NHSDigital · alexnuttall · Jun 30, 2025 · Jun 24, 2025 · Jun 24, 2025 · Jun 25, 2025
@@ -85,4 +85,33 @@ data "aws_iam_policy_document" "kms" {
       ]
     }
   }
+
+  statement {
+    sid    = "AllowEventBridgeAccessToLetterValidationQueue"
+    effect = "Allow"
+
+    principals {
+      type        = "Service"
+      identifiers = ["events.amazonaws.com"]
+    }
+
+    actions = [
+      "kms:GenerateDataKey*",
+      "kms:Decrypt",
+    ]
+
+    resources = ["*"]
+
+    condition {
+      test     = "ArnLike"
+      variable = "kms:EncryptionContext:aws:sqs:arn"
+      values   = ["arn:aws:sqs:${var.region}:${var.aws_account_id}:*-validate-letter-template-files-queue"]
+    }
+
+    condition {
+      test     = "ArnLike"
+      variable = "aws:SourceArn"
+      values   = ["arn:aws:events:${var.region}:${var.aws_account_id}:rule/*-quarantine-scan-passed-for-upload"]
+    }
+  }
 }
@@ -106,4 +106,37 @@ data "aws_iam_policy_document" "kms" {
       ]
     }
   }
+
+  statement {
+    sid    = "AllowEventBridgeAccessToLetterValidationQueue"
+    effect = "Allow"
+
+    principals {
+      type        = "Service"
+      identifiers = ["events.amazonaws.com"]
+    }
+
+    actions = [
+      "kms:GenerateDataKey*",
+      "kms:Decrypt",
+    ]
+
+    resources = ["*"]
+
+    condition {
+      test     = "ArnEquals"
+      variable = "kms:EncryptionContext:aws:sqs:arn"
+      values = [
+        "arn:aws:sqs:${var.region}:${var.aws_account_id}:${local.csi}-validate-letter-template-files-queue"
+      ]
+    }
+
+    condition {
+      test     = "ArnEquals"
+      variable = "aws:SourceArn"
+      values = [
+        "arn:aws:events:${var.region}:${var.aws_account_id}:rule/${local.csi}-api-quarantine-scan-passed-for-upload"
+      ]
+    }
+  }
 }
@@ -16,7 +16,6 @@ No requirements.
 | <a name="input_csi"></a> [csi](#input\_csi) | CSI from the parent component | `string` | n/a | yes |
 | <a name="input_enable_backup"></a> [enable\_backup](#input\_enable\_backup) | Enable Backups for the DynamoDB table? | `bool` | `true` | no |
 | <a name="input_enable_event_stream"></a> [enable\_event\_stream](#input\_enable\_event\_stream) | Enable DynamoDB streaming to SQS? | `bool` | `false` | no |
-| <a name="input_enable_guardduty"></a> [enable\_guardduty](#input\_enable\_guardduty) | Enable GuardDuty | `bool` | `true` | no |
 | <a name="input_enable_proofing"></a> [enable\_proofing](#input\_enable\_proofing) | Enable proofing feature flag | `bool` | n/a | yes |
 | <a name="input_environment"></a> [environment](#input\_environment) | The name of the tfscaffold environment | `string` | n/a | yes |
 | <a name="input_function_s3_bucket"></a> [function\_s3\_bucket](#input\_function\_s3\_bucket) | Name of S3 bucket to upload lambda artefacts to | `string` | n/a | yes |

@@ -3,9 +3,9 @@ resource "aws_cloudwatch_event_rule" "guardduty_quarantine_scan_failed_for_proof
   description = "Matches quarantine 'GuardDuty Malware Protection Object Scan Result' events where the scan result is not NO_THREATS_FOUND"
 
   event_pattern = jsonencode({
-    source      = [local.guardduty_source]
+    source      = ["aws.guardduty"]
     detail-type = ["GuardDuty Malware Protection Object Scan Result"]
-    resources   = [local.guardduty_resource]
+    resources   = [aws_guardduty_malware_protection_plan.quarantine.arn]
     detail = {
       s3ObjectDetails = {
         bucketName = [module.s3bucket_quarantine.id]
@@ -21,11 +21,9 @@ resource "aws_cloudwatch_event_rule" "guardduty_quarantine_scan_failed_for_proof
 resource "aws_cloudwatch_event_target" "quarantine_scan_failed_process_proof" {
   rule     = aws_cloudwatch_event_rule.guardduty_quarantine_scan_failed_for_proof.name
   arn      = module.lambda_process_proof.function_arn
-  role_arn = aws_iam_role.quarantine_scan_failed_for_proof.arn
 }
 
 resource "aws_cloudwatch_event_target" "quarantine_scan_failed_delete_object_for_proof" {
   rule     = aws_cloudwatch_event_rule.guardduty_quarantine_scan_failed_for_proof.name
   arn      = module.lambda_delete_failed_scanned_object.function_arn
-  role_arn = aws_iam_role.quarantine_scan_failed_for_proof.arn
 }
@@ -3,9 +3,9 @@ resource "aws_cloudwatch_event_rule" "guardduty_quarantine_scan_failed_for_uploa
   description = "Matches quarantine 'GuardDuty Malware Protection Object Scan Result' events where the scan result is not NO_THREATS_FOUND"
 
   event_pattern = jsonencode({
-    source      = [local.guardduty_source]
+    source      = ["aws.guardduty"]
     detail-type = ["GuardDuty Malware Protection Object Scan Result"]
-    resources   = [local.guardduty_resource]
+    resources   = [aws_guardduty_malware_protection_plan.quarantine.arn]
     detail = {
       s3ObjectDetails = {
         bucketName = [module.s3bucket_quarantine.id]
@@ -21,11 +21,9 @@ resource "aws_cloudwatch_event_rule" "guardduty_quarantine_scan_failed_for_uploa
 resource "aws_cloudwatch_event_target" "quarantine_scan_failed_set_file_status_for_upload" {
   rule     = aws_cloudwatch_event_rule.guardduty_quarantine_scan_failed_for_upload.name
   arn      = module.lambda_set_file_virus_scan_status_for_upload.function_arn
-  role_arn = aws_iam_role.quarantine_scan_failed_for_upload.arn
 }
 
 resource "aws_cloudwatch_event_target" "quarantine_scan_failed_delete_object_for_upload" {
   rule     = aws_cloudwatch_event_rule.guardduty_quarantine_scan_failed_for_upload.name
   arn      = module.lambda_delete_failed_scanned_object.function_arn
-  role_arn = aws_iam_role.quarantine_scan_failed_for_upload.arn
 }
@@ -3,9 +3,9 @@ resource "aws_cloudwatch_event_rule" "guardduty_quarantine_scan_passed_for_proof
   description = "Matches quarantine 'GuardDuty Malware Protection Object Scan Result' events where the scan result is NO_THREATS_FOUND"
 
   event_pattern = jsonencode({
-    source      = [local.guardduty_source]
+    source      = ["aws.guardduty"]
     detail-type = ["GuardDuty Malware Protection Object Scan Result"]
-    resources   = [local.guardduty_resource]
+    resources   = [aws_guardduty_malware_protection_plan.quarantine.arn]
     detail = {
       s3ObjectDetails = {
         bucketName = [module.s3bucket_quarantine.id]
@@ -21,5 +21,4 @@ resource "aws_cloudwatch_event_rule" "guardduty_quarantine_scan_passed_for_proof
 resource "aws_cloudwatch_event_target" "quarantine_scan_passed_process_proof" {
   rule     = aws_cloudwatch_event_rule.guardduty_quarantine_scan_passed_for_proof.name
   arn      = module.lambda_process_proof.function_arn
-  role_arn = aws_iam_role.quarantine_scan_passed_for_proof.arn
 }
@@ -3,9 +3,9 @@ resource "aws_cloudwatch_event_rule" "guardduty_quarantine_scan_passed_for_uploa
   description = "Matches quarantine 'GuardDuty Malware Protection Object Scan Result' events where the scan result is NO_THREATS_FOUND"
 
   event_pattern = jsonencode({
-    source      = [local.guardduty_source]
+    source      = ["aws.guardduty"]
     detail-type = ["GuardDuty Malware Protection Object Scan Result"]
-    resources   = [local.guardduty_resource]
+    resources   = [aws_guardduty_malware_protection_plan.quarantine.arn]
     detail = {
       s3ObjectDetails = {
         bucketName = [module.s3bucket_quarantine.id]
@@ -19,19 +19,16 @@ resource "aws_cloudwatch_event_rule" "guardduty_quarantine_scan_passed_for_uploa
 }
 
 resource "aws_cloudwatch_event_target" "quarantine_scan_passed_set_file_status_for_upload" {
-  rule     = aws_cloudwatch_event_rule.guardduty_quarantine_scan_passed_for_upload.name
-  arn      = module.lambda_set_file_virus_scan_status_for_upload.function_arn
-  role_arn = aws_iam_role.quarantine_scan_passed_for_upload.arn
+  rule = aws_cloudwatch_event_rule.guardduty_quarantine_scan_passed_for_upload.name
+  arn  = module.lambda_set_file_virus_scan_status_for_upload.function_arn
 }
 
 resource "aws_cloudwatch_event_target" "quarantine_scan_passed_copy_object_for_upload" {
-  rule     = aws_cloudwatch_event_rule.guardduty_quarantine_scan_passed_for_upload.name
-  arn      = module.lambda_copy_scanned_object_to_internal.function_arn
-  role_arn = aws_iam_role.quarantine_scan_passed_for_upload.arn
+  rule = aws_cloudwatch_event_rule.guardduty_quarantine_scan_passed_for_upload.name
+  arn  = module.lambda_copy_scanned_object_to_internal.function_arn
 }
 
 resource "aws_cloudwatch_event_target" "quarantine_scan_passed_validate_files" {
   rule     = aws_cloudwatch_event_rule.guardduty_quarantine_scan_passed_for_upload.name
   arn      = module.sqs_validate_letter_template_files.sqs_queue_arn
-  role_arn = aws_iam_role.quarantine_scan_passed_for_upload.arn
 }
@@ -1,5 +1,7 @@
 resource "aws_guardduty_malware_protection_plan" "quarantine" {
-  count = var.enable_guardduty ? 1 : 0
+  depends_on = [
+    aws_iam_role_policy_attachment.guardduty_quarantine
+  ]
 
   role = aws_iam_role.guardduty_quarantine.arn
 

@@ -59,8 +59,4 @@ locals {
   ][0], "")
 
   sftp_environment = "${var.group}-${var.environment}-${var.component}"
-
-  guardduty_source = var.enable_guardduty ? "aws.guardduty" : "test.guardduty"
-
-  guardduty_resource = var.enable_guardduty ? aws_guardduty_malware_protection_plan.quarantine[0].arn : "test:guardduty"
 }
@@ -92,3 +92,11 @@ data "aws_iam_policy_document" "copy_scanned_object_to_internal" {
     ]
   }
 }
+
+resource "aws_lambda_permission" "allow_eventbridge_copy_upload" {
+  statement_id  = "AllowFromEventBridgeCopyUpload"
+  action        = "lambda:InvokeFunction"
+  function_name = module.lambda_copy_scanned_object_to_internal.function_name
+  principal     = "events.amazonaws.com"
+  source_arn    = aws_cloudwatch_event_rule.guardduty_quarantine_scan_passed_for_upload.arn
+}
@@ -64,3 +64,19 @@ data "aws_iam_policy_document" "delete_failed_scanned_object" {
     ]
   }
 }
+
+resource "aws_lambda_permission" "allow_eventbridge_delete_upload" {
+  statement_id  = "AllowFromEventBridgeDeleteUpload"
+  action        = "lambda:InvokeFunction"
+  function_name = module.lambda_delete_failed_scanned_object.function_name
+  principal     = "events.amazonaws.com"
+  source_arn    = aws_cloudwatch_event_rule.guardduty_quarantine_scan_failed_for_upload.arn
+}
+
+resource "aws_lambda_permission" "allow_eventbridge_delete_proof" {
+  statement_id  = "AllowFromEventBridgeDeleteProof"
+  action        = "lambda:InvokeFunction"
+  function_name = module.lambda_delete_failed_scanned_object.function_name
+  principal     = "events.amazonaws.com"
+  source_arn    = aws_cloudwatch_event_rule.guardduty_quarantine_scan_failed_for_proof.arn
+}
@@ -123,3 +123,19 @@ data "aws_iam_policy_document" "process_proof" {
     resources = ["${module.s3bucket_download.arn}/*"]
   }
 }
+
+resource "aws_lambda_permission" "allow_eventbridge_process_passed_proof" {
+  statement_id  = "AllowFromEventBridgeProcessPassedProof"
+  action        = "lambda:InvokeFunction"
+  function_name = module.lambda_process_proof.function_name
+  principal     = "events.amazonaws.com"
+  source_arn    = aws_cloudwatch_event_rule.guardduty_quarantine_scan_passed_for_proof.arn
+}
+
+resource "aws_lambda_permission" "allow_eventbridge_process_failed_proof" {
+  statement_id  = "AllowFromEventBridgeProcessFailedProof"
+  action        = "lambda:InvokeFunction"
+  function_name = module.lambda_process_proof.function_name
+  principal     = "events.amazonaws.com"
+  source_arn    = aws_cloudwatch_event_rule.guardduty_quarantine_scan_failed_for_proof.arn
+}