Issues using the CloudTrail module with a connect SNS topic.

[rsmets]

Upon trying to connect the SNS networking module with the security CloudTrail module I met with the error:

Error: updating CloudTrail Trail (main-all-regions-trail): InsufficientSnsTopicPolicyException: The customer-managed key (CMK) associated with this SNS topic either does not exist or does not allow access to CloudTrail. Edit the key policy to allow access to CloudTrail.

It is worth noting that I am using a CMK KMS key, which is created along side the other module listed above via the KMS master key module. My value for the SNS module's allow_published_services is:

  allow_publish_services = [
    "events.amazonaws.com",
    "cloudwatch.amazonaws.com",
    "cloudtrail.amazonaws.com"
  ]

As well as the KMS key has the following policy:

module "kms_master_key" {
  source = "git::[email protected]:gruntwork-io/terraform-aws-security.git//modules/kms-master-key?ref=v0.67.5"

  customer_master_keys = {
    (var.cloudtrail_trail_name) = {
      deletion_window_in_days    = 7
      cmk_administrator_iam_arns = var.kms_key_administrator_iam_arns
      cmk_user_iam_arns          = var.kms_key_user_iam_arns
      cmk_service_principals = [
        {
          name    = "cloudtrail.amazonaws.com"
          actions = ["kms:GenerateDataKey*", "kms:Decrypt"]
          conditions = [{
            test     = "StringLike"
            variable = "kms:EncryptionContext:aws:cloudtrail:arn"
            values   = ["arn:${data.aws_partition.current.partition}:cloudtrail:${var.aws_region}:${data.aws_caller_identity.current.account_id}:trail/${var.cloudtrail_trail_name}"]
          }]
        },
        {
          name    = "cloudtrail.amazonaws.com"
          actions = ["kms:DescribeKey"]
        },
      ]
    }
  }
}

Which leads to believe the SNS KMS key policy ought to allow access to CloudTrail. I am miss understanding the error message? Anyone else run into this issue?

---

Tracked in ticket #110099

[james03160927]

Hey @rsmets, are you using the SNS module in the terraform-aws-messaging repo to create an SNS topic? When using the module, you can pass in the kms_master_key_id variable. If you believe it's related to the key policy issue, you can grant the appropriate permission and see if that fixes the problem.

You can use the aws_kms_key resource to create a CMK and use the aws_iam_policy_document to configure key policy. FOr instance, the terraform code would look something like this:

resource "aws_kms_key" ".." {
  description = ...
  policy      = data.aws_iam_policy_document.example.json
}

data "aws_iam_policy_document" "db_kms_key_policy" {
  statement {
    ...
  }
  statement {
    effect = "Allow"
    actions = [
      "kms:*",
    ]

    principals {
       ...
    }
    resources = ["*"]
  }
}

[rsmets]

Thank you @hongil0316 for the reply and suggested solution. I figured it may have been user error not being able to set the policy accordingly in the kms_master_key module directly. However, just using another resource to attach another policy is certainly a reasonable approach.

[james03160927]

Glad to hear that you were able to resolve the issue on your end. Please reach out to us if you have any additional questions!