Add kms policy for admins and cloudwatch

bcgov · Aug 26, 2024 · d706f02 · d706f02
1 parent f0b07bf
commit d706f02
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/infrastructure/cloud/modules/security/kms.tf b/infrastructure/cloud/modules/security/kms.tf
@@ -21,10 +21,24 @@ resource "aws_kms_alias" "kms_alias" {
 
 resource "aws_kms_key_policy" "kms_key_policy" {
   key_id = aws_kms_key.kms_key.id
+
   policy = jsonencode({
     Version = "2012-10-17"
     Statement = [
+      # Allow full access to the key for administrators
+      {
+        Sid    = "EnableIAMUserPermissions"
+        Effect = "Allow"
+        Principal = {
+          AWS = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+        }
+        Action   = "kms:*"
+        Resource = "*"
+      },
+
+      # Allow CloudWatch Logs to use the key
       {
+        Sid    = "AllowCloudWatchLogsUsage"
         Effect = "Allow"
         Principal = {
           Service = "logs.amazonaws.com"