Merge pull request #6407 from govuk-one-login/AUT-4213-update-dynamodb-table-kms-key-policy

monhaque · web-flow · commit 19a64c80b7b1 · 2025-05-08T10:54:02.000Z
AUT-4213: Auth AWS account permission on KMS key
diff --git a/ci/terraform/shared/kms.tf b/ci/terraform/shared/kms.tf
@@ -473,21 +473,12 @@ resource "aws_kms_key" "auth_code_store_signing_key" {
   key_usage                = "ENCRYPT_DECRYPT"
   customer_master_key_spec = "SYMMETRIC_DEFAULT"
   enable_key_rotation      = true
-  policy = jsonencode({
-    Version = "2012-10-17"
-    Id      = "key-policy-dynamodb",
-    Statement = [
-      {
-        Sid       = "Allow IAM to manage this key",
-        Effect    = "Allow",
-        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
-        Action = [
-          "kms:*"
-        ],
-        Resource = "*"
-      }
-    ]
-  })
+  policy                   = data.aws_iam_policy_document.auth_dynamo_table_encryption_key_access_policy.json
+}
+
+resource "aws_kms_alias" "auth_code_store_signing_key_alias" {
+  name          = "alias/${var.environment}-auth-code-store-table-encryption-key"
+  target_key_id = aws_kms_key.auth_code_store_signing_key.key_id
 }
 
 # Authorization Token endpoint Signing KMS key
@@ -510,21 +501,12 @@ resource "aws_kms_key" "access_token_store_signing_key" {
   key_usage                = "ENCRYPT_DECRYPT"
   customer_master_key_spec = "SYMMETRIC_DEFAULT"
   enable_key_rotation      = true
-  policy = jsonencode({
-    Version = "2012-10-17"
-    Id      = "key-policy-dynamodb",
-    Statement = [
-      {
-        Sid       = "Allow IAM to manage this key",
-        Effect    = "Allow",
-        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
-        Action = [
-          "kms:*"
-        ],
-        Resource = "*"
-      }
-    ]
-  })
+  policy                   = data.aws_iam_policy_document.auth_dynamo_table_encryption_key_access_policy.json
+}
+
+resource "aws_kms_alias" "access_token_store_signing_key_alias" {
+  name          = "alias/${var.environment}-access-token-store-table-encryption-key"
+  target_key_id = aws_kms_key.access_token_store_signing_key.key_id
 }
 
 resource "aws_kms_key" "bulk_email_users_encryption_key" {
@@ -533,21 +515,12 @@ resource "aws_kms_key" "bulk_email_users_encryption_key" {
   key_usage                = "ENCRYPT_DECRYPT"
   customer_master_key_spec = "SYMMETRIC_DEFAULT"
   enable_key_rotation      = true
-  policy = jsonencode({
-    Version = "2012-10-17"
-    Id      = "key-policy-dynamodb",
-    Statement = [
-      {
-        Sid       = "Allow IAM to manage this key",
-        Effect    = "Allow",
-        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
-        Action = [
-          "kms:*"
-        ],
-        Resource = "*"
-      }
-    ]
-  })
+  policy                   = data.aws_iam_policy_document.auth_dynamo_table_encryption_key_access_policy.json
+}
+
+resource "aws_kms_alias" "bulk_email_users_encryption_key_alias" {
+  name          = "alias/${var.environment}-bulk-email-users-table-encryption-key"
+  target_key_id = aws_kms_key.bulk_email_users_encryption_key.key_id
 }
 
 resource "aws_kms_key" "account_modifiers_table_encryption_key" {
@@ -556,21 +529,12 @@ resource "aws_kms_key" "account_modifiers_table_encryption_key" {
   key_usage                = "ENCRYPT_DECRYPT"
   customer_master_key_spec = "SYMMETRIC_DEFAULT"
   enable_key_rotation      = true
-  policy = jsonencode({
-    Version = "2012-10-17"
-    Id      = "key-policy-dynamodb",
-    Statement = [
-      {
-        Sid       = "Allow IAM to manage this key",
-        Effect    = "Allow",
-        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
-        Action = [
-          "kms:*"
-        ],
-        Resource = "*"
-      }
-    ]
-  })
+  policy                   = data.aws_iam_policy_document.auth_dynamo_table_encryption_key_access_policy.json
+}
+
+resource "aws_kms_alias" "account_modifiers_table_encryption_key_alias" {
+  name          = "alias/${var.environment}-account-modifiers-table-encryption-key"
+  target_key_id = aws_kms_key.account_modifiers_table_encryption_key.key_id
 }
 
 resource "aws_kms_key" "user_credentials_table_encryption_key" {
@@ -579,21 +543,12 @@ resource "aws_kms_key" "user_credentials_table_encryption_key" {
   key_usage                = "ENCRYPT_DECRYPT"
   customer_master_key_spec = "SYMMETRIC_DEFAULT"
   enable_key_rotation      = true
-  policy = jsonencode({
-    Version = "2012-10-17"
-    Id      = "key-policy-dynamodb",
-    Statement = [
-      {
-        Sid       = "Allow IAM to manage this key",
-        Effect    = "Allow",
-        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
-        Action = [
-          "kms:*"
-        ],
-        Resource = "*"
-      }
-    ]
-  })
+  policy                   = data.aws_iam_policy_document.auth_dynamo_table_encryption_key_access_policy.json
+}
+
+resource "aws_kms_alias" "user_credentials_table_encryption_key_alias" {
+  name          = "alias/${var.environment}-user-credentials-table-encryption-key"
+  target_key_id = aws_kms_key.user_credentials_table_encryption_key.key_id
 }
 
 resource "aws_kms_key" "common_passwords_table_encryption_key" {
@@ -602,21 +557,12 @@ resource "aws_kms_key" "common_passwords_table_encryption_key" {
   key_usage                = "ENCRYPT_DECRYPT"
   customer_master_key_spec = "SYMMETRIC_DEFAULT"
   enable_key_rotation      = true
-  policy = jsonencode({
-    Version = "2012-10-17"
-    Id      = "key-policy-dynamodb",
-    Statement = [
-      {
-        Sid       = "Allow IAM to manage this key",
-        Effect    = "Allow",
-        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
-        Action = [
-          "kms:*"
-        ],
-        Resource = "*"
-      }
-    ]
-  })
+  policy                   = data.aws_iam_policy_document.auth_dynamo_table_encryption_key_access_policy.json
+}
+
+resource "aws_kms_alias" "common_passwords_table_encryption_key_alias" {
+  name          = "alias/${var.environment}-common-passwords-table-encryption-key"
+  target_key_id = aws_kms_key.common_passwords_table_encryption_key.key_id
 }
 
 resource "aws_kms_key" "doc_app_credential_table_encryption_key" {
@@ -628,6 +574,11 @@ resource "aws_kms_key" "doc_app_credential_table_encryption_key" {
   policy                   = data.aws_iam_policy_document.cross_account_doc_app_credential_table_encryption_key_policy.json
 }
 
+resource "aws_kms_alias" "doc_app_credential_table_encryption_key_alias" {
+  name          = "alias/${var.environment}-doc-app-credential-table-encryption-key"
+  target_key_id = aws_kms_key.doc_app_credential_table_encryption_key.key_id
+}
+
 data "aws_iam_policy_document" "cross_account_doc_app_credential_table_encryption_key_policy" {
   statement {
     sid    = "DefaultAccessPolicy"
@@ -726,6 +677,34 @@ data "aws_iam_policy_document" "cross_account_table_encryption_key_access_policy
       identifiers = [var.orchestration_account_id]
     }
   }
+
+  dynamic "statement" {
+    for_each = var.environment != "production" && var.environment != "integration" && var.environment != "staging" ? ["1"] : []
+    content {
+      sid    = "Allow Auth access to dynamo table encryption key"
+      effect = "Allow"
+
+      actions = [
+        "kms:Encrypt",
+        "kms:Decrypt",
+        "kms:ReEncrypt*",
+        "kms:GenerateDataKey*",
+        "kms:CreateGrant",
+        "kms:DescribeKey",
+      ]
+      principals {
+        type = "AWS"
+        identifiers = [
+          format(
+            "arn:%s:iam::%s:root",
+            data.aws_partition.current.partition,
+            var.auth_new_account_id
+          )
+        ]
+      }
+      resources = ["*"]
+    }
+  }
 }
 
 resource "aws_kms_key" "user_profile_table_encryption_key" {
@@ -750,21 +729,12 @@ resource "aws_kms_key" "email_check_result_encryption_key" {
   key_usage                = "ENCRYPT_DECRYPT"
   customer_master_key_spec = "SYMMETRIC_DEFAULT"
   enable_key_rotation      = true
-  policy = jsonencode({
-    Version = "2012-10-17"
-    Id      = "key-policy-dynamodb",
-    Statement = [
-      {
-        Sid       = "Allow IAM to manage this key",
-        Effect    = "Allow",
-        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
-        Action = [
-          "kms:*"
-        ],
-        Resource = "*"
-      }
-    ]
-  })
+  policy                   = data.aws_iam_policy_document.auth_dynamo_table_encryption_key_access_policy.json
+}
+
+resource "aws_kms_alias" "email_check_result_encryption_key_alias" {
+  name          = "alias/${var.environment}-email-check-result-table-encryption-key"
+  target_key_id = aws_kms_key.email_check_result_encryption_key.key_id
 }
 
 resource "aws_kms_key" "pending_email_check_queue_encryption_key" {
@@ -803,23 +773,7 @@ resource "aws_kms_key" "authentication_attempt_encryption_key" {
   key_usage                = "ENCRYPT_DECRYPT"
   customer_master_key_spec = "SYMMETRIC_DEFAULT"
   enable_key_rotation      = true
-
-  policy = jsonencode({
-    Version = "2012-10-17"
-    Id      = "key-policy-dynamodb",
-    Statement = [
-      {
-        Sid       = "Allow IAM to manage this key",
-        Effect    = "Allow",
-        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
-        Action = [
-          "kms:*"
-        ],
-        Resource = "*"
-      }
-    ]
-  })
-
+  policy                   = data.aws_iam_policy_document.auth_dynamo_table_encryption_key_access_policy.json
 }
 
 resource "aws_kms_alias" "authentication_attempt_encryption_key_alias" {
@@ -833,23 +787,7 @@ resource "aws_kms_key" "auth_session_table_encryption_key" {
   key_usage                = "ENCRYPT_DECRYPT"
   customer_master_key_spec = "SYMMETRIC_DEFAULT"
   enable_key_rotation      = true
-
-  policy = jsonencode({
-    Version = "2012-10-17"
-    Id      = "key-policy-dynamodb",
-    Statement = [
-      {
-        Sid       = "Allow IAM to manage this key",
-        Effect    = "Allow",
-        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
-        Action = [
-          "kms:*"
-        ],
-        Resource = "*"
-      }
-    ]
-  })
-
+  policy                   = data.aws_iam_policy_document.auth_dynamo_table_encryption_key_access_policy.json
 }
 
 resource "aws_kms_alias" "auth_session_table_encryption_key_alias" {
@@ -864,30 +802,65 @@ resource "aws_kms_key" "id_reverification_state_table_encryption_key" {
   key_usage                = "ENCRYPT_DECRYPT"
   customer_master_key_spec = "SYMMETRIC_DEFAULT"
   enable_key_rotation      = true
-
-  policy = jsonencode({
-    Version = "2012-10-17"
-    Id      = "key-policy-dynamodb",
-    Statement = [
-      {
-        Sid       = "Allow IAM to manage this key",
-        Effect    = "Allow",
-        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
-        Action = [
-          "kms:*"
-        ],
-        Resource = "*"
-      }
-    ]
-  })
-
+  policy                   = data.aws_iam_policy_document.auth_dynamo_table_encryption_key_access_policy.json
 }
 
 resource "aws_kms_alias" "id_reverification_state_table_encryption_key_alias" {
   name          = "alias/${var.environment}-id-reverification-state-table-encryption-key"
   target_key_id = aws_kms_key.id_reverification_state_table_encryption_key.key_id
 }
 
+## KMS Key policy to Allow access to the KMS key for the new authentication AWS account to access DynamoDB table
+
+
+data "aws_iam_policy_document" "auth_dynamo_table_encryption_key_access_policy" {
+  #checkov:skip=CKV_AWS_109:Root requires all kms:* actions access
+  #checkov:skip=CKV_AWS_111:Root requires all kms:* actions access
+  #checkov:skip=CKV_AWS_356:Policy cannot self-reference the kms key, so resources wildcard is required
+  statement {
+    sid    = "DefaultAccessPolicy"
+    effect = "Allow"
+
+    actions = [
+      "kms:*"
+    ]
+    resources = ["*"]
+
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+    }
+  }
+
+  dynamic "statement" {
+    for_each = var.environment != "production" && var.environment != "integration" && var.environment != "staging" ? ["1"] : []
+    content {
+      sid    = "Allow Auth access to dynamo table encryption key"
+      effect = "Allow"
+
+      actions = [
+        "kms:Encrypt",
+        "kms:Decrypt",
+        "kms:ReEncrypt*",
+        "kms:GenerateDataKey*",
+        "kms:CreateGrant",
+        "kms:DescribeKey",
+      ]
+      principals {
+        type = "AWS"
+        identifiers = [
+          format(
+            "arn:%s:iam::%s:root",
+            data.aws_partition.current.partition,
+            var.auth_new_account_id
+          )
+        ]
+      }
+      resources = ["*"]
+    }
+  }
+}
+
 ## Frontend KMS key for signing JWT tokens
 resource "aws_kms_key" "authentication_encryption_key" {
   description              = "KMS encryption key for decrypting requests from Orchestration"
