ministryofjustice / modernisation-platform

A place for the core work of the Modernisation Platform • This repository is defined and managed in Terraform
https://user-guide.modernisation-platform.service.justice.gov.uk
MIT License

Investigate the use of CMK keys on S3 #7870

Closed markgov closed 4 weeks ago

markgov commented 1 month ago

User Story

As a Modernisation Platform user I want to be able to use CMK encryption keys on S3 so that we can better encrypt CloudWatch logs.

Value / Purpose

Hi MP. I'm trying to encrypt a CloudWatch log group using the shared HMPPS general KMS key. However, it results in this error:

```
╷
│ Error: associating CloudWatch Logs Log Group (delius-jitbit-ecs) KMS key: operation error CloudWatch Logs: AssociateKmsKey, https response error StatusCode: 400, RequestID: 4eb4436d-83ec-49eb-a208-a0143b6fce0b, api error AccessDeniedException: The specified KMS key does not exist or is not allowed to be used with Arn 'arn:aws:logs:eu-west-2:**:log-group:delius-jitbit-ecs'
│
│   with aws_cloudwatch_log_group.jitbit,
│   on ecs.tf line 85, in resource "aws_cloudwatch_log_group" "jitbit":
│   85: resource "aws_cloudwatch_log_group" "jitbit" {
│
╵
```

Surprisingly I seem to be the first person in MP to try and encrypt a log group using a CMK. I think we may need an additional section in the key policy to allow for this, example:

```json
{
  "Effect": "Allow",
  "Principal": {
    "Service": "logs.REGION.amazonaws.com"
  },
  "Action": [
    "kms:Encrypt*",
    "kms:Decrypt*",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:Describe*"
  ],
  "Resource": "*"
}
```

Obviously replacing REGION with the actual region :smile: Please let me know your thoughts and if you can implement this.

Useful Contacts

Andrew Moore

Additional Information

https://github.com/hashicorp/terraform-provider-aws/issues/29282#issuecomment-2017920706
https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html#cmk-permissions

Definition of Done

Khatraf commented 1 month ago

Adding the policy below to restrict the key to a single log group ARN fails with this error (An error occurred (AccessDeniedException) when calling the AssociateKmsKey operation: The specified KMS key does not exist or is not allowed to be used with Arn 'arn:aws:logs:eu-west-2:accountID:log-group:log-group-name'):

```json
{
  "Effect": "Allow",
  "Principal": {
    "Service": "logs.region.amazonaws.com"
  },
  "Action": [
    "kms:Encrypt*",
    "kms:Decrypt*",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:Describe*"
  ],
  "Resource": "*",
  "Condition": {
    "ArnEquals": {
      "kms:EncryptionContext:aws:logs:arn": "arn:aws:logs:region:account-id:log-group:log-group-name"
    }
  }
}
```

Khatraf commented 1 month ago

It works when I change the condition to:

```json
"Condition": {
  "ArnLike": {
    "kms:EncryptionContext:aws:logs:arn": "arn:aws:logs:region:account-id:*"
  }
}
```

This limits the use of the AWS KMS key to the specified account, making it more restrictive than giving all CloudWatch log groups in eu-west-2 broad access to use the KMS key.
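
A small checker, added here as an example and not code from this repository or the linked PR, that builds the CloudWatch Logs key-policy statement discussed above and simulates how the `kms:EncryptionContext:aws:logs:arn` condition is evaluated against the log-group ARN that CloudWatch Logs supplies as encryption context. The region, account id and log-group names are constructed placeholders; the root statement is the standard one that keeps the key manageable by the account.

```python
import json
import re

# Constructed placeholders for the example; substitute your own region and account id.
REGION = "eu-west-2"
ACCOUNT_ID = "111122223333"
LOGS_ARN_KEY = "kms:EncryptionContext:aws:logs:arn"

def logs_statement(operator: str, arn_pattern: str) -> dict:
    """Key-policy statement letting the CloudWatch Logs service principal use the key,
    scoped by the log-group ARN that Logs places in the KMS encryption context."""
    return {
        "Sid": "AllowCloudWatchLogs",
        "Effect": "Allow",
        "Principal": {"Service": f"logs.{REGION}.amazonaws.com"},
        "Action": ["kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*",
                   "kms:GenerateDataKey*", "kms:Describe*"],
        "Resource": "*",  # a key policy always refers to the key itself as "*"
        "Condition": {operator: {LOGS_ARN_KEY: arn_pattern}},
    }

def key_policy(operator: str, arn_pattern: str) -> str:
    """Full key policy: keep the account-root statement so the key stays manageable."""
    root = {"Sid": "EnableIAMUserPermissions", "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
            "Action": "kms:*", "Resource": "*"}
    policy = {"Version": "2012-10-17", "Statement": [root, logs_statement(operator, arn_pattern)]}
    return json.dumps(policy, indent=2)

def _segment_matches(pattern: str, value: str) -> bool:
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def arn_condition_matches(operator: str, pattern: str, arn: str) -> bool:
    """IAM ArnEquals and ArnLike behave alike: the six colon-delimited ARN components are
    compared one by one, and * / ? wildcards are honoured in each."""
    if operator not in ("ArnEquals", "ArnLike"):
        raise ValueError(f"unsupported operator: {operator}")
    p, a = pattern.split(":", 5), arn.split(":", 5)
    return len(p) == 6 and len(a) == 6 and all(map(_segment_matches, p, a))

def statement_allows_log_group(statement: dict, log_group_arn: str) -> bool:
    """Simulate the AssociateKmsKey check: does the condition accept the encryption
    context {aws:logs:arn: <log group ARN>} that CloudWatch Logs supplies?"""
    (operator, cond), = statement["Condition"].items()
    return arn_condition_matches(operator, cond[LOGS_ARN_KEY], log_group_arn)
```

Run `statement_allows_log_group` against each log-group ARN you intend to encrypt before changing the shared key policy; a mismatch here reproduces the AccessDeniedException from AssociateKmsKey without touching the key.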

Khatraf commented 4 weeks ago

I have updated the KMS key policy to allow the CloudWatch Logs service to use the shared KMS key for encrypting and decrypting log data which ensures that logs are securely encrypted at rest. The updated key policy and changes are included in this PR.

richgreen-moj commented 4 weeks ago

Reviewed ticket, happy that the required permissions changes have been made to enable the user's request. 👍