- data "aws_iam_policy_document" "iam_admin_kms" {
- # checkov:skip=CKV_AWS_109: see tfsec aws-iam-no-policy-wildcard ignore comment
- # checkov:skip=CKV_AWS_111: see tfsec aws-iam-no-policy-wildcard ignore comment
- # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
- statement {
- sid = "AllowKMSthings"
- effect = "Allow"
- actions = [
- "kms:Create*",
- "kms:Describe*",
- "kms:Enable*",
- "kms:List*",
- "kms:Put*",
- "kms:Update*",
- "kms:Revoke*",
- "kms:Disable*",
- "kms:Get*",
- "kms:Delete*",
- "kms:TagResource",
- "kms:UntagResource",
- "kms:ScheduleKeyDeletion",
- "kms:CancelKeyDeletion"
- ]
- resources = ["*"]
- }
- }
- resource "aws_iam_policy" "iam_admin_kms" {
- name = "iam_admin_kms"
- path = "/user/"
- description = "KMS access for IAM admins"
- policy = data.aws_iam_policy_document.iam_admin_kms.json
- }