Update kms.tf

UKHomeOffice · Sep 9, 2024 · 71f1f61 · 71f1f61
1 parent 00ae36d
commit 71f1f61
Showing 1 changed file with 13 additions and 4 deletions.
diff --git a/modules/products/static-site/kms.tf b/modules/products/static-site/kms.tf
@@ -4,19 +4,28 @@ resource "aws_kms_key" "static_site_kms" {
 }
 
 resource "aws_kms_key_policy" "static_site_kms_policy" {
-  key_id = aws_kms_key.static_site_kms.id
   policy = jsonencode({
     Version = "2012-10-17"
     Id      = "static_site_kms_policy"
     Statement = [
       {
-        Sid    = "EnableIAMUserPermissions"
-        Action = "kms:*"
+        Sid = "CloudFrontServiceKmsPolicy"
+        Action = [
+          "kms:Decrypt",
+          "kms:Encrypt",
+          "kms:GenerateDataKey*"
+        ]
         Effect = "Allow"
         Principal = {
-          AWS = "arn:aws:iam::${local.account_id}:root"
+          type        = "Service"
+          identifiers = ["cloudfront.amazonaws.com"]
         }
         Resource = ["*"]
+        condition = {
+          test     = "StringEquals"
+          variable = "aws:SourceArn"
+          values   = [aws_cloudfront_distribution.static_site_distribution.arn]
+        }
       },
     ]  
    })