35 lines
854 B
Text
35 lines
854 B
Text
|
{
|
||
|
|
"Version": "2012-10-17",
|
||
|
|
"Id": "CloudTrailPolicy",
|
||
|
|
"Statement": [
|
||
|
|
{
|
||
|
|
"Sid": "EncryptLogs",
|
||
|
|
"Effect": "Allow",
|
||
|
|
"Principal": { "Service": "cloudtrail.amazonaws.com" },
|
||
|
|
"Action": "kms:GenerateDataKey*",
|
||
|
|
"Resource": "*",
|
||
|
|
"Condition": {
|
||
|
|
"StringLike": {
|
||
|
|
"kms:EncryptionContext:aws:cloudtrail:arn": [
|
||
|
|
"arn:aws:cloudtrail:*:{{ aws_caller_info.account }}:trail/{{ resource_prefix }}*"
|
||
|
|
]
|
||
|
|
}
|
||
|
|
}
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"Sid": "DescribeKey",
|
||
|
|
"Effect": "Allow",
|
||
|
|
"Principal": { "Service": "cloudtrail.amazonaws.com" },
|
||
|
|
"Action": "kms:DescribeKey",
|
||
|
|
"Resource": "*"
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"Sid": "AnsibleTestManage",
|
||
|
|
"Effect": "Allow",
|
||
|
|
"Principal": { "AWS": "{{ aws_caller_info.arn }}" },
|
||
|
|
"Action": "*",
|
||
|
|
"Resource": "*"
|
||
|
|
}
|
||
|
|
]
|
||
|
|
}
|