File tree 2 files changed +9
-42
lines changed
modules/cloudtrail-baseline
2 files changed +9
-42
lines changed Load Diff This file was deleted.
Original file line number Diff line number Diff line change @@ -67,7 +67,7 @@ data "aws_iam_policy_document" "cloudtrail_key_policy" {
6767 policy_id = " Key policy created by CloudTrail"
6868
6969 statement {
70- sid = " Enable IAM User Permissions "
70+ sid = " Enable IAM user permissions "
7171
7272 principals {
7373 type = " AWS"
@@ -87,6 +87,11 @@ data "aws_iam_policy_document" "cloudtrail_key_policy" {
8787 }
8888 actions = " kms:GenerateDataKey*"
8989 resources = " *"
90+ condition {
91+ test = " StringEquals"
92+ variable = " aws:SourceArn"
93+ values = " arn:aws:cloudtrail:*:${ var . aws_account_id } :trail/${ var . cloudtrail_name } "
94+ }
9095 condition {
9196 test = " StringLike"
9297 variable = " kms:EncryptionContext:aws:cloudtrail:arn"
@@ -166,7 +171,7 @@ data "aws_iam_policy_document" "cloudtrail_key_policy" {
166171 condition {
167172 test = " StringLike"
168173 variable = " kms:EncryptionContext:aws:cloudtrail:arn"
169- values = " arn:aws:cloudtrail:*:$$ {var.aws_account_id}:trail/*"
174+ values = " arn:aws:cloudtrail:*:${ var . aws_account_id } :trail/*"
170175 }
171176 }
172177
@@ -179,9 +184,9 @@ data "aws_iam_policy_document" "cloudtrail_key_policy" {
179184 actions = " kms:Decrypt"
180185 resources = " *"
181186 condition {
182- test = " StringEquals "
187+ test = " StringLike "
183188 variable = " kms:EncryptionContext:aws:cloudtrail:arn"
184- values = aws_cloudtrail . global . arn ]
189+ values = " arn:aws:cloudtrail:*: ${ var . aws_account_id } :trail/* "
185190 }
186191 condition {
187192 test = " StringEquals"
You can’t perform that action at this time.
0 commit comments