amazon-connect / amazon-connect-salesforce-lambda

Apache License 2.0

Missing CMS KMS policy #3

Open LorneCurrie opened 3 years ago

LorneCurrie commented 3 years ago

When you use a CMS KMS key to encrypt the report data, the CTRTrigger Lambda does not run, as it does not have permission to decrypt the data from the Kinesis stream.

Could you add the CloudFormation scripts to add the relevant permissions to the CMS KMS key if one is used, or provide the template that should be manually inserted into the CMS KMS key policy, with the accompanying documentation?

Roles that are affected:

Lambda affected:

rectalogic commented 3 years ago

If you use the ARN of the AWS managed CMK key aws/credentialsmanager then this is not necessary (and encrypt your secrets with that key). The solution's KMSManagedPolicy will work with an AWS managed CMK but not with a customer managed CMK.
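An added example, not part of the thread or of the project's code: a small offline check of whether a customer managed key's policy lets a Lambda execution role call `kms:Decrypt`, which is the permission the issue reports as missing. The account ID, role names and both policy documents are constructed, since the thread does not list the affected roles.

```python
import json
from fnmatch import fnmatchcase

ACCOUNT = "111122223333"  # constructed account ID
LAMBDA_ROLE = f"arn:aws:iam::{ACCOUNT}:role/ExampleCTRTriggerRole"  # hypothetical name

# Constructed key policy: only a key administrator is named (the failing setup).
ADMIN_ONLY = {
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:role/ExampleKeyAdmin"},
        "Action": "kms:*",
        "Resource": "*",
    }],
}

# Constructed statement a key owner could append for the Lambda role.
LAMBDA_DECRYPT = {
    "Effect": "Allow",
    "Principal": {"AWS": LAMBDA_ROLE},
    "Action": "kms:Decrypt",
    "Resource": "*",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def key_access(policy, role_arn, action="kms:Decrypt"):
    """Return 'direct', 'via-iam' or 'none' for role_arn under this key policy."""
    # Simplified: Deny, NotAction, NotPrincipal and Condition are not evaluated.
    account = role_arn.split(":")[4]
    delegates = {account, f"arn:aws:iam::{account}:root"}
    result = "none"
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = _as_list(stmt.get("Action", []))
        if not any(fnmatchcase(action.lower(), p.lower()) for p in patterns):
            continue
        principal = stmt.get("Principal", {})
        names = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if role_arn in names or "*" in names:
            return "direct"  # the key policy names the role itself
        if delegates & set(names):
            result = "via-iam"  # account root: an IAM policy on the role must also allow it
    return result

if __name__ == "__main__":
    fixed = {"Statement": ADMIN_ONLY["Statement"] + [LAMBDA_DECRYPT]}
    print(json.dumps({"before": key_access(ADMIN_ONLY, LAMBDA_ROLE),
                      "after": key_access(fixed, LAMBDA_ROLE)}))
```

To check a real key, pass the parsed JSON policy document exported for that key in place of the constructed one.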