By using AWS re:Post, you agree to the Terms of Use
/KMS policy for cross account cloudtrail/

KMS policy for cross account cloudtrail

0

Hi,

i have cloudtrail enabled for the organization in the root account. An s3 bucket in a security account (with kms enabled). All logs from all accounts are hitting the bucket!

I know need to enable KMS for cloudtrail, im trying to follow the below guide in terraform:

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-kms-key-policy-for-cloudtrail.html

Using the below code:

resource "aws_kms_key" "cloudtrail" {
  description             = "KMS for cloudtrail"
  deletion_window_in_days = 7
  is_enabled              = true
  enable_key_rotation     = true
  policy                  = <<POLICY
{
  "Sid": "Enable CloudTrail Encrypt Permissions",
  "Effect": "Allow",
  "Principal": {
    "Service": "cloudtrail.amazonaws.com"
  },
  "Action": "kms:GenerateDataKey*",
  "Resource": "${aws_kms_key.cloudtrail.arn}", # THIS IS THE LINE THAT FAILS!
  "Condition": {
    "StringLike": {
      "kms:EncryptionContext:aws:cloudtrail:arn": [
        "arn:aws:cloudtrail:*:xxx:trail/*",
        "arn:aws:cloudtrail:*:xx:trail/*",
      ]
    },
    "StringEquals": {
        "aws:SourceArn": "arn:aws:cloudtrail:eu-west-2:xxx:trail/organization_trail"
    }
  }
}
POLICY
}

But getting an error that the

Error: Self-referential block
│ 
│   on kms-cloudtrail.tf line 16, in resource "aws_kms_key" "cloudtrail":
│   16:   "Resource": "${aws_kms_key.cloudtrail.arn}",
│ 
│ Configuration for aws_kms_key.cloudtrail may not refer to itself.

Im guessing i get the error because the KMS doesnt exist yet so it cant reference it? So is the document wrong? or am miss understanding something regarding it?

Any help would be great!

  • Could you try the following in your code: "Resource": "*" Keep in mind (https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-overview.html) Note Do not set the Principal to an asterisk (*) in any key policy statement that allows permissions unless you use conditions to limit the key policy. An asterisk gives every identity in every AWS account permission to use the KMS key, unless another policy statement explicitly denies it. Users in other AWS accounts just need corresponding IAM permissions in their own accounts to use the KMS key.

2 Answers
1

Merged the 2 options together with updating the resource as well. for our specific case, it still failed until i added the standed role for admin on it and then access to all the s3 buckets as well.

Thanks for the help!

answered a month ago
0

Hello, I agree that it is probably because because KMS does not exist. Problem here is within terraform, because when i did a proper configuration I get the following error: Error: Cycle: aws_kms_key.cloudtrail, data.aws_iam_policy_document.kmspolicy It gets a Cycle error as the resources are referencing each-other.

So what I suggest you do is that if you want these resources reference each-other (policy and kms resource), you need to create them separately. If you want to do it in an automated way you can create the KMS resource in one module then reference it in another. The policy can not be deployed as it needs a resource to reference.

There is nothing wrong with the AWS documentation, however, in this case is it not as easy when dealing with IaC tools like terraform.

Here is what i tried to deploy when getting the Cycle Error:

resource "aws_kms_key" "cloudtrail" {
  description             = "KMS for cloudtrail"
  deletion_window_in_days = 7
  is_enabled              = true
  enable_key_rotation     = true
  policy                  = data.aws_iam_policy_document.kmspolicy.json
}

data "aws_iam_policy_document" "kmspolicy" {
  statement {
    sid    = "Enable CloudTrail Encrypt Permissions"
    effect = "Allow"
    principals {
      type        = "Service"
      identifiers = "cloudtrail.amazonaws.com"
    }
    actions   = ["kms:GenerateDataKey*"]
    resources = ["${aws_kms_key.cloudtrail.arn}"]
    condition {
      test = "StringEquals"
      variable = "aws:SourceArn"
      vaclues   = ["arn:aws:cloudtrail:eu-west-2:xxx:trail/organization_trail"]
    }
  }
}
answered a month ago
  • Hey, im getting the cycle error with this

    │ Error: Cycle: data.aws_iam_policy_document.cloudtrailkms, aws_kms_key.cloudtrail
    

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions