bug: encrypt the audit manager reports bucket using KMS (#208)

bug: encrypt the audit manager reports bucket using KMS
schubergphilis · Aug 12, 2024 · a53318e · a53318e
1 parent 600b924
commit a53318e
Show file tree

Hide file tree

Showing 3 changed files with 48 additions and 9 deletions.
diff --git a/README.md b/README.md
@@ -440,15 +440,15 @@ module "landing_zone" {
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_audit_manager_reports"></a> [audit\_manager\_reports](#module\_audit\_manager\_reports) | schubergphilis/mcaf-s3/aws | 0.12.1 |
+| <a name="module_audit_manager_reports"></a> [audit\_manager\_reports](#module\_audit\_manager\_reports) | schubergphilis/mcaf-s3/aws | ~> 0.14.1 |
 | <a name="module_aws_config_s3"></a> [aws\_config\_s3](#module\_aws\_config\_s3) | github.com/schubergphilis/terraform-aws-mcaf-s3 | v0.8.0 |
 | <a name="module_aws_sso_permission_sets"></a> [aws\_sso\_permission\_sets](#module\_aws\_sso\_permission\_sets) | ./modules/permission-set | n/a |
 | <a name="module_datadog_audit"></a> [datadog\_audit](#module\_datadog\_audit) | github.com/schubergphilis/terraform-aws-mcaf-datadog | v0.7.0 |
 | <a name="module_datadog_logging"></a> [datadog\_logging](#module\_datadog\_logging) | github.com/schubergphilis/terraform-aws-mcaf-datadog | v0.7.0 |
 | <a name="module_datadog_master"></a> [datadog\_master](#module\_datadog\_master) | github.com/schubergphilis/terraform-aws-mcaf-datadog | v0.7.0 |
-| <a name="module_kms_key"></a> [kms\_key](#module\_kms\_key) | github.com/schubergphilis/terraform-aws-mcaf-kms | v0.3.0 |
-| <a name="module_kms_key_audit"></a> [kms\_key\_audit](#module\_kms\_key\_audit) | github.com/schubergphilis/terraform-aws-mcaf-kms | v0.3.0 |
-| <a name="module_kms_key_logging"></a> [kms\_key\_logging](#module\_kms\_key\_logging) | github.com/schubergphilis/terraform-aws-mcaf-kms | v0.3.0 |
+| <a name="module_kms_key"></a> [kms\_key](#module\_kms\_key) | schubergphilis/mcaf-kms/aws | ~> 0.3.0 |
+| <a name="module_kms_key_audit"></a> [kms\_key\_audit](#module\_kms\_key\_audit) | schubergphilis/mcaf-kms/aws | ~> 0.3.0 |
+| <a name="module_kms_key_logging"></a> [kms\_key\_logging](#module\_kms\_key\_logging) | schubergphilis/mcaf-kms/aws | ~> 0.3.0 |
 | <a name="module_ses-root-accounts-mail-alias"></a> [ses-root-accounts-mail-alias](#module\_ses-root-accounts-mail-alias) | github.com/schubergphilis/terraform-aws-mcaf-ses | v0.1.3 |
 | <a name="module_ses-root-accounts-mail-forward"></a> [ses-root-accounts-mail-forward](#module\_ses-root-accounts-mail-forward) | github.com/schubergphilis/terraform-aws-mcaf-ses-forwarder | v0.2.5 |
 | <a name="module_tag_policy_assignment"></a> [tag\_policy\_assignment](#module\_tag\_policy\_assignment) | ./modules/tag-policy-assignment | n/a |

diff --git a/audit_manager.tf b/audit_manager.tf
@@ -10,8 +10,10 @@ module "audit_manager_reports" {
   count     = var.aws_auditmanager.enabled == true ? 1 : 0
   providers = { aws = aws.audit }
 
-  source      = "schubergphilis/mcaf-s3/aws"
-  version     = "0.12.1"
+  source  = "schubergphilis/mcaf-s3/aws"
+  version = "~> 0.14.1"
+
+  kms_key_arn = module.kms_key_audit.arn
   name_prefix = var.aws_auditmanager.reports_bucket_prefix
   versioning  = true
 

diff --git a/kms.tf b/kms.tf
@@ -1,6 +1,8 @@
 # Management Account
 module "kms_key" {
-  source              = "github.com/schubergphilis/terraform-aws-mcaf-kms?ref=v0.3.0"
+  source  = "schubergphilis/mcaf-kms/aws"
+  version = "~> 0.3.0"
+
   name                = "inception"
   description         = "KMS key used in the master account"
   enable_key_rotation = true
@@ -84,7 +86,9 @@ data "aws_iam_policy_document" "kms_key" {
 module "kms_key_audit" {
   providers = { aws = aws.audit }
 
-  source              = "github.com/schubergphilis/terraform-aws-mcaf-kms?ref=v0.3.0"
+  source  = "schubergphilis/mcaf-kms/aws"
+  version = "~> 0.3.0"
+
   name                = "audit"
   description         = "KMS key used for encrypting audit-related data"
   enable_key_rotation = true
@@ -228,13 +232,46 @@ data "aws_iam_policy_document" "kms_key_audit" {
       }
     }
   }
+
+  dynamic "statement" {
+    for_each = var.aws_auditmanager.enabled ? ["allow_audit_manager"] : []
+    content {
+      sid       = "Encrypt and Decrypt permissions for S3"
+      effect    = "Allow"
+      resources = ["arn:aws:kms:${data.aws_region.current.name}:${data.aws_caller_identity.management.account_id}:key/*"]
+
+      actions = [
+        "kms:Encrypt",
+        "kms:Decrypt",
+        "kms:ReEncrypt*",
+        "kms:GenerateDataKey*"
+      ]
+
+      principals {
+        type = "AWS"
+        identifiers = [
+          "arn:aws:iam::${data.aws_caller_identity.management.account_id}:root"
+        ]
+      }
+
+      condition {
+        test     = "StringLike"
+        variable = "kms:ViaService"
+        values = [
+          "s3.${data.aws_region.current.name}.amazonaws.com",
+        ]
+      }
+    }
+  }
 }
 
 # Logging Account
 module "kms_key_logging" {
   providers = { aws = aws.logging }
 
-  source              = "github.com/schubergphilis/terraform-aws-mcaf-kms?ref=v0.3.0"
+  source  = "schubergphilis/mcaf-kms/aws"
+  version = "~> 0.3.0"
+
   name                = "logging"
   description         = "KMS key to use with logging account"
   enable_key_rotation = true