
AUT-4213: Auth AWS account permission on KMS key #6407
Merged
merged 6 commits into from
May 8, 2025
285 changes: 129 additions & 156 deletions ci/terraform/shared/kms.tf
Expand Up @@ -473,21 +473,12 @@ resource "aws_kms_key" "auth_code_store_signing_key" {
key_usage = "ENCRYPT_DECRYPT"
customer_master_key_spec = "SYMMETRIC_DEFAULT"
enable_key_rotation = true
policy = jsonencode({
Version = "2012-10-17"
Id = "key-policy-dynamodb",
Statement = [
{
Sid = "Allow IAM to manage this key",
Effect = "Allow",
Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
Action = [
"kms:*"
],
Resource = "*"
}
]
})
policy = data.aws_iam_policy_document.auth_dynamo_table_encryption_key_access_policy.json
}

resource "aws_kms_alias" "auth_code_store_signing_key_alias" {
name = "alias/${var.environment}-auth-code-store-table-encryption-key"
target_key_id = aws_kms_key.auth_code_store_signing_key.key_id
}

# Authorization Token endpoint Signing KMS key
Expand All @@ -510,21 +501,12 @@ resource "aws_kms_key" "access_token_store_signing_key" {
key_usage = "ENCRYPT_DECRYPT"
customer_master_key_spec = "SYMMETRIC_DEFAULT"
enable_key_rotation = true
policy = jsonencode({
Version = "2012-10-17"
Id = "key-policy-dynamodb",
Statement = [
{
Sid = "Allow IAM to manage this key",
Effect = "Allow",
Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
Action = [
"kms:*"
],
Resource = "*"
}
]
})
policy = data.aws_iam_policy_document.auth_dynamo_table_encryption_key_access_policy.json
}

resource "aws_kms_alias" "access_token_store_signing_key_alias" {
name = "alias/${var.environment}-access-token-store-table-encryption-key"
target_key_id = aws_kms_key.access_token_store_signing_key.key_id
}

resource "aws_kms_key" "bulk_email_users_encryption_key" {
Expand All @@ -533,21 +515,12 @@ resource "aws_kms_key" "bulk_email_users_encryption_key" {
key_usage = "ENCRYPT_DECRYPT"
customer_master_key_spec = "SYMMETRIC_DEFAULT"
enable_key_rotation = true
policy = jsonencode({
Version = "2012-10-17"
Id = "key-policy-dynamodb",
Statement = [
{
Sid = "Allow IAM to manage this key",
Effect = "Allow",
Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
Action = [
"kms:*"
],
Resource = "*"
}
]
})
policy = data.aws_iam_policy_document.auth_dynamo_table_encryption_key_access_policy.json
}

resource "aws_kms_alias" "bulk_email_users_encryption_key_alias" {
name = "alias/${var.environment}-bulk-email-users-table-encryption-key"
target_key_id = aws_kms_key.bulk_email_users_encryption_key.key_id
}

resource "aws_kms_key" "account_modifiers_table_encryption_key" {
Expand All @@ -556,21 +529,12 @@ resource "aws_kms_key" "account_modifiers_table_encryption_key" {
key_usage = "ENCRYPT_DECRYPT"
customer_master_key_spec = "SYMMETRIC_DEFAULT"
enable_key_rotation = true
policy = jsonencode({
Version = "2012-10-17"
Id = "key-policy-dynamodb",
Statement = [
{
Sid = "Allow IAM to manage this key",
Effect = "Allow",
Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
Action = [
"kms:*"
],
Resource = "*"
}
]
})
policy = data.aws_iam_policy_document.auth_dynamo_table_encryption_key_access_policy.json
}

resource "aws_kms_alias" "account_modifiers_table_encryption_key_alias" {
name = "alias/${var.environment}-account-modifiers-table-encryption-key"
target_key_id = aws_kms_key.account_modifiers_table_encryption_key.key_id
}

resource "aws_kms_key" "user_credentials_table_encryption_key" {
Expand All @@ -579,21 +543,12 @@ resource "aws_kms_key" "user_credentials_table_encryption_key" {
key_usage = "ENCRYPT_DECRYPT"
customer_master_key_spec = "SYMMETRIC_DEFAULT"
enable_key_rotation = true
policy = jsonencode({
Version = "2012-10-17"
Id = "key-policy-dynamodb",
Statement = [
{
Sid = "Allow IAM to manage this key",
Effect = "Allow",
Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
Action = [
"kms:*"
],
Resource = "*"
}
]
})
policy = data.aws_iam_policy_document.auth_dynamo_table_encryption_key_access_policy.json
}

resource "aws_kms_alias" "user_credentials_table_encryption_key_alias" {
name = "alias/${var.environment}-user-credentials-table-encryption-key"
target_key_id = aws_kms_key.user_credentials_table_encryption_key.key_id
}

resource "aws_kms_key" "common_passwords_table_encryption_key" {
Expand All @@ -602,21 +557,12 @@ resource "aws_kms_key" "common_passwords_table_encryption_key" {
key_usage = "ENCRYPT_DECRYPT"
customer_master_key_spec = "SYMMETRIC_DEFAULT"
enable_key_rotation = true
policy = jsonencode({
Version = "2012-10-17"
Id = "key-policy-dynamodb",
Statement = [
{
Sid = "Allow IAM to manage this key",
Effect = "Allow",
Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
Action = [
"kms:*"
],
Resource = "*"
}
]
})
policy = data.aws_iam_policy_document.auth_dynamo_table_encryption_key_access_policy.json
}

resource "aws_kms_alias" "common_passwords_table_encryption_key_alias" {
name = "alias/${var.environment}-common-passwords-table-encryption-key"
target_key_id = aws_kms_key.common_passwords_table_encryption_key.key_id
}

resource "aws_kms_key" "doc_app_credential_table_encryption_key" {
Expand All @@ -628,6 +574,11 @@ resource "aws_kms_key" "doc_app_credential_table_encryption_key" {
policy = data.aws_iam_policy_document.cross_account_doc_app_credential_table_encryption_key_policy.json
}

resource "aws_kms_alias" "doc_app_credential_table_encryption_key_alias" {
name = "alias/${var.environment}-doc-app-credential-table-encryption-key"
target_key_id = aws_kms_key.doc_app_credential_table_encryption_key.key_id
}

data "aws_iam_policy_document" "cross_account_doc_app_credential_table_encryption_key_policy" {
statement {
sid = "DefaultAccessPolicy"
Expand Down Expand Up @@ -726,6 +677,34 @@ data "aws_iam_policy_document" "cross_account_table_encryption_key_access_policy
identifiers = [var.orchestration_account_id]
}
}

dynamic "statement" {
for_each = var.environment != "production" && var.environment != "integration" && var.environment != "staging" ? ["1"] : []
content {
sid = "Allow Auth access to dynamo table encryption key"
effect = "Allow"

actions = [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:CreateGrant",
"kms:DescribeKey",
]
principals {
type = "AWS"
identifiers = [
format(
"arn:%s:iam::%s:root",
data.aws_partition.current.partition,
var.auth_new_account_id
)
]
}
resources = ["*"]
}
}
}

resource "aws_kms_key" "user_profile_table_encryption_key" {
Expand All @@ -750,21 +729,12 @@ resource "aws_kms_key" "email_check_result_encryption_key" {
key_usage = "ENCRYPT_DECRYPT"
customer_master_key_spec = "SYMMETRIC_DEFAULT"
enable_key_rotation = true
policy = jsonencode({
Version = "2012-10-17"
Id = "key-policy-dynamodb",
Statement = [
{
Sid = "Allow IAM to manage this key",
Effect = "Allow",
Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
Action = [
"kms:*"
],
Resource = "*"
}
]
})
policy = data.aws_iam_policy_document.auth_dynamo_table_encryption_key_access_policy.json
}

resource "aws_kms_alias" "email_check_result_encryption_key_alias" {
name = "alias/${var.environment}-email-check-result-table-encryption-key"
target_key_id = aws_kms_key.email_check_result_encryption_key.key_id
}

resource "aws_kms_key" "pending_email_check_queue_encryption_key" {
Expand Down Expand Up @@ -803,23 +773,7 @@ resource "aws_kms_key" "authentication_attempt_encryption_key" {
key_usage = "ENCRYPT_DECRYPT"
customer_master_key_spec = "SYMMETRIC_DEFAULT"
enable_key_rotation = true

policy = jsonencode({
Version = "2012-10-17"
Id = "key-policy-dynamodb",
Statement = [
{
Sid = "Allow IAM to manage this key",
Effect = "Allow",
Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
Action = [
"kms:*"
],
Resource = "*"
}
]
})

policy = data.aws_iam_policy_document.auth_dynamo_table_encryption_key_access_policy.json
}

resource "aws_kms_alias" "authentication_attempt_encryption_key_alias" {
Expand All @@ -833,23 +787,7 @@ resource "aws_kms_key" "auth_session_table_encryption_key" {
key_usage = "ENCRYPT_DECRYPT"
customer_master_key_spec = "SYMMETRIC_DEFAULT"
enable_key_rotation = true

policy = jsonencode({
Version = "2012-10-17"
Id = "key-policy-dynamodb",
Statement = [
{
Sid = "Allow IAM to manage this key",
Effect = "Allow",
Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
Action = [
"kms:*"
],
Resource = "*"
}
]
})

policy = data.aws_iam_policy_document.auth_dynamo_table_encryption_key_access_policy.json
}

resource "aws_kms_alias" "auth_session_table_encryption_key_alias" {
Expand All @@ -864,30 +802,65 @@ resource "aws_kms_key" "id_reverification_state_table_encryption_key" {
key_usage = "ENCRYPT_DECRYPT"
customer_master_key_spec = "SYMMETRIC_DEFAULT"
enable_key_rotation = true

policy = jsonencode({
Version = "2012-10-17"
Id = "key-policy-dynamodb",
Statement = [
{
Sid = "Allow IAM to manage this key",
Effect = "Allow",
Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
Action = [
"kms:*"
],
Resource = "*"
}
]
})

policy = data.aws_iam_policy_document.auth_dynamo_table_encryption_key_access_policy.json
}

resource "aws_kms_alias" "id_reverification_state_table_encryption_key_alias" {
name = "alias/${var.environment}-id-reverification-state-table-encryption-key"
target_key_id = aws_kms_key.id_reverification_state_table_encryption_key.key_id
}

## KMS Key policy to Allow access to the KMS key for the new authentication AWS account to access DynamoDB table


data "aws_iam_policy_document" "auth_dynamo_table_encryption_key_access_policy" {
#checkov:skip=CKV_AWS_109:Root requires all kms:* actions access
#checkov:skip=CKV_AWS_111:Root requires all kms:* actions access
#checkov:skip=CKV_AWS_356:Policy cannot self-reference the kms key, so resources wildcard is required
statement {
sid = "DefaultAccessPolicy"
effect = "Allow"

actions = [
"kms:*"
]
resources = ["*"]

principals {
type = "AWS"
identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
}
}

dynamic "statement" {
for_each = var.environment != "production" && var.environment != "integration" && var.environment != "staging" ? ["1"] : []
content {
sid = "Allow Auth access to dynamo table encryption key"
effect = "Allow"

actions = [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:CreateGrant",
"kms:DescribeKey",
]
principals {
type = "AWS"
identifiers = [
format(
"arn:%s:iam::%s:root",
data.aws_partition.current.partition,
var.auth_new_account_id
)
]
}
resources = ["*"]
}
}
}

## Frontend KMS key for signing JWT tokens
resource "aws_kms_key" "authentication_encryption_key" {
description = "KMS encryption key for decrypting requests from Orchestration"
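Review bot: The cross-account statement at the end of the new `auth_dynamo_table_encryption_key_access_policy` data source (sid "Allow Auth access to dynamo table encryption key") grants the whole root principal of `var.auth_new_account_id` `kms:CreateGrant` together with the data-plane actions on `*` with no condition, so any IAM principal in that account that has KMS permissions can create arbitrary grants on these keys and use them directly, not only through DynamoDB as the `## KMS Key policy ...` comment above the block intends. The usual pattern for a key that an AWS service uses on another account's behalf is to move `kms:CreateGrant` into its own statement restricted with `condition { test = "Bool"; variable = "kms:GrantIsForAWSResource"; values = ["true"] }`; the identical dynamic statement added to `cross_account_table_encryption_key_access_policy` earlier in this diff has the same gap. Separately, the environment gate on both `for_each` lines fails open: any environment value other than the three excluded names (including a misspelt one) receives the cross-account grant, so an explicit list of the non-production environments that should get it, kept in one `locals` value shared by both blocks, would fail closed and remove the duplicated expression.
```hcl
  dynamic "statement" {
    for_each = var.environment != "production" && var.environment != "integration" && var.environment != "staging" ? ["1"] : []
    content {
      sid    = "Allow Auth access to dynamo table encryption key"
      effect = "Allow"

      actions = [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey",
      ]
      # … unchanged: principals block for the auth_new_account_id root …
      resources = ["*"]
    }
  }

  # kms:CreateGrant is split out so it can be limited to grants that an AWS
  # service (here DynamoDB) creates on the caller's behalf, not arbitrary grants.
  dynamic "statement" {
    for_each = var.environment != "production" && var.environment != "integration" && var.environment != "staging" ? ["1"] : []
    content {
      sid     = "Allow Auth to create grants for AWS services on dynamo table encryption key"
      effect  = "Allow"
      actions = ["kms:CreateGrant"]
      # … unchanged: same principals block as above …
      resources = ["*"]

      condition {
        test     = "Bool"
        variable = "kms:GrantIsForAWSResource"
        values   = ["true"]
      }
    }
  }
```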