add log groups to key policy

mprzytulski · mprzytulski · commit 1459e8bc92dc · 2022-08-22T12:45:21.000+02:00
diff --git a/serverless/aws/features/encryption.py b/serverless/aws/features/encryption.py
@@ -1,4 +1,5 @@
 from troposphere.kms import Alias, Key
+from troposphere.logs import LogGroup
 
 from serverless.service.plugins.kms import KMSGrant
 from serverless.service.plugins.scriptable import Scriptable
@@ -67,26 +68,31 @@ def pre_render(self, service):
                 resource.DependsOn = "ServiceEncryptionKeyAlias"
 
         for fn in service.functions.all():
-            self.key.KeyPolicy["Statement"].append(
-                {
-                    "Effect": "Allow",
-                    "Principal": {"Service": "logs.${aws:region}.amazonaws.com"},
-                    "Action": [
-                        "kms:Encrypt*",
-                        "kms:Decrypt*",
-                        "kms:ReEncrypt*",
-                        "kms:GenerateDataKey*",
-                        "kms:Describe*",
-                    ],
-                    "Resource": "*",
-                    "Condition": {
-                        "ArnLike": {
-                            "kms:EncryptionContext:aws:logs:arn": "arn:aws:logs:${aws:region}:${aws:accountId}:log-group:/aws/lambda/"
-                            + fn.name.spinal
-                        }
-                    },
+            self.key.KeyPolicy["Statement"].append(self.create_log_group_kms_statement("arn:aws:logs:${aws:region}:${aws:accountId}:log-group:/aws/lambda/" + fn.name.spinal))
+
+        for resource in service.resources.all():
+            if isinstance(resource, LogGroup):
+                if resource.properties.get("KmsKeyId") is not None:
+                    self.key.KeyPolicy["Statement"].append(self.create_log_group_kms_statement("arn:aws:logs:${aws:region}:${aws:accountId}:log-group:" + resource.LogGroupName))
+
+    def create_log_group_kms_statement(self, log_group):
+        return {
+            "Effect": "Allow",
+            "Principal": {"Service": "logs.${aws:region}.amazonaws.com"},
+            "Action": [
+                "kms:Encrypt*",
+                "kms:Decrypt*",
+                "kms:ReEncrypt*",
+                "kms:GenerateDataKey*",
+                "kms:Describe*",
+            ],
+            "Resource": "*",
+            "Condition": {
+                "ArnLike": {
+                    "kms:EncryptionContext:aws:logs:arn": log_group
                 }
-            )
+            },
+        }
 
     def enable(self, service):
         if not service.regions:
