Change to kms policy rather than adding to role

ministryofjustice · Sep 6, 2024 · 576e228 · 576e228
1 parent 4903476
commit 576e228
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 16 deletions.
diff --git a/terraform/environments/bootstrap/single-sign-on/policies.tf b/terraform/environments/bootstrap/single-sign-on/policies.tf
@@ -295,21 +295,6 @@ data "aws_iam_policy_document" "developer_additional" {
  resources = ["arn:aws:sns:*:*:Automation*"]
  }
 
- statement {
- sid = "sesAllow"
- effect = "Allow"
- principals {
- type = "Service"
- identifiers = ["ses.amazonaws.com"]
- }
- actions = [
- "kms:GenerateDataKey",
- "kms:Decrypt"
- ]
- resources = ["*"]
-
- }
-
  statement {
  sid = "lambdaAllow"
  effect = "Allow"

diff --git a/terraform/modules/kms/main.tf b/terraform/modules/kms/main.tf
@@ -122,7 +122,10 @@ data "aws_iam_policy_document" "kms-general" {
 
  principals {
  type = "Service"
- identifiers = ["cloudwatch.amazonaws.com"]
+ identifiers = [
+ "cloudwatch.amazonaws.com",
+ "ses.amazonaws.com"
+ ]
  }
  }
 }