

@anmolnagpal
Created June 3, 2024 10:05

Revisions

  1. anmolnagpal created this gist Jun 3, 2024.
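--- /dev/null
+++ b/contoltower-kms-policy.json
@@ -0,0 +1,104 @@
+{
+"Version": "2012-10-17",
+"Id": "key-consolepolicy-3",
+"Statement": [
+{
+"Sid": "Enable IAM User Permissions",
+"Effect": "Allow",
+"Principal": {
+"AWS": "arn:aws:iam::<account_no>:root"
+},
+"Action": "kms:*",
+"Resource": "*"
+},
+{
+"Sid": "Allow access for Key Administrators",
+"Effect": "Allow",
+"Principal": {
+"AWS": "arn:aws:iam::<account_no>:user/ControlTower"
+},
+"Action": [
+"kms:Create*",
+"kms:Describe*",
+"kms:Enable*",
+"kms:List*",
+"kms:Put*",
+"kms:Update*",
+"kms:Revoke*",
+"kms:Disable*",
+"kms:Get*",
+"kms:Delete*",
+"kms:TagResource",
+"kms:UntagResource",
+"kms:ScheduleKeyDeletion",
+"kms:CancelKeyDeletion"
+],
+"Resource": "*"
+},
+{
+"Sid": "Allow use of the key",
+"Effect": "Allow",
+"Principal": {
+"AWS": "arn:aws:iam::<account_no>:user/ControlTower"
+},
+"Action": [
+"kms:Encrypt",
+"kms:Decrypt",
+"kms:ReEncrypt*",
+"kms:GenerateDataKey*",
+"kms:DescribeKey"
+],
+"Resource": "*"
+},
+{
+"Sid": "Allow attachment of persistent resources",
+"Effect": "Allow",
+"Principal": {
+"AWS": "arn:aws:iam::<account_no>:user/ControlTower"
+},
+"Action": [
+"kms:CreateGrant",
+"kms:ListGrants",
+"kms:RevokeGrant"
+],
+"Resource": "*",
+"Condition": {
+"Bool": {
+"kms:GrantIsForAWSResource": "true"
+}
+}
+},
+{
+"Sid": "Allow Config to use KMS for encryption",
+"Effect": "Allow",
+"Principal": {
+"Service": "config.amazonaws.com"
+},
+"Action": [
+"kms:Decrypt",
+"kms:GenerateDataKey"
+],
+"Resource": "arn:aws:kms:us-west-2:<account_no>:key/<key>"
+},
+{
+"Sid": "Allow CloudTrail to use KMS for encryption",
+"Effect": "Allow",
+"Principal": {
+"Service": "cloudtrail.amazonaws.com"
+},
+"Action": [
+"kms:GenerateDataKey*",
+"kms:Decrypt"
+],
+"Resource": "arn:aws:kms:us-west-2:<account_no>:key/<key>",
+"Condition": {
+"StringEquals": {
+"aws:SourceArn": "arn:aws:cloudtrail:us-west-2:account_no:trail/aws-controltower-BaselineCloudTrail"
+},
+"StringLike": {
+"kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:<account_no>:trail/*"
+}
+}
+}
+]
+}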
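Review bot: The `aws:SourceArn` value in the CloudTrail statement (`arn:aws:cloudtrail:us-west-2:account_no:trail/aws-controltower-BaselineCloudTrail`) is the only place in the file where the account placeholder is written without angle brackets, so a find-and-replace of `<account_no>` leaves the literal text `account_no` behind and the `StringEquals` condition can never match, which would stop CloudTrail from generating data keys under this key; it should read `"aws:SourceArn": "arn:aws:cloudtrail:us-west-2:<account_no>:trail/aws-controltower-BaselineCloudTrail"`. The Config statement directly above grants `kms:Decrypt` and `kms:GenerateDataKey` to `config.amazonaws.com` with no condition at all, unlike the CloudTrail statement, so the service principal can presumably be driven from another account that points Config at resources encrypted with this key (the confused-deputy case); adding `"Condition": {"StringEquals": {"aws:SourceAccount": "<account_no>"}}` to that statement scopes it to this account. The key-administrator, key-user and grant statements all name the same IAM user (`user/ControlTower`), so one set of long-lived credentials holds both `kms:ScheduleKeyDeletion`/`kms:Put*` (which includes rewriting this policy) and data-plane use of the key; if separation of duties is a goal, split those into distinct roles rather than a single user. The explicit key ARNs on the two service statements also have to be kept in sync with the key this policy is actually attached to, whereas `"Resource": "*"` (as the other statements use) always refers to the key itself.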