data "aws_caller_identity" "current" {} data "aws_iam_role" "kms_admin_role" { for_each = toset(var.kms_admin_roles) name = each.value } data "aws_iam_role" "kms_usage_role" { for_each = toset(var.kms_usage_roles) name = each.value } data "aws_iam_policy_document" "admin_kms_policy" { # checkov:skip=CKV_AWS_109: Not applicable # checkov:skip=CKV_AWS_111: Not applicable statement { sid = "Enable Owner account Root to have full access to the key" principals { type = "AWS" identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"] } actions = [ "kms:*", ] resources = ["*"] } statement { sid = "Allow access for Key Administrators" principals { type = "AWS" identifiers = local.kms_admin_roles } actions = [ "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*", "kms:TagResource", "kms:UntagResource", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion" ] resources = ["*"] } statement { sid = "Allow granting of the key to Key Administrators" principals { type = "AWS" identifiers = local.kms_admin_roles } actions = [ "kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant" ] resources = ["*"] condition { test = "Bool" variable = "kms:GrantIsForAWSResource" values = [true] } } dynamic "statement" { for_each = local.enable_cross_account_access content { sid = "Allow use of the key to the cross-account owners" principals { type = "AWS" identifiers = local.kms_cross_account_roots } actions = [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey" ] resources = ["*"] } } dynamic "statement" { for_each = local.enable_cross_account_access content { sid = "Allow granting of the key to the cross-account owners" principals { type = "AWS" identifiers = local.kms_cross_account_roots } actions = [ "kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant" ] resources = ["*"] condition { test = "Bool" variable = "kms:GrantIsForAWSResource" values = [true] } } } }