From 71f1f612ccdf363fcfebdc61ecc408d720503fa2 Mon Sep 17 00:00:00 2001
From: mynampatinaveen
Date: Mon, 9 Sep 2024 15:22:48 +0100
Subject: [PATCH] Update kms.tf

---
 modules/products/static-site/kms.tf | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/modules/products/static-site/kms.tf b/modules/products/static-site/kms.tf
index baa6d46..1b991b3 100644
--- a/modules/products/static-site/kms.tf
+++ b/modules/products/static-site/kms.tf
@@ -4,19 +4,28 @@ resource "aws_kms_key" "static_site_kms" {
 }
 
 resource "aws_kms_key_policy" "static_site_kms_policy" {
- key_id = aws_kms_key.static_site_kms.id
 policy = jsonencode({
 Version = "2012-10-17"
 Id = "static_site_kms_policy"
 Statement = [
 {
- Sid = "EnableIAMUserPermissions"
- Action = "kms:*"
+ Sid = "CloudFrontServiceKmsPolicy"
+ Action = [
+ "kms:Decrypt",
+ "kms:Encrypt",
+ "kms:GenerateDataKey*"
+ ]
 Effect = "Allow"
 Principal = {
- AWS = "arn:aws:iam::${local.account_id}:root"
+ type = "Service"
+ identifiers = ["cloudfront.amazonaws.com"]
 }
 Resource = ["*"]
+ condition = {
+ test = "StringEquals"
+ variable = "aws:SourceArn"
+ values = [aws_cloudfront_distribution.static_site_distribution.arn]
+ }
 },
 ]
 })
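Review bot: The new statement is written in `aws_iam_policy_document` data-source syntax (`type`/`identifiers` under `Principal`, and a lowercase `condition` with `test`/`variable`/`values`) but sits inside `jsonencode`, so the rendered key policy carries a `Principal` object with no `Service` key and a `condition` block that IAM JSON does not recognise; it needs `Principal = { Service = "cloudfront.amazonaws.com" }` and `Condition = { StringEquals = { "aws:SourceArn" = ... } }`. The hunk also replaces the `EnableIAMUserPermissions` root-account statement instead of adding the CloudFront grant beside it, which leaves no principal able to administer the key; KMS's lockout safety check on PutKeyPolicy rejects such a policy unless `bypass_policy_lockout_safety_check` is set, and were it accepted the key would become unmanageable. `key_id` is removed as well, and `aws_kms_key_policy` requires it, unless it has been re-added below the hunk. For a read-only static site CloudFront presumably needs only `kms:Decrypt`; `kms:Encrypt` and `kms:GenerateDataKey*` are required only if the distribution writes objects to the bucket, so the action list looks wider than least privilege calls for. The resource's closing brace is outside the hunk.
```hcl
resource "aws_kms_key_policy" "static_site_kms_policy" {
  key_id = aws_kms_key.static_site_kms.id
  policy = jsonencode({
    Version = "2012-10-17"
    Id      = "static_site_kms_policy"
    Statement = [
      {
        # Administrative statement kept so the key remains manageable
        # (PutKeyPolicy's lockout safety check rejects a policy without one).
        Sid       = "EnableIAMUserPermissions"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${local.account_id}:root" }
        Action    = "kms:*"
        Resource  = ["*"]
      },
      {
        Sid       = "CloudFrontServiceKmsPolicy"
        Effect    = "Allow"
        Principal = { Service = "cloudfront.amazonaws.com" }
        # Add kms:Encrypt / kms:GenerateDataKey* only if CloudFront writes to the bucket.
        Action    = ["kms:Decrypt"]
        Resource  = ["*"]
        Condition = {
          StringEquals = {
            "aws:SourceArn" = aws_cloudfront_distribution.static_site_distribution.arn
          }
        }
      },
    ]
  })
```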