From 4d718e8d0fe40cae58ea41ca9e0f0225123bb31b Mon Sep 17 00:00:00 2001
From: Chris Wright
Date: Tue, 16 Jan 2024 15:37:03 +0000
Subject: [PATCH] Allow Slack Alerts KMS encrypt on Slack Alerts CMK

* `events.amazonaws.com` needs permission to use the KMS CMK to encrypt data through to the SNS topic, when sending messages from CloudWatch
---
 cloudwatch-slack-alerts-sns.tf | 5 +++++
 .../service-allow-encrypt.json.tpl | 11 +++++++++++
 2 files changed, 16 insertions(+)
 create mode 100644 policies/kms-key-policy-statements/service-allow-encrypt.json.tpl

diff --git a/cloudwatch-slack-alerts-sns.tf b/cloudwatch-slack-alerts-sns.tf
index bac1fec..0a6b991 100644
--- a/cloudwatch-slack-alerts-sns.tf
+++ b/cloudwatch-slack-alerts-sns.tf
@@ -23,6 +23,11 @@ resource "aws_kms_key" "cloudwatch_slack_alerts" {
 {
 log_group_arn = "arn:aws:logs:${local.aws_region}:${local.aws_account_id}:log-group:/aws/lambda/${local.project_name}-cloudwatch-to-slack"
 }
+ )},
+ ${templatefile("${path.root}/policies/kms-key-policy-statements/service-allow-encrypt.json.tpl",
+ {
+ services = jsonencode(["events.amazonaws.com"])
+ }
 )}
 ]
 EOT
diff --git a/policies/kms-key-policy-statements/service-allow-encrypt.json.tpl b/policies/kms-key-policy-statements/service-allow-encrypt.json.tpl
new file mode 100644
index 0000000..f08e624
--- /dev/null
+++ b/policies/kms-key-policy-statements/service-allow-encrypt.json.tpl
@@ -0,0 +1,11 @@
+{
+ "Effect": "Allow",
+ "Principal": {
+ "Service": ${services}
+ },
+ "Action": [
+ "kms:GenerateDataKey*",
+ "kms:Decrypt"
+ ],
+ "Resource": "*"
+}
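Review bot: The new key-policy statement is granted to the `events.amazonaws.com` service principal with nothing scoping it to this account, because the added `templatefile` call passes only `services`; a bare service principal in a KMS key policy is the shape AWS recommends constraining with `aws:SourceAccount` (or `aws:SourceArn`) so the service can only use the key on this account's behalf. `local.aws_account_id` is already in scope on the context line above, so the call could pass `source_account = local.aws_account_id` next to `services`, with the template in the second file consuming it as `"Condition": {"StringEquals": {"aws:SourceAccount": "${source_account}"}}`. Whether EventBridge populates `aws:SourceAccount` on the KMS calls it makes for SNS targets is not shown here and should be confirmed against the EventBridge/KMS documentation before the condition is relied on. The enclosing `aws_kms_key` resource and the start of its policy heredoc lie outside the hunk.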
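Review bot: The template file is named `service-allow-encrypt` but the statement it renders grants `kms:Decrypt` as well as `kms:GenerateDataKey*`, and it carries no `Sid`, so nothing in the resulting key policy records that this grant is for service-principal publishing rather than a plain encrypt permission; adding a line such as `"Sid": "AllowServicePrincipalsGenerateDataKeyAndDecrypt",` before `"Effect"` would make the rendered policy self-describing when it is read back from the key. Separately, `"Service": ${services}` interpolates the value raw and depends on every caller pre-encoding it with `jsonencode`, as the `.tf` change in this commit does; writing `"Service": ${jsonencode(services)}` in the template and passing the plain list from the caller would turn a mis-typed principal into a plan-time error instead of a malformed policy document. Those two call sites would need to change together, since the current caller already encodes the list.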