- data "aws_iam_policy_document" "iam_admin_kms" {
- statement {
- sid = "AllowKMSthings"
- effect = "Allow"
- actions = [ #tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
- "kms:Create*",
- "kms:Describe*",
- "kms:Enable*",
- "kms:List*",
- "kms:Put*",
- "kms:Update*",
- "kms:Revoke*",
- "kms:Disable*",
- "kms:Get*",
- "kms:Delete*",
- "kms:TagResource",
- "kms:UntagResource",
- "kms:ScheduleKeyDeletion",
- "kms:CancelKeyDeletion"
- ]
- #tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
- resources = ["*"]
- }
- }
- resource "aws_iam_policy" "iam_admin_kms" {
- name = "iam_admin_kms"
- path = "/user/"
- description = "KMS access for IAM admins"
- policy = data.aws_iam_policy_document.iam_admin_kms.json
- }