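# Customer-managed KMS key used by the service principals listed in the key
# policy below (the name suggests CloudTrail bucket encryption is the primary
# consumer; the policy itself admits several other services).
resource "aws_kms_key" "ctbucket-key" {
  # 7 days is the shortest pending-deletion window KMS allows. A longer window
  # (up to 30 days) leaves more time to recover a key scheduled for deletion by
  # mistake; consider raising it where the key protects long-lived data.
  deletion_window_in_days = 7
  enable_key_rotation     = true
  policy                  = data.aws_iam_policy_document.key-policy.json
  tags                    = var.default-tags
}

# Human-readable alias for the key.
# The resource label keeps its original spelling ("aliaas") deliberately:
# renaming it changes the Terraform state address and would force a
# destroy/recreate of the alias (or require a `moved` block).
resource "aws_kms_alias" "ctbucket-key-aliaas" {
  name          = "alias/${var.resource-prefix}-kmskey-default"
  target_key_id = aws_kms_key.ctbucket-key.key_id
}

# Key policy. Adapted from
# https://gist.github.com/shortjared/4c1e3fe52bdfa47522cfe5b41e5d6f22
# Note: inside a KMS key policy, `resources = ["*"]` means "this key", not
# every key in the account.
data "aws_iam_policy_document" "key-policy" {
  # Service principals allowed to USE the key (encrypt/decrypt/data keys),
  # but not to administer it.
  statement {
    sid    = "Key usage by aws services"
    effect = "Allow"

    principals {
      type = "Service"
      identifiers = [
        "autoscaling.amazonaws.com",
        "cloudtrail.amazonaws.com",
        "eks.amazonaws.com",
        "eks-nodegroup.amazonaws.com",
        "guardduty.amazonaws.com",
        "delivery.logs.amazonaws.com",
        "sns.amazonaws.com",
        "sqs.amazonaws.com",
        "lambda.amazonaws.com",
        "backup.amazonaws.com",
        "events.amazonaws.com",
        "cloudwatch.amazonaws.com",
        "s3.amazonaws.com",
        "logs.amazonaws.com",
      ]
    }

    actions = [
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:DescribeKey",
    ]

    resources = ["*"]

    # Confused-deputy guard. A service principal such as cloudtrail.amazonaws.com
    # is the same identity regardless of which AWS account's resource drives
    # the call, so an unconditional grant lets a resource in another account
    # use this key through one of these services. Restrict to calls made on
    # behalf of resources in this account. `...IfExists` keeps services that do
    # not populate aws:SourceAccount on their KMS calls working as before;
    # where the consuming resource is known, tighten further with per-service
    # aws:SourceArn or kms:EncryptionContext:* conditions (e.g. the CloudTrail
    # trail ARN, the CloudWatch Logs log-group ARN).
    condition {
      test     = "StringEqualsIfExists"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.this.account_id]
    }
  }

  # Full control for the account root. This is the AWS default key-policy
  # pattern: it delegates key administration to IAM policies in this account,
  # so every IAM principal whose identity policy grants kms:* on this key can
  # manage it. A bare account ID here is shorthand for
  # arn:aws:iam::<account-id>:root.
  statement {
    sid    = "Key administrator"
    effect = "Allow"

    principals {
      type        = "AWS"
      identifiers = [data.aws_caller_identity.this.account_id]
    }

    actions   = ["kms:*"]
    resources = ["*"]
  }
}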