Restrict KMS policy to caller AWS account

Current KMS policy is too large allowing all actions by any AWS account. Restrict it to the caller AWS account.
databricks · May 12, 2022 · 3501b16 · 3501b16
1 parent 24ed7fd
commit 3501b16
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/docs/resources/mws_customer_managed_keys.md b/docs/resources/mws_customer_managed_keys.md
@@ -27,14 +27,16 @@ variable "databricks_account_id" {
   description = "Account Id that could be found in the bottom left corner of https://accounts.cloud.databricks.com/"
 }
 
+data "aws_caller_identity" "current" {}
+
 data "aws_iam_policy_document" "databricks_managed_services_cmk" {
   version = "2012-10-17"
   statement {
     sid    = "Enable IAM User Permissions"
     effect = "Allow"
     principals {
       type        = "AWS"
-      identifiers = ["*"]
+      identifiers = [data.aws_caller_identity.current.account_id]
     }
     actions   = ["kms:*"]
     resources = ["*"]