Merge pull request #81 from ScaleSec/kms

security_controls_scp/modules/kms/deny_kms_custom_key_store.tf

@@ -0,0 +1,33 @@
+#-----security_controls_scp/modules/kms/deny_kms_custom_key_store.tf----#
+
+data "aws_iam_policy_document" "deny_kms_custom_key_store" {
+  statement {
+    sid = "DenyKmsCustomKeyStore"
+
+    actions = [
+      "kms:CreateCustomKeyStore",
+      "kms:UpdateCustomKeyStore",
+      "kms:ConnectCustomKeyStore",
+      "kms:DisconnectCustomKeyStore",
+      "kms:DeleteCustomKeyStore",
+    ]
+
+    resources = [
+      "*",
+    ]
+
+    effect = "Deny"
+  }
+}
+
+resource "aws_organizations_policy" "deny_kms_custom_key_store" {
+  name        = "Deny KMS custom key store"
+  description = "Deny the ability to use KMS custom key store
+
+  content = data.aws_iam_policy_document.deny_kms_custom_key_store.json
+}
+
+resource "aws_organizations_policy_attachment" "deny_kms_custom_key_store_attachment" {
+  policy_id = aws_organizations_policy.deny_kms_custom_key_store.id
+  target_id = var.target_id
+}

security_controls_scp/modules/kms/variables.tf

@@ -0,0 +1,5 @@
+#-----security_controls_scp/modules/kms/variables.tf----#
+variable "target_id" {
+  description = "The Root ID, Organizational Unit ID, or AWS Account ID to apply SCPs."
+  type        = string
+}