I have a Lambda function that uses KMS like so:
  {
    "Sid": "KMSDecryption",
    "Effect": "Allow",
    "Action": [
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:DescribeKey"
    ],
    "Resource": [
      "${KMSArn}"
    ]
  }
Originally I set it up in Terraform to use the alias only; however, this didn't work, and I had to reference the "arn" to allow the Lambda access, which makes sense.
  {....
  .....
    policy_file = templatefile("lambda_policy.json", {
      KMSArn = data.aws_kms_alias.key_alias.target_key_arn
    })
  }

  data "aws_kms_alias" "key_alias" {
    name = "alias/kms_test"
  }
My question is: since the Lambda policy now has the "arn" in it, which I have seen in the console, what happens when the keys are rotated? Does AWS also update the ARN on the Lambda to point to the new key...
OR
is there a way to reference the alias in the Lambda policy so that it won't matter?
CodePudding user response:
You need to reference the ARN in your policy. You shouldn't worry about rotation. From the
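A small policy check illustrating the point of the answer, added here as an example and not code from the original post: for cryptographic actions such as kms:Decrypt, the Resource element has to name the key ARN (the key ID in that ARN is what automatic rotation keeps stable), so the check flags alias ARNs and wildcards. The rendered key ARN, account ID and region are constructed placeholders.

```python
import json
import re

# Constructed sample: the questioner's statement with ${KMSArn} rendered
# to a made-up key ARN, plus an alias ARN to show what the check rejects.
RENDERED_POLICY = json.dumps({
    "Sid": "KMSDecryption",
    "Effect": "Allow",
    "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
               "kms:GenerateDataKey*", "kms:DescribeKey"],
    "Resource": [
        "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        "arn:aws:kms:us-east-1:111122223333:alias/kms_test",
    ],
})

# A KMS key ARN ends in key/<key ID>. Automatic rotation replaces the
# backing key material but leaves the key ID and ARN unchanged, so a
# policy pinned to this ARN keeps working across rotations.
KEY_ARN_RE = re.compile(
    r"^arn:aws:kms:[a-z0-9-]+:\d{12}:key/"
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)
ALIAS_ARN_RE = re.compile(r"^arn:aws:kms:[a-z0-9-]+:\d{12}:alias/.+$")


def check_kms_resources(statement_json):
    """Return (resource, finding) pairs for every Resource entry that is not
    a concrete KMS key ARN: alias ARNs do not match for kms:Decrypt-style
    actions, and wildcards grant access to every key in the account."""
    stmt = json.loads(statement_json)
    resources = stmt.get("Resource", [])
    if isinstance(resources, str):
        resources = [resources]
    findings = []
    for res in resources:
        if KEY_ARN_RE.match(res):
            continue  # concrete key ARN: the form the answer recommends
        if ALIAS_ARN_RE.match(res):
            findings.append((res, "alias ARN: Resource must be the key ARN"))
        elif res == "*" or res.endswith(":key/*"):
            findings.append((res, "wildcard: grants access to every key"))
        else:
            findings.append((res, "not a KMS key ARN"))
    return findings


for resource, why in check_kms_resources(RENDERED_POLICY):
    print(f"{resource}: {why}")
```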