key policy changes

alexnuttall · alexnuttall · commit 1889c41faae5 · 2025-06-30T10:55:49.000+01:00
diff --git a/infrastructure/terraform/components/acct/module_sandbox_kms.tf b/infrastructure/terraform/components/acct/module_sandbox_kms.tf
@@ -103,9 +103,15 @@ data "aws_iam_policy_document" "kms" {
     resources = ["*"]
 
     condition {
-      test     = "StringEquals"
+      test     = "ArnLike"
       variable = "kms:EncryptionContext:aws:sqs:arn"
       values   = ["arn:aws:sqs:${var.region}:${var.aws_account_id}:*-validate-letter-template-files-queue"]
     }
+
+    condition {
+      test     = "ArnLike"
+      variable = "aws:SourceArn"
+      values   = ["arn:aws:events:${var.region}:${var.aws_account_id}:rule/*-quarantine-scan-passed-for-upload"]
+    }
   }
 }
diff --git a/infrastructure/terraform/components/app/module_kms.tf b/infrastructure/terraform/components/app/module_kms.tf
@@ -124,16 +124,18 @@ data "aws_iam_policy_document" "kms" {
     resources = ["*"]
 
     condition {
-      test     = "StringEquals"
-      variable = "kms:ViaService"
-      values   = ["sqs.${var.region}.amazonaws.com"]
+      test     = "ArnEquals"
+      variable = "kms:EncryptionContext:aws:sqs:arn"
+      values = [
+        module.backend_api.letter_file_validation_queue_arn
+      ]
     }
 
     condition {
-      test     = "StringEquals"
-      variable = "kms:EncryptionContext:aws:sqs:arn"
+      test     = "ArnEquals"
+      variable = "aws:SourceArn"
       values = [
-        module.sqs_validate_letter_template_files.sqs_queue_arn
+        module.backend_api.upload_scan_passed_rule_arn
       ]
     }
   }
diff --git a/infrastructure/terraform/modules/backend-api/outputs.tf b/infrastructure/terraform/modules/backend-api/outputs.tf
@@ -38,3 +38,11 @@ output "quarantine_bucket_name" {
   value = module.s3bucket_quarantine.id
 }
 
+output "upload_scan_passed_rule_arn" {
+  value = aws_cloudwatch_event_rule.guardduty_quarantine_scan_passed_for_upload.arn
+}
+
+output "letter_file_validation_queue_arn" {
+  value = module.sqs_validate_letter_template_files.sqs_queue_arn
+}
+

Original file line number	Diff line number	Diff line change
`@@ -103,9 +103,15 @@ data "aws_iam_policy_document" "kms" {`
`103`	`103`	`resources = ["*"]`
`104`	`104`
`105`	`105`	`condition {`
`106`		`- test = "StringEquals"`
	`106`	`+ test = "ArnLike"`
`107`	`107`	`variable = "kms:EncryptionContext:aws:sqs:arn"`
`108`	`108`	`values = ["arn:aws:sqs:${var.region}:${var.aws_account_id}:*-validate-letter-template-files-queue"]`
`109`	`109`	`}`
	`110`	`+`
	`111`	`+ condition {`
	`112`	`+ test = "ArnLike"`
	`113`	`+ variable = "aws:SourceArn"`
	`114`	`+ values = ["arn:aws:events:${var.region}:${var.aws_account_id}:rule/*-quarantine-scan-passed-for-upload"]`
	`115`	`+ }`
`110`	`116`	`}`
`111`	`117`	`}`
Original file line number	Diff line number	Diff line change
`@@ -124,16 +124,18 @@ data "aws_iam_policy_document" "kms" {`
`124`	`124`	`resources = ["*"]`
`125`	`125`
`126`	`126`	`condition {`
`127`		`- test = "StringEquals"`
`128`		`- variable = "kms:ViaService"`
`129`		`- values = ["sqs.${var.region}.amazonaws.com"]`
	`127`	`+ test = "ArnEquals"`
	`128`	`+ variable = "kms:EncryptionContext:aws:sqs:arn"`
	`129`	`+ values = [`
	`130`	`+ module.backend_api.letter_file_validation_queue_arn`
	`131`	`+ ]`
`130`	`132`	`}`
`131`	`133`
`132`	`134`	`condition {`
`133`		`- test = "StringEquals"`
`134`		`- variable = "kms:EncryptionContext:aws:sqs:arn"`
	`135`	`+ test = "ArnEquals"`
	`136`	`+ variable = "aws:SourceArn"`
`135`	`137`	`values = [`
`136`		`- module.sqs_validate_letter_template_files.sqs_queue_arn`
	`138`	`+ module.backend_api.upload_scan_passed_rule_arn`
`137`	`139`	`]`
`138`	`140`	`}`
`139`	`141`	`}`