@myhelix-cdk/aurora v0.36.2

aurora

audit

Our audit system still has some rough-edges.

First issue: the KMS key will need to be manually tweaked to allow the decrypter lambda access to it. Symptom: this appears in the decrypter lambda's CloudWatch log files:

2020-10-27T23:10:56.966Z	f37cd160-4574-4512-90e5-88b7c3901890	INFO	AccessDeniedException: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.
    at Request.extractError (/var/task/node_modules/aws-sdk/lib/protocol/json.js:52:27)
    at Request.callListeners (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
    at Request.emit (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
    at Request.emit (/var/task/node_modules/aws-sdk/lib/request.js:688:14)
    at Request.transition (/var/task/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/var/task/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /var/task/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (/var/task/node_modules/aws-sdk/lib/request.js:38:9)
    at Request.<anonymous> (/var/task/node_modules/aws-sdk/lib/request.js:690:12)
    at Request.callListeners (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:116:18) {
  code: 'AccessDeniedException',
  time: 2020-10-27T23:10:56.966Z,
  requestId: 'd0f7d504-a1aa-48b0-b7ad-86b9c94bb9cf',
  statusCode: 400,
  retryable: false,
  retryDelay: 86.17884490516121
}

Solution: add the following stanza to the associated KMS key.

        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::032052122631:role/email-audit-AuditEventDecrypterRoleB56CA8C0-I6EQ03RY0K06"
            },
            "Action": [
                "kms:Describe*",
                "kms:Decrypt"
            ],
            "Resource": "*"
        },

Note: I have attempted to automate this with no success at audit.ts:83..91.