Allow",
|
|
"Principal": {
|
|
"AWS": "*"
|
|
},
|
|
"Action": "kms:CreateAlias",
|
|
"Resource": "*",
|
|
"Condition": {
|
|
"StringEquals": {
|
|
"kms:ViaService": "ec2.region.amazonaws.com",
|
|
"kms:CallerAccount": "${data.aws_caller_identity.current.account_id}"
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"Sid": "Enable cross account log decryption",
|
|
"Effect": "Allow",
|
|
"Principal": {
|
|
"AWS": "*"
|
|
},
|
|
"Action": [
|
|
"kms:Decrypt",
|
|
"kms:ReEncryptFrom"
|
|
],
|
|
"Resource": "*",
|
|
"Condition": {
|
|
"StringEquals": {
|
|
"kms:CallerAccount": "${data.aws_caller_identity.current.account_id}"
|
|
},
|
|
"StringLike": {
|
|
"kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:${data.aws_caller_identity.current.account_id}:trail/*"
|
|
}
|
|
}
|
|
}
|
|
]
|
|
}
|
|
EOF
|
|
}
|
|
|
|
resource "aws_kms_alias" "kms" {
|
|
name = "alias/${var.prefix}-cloudtrail"
|
|
target_key_id = aws_kms_key.cloudtrail.key_id
|
|
}
|