Fix KMS and S3 policies

* `jsonencode`s the s3 log bucket source arns * Correctly formats `service-allow-decrypt.json.tpl` * Uses the key arn rather than alias for cloudtrail * Replaces the key arn with a wildcard, as ARNs can't contain wildcards * Corrects the logs service name * Adds the aws account ID to the logs bucket, so that it is globally unique
dxw · Oct 27, 2023 · 3d8125a · 3d8125a
1 parent 6a0d102
commit 3d8125a
Show file tree

Hide file tree

Showing 4 changed files with 7 additions and 7 deletions.
diff --git a/cloudtrail.tf b/cloudtrail.tf
@@ -28,7 +28,7 @@ resource "aws_kms_key" "cloudtrail_cloudwatch_logs" {
       ${templatefile("${path.root}/policies/kms-key-policy-statements/service-describe-key.json.tpl",
       {
         services   = jsonencode(["cloudtrail.amazonaws.com"])
-        key_arn    = "arn:aws:kms:${local.aws_region}:${local.aws_account_id}:key/*"
+        key_arn    = "*"
         source_arn = "arn:aws:cloudtrail:${local.aws_region}:${local.aws_account_id}:trail/${local.project_name}"
       }
       )},
@@ -55,7 +55,7 @@ resource "aws_cloudwatch_log_group" "cloudtrail" {
 
   name              = "${local.project_name}-cloudtrail"
   retention_in_days = local.cloudtrail_log_retention
-  kms_key_id        = local.cloudtrail_kms_encryption ? aws_kms_alias.cloudtrail_cloudwatch_logs[0].name : null
+  kms_key_id        = local.cloudtrail_kms_encryption ? aws_kms_key.cloudtrail_cloudwatch_logs[0].arn : null
   skip_destroy      = true
 }
 
@@ -99,7 +99,7 @@ resource "aws_cloudtrail" "cloudtrail" {
   cloud_watch_logs_role_arn     = aws_iam_role.cloudtrail_cloudwatch_logs[0].arn
   cloud_watch_logs_group_arn    = "${aws_cloudwatch_log_group.cloudtrail[0].arn}:*"
   enable_log_file_validation    = true
-  kms_key_id                    = local.cloudtrail_kms_encryption ? aws_kms_alias.cloudtrail_cloudwatch_logs[0].name : null
+  kms_key_id                    = local.cloudtrail_kms_encryption ? aws_kms_key.cloudtrail_cloudwatch_logs[0].arn : null
 
   depends_on = [
     aws_s3_bucket_policy.cloudtrail

diff --git a/policies/kms-key-policy-statements/cloudwatch-logs-allow.json.tpl b/policies/kms-key-policy-statements/cloudwatch-logs-allow.json.tpl
@@ -1,7 +1,7 @@
 {
   "Effect": "Allow",
   "Principal": {
-    "Service": "logs.region.amazonaws.com"
+    "Service": "logs.amazonaws.com"
   },
   "Action": [
     "kms:Encrypt*",

diff --git a/policies/kms-key-policy-statements/service-allow-decrypt.json.tpl b/policies/kms-key-policy-statements/service-allow-decrypt.json.tpl
@@ -1,7 +1,7 @@
 {
   "Effect": "Allow",
   "Principal": {
-    Service": ${services}
+    "Service": ${services}
   },
   "Action": "kms:Decrypt",
   "Resource": "*"

diff --git a/s3-logs.tf b/s3-logs.tf
@@ -3,7 +3,7 @@
 resource "aws_s3_bucket" "logs" {
   count = local.enable_logs_bucket ? 1 : 0
 
-  bucket = "${local.project_name}-logs"
+  bucket = "${local.aws_account_id}-${local.aws_region}-${local.project_name}-logs"
 }
 
 resource "aws_s3_bucket_policy" "logs" {
@@ -18,7 +18,7 @@ resource "aws_s3_bucket_policy" "logs" {
       ${templatefile("${path.root}/policies/s3-bucket-policy-statements/enforce-tls.json.tpl", { bucket_arn = aws_s3_bucket.logs[0].arn })},
       ${templatefile("${path.root}/policies/s3-bucket-policy-statements/log-delivery-access.json.tpl", {
       log_bucket_arn     = aws_s3_bucket.logs[0].arn
-      source_bucket_arns = local.logs_bucket_source_arns
+      source_bucket_arns = jsonencode(local.logs_bucket_source_arns)
       account_id         = local.aws_account_id
 })}
       ]