NRL-1582 Update KMS policy with backup perms

sandyforresternhs · sandyforresternhs · commit 6e81c8b83849 · 2025-11-06T17:15:31.000Z
diff --git a/terraform/account-wide-infrastructure/dev/aws-backup.tf b/terraform/account-wide-infrastructure/dev/aws-backup.tf
@@ -103,6 +103,14 @@ resource "aws_kms_key" "backup_notifications" {
         Action   = ["kms:GenerateDataKey*", "kms:Decrypt"]
         Resource = "*"
       },
+      {
+        Effect = "Allow"
+        Principal = {
+          Service = "backup.amazonaws.com"
+        }
+        Action   = ["kms:GenerateDataKey*", "kms:Decrypt"]
+        Resource = "*"
+      },
     ]
   })
 }
diff --git a/terraform/account-wide-infrastructure/prod/aws-backup.tf b/terraform/account-wide-infrastructure/prod/aws-backup.tf
@@ -103,6 +103,14 @@ resource "aws_kms_key" "backup_notifications" {
         Action   = ["kms:GenerateDataKey*", "kms:Decrypt"]
         Resource = "*"
       },
+      {
+        Effect = "Allow"
+        Principal = {
+          Service = "backup.amazonaws.com"
+        }
+        Action   = ["kms:GenerateDataKey*", "kms:Decrypt"]
+        Resource = "*"
+      },
     ]
   })
 }
diff --git a/terraform/account-wide-infrastructure/test/aws-backup.tf b/terraform/account-wide-infrastructure/test/aws-backup.tf
@@ -103,6 +103,14 @@ resource "aws_kms_key" "backup_notifications" {
         Action   = ["kms:GenerateDataKey*", "kms:Decrypt"]
         Resource = "*"
       },
+      {
+        Effect = "Allow"
+        Principal = {
+          Service = "backup.amazonaws.com"
+        }
+        Action   = ["kms:GenerateDataKey*", "kms:Decrypt"]
+        Resource = "*"
+      },
     ]
   })
 }
