Issues using the CloudTrail module with a connect SNS topic.
Upon trying to connect the SNS networking module with the security CloudTrail module I met with the error:

```
Error: updating CloudTrail Trail (main-all-regions-trail): InsufficientSnsTopicPolicyException: The customer-managed key (CMK) associated with this SNS topic either does not exist or does not allow access to CloudTrail. Edit the key policy to allow access to CloudTrail.
```

It is worth noting that I am using a CMK KMS key, which is created alongside the other module listed above via the KMS master key module. My value for the SNS module's `allow_publish_services` is:

```hcl
allow_publish_services = [
  "events.amazonaws.com",
  "cloudwatch.amazonaws.com",
  "cloudtrail.amazonaws.com"
]
```

The KMS key also has the following policy:

```hcl
module "kms_master_key" {
  source = "git::git@github.com:gruntwork-io/terraform-aws-security.git//modules/kms-master-key?ref=v0.67.5"

  customer_master_keys = {
    (var.cloudtrail_trail_name) = {
      deletion_window_in_days    = 7
      cmk_administrator_iam_arns = var.kms_key_administrator_iam_arns
      cmk_user_iam_arns          = var.kms_key_user_iam_arns
      cmk_service_principals = [
        {
          name    = "cloudtrail.amazonaws.com"
          actions = ["kms:GenerateDataKey*", "kms:Decrypt"]
          conditions = [{
            test     = "StringLike"
            variable = "kms:EncryptionContext:aws:cloudtrail:arn"
            values   = ["arn:${data.aws_partition.current.partition}:cloudtrail:${var.aws_region}:${data.aws_caller_identity.current.account_id}:trail/${var.cloudtrail_trail_name}"]
          }]
        },
        {
          name    = "cloudtrail.amazonaws.com"
          actions = ["kms:DescribeKey"]
        },
      ]
    }
  }
}
```

Which leads me to believe the SNS KMS key policy ought to allow access to CloudTrail. Am I misunderstanding the error message? Has anyone else run into this issue?

---

[Tracked in ticket #110099](https://support.gruntwork.io/hc/requests/110099) (2023-04-20)
Hey @rsmets, are you using the SNS module in the `terraform-aws-messaging` repo to create an SNS topic? When using the module, you can pass in the `kms_master_key_id` variable. If you believe it's related to the key policy issue, you can grant the appropriate permission and see if that fixes the problem. You can use the `aws_kms_key` resource to create a CMK and use the `aws_iam_policy_document` to configure the key policy. For instance, the Terraform code would look something like this:

```hcl
resource "aws_kms_key" ".." {
  description = ...
  policy      = data.aws_iam_policy_document.db_kms_key_policy.json
}

data "aws_iam_policy_document" "db_kms_key_policy" {
  statement {
    ...
  }

  statement {
    effect  = "Allow"
    actions = ["kms:*"]
    principals {
      ...
    }
    resources = ["*"]
  }
}
```
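Filling in the reply's sketch as an added example (not the thread's or Gruntwork's code): a standalone CMK whose policy keeps the question's trail-scoped statement and adds the `kms:GenerateDataKey*` and `kms:Decrypt` grant AWS documents for CloudTrail publishing to an encrypted SNS topic, then wires the key into the topic. It assumes the `var.aws_region` and `var.cloudtrail_trail_name` variables from the question, and the topic name is a placeholder.

```hcl
data "aws_caller_identity" "current" {}
data "aws_partition" "current" {}
data "aws_iam_policy_document" "sns_cmk" {
  # Account root keeps full control so the key never becomes unmanageable.
  statement {
    effect    = "Allow"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }
  # Same grant as the question's key: log encryption scoped to one trail's context.
  statement {
    effect    = "Allow"
    actions   = ["kms:GenerateDataKey*", "kms:Decrypt"]
    resources = ["*"]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
    condition {
      test     = "StringLike"
      variable = "kms:EncryptionContext:aws:cloudtrail:arn"
      values   = ["arn:${data.aws_partition.current.partition}:cloudtrail:${var.aws_region}:${data.aws_caller_identity.current.account_id}:trail/${var.cloudtrail_trail_name}"]
    }
  }
  # The grant the error asks for: publishing to the encrypted topic, left without
  # the trail-context condition (assumption: the publish path does not present it).
  statement {
    effect    = "Allow"
    actions   = ["kms:GenerateDataKey*", "kms:Decrypt"]
    resources = ["*"]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
  }
}

resource "aws_kms_key" "sns_cmk" {
  deletion_window_in_days = 7
  policy                  = data.aws_iam_policy_document.sns_cmk.json
}

resource "aws_sns_topic" "cloudtrail" {
  name              = "cloudtrail-notifications" # placeholder name
  kms_master_key_id = aws_kms_key.sns_cmk.id
}
```

The `kms:DescribeKey` statement from the question's module can be added the same way if the trail's own encryption also uses this key.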