Limit access to KMS for Wiz

jdno · jdno · commit 74255a0317fa · 2023-08-04T09:01:42.000+02:00
While we are not yet using KMS for any sensitive workloads, we are concerned that we might leak secrets with the current permissions if we ever start to use it. See #336 for a discussion of these concerns.
diff --git a/terragrunt/modules/wiz/main.tf b/terragrunt/modules/wiz/main.tf
@@ -121,8 +121,6 @@ resource "aws_iam_role_policy" "tf-policy" {
         "Action" : [
           "ec2:CopySnapshot",
           "ec2:CreateSnapshot",
-          "kms:CreateKey",
-          "kms:DescribeKey",
           "ec2:GetEbsEncryptionByDefault",
           "ec2:DescribeSnapshots"
         ],
@@ -144,19 +142,6 @@ resource "aws_iam_role_policy" "tf-policy" {
           "arn:aws:kms:*:*:key/*"
         ]
       },
-      {
-        "Action" : [
-          "kms:CreateGrant",
-          "kms:ReEncryptFrom"
-        ],
-        "Condition" : {
-          "StringLike" : {
-            "kms:ViaService" : "ec2.*.amazonaws.com"
-          }
-        },
-        "Effect" : "Allow",
-        "Resource" : "*"
-      },
       {
         "Action" : [
           "kms:GetKeyPolicy",
