logs encrypted with other aws account cmk #240

Open
hansadriaans opened this issue Feb 21, 2023 · 0 comments · May be fixed by #245


hansadriaans commented Feb 21, 2023

Describe the bug
Working with organizations using multiple accounts, I created a bucket in the main control account. This is for logging all CloudWatch logs. However, every file logged has its own CMK that is not accessible from the main account.

To Reproduce
Steps to reproduce the behavior:

  1. deploy resource "aws_kms_key" "cloudtrail"
  2. the files will show in the selected bucket on the control account
  3. inside the control account the files are not accessible because the CMK is not accessible in the client account

Expected behavior
I want to read the files in the shared account.

Code Snippet

```hcl
statement {
  sid    = "Enable cross account log decryption"
  effect = "Allow"

  actions = [
    "kms:Decrypt",
    "kms:ReEncryptFrom",
  ]

  principals {
    type        = "AWS"
    identifiers = ["*"]
  }

  condition {
    test     = "StringEquals"
    variable = "kms:CallerAccount"
    values   = [data.aws_caller_identity.current.account_id]
  }

  condition {
    test     = "StringLike"
    variable = "kms:EncryptionContext:aws:cloudtrail:arn"
    values   = ["arn:${data.aws_partition.current.partition}:cloudtrail:*:${data.aws_caller_identity.current.account_id}:trail/*"]
  }

  resources = ["*"]
}
```

Additional context
Changing

```hcl
condition {
  test     = "StringEquals"
  variable = "kms:CallerAccount"
  values   = [data.aws_caller_identity.current.account_id]
}
```

into var.shared_account.account_id does work, but tf corrects it every deploy.

@DanielRussell DanielRussell linked a pull request May 9, 2024 that will close this issue
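The key policy statement quoted in the report only lets the account that owns the key (`kms:CallerAccount` equals the caller identity of the deploying account) decrypt the CloudTrail objects, so readers in the control account that holds the log bucket are denied. The following Terraform fragment is an added example and not code from the module or from the reporter: it keeps the module-managed key policy in place and instead widens the decrypt statement to a list of accounts. The variable name `log_reader_account_ids`, the `locals` block and the policy document name `cloudtrail_kms` are assumptions introduced here for illustration.

```hcl
# Added example (not the module's own code). Assumed input: a list of
# additional account IDs that are allowed to decrypt CloudTrail log objects,
# e.g. the control/shared account that owns the log bucket.
variable "log_reader_account_ids" {
  description = "Account IDs, besides the key-owning account, allowed to decrypt CloudTrail logs"
  type        = list(string)
  default     = []
}

data "aws_caller_identity" "current" {}
data "aws_partition" "current" {}

locals {
  # The key-owning account is always included; extra readers are appended.
  decrypt_account_ids = distinct(concat(
    [data.aws_caller_identity.current.account_id],
    var.log_reader_account_ids,
  ))
}

# Hypothetical policy document name; only the decrypt statement is shown,
# the key administration and CloudTrail encrypt statements are unchanged.
data "aws_iam_policy_document" "cloudtrail_kms" {
  statement {
    sid    = "Enable cross account log decryption"
    effect = "Allow"

    actions = [
      "kms:Decrypt",
      "kms:ReEncryptFrom",
    ]

    # Grant to the account roots rather than "*": each listed account then
    # delegates access to its own IAM principals with identity-based policies.
    principals {
      type = "AWS"
      identifiers = [
        for id in local.decrypt_account_ids :
        "arn:${data.aws_partition.current.partition}:iam::${id}:root"
      ]
    }

    # Keep the caller-account guard, but list every permitted account
    # instead of hard-coding the deploying account only.
    condition {
      test     = "StringEquals"
      variable = "kms:CallerAccount"
      values   = local.decrypt_account_ids
    }

    # Still restrict use of the key to objects CloudTrail encrypted for
    # trails in the key-owning account (encryption context check).
    condition {
      test     = "StringLike"
      variable = "kms:EncryptionContext:aws:cloudtrail:arn"
      values   = ["arn:${data.aws_partition.current.partition}:cloudtrail:*:${data.aws_caller_identity.current.account_id}:trail/*"]
    }

    resources = ["*"]
  }
}
```

Two things to check after applying a change like this: the key policy alone is not sufficient for a cross-account principal, so the readers in the control account also need an identity-based policy granting `kms:Decrypt` on the key ARN (plus `s3:GetObject` on the bucket), and because the value comes from a variable rather than from the caller identity, Terraform no longer reverts it on every deploy, which is the drift the report describes.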