KMS policy for cross account cloudtrail

0

Hi,

I have CloudTrail enabled for the organization in the root account, with an S3 bucket in a security account (with KMS enabled). All logs from all accounts are hitting the bucket!

I now need to enable KMS for CloudTrail, and I'm trying to follow the guide below in Terraform:

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-kms-key-policy-for-cloudtrail.html

Using the below code:

resource "aws_kms_key" "cloudtrail" {
  description             = "KMS for cloudtrail"
  deletion_window_in_days = 7
  is_enabled              = true
  enable_key_rotation     = true
  policy                  = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable CloudTrail Encrypt Permissions",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "kms:GenerateDataKey*",
      "Resource": "${aws_kms_key.cloudtrail.arn}", # THIS IS THE LINE THAT FAILS!
      "Condition": {
        "StringLike": {
          "kms:EncryptionContext:aws:cloudtrail:arn": [
            "arn:aws:cloudtrail:*:xxx:trail/*",
            "arn:aws:cloudtrail:*:xx:trail/*"
          ]
        },
        "StringEquals": {
          "aws:SourceArn": "arn:aws:cloudtrail:eu-west-2:xxx:trail/organization_trail"
        }
      }
    }
  ]
}
POLICY
}

But I'm getting the following error:

Error: Self-referential block
│ 
│   on kms-cloudtrail.tf line 16, in resource "aws_kms_key" "cloudtrail":
│   16:   "Resource": "${aws_kms_key.cloudtrail.arn}",
│ 
│ Configuration for aws_kms_key.cloudtrail may not refer to itself.

I'm guessing I get the error because the KMS key doesn't exist yet, so it can't reference it? So is the document wrong, or am I misunderstanding something regarding it?

Any help would be great!

  • Could you try the following in your code: "Resource": "*"

    Keep in mind the note at https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-overview.html: "Do not set the Principal to an asterisk (*) in any key policy statement that allows permissions unless you use conditions to limit the key policy. An asterisk gives every identity in every AWS account permission to use the KMS key, unless another policy statement explicitly denies it. Users in other AWS accounts just need corresponding IAM permissions in their own accounts to use the KMS key."

3 Answers
1

Merged the two options together, along with updating the resource as well. For our specific case, it still failed until I added the standard role for admin on it and then access to all the S3 buckets as well.

Thanks for the help!

answered 2 years ago
0

Hello, I agree that it is probably because the KMS key does not exist. The problem here is within Terraform, because when I did a proper configuration I got the following error:

Error: Cycle: aws_kms_key.cloudtrail, data.aws_iam_policy_document.kmspolicy

It gets a Cycle error as the resources are referencing each other.

So what I suggest is that if you want these resources to reference each other (policy and KMS resource), you need to create them separately. If you want to do it in an automated way, you can create the KMS resource in one module and then reference it in another. The policy cannot be deployed on its own, as it needs a resource to reference.

There is nothing wrong with the AWS documentation; however, in this case it is not as easy when dealing with IaC tools like Terraform.

Here is what I tried to deploy when getting the Cycle error:

resource "aws_kms_key" "cloudtrail" {
  description             = "KMS for cloudtrail"
  deletion_window_in_days = 7
  is_enabled              = true
  enable_key_rotation     = true
  policy                  = data.aws_iam_policy_document.kmspolicy.json
}

data "aws_iam_policy_document" "kmspolicy" {
  statement {
    sid    = "Enable CloudTrail Encrypt Permissions"
    effect = "Allow"
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"] # identifiers must be a list
    }
    actions = ["kms:GenerateDataKey*"]
    # This reference back to the key is what produces the Cycle error above
    resources = [aws_kms_key.cloudtrail.arn]
    condition {
      test     = "StringEquals"
      variable = "aws:SourceArn"
      values   = ["arn:aws:cloudtrail:eu-west-2:xxx:trail/organization_trail"]
    }
  }
}
AWS
emned
answered 2 years ago
  • Hey, I'm getting the cycle error with this

    │ Error: Cycle: data.aws_iam_policy_document.cloudtrailkms, aws_kms_key.cloudtrail
    
0

Hello,

Try setting the following on the line that fails: "Resource": "*"

Since this is (presumably) a KMS key policy and refers only to the key that the policy is associated with, it is standard practice to use a wildcard for the resource field. You can see here that the CloudTrail documentation uses a wildcard in their KMS key policy too: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-kms-key-policy-for-cloudtrail.html#create-kms-key-policy-for-cloudtrail-encrypt

You'll also want to update the policy resource statement to be an "aws_kms_key_policy" resource as per this documentation: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key_policy

AWS
Kosol
answered a year ago
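Putting the two suggestions above together (create the key on its own, build the policy document afterwards, and attach it with a separate aws_kms_key_policy resource so the document may reference the key ARN without a cycle), as an added example that is not code from the question or any answer; the account IDs, region and trail name are placeholders, and the second statement is the encrypt statement from the AWS CloudTrail guide.

```hcl
# Added example (not from the question or answers); account IDs and trail are placeholders.
locals {
  security_account_id   = "111111111111" # owns the key and the log bucket
  management_account_id = "222222222222" # where the organization trail lives
}
resource "aws_kms_key" "cloudtrail" {
  description             = "KMS for cloudtrail"
  deletion_window_in_days = 7
  enable_key_rotation     = true
}
# The document depends on the key, not the other way round: no cycle.
data "aws_iam_policy_document" "cloudtrail_kms" {
  statement { # keep the key administrable from the owning account
    sid       = "Enable IAM User Permissions"
    effect    = "Allow"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${local.security_account_id}:root"]
    }
  }
  # Only the named organization trail may generate data keys, and only with
  # a CloudTrail encryption context (the conditions from the AWS guide).
  statement {
    sid       = "Enable CloudTrail Encrypt Permissions"
    effect    = "Allow"
    actions   = ["kms:GenerateDataKey*"]
    resources = [aws_kms_key.cloudtrail.arn] # "*" (this key) also works here
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
    condition {
      test     = "StringLike"
      variable = "kms:EncryptionContext:aws:cloudtrail:arn"
      values   = ["arn:aws:cloudtrail:*:${local.management_account_id}:trail/*"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:SourceArn"
      values   = ["arn:aws:cloudtrail:eu-west-2:${local.management_account_id}:trail/organization_trail"]
    }
  }
}
# Attach the policy as its own resource instead of inline on the key.
resource "aws_kms_key_policy" "cloudtrail" {
  key_id = aws_kms_key.cloudtrail.id
  policy = data.aws_iam_policy_document.cloudtrail_kms.json
}
```

The first statement is what the accepted answer found was missing: without an administrative principal, CloudTrail would be the only identity the key policy allows and the key becomes unmanageable from the security account.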
