From 78ea6f58313364de55c4e2a282c0f2f9bb77207a Mon Sep 17 00:00:00 2001
From: ASubaran
Date: Thu, 2 Jan 2025 14:22:17 +0000
Subject: [PATCH 1/3] AMB-2337- Tech Debt - Terraform Missing Security Best Practices
---
 infra/audit_db.tf | 5 +++-
 infra/delta_db.tf | 4 +++
 infra/endpoints.tf | 2 +-
 infra/imms_db.tf | 4 +++
 infra/kms_dynamo.tf | 66 +++++++++++++++++++++++++++++++++++++++++++++
 5 files changed, 79 insertions(+), 2 deletions(-)
 create mode 100644 infra/kms_dynamo.tf
diff --git a/infra/audit_db.tf b/infra/audit_db.tf
index b7a1b7cbc..cf93fc3ca 100644
--- a/infra/audit_db.tf
+++ b/infra/audit_db.tf
@@ -22,5 +22,8 @@ resource "aws_dynamodb_table" "audit-table" {
 point_in_time_recovery {
 enabled = local.environment == "prod" ? true : false
 }
-
+ server_side_encryption {
+ enabled = true
+ kms_key_arn = data.aws_kms_key.existing_dynamo_encryption_arn.arn
+ }
 }
\ No newline at end of file
diff --git a/infra/delta_db.tf b/infra/delta_db.tf
index 690283c1a..3ba462aec 100644
--- a/infra/delta_db.tf
+++ b/infra/delta_db.tf
@@ -47,4 +47,8 @@ resource "aws_dynamodb_table" "delta-dynamodb-table" {
 point_in_time_recovery {
 enabled = local.environment == "prod" ? true : false
 }
+ server_side_encryption {
+ enabled = true
+ kms_key_arn = data.aws_kms_key.existing_dynamo_encryption_arn.arn
+ }
 }
\ No newline at end of file
diff --git a/infra/endpoints.tf b/infra/endpoints.tf
index c2051dfa1..954f91095 100644
--- a/infra/endpoints.tf
+++ b/infra/endpoints.tf
@@ -5,7 +5,7 @@ resource "aws_security_group" "lambda_redis_sg" {
 from_port = 0
 to_port = 0
 protocol = "-1"
- cidr_blocks = ["0.0.0.0/0"]
+ cidr_blocks = ["172.31.0.0/16"]
 }
 egress {
diff --git a/infra/imms_db.tf b/infra/imms_db.tf
index 1e45f5a4d..6cb9f0f0b 100644
--- a/infra/imms_db.tf
+++ b/infra/imms_db.tf
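Review bot: The new `server_side_encryption` block reads `data.aws_kms_key.existing_dynamo_encryption_arn.arn`, but no data source by that name is declared anywhere in this series: patch 1 creates the key as a managed resource `aws_kms_key.dynamodb_encryption` in infra/kms_dynamo.tf, and patch 3 declares `data.aws_kms_key.existing_dynamo_encryption_key` under terraform/variables.tf, a different root module. Unless the data source already exists in infra/ outside this diff, the plan fails on an undeclared reference; within the same module the simpler and ordering-safe form is `kms_key_arn = aws_kms_key.dynamodb_encryption.arn`, which also makes Terraform create the key before the table. If a lookup by alias is intended instead, declare it under infra/ with the alias that kms_dynamo.tf attaches (the key-policy part of that file is not visible in this chunk). The delta_db.tf and imms_db.tf hunks carry the same reference, and the enclosing resource starts before each hunk.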
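Review bot: The ingress rule now takes a hard-coded `172.31.0.0/16` although the group is attached to `data.aws_vpc.default.id` (visible in the second patch), so the two can drift apart silently if the VPC changes; deriving it, `cidr_blocks = [data.aws_vpc.default.cidr_block]`, keeps the rule tied to the VPC it lives in and matches the comment "only from the VPC CIDR block" that patch 2 adds above it. The rule still admits every port and protocol (`from_port = 0`, `to_port = 0`, `protocol = "-1"`) from the whole VPC; if the group only needs Redis traffic, as its name suggests, narrowing to that port and TCP, or referencing the client security group via `security_groups` instead of a CIDR, is the least-privilege form. The enclosing resource starts before this hunk.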
@@ -42,4 +42,8 @@ resource "aws_dynamodb_table" "events-dynamodb-table" {
 point_in_time_recovery {
 enabled = local.environment == "prod" ? true : false
 }
+ server_side_encryption {
+ enabled = true
+ kms_key_arn = data.aws_kms_key.existing_dynamo_encryption_arn.arn
+ }
 }
\ No newline at end of file
diff --git a/infra/kms_dynamo.tf b/infra/kms_dynamo.tf
new file mode 100644
index 000000000..eaab93046
--- /dev/null
+++ b/infra/kms_dynamo.tf
@@ -0,0 +1,66 @@
+ resource "aws_kms_key" "dynamodb_encryption" {
+ description = "KMS key for DynamoDB encryption"
+ key_usage = "ENCRYPT_DECRYPT"
+ enable_key_rotation = true
+ policy = <
Date: Mon, 6 Jan 2025 10:54:18 +0000
Subject: [PATCH 2/3] Updated the terraform
---
 infra/endpoints.tf | 23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)
diff --git a/infra/endpoints.tf b/infra/endpoints.tf
index 954f91095..7e61e0d42 100644
--- a/infra/endpoints.tf
+++ b/infra/endpoints.tf
@@ -1,6 +1,8 @@
 resource "aws_security_group" "lambda_redis_sg" {
 vpc_id = data.aws_vpc.default.id
 name = "immunisation-security-group"
+
+ # Inbound rule to allow traffic only from the VPC CIDR block
 ingress {
 from_port = 0
 to_port = 0
@@ -8,11 +10,24 @@ resource "aws_security_group" "lambda_redis_sg" {
 cidr_blocks = ["172.31.0.0/16"]
 }
+ # Outbound rules to specific AWS services using prefix lists
 egress {
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_blocks = ["0.0.0.0/0"]
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ prefix_list_ids = [
+ "pl-7ca54015",
+ "pl-93a247fa",
+ "pl-b3a742da"
+ ]
+ }
+
+ # Egress rule to allow communication within the same security group
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ self = true
 }
 }
From dafb7cb229d31ee262d1e52ec7849e9333323f4e Mon Sep 17 00:00:00 2001
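Review bot: The three prefix-list IDs `pl-7ca54015`, `pl-93a247fa`, `pl-b3a742da` are opaque literals: a reviewer cannot tell which services they reach, and prefix-list IDs are specific to the region (and, for customer-managed lists, the account) they were copied from, so the module breaks quietly if deployed elsewhere. Resolving them by name, e.g. `data "aws_ec2_managed_prefix_list" "svc" { name = "com.amazonaws.<region>.<service>" }` and referencing its `.id` (a constructed example; substitute the services these IDs stand for), records the intent in the plan and fails loudly on a wrong region. The comment `# Outbound rules to specific AWS services using prefix lists` should also name the services. The `self = true` egress rule is fine as written.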
From: ASubaran
Date: Tue, 7 Jan 2025 12:37:51 +0000
Subject: [PATCH 3/3] Added the dynamo_key_access for all lambdas
---
 terraform/delta.tf | 3 +++
 terraform/endpoints.tf | 3 +++
 terraform/file_name_processor.tf | 5 ++++-
 terraform/forwarder_lambda.tf | 3 ++-
 terraform/policies/dynamo_key_access.json | 16 ++++++++++++++++
 terraform/variables.tf | 4 ++++
 6 files changed, 32 insertions(+), 2 deletions(-)
 create mode 100644 terraform/policies/dynamo_key_access.json
diff --git a/terraform/delta.tf b/terraform/delta.tf
index 9a3c7674a..8075526a1 100644
--- a/terraform/delta.tf
+++ b/terraform/delta.tf
@@ -85,6 +85,9 @@ data "aws_iam_policy_document" "delta_policy_document" {
 templatefile("${local.policy_path}/aws_sqs_queue.json", {
 "aws_sqs_queue_name" : aws_sqs_queue.dlq.name
 } ),
+ templatefile("${local.policy_path}/dynamo_key_access.json", {
+ "dynamo_encryption_key" : data.aws_kms_key.existing_dynamo_encryption_key.arn
+ }),
 templatefile("${local.policy_path}/aws_sns_topic.json", {
 "aws_sns_topic_name" : aws_sns_topic.delta_sns.name
 } ),
diff --git a/terraform/endpoints.tf b/terraform/endpoints.tf
index 8c1bf4307..0764d6f63 100644
--- a/terraform/endpoints.tf
+++ b/terraform/endpoints.tf
@@ -42,6 +42,9 @@ data "aws_iam_policy_document" "imms_policy_document" {
 "local_account" : local.local_account_id
 "queue_prefix" : local.short_prefix
 } ),
+ templatefile("${local.policy_path}/dynamo_key_access.json", {
+ "dynamo_encryption_key" : data.aws_kms_key.existing_dynamo_encryption_key.arn
+ } ),
 templatefile("${local.policy_path}/log_kinesis.json", {
 "kinesis_stream_name" : module.splunk.firehose_stream_name
 } ),
diff --git a/terraform/file_name_processor.tf b/terraform/file_name_processor.tf
index 922135dcb..afede93bf 100644
--- a/terraform/file_name_processor.tf
+++ b/terraform/file_name_processor.tf
@@ -198,7 +198,10 @@ resource "aws_iam_policy" "filenameprocessor_lambda_kms_access_policy" {
 "kms:Decrypt",
 "kms:GenerateDataKey*"
 ]
- Resource = data.aws_kms_key.existing_s3_encryption_key.arn
+ Resource = [
+ data.aws_kms_key.existing_s3_encryption_key.arn,
+ data.aws_kms_key.existing_dynamo_encryption_key.arn
+ ]
 }
 ]
 })
diff --git a/terraform/forwarder_lambda.tf b/terraform/forwarder_lambda.tf
index 6463efb1a..93e936c51 100644
--- a/terraform/forwarder_lambda.tf
+++ b/terraform/forwarder_lambda.tf
@@ -148,7 +148,8 @@ resource "aws_iam_policy" "forwarding_lambda_exec_policy" {
 "kms:Decrypt",
 "kms:GenerateDataKey*"
 ]
- Resource = data.aws_kms_key.existing_s3_encryption_key.arn
+ Resource = [data.aws_kms_key.existing_s3_encryption_key.arn,
+ data.aws_kms_key.existing_dynamo_encryption_key.arn]
 },
 {
 Effect = "Allow"
diff --git a/terraform/policies/dynamo_key_access.json b/terraform/policies/dynamo_key_access.json
new file mode 100644
index 000000000..d5a58cfb0
--- /dev/null
+++ b/terraform/policies/dynamo_key_access.json
@@ -0,0 +1,16 @@
+{
+ "Version" : "2012-10-17",
+ "Statement" : [
+ {
+ "Effect" : "Allow",
+ "Action" : [
+ "kms:Encrypt",
+ "kms:Decrypt",
+ "kms:GenerateDataKey*"
+ ],
+ "Resource" : [
+ "${dynamo_encryption_key}"
+ ]
+ }
+ ]
+ }
\ No newline at end of file
diff --git a/terraform/variables.tf b/terraform/variables.tf
index 4a401774d..b52c1b9db 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -52,6 +52,10 @@ data "aws_kms_key" "existing_s3_encryption_key" {
 key_id = "alias/imms-batch-s3-shared-key"
 }
+data "aws_kms_key" "existing_dynamo_encryption_key" {
+ key_id = "alias/imms-event-dynamodb-encryption"
+}
+
 variable "aws_region" {
 default = "eu-west-2"
 }
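Review bot: Patch 3 grants the same DynamoDB key access two different ways: delta.tf and endpoints.tf pull in the new `policies/dynamo_key_access.json` template, while this hunk and the forwarder_lambda.tf hunk widen inline `jsonencode` policies instead, and the two inline hunks even format the same two-element `Resource` list differently (multi-line here, `[a,` / `b]` in the forwarder). Standardising on one form, the multi-line list used here run through `terraform fmt`, keeps the KMS grants auditable from one place; if the inline policies cannot be replaced by the template, a short comment saying why would help the next reader. Both `aws_iam_policy` resources start before their hunks.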
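Review bot: The statement grants the Lambda role unconditional `kms:Encrypt`, `kms:Decrypt` and `kms:GenerateDataKey*` on the DynamoDB key, so the role can use the key directly, not only through table access. Because DynamoDB performs the KMS calls on the caller's behalf, adding `"Condition": {"StringEquals": {"kms:ViaService": "dynamodb.${aws_region}.amazonaws.com"}}` to the statement, with the region passed as a template variable (for example from `var.aws_region`, which variables.tf defines with default `eu-west-2`), scopes the grant to use via DynamoDB. DynamoDB's documented key-access set also lists `kms:DescribeKey` and `kms:CreateGrant`, so confirm against the DynamoDB/KMS documentation that the three actions here are sufficient for the table operations these Lambdas perform. The file also lacks a trailing newline, as the `\ No newline at end of file` marker records.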