From 88de6c8fbb9f977fbfdde766bdbefc9b65551271 Mon Sep 17 00:00:00 2001
From: n0pants <115878167+n0pants@users.noreply.github.com>
Date: Wed, 5 Nov 2025 14:23:24 +0100
Subject: [PATCH 1/2] AWS KMS.1 compliant policy with dedicated kms key list

Wildcard permissions on all kms keys is a security issue. Allowing access to only dedicated KMS keys keeps the setup secure. Keys using default encryption aws/secretsmanager are accessible by default.
---
 aws/logs_monitoring/template.yaml | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/aws/logs_monitoring/template.yaml b/aws/logs_monitoring/template.yaml
index 1fe61851..b0a035c6 100644
--- a/aws/logs_monitoring/template.yaml
+++ b/aws/logs_monitoring/template.yaml
@@ -289,6 +289,9 @@ Parameters:
 - "true"
 - "false"
 Description: Set to true to enable enhanced Lambda metrics. This will generate additional custom metrics for Lambda functions, including cold starts, estimated AWS costs, and custom tags. Default is false.
+ KmsKeyList:
+ Type: CommaDelimitedList
+ Description: List of KMS Key ARNs the Lambda forwarder function can use to decrypt, seperated by comma
 Conditions:
 IsAWSChina: !Equals [!Ref "AWS::Partition", aws-cn]
 IsGovCloud: !Equals [!Ref "AWS::Partition", aws-us-gov]
@@ -378,6 +381,8 @@ Conditions:
 - !Equals [!Join ["", !Ref VPCSubnetIds], ""]
 SetDdLogLevel: !Not
 - !Equals [!Ref DdLogLevel, ""]
+ SetDdForwarderDecrypt: !Not
+ - !Equals [!Join ["", !Ref KmsKeyList], ""]
 Rules:
 MustSetDdApiKey:
 Assertions:
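Review bot: The new KmsKeyList `Description:` misspells "separated" and does not say what the keys are used for, so an operator reading the parameter list has to go find the policy statement to understand the effect; `seperated by comma` should read `separated by comma`. A wording along the lines of `Description: Comma-separated list of KMS key ARNs (not alias ARNs) the forwarder may call kms:Decrypt on, e.g. the keys protecting forwarded S3 objects.` would also steer users toward key ARNs, which is what the IAM Resource element matches on for KMS. The second patch in this series adds the missing `Default`, so that is not re-raised here.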
@@ -654,10 +659,13 @@ Resources:
 Effect: Allow
 # To get object from encrypted s3 buckets. Use PermissionsBoundaryArn to limit access if needed.
 # https://aws.amazon.com/premiumsupport/knowledge-center/s3-troubleshoot-403/#AWS_KMS_encryption
- - Action:
- - kms:Decrypt
- Resource: "*"
- Effect: Allow
+ - !If
+ - SetDdForwarderDecrypt
+ - Action:
+ - kms:Decrypt
+ Resource: !Ref KmsKeyList
+ Effect: Allow
+ - !Ref AWS::NoValue
 - !If
 - SetDDApiSsmParamName # Access the Datadog API key from Secrets Manager
 - !Ref AWS::NoValue
From af83439c3c7f0d443f4892f07f077f2498996d0a Mon Sep 17 00:00:00 2001
From: n0pants <115878167+n0pants@users.noreply.github.com>
Date: Fri, 14 Nov 2025 10:54:14 +0100
Subject: [PATCH 2/2] refactor kms:Decrypt policy

Input parameter KmsKeyList set default empty, gives permission on all resources. Override allow explicit list via input parameter
---
 aws/logs_monitoring/template.yaml | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/aws/logs_monitoring/template.yaml b/aws/logs_monitoring/template.yaml
index b0a035c6..05758fa9 100644
--- a/aws/logs_monitoring/template.yaml
+++ b/aws/logs_monitoring/template.yaml
@@ -291,6 +291,7 @@ Parameters:
 Description: Set to true to enable enhanced Lambda metrics. This will generate additional custom metrics for Lambda functions, including cold starts, estimated AWS costs, and custom tags. Default is false.
 KmsKeyList:
 Type: CommaDelimitedList
+ Default: ""
 Description: List of KMS Key ARNs the Lambda forwarder function can use to decrypt, seperated by comma
 Conditions:
 IsAWSChina: !Equals [!Ref "AWS::Partition", aws-cn]
@@ -381,7 +382,7 @@ Conditions:
 - !Equals [!Join ["", !Ref VPCSubnetIds], ""]
 SetDdLogLevel: !Not
 - !Equals [!Ref DdLogLevel, ""]
- SetDdForwarderDecrypt: !Not
+ SetDdForwarderDecryptKeys: !Not
 - !Equals [!Join ["", !Ref KmsKeyList], ""]
 Rules:
 MustSetDdApiKey:
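Review bot: With `Default: ""` added in the Parameters hunk of the second patch, leaving KmsKeyList unset keeps the wildcard `kms:Decrypt` grant (the `"*"` fallback in the Resources hunk below), but the `Description:` line directly under the new default says nothing about that; an operator will reasonably assume an empty list means no KMS access rather than access to every key. Suggest `Description: Comma-separated list of KMS key ARNs the forwarder may use for kms:Decrypt. Leave empty (the default) to keep the previous behavior of allowing kms:Decrypt on all keys ("*"); set it to restrict decryption to those keys only.` The permissive default is a deliberate compatibility choice per the commit message, which is exactly why it needs to be stated where the parameter is declared.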
@@ -659,13 +660,13 @@ Resources:
 Effect: Allow
 # To get object from encrypted s3 buckets. Use PermissionsBoundaryArn to limit access if needed.
 # https://aws.amazon.com/premiumsupport/knowledge-center/s3-troubleshoot-403/#AWS_KMS_encryption
- - !If
- - SetDdForwarderDecrypt
- - Action:
- - kms:Decrypt
- Resource: !Ref KmsKeyList
- Effect: Allow
- - !Ref AWS::NoValue
+ - Action:
+ - kms:Decrypt
+ Resource: !If
+ - SetDdForwarderDecryptKeys
+ - !Ref KmsKeyList
+ - "*"
+ Effect: Allow
 - !If
 - SetDDApiSsmParamName # Access the Datadog API key from Secrets Manager
 - !Ref AWS::NoValue
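Review bot: The `Resource: !If` fallback to `"*"` silently preserves the broad kms:Decrypt grant whenever KmsKeyList is empty, yet the two comment lines above the statement still name PermissionsBoundaryArn as the way to limit access and do not mention the new parameter, so the next reader of this policy will not know the template now has a first-class knob for scoping it. Replace the first comment line with `# To get objects from SSE-KMS encrypted S3 buckets. Scope this to specific keys with the KmsKeyList parameter; when it is empty the Resource falls back to "*" for backward compatibility (PermissionsBoundaryArn can further limit it).` Keep in mind that a key's own key policy must also allow the forwarder role, so listing an ARN here is necessary but not sufficient; a short pointer to that in the comment would save a support round-trip. The enclosing policy Statement list starts and ends outside this hunk.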