@myhelix-cdk/aurora v0.36.2
aurora
audit
Our audit system still has some rough edges.
First issue: the KMS key's key policy must be edited by hand to grant the decrypter Lambda access to the key. Symptom: the following appears in the decrypter Lambda's CloudWatch logs:
2020-10-27T23:10:56.966Z f37cd160-4574-4512-90e5-88b7c3901890 INFO AccessDeniedException: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.
at Request.extractError (/var/task/node_modules/aws-sdk/lib/protocol/json.js:52:27)
at Request.callListeners (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
at Request.emit (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
at Request.emit (/var/task/node_modules/aws-sdk/lib/request.js:688:14)
at Request.transition (/var/task/node_modules/aws-sdk/lib/request.js:22:10)
at AcceptorStateMachine.runTo (/var/task/node_modules/aws-sdk/lib/state_machine.js:14:12)
at /var/task/node_modules/aws-sdk/lib/state_machine.js:26:10
at Request.<anonymous> (/var/task/node_modules/aws-sdk/lib/request.js:38:9)
at Request.<anonymous> (/var/task/node_modules/aws-sdk/lib/request.js:690:12)
at Request.callListeners (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:116:18) {
code: 'AccessDeniedException',
time: 2020-10-27T23:10:56.966Z,
requestId: 'd0f7d504-a1aa-48b0-b7ad-86b9c94bb9cf',
statusCode: 400,
retryable: false,
retryDelay: 86.17884490516121
}
Solution: add the following statement to the key policy of the associated KMS key.
{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::032052122631:role/email-audit-AuditEventDecrypterRoleB56CA8C0-I6EQ03RY0K06"
  },
  "Action": [
    "kms:Describe*",
    "kms:Decrypt"
  ],
  "Resource": "*"
},
Note: I have attempted to automate this with no success at audit.ts:83..91.
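As an added example that is not part of @myhelix-cdk/aurora, here is a small TypeScript check you can run before deploying: it tells you whether a KMS key policy explicitly names the decrypter role with kms:Decrypt, and builds the statement shown above when it does not. The account id and role ARN in the sample policy are constructed placeholders, and the check deliberately models only the key policy itself, not permissions delegated through the account root principal to IAM identity policies.

```typescript
// Added example, not project code: verify a KMS key policy grants a role kms:Decrypt.
type Statement = {
  Effect: "Allow" | "Deny";
  Principal?: { AWS?: string | string[] } | string;
  Action: string | string[];
  Resource?: string | string[];
};
type KeyPolicy = { Version?: string; Statement: Statement[] };

const asList = (v: string | string[] | undefined): string[] =>
  v === undefined ? [] : Array.isArray(v) ? v : [v];

// IAM action names are case-insensitive and may carry '*' wildcards ("kms:Describe*", "kms:*").
function actionMatches(pattern: string, action: string): boolean {
  const escaped = pattern.split("*").map(s => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&"));
  return new RegExp("^" + escaped.join(".*") + "$", "i").test(action);
}

// Only an explicit ARN (or "*") in Principal.AWS counts; root-principal delegation is not modelled.
function principalMatches(st: Statement, roleArn: string): boolean {
  if (st.Principal === "*") return true;
  if (typeof st.Principal !== "object" || st.Principal === null) return false;
  return asList(st.Principal.AWS).some(p => p === "*" || p === roleArn);
}

// True only when an Allow statement covers role+action and no Deny statement does.
function roleCanDecrypt(policy: KeyPolicy, roleArn: string, action = "kms:Decrypt"): boolean {
  const relevant = policy.Statement.filter(
    st => principalMatches(st, roleArn) && asList(st.Action).some(a => actionMatches(a, action)),
  );
  if (relevant.some(st => st.Effect === "Deny")) return false;
  return relevant.some(st => st.Effect === "Allow");
}

// The statement to add to the key policy, mirroring the stanza in the note above.
function decrypterStatement(roleArn: string): Statement {
  return { Effect: "Allow", Principal: { AWS: roleArn }, Action: ["kms:Describe*", "kms:Decrypt"], Resource: "*" };
}

// Constructed sample: a key policy that only names the account root (placeholder account id).
const samplePolicy: KeyPolicy = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Principal: { AWS: "arn:aws:iam::111111111111:root" }, Action: "kms:*", Resource: "*" }],
};
const roleArn = "arn:aws:iam::111111111111:role/ExampleDecrypterRole"; // placeholder role ARN

if (!roleCanDecrypt(samplePolicy, roleArn)) {
  console.log("key policy lacks an explicit grant; add:", JSON.stringify(decrypterStatement(roleArn), null, 2));
}
```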