Allow scanning volumes with customer-managed-key (#139)

jinroh · web-flow · commit 5c88b5f2a1f9 · 2024-09-03T11:48:25.000+02:00
We need to be able to read and copy from snapshots originating from CreateSnapshot. When reaching for these snapshots the kms:EncryptionContext for key aws:ebs:id is the originating volume. reference: https://github.com/awsdocs/aws-kms-developer-guide/blob/master/doc_source/services-ebs.md#amazon-ebs-encryption-context
diff --git a/modules/scanning-delegate-role/main.tf b/modules/scanning-delegate-role/main.tf
@@ -205,19 +205,13 @@ data "aws_iam_policy_document" "scanning_orchestrator_policy_document" {
     resources = ["arn:${data.aws_partition.current.partition}:kms:*:*:key/*"]
 
     // The following conditions enforce that decrypt action
-    // can only be performed on snapshots from calls by ebs API.
+    // can only be performed from calls by ebs API.
     condition {
       test     = "ForAnyValue:StringEquals"
       variable = "kms:EncryptionContextKeys"
       values   = ["aws:ebs:id"]
     }
 
-    condition {
-      test     = "StringLike"
-      variable = "kms:EncryptionContext:aws:ebs:id"
-      values   = ["snap-*"]
-    }
-
     condition {
       test     = "StringLike"
       variable = "kms:ViaService"
@@ -378,19 +372,13 @@ data "aws_iam_policy_document" "scanning_worker_policy_document" {
     resources = ["arn:${data.aws_partition.current.partition}:kms:*:*:key/*"]
 
     // The following conditions enforce that decrypt action
-    // can only be performed on snapshots from calls by ebs API.
+    // can only be performed from calls by ebs API.
     condition {
       test     = "ForAnyValue:StringEquals"
       variable = "kms:EncryptionContextKeys"
       values   = ["aws:ebs:id"]
     }
 
-    condition {
-      test     = "StringLike"
-      variable = "kms:EncryptionContext:aws:ebs:id"
-      values   = ["snap-*"]
-    }
-
     condition {
       test     = "StringLike"
       variable = "kms:ViaService"
