Restrict KMS policy to caller AWS account (databricks#1309)

Current KMS policy is too large allowing all actions by any AWS account. Restrict it to the caller AWS account.
michael-berk · May 12, 2022 · eee882b · eee882b
1 parent 18e4957
commit eee882b
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/docs/resources/mws_customer_managed_keys.md b/docs/resources/mws_customer_managed_keys.md
@@ -27,14 +27,16 @@ variable "databricks_account_id" {
   description = "Account Id that could be found in the bottom left corner of https://accounts.cloud.databricks.com/"
 }
 
+data "aws_caller_identity" "current" {}
+
 data "aws_iam_policy_document" "databricks_managed_services_cmk" {
   version = "2012-10-17"
   statement {
     sid    = "Enable IAM User Permissions"
     effect = "Allow"
     principals {
       type        = "AWS"
-      identifiers = ["*"]
+      identifiers = [data.aws_caller_identity.current.account_id]
     }
     actions   = ["kms:*"]
     resources = ["*"]
@@ -92,7 +94,7 @@ data "aws_iam_policy_document" "databricks_storage_cmk" {
     effect = "Allow"
     principals {
       type        = "AWS"
-      identifiers = ["*"]
+      identifiers = [data.aws_caller_identity.current.account_id]
     }
     actions   = ["kms:*"]
     resources = ["*"]