Fix checkov scan findings

cloudwatch.tf

@@ -2,7 +2,7 @@
 resource "aws_cloudwatch_log_group" "lambda_log" {
   name              = "${var.log_group_prefix}${var.name}" #"/aws/lambda/${var.name}"
   retention_in_days = 365
-  kms_key_id        = aws_kms_key.encryption_rest.arn
+  kms_key_id        = aws_kms_key.encryption.arn
 }
 #
 #https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_stream

iam_role.tf

@@ -40,12 +40,20 @@ resource "aws_iam_policy" "lambda_policy" {
         ],
         Resource = [local.cloudwatch_log_group_arn]
       },
+      {
+        Effect = "Allow"
+        Action = [
+          "sqs:SendMessage",
+          "sqs:GetQueueAttributes"
+        ]
+        Resource = aws_sqs_queue.dlq.arn
+      },
       {
         Effect = "Allow",
         Action = [
           "kms:Decrypt"
         ]
-        Resource = [aws_kms_key.encryption_rest.arn]
+        Resource = [aws_kms_key.encryption.arn]
       }
     ]
   })

kms.tf

@@ -1,50 +1,113 @@
 #https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key
-resource "aws_kms_key" "encryption_rest" {
+resource "aws_kms_key" "encryption" {
   enable_key_rotation     = true
-  description             = "Key to encrypt Amazon CloudWatch logs at rest."
+  description             = "Key to encrypt all the cloud resources in ${var.name}."
   deletion_window_in_days = 7
-  #checkov:skip=CKV2_AWS_64: KMS Key policy in a separate resource
 }
 #https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias
-resource "aws_kms_alias" "encryption_rest" {
-  name          = "alias/lambda-${var.name}-at-rest"
-  target_key_id = aws_kms_key.encryption_rest.key_id
+resource "aws_kms_alias" "encryption" {
+  name          = "alias/${var.name}"
+  target_key_id = aws_kms_key.encryption.key_id
 }
-#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key_policy
-resource "aws_kms_key_policy" "encryption_rest_policy" {
-  key_id = aws_kms_key.encryption_rest.id
-  policy = jsonencode({
-    Id = "encryption-rest"
-    Statement = [
-      {
-        Action = "kms:*"
-        Effect = "Allow"
-        Principal = {
-          AWS = "${local.principal_root_arn}"
-        }
-        Resource = "*"
-        Sid      = "Enable IAM User Permissions"
-      },
-      {
-        Effect : "Allow",
-        Principal : {
-          Service : "${local.principal_logs_arn}"
-        },
-        Action : [
-          "kms:Encrypt*",
-          "kms:Decrypt*",
-          "kms:ReEncrypt*",
-          "kms:GenerateDataKey*",
-          "kms:Describe*"
-        ],
-        Resource : "*",
-        Condition : {
-          ArnEquals : {
-            "kms:EncryptionContext:aws:logs:arn" : [local.cloudwatch_log_group_arn]
-          }
-        }
-      }
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
+data "aws_iam_policy_document" "encryption_policy" {
+  statement {
+    sid    = "Enable IAM User Permissions"
+    effect = "Allow"
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+    }
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:DescribeKey",
+      "kms:Create*",
+      "kms:Enable*",
+      "kms:List*",
+      "kms:Put*",
+      "kms:Update*",
+      "kms:Revoke*",
+      "kms:Disable*",
+      "kms:Get*",
+      "kms:Delete*",
+      "kms:ScheduleKeyDeletion",
+      "kms:CancelKeyDeletion",
+      "kms:TagResource",
+      "kms:UntagResource"
+    ]
+    resources = [aws_kms_key.encryption.arn]
+  }
+  statement {
+    sid    = "Allow CloudWatch to use the key"
+    effect = "Allow"
+    principals {
+      type        = "Service"
+      identifiers = ["logs.amazonaws.com"]
+    }
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:DescribeKey",
+      "kms:CreateGrant"
+    ]
+    resources = [aws_kms_key.encryption.arn]
+    condition {
+      test     = "ArnEquals"
+      variable = "kms:EncryptionContext:aws:logs:arn"
+      values   = [local.cloudwatch_log_group_arn]
+    }
+  }
+  statement {
+    sid    = "Allow Lambda to use the key"
+    effect = "Allow"
+    principals {
+      type        = "Service"
+      identifiers = ["lambda.amazonaws.com"]
+    }
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:DescribeKey",
+      "kms:CreateGrant"
     ]
-    Version = "2012-10-17"
-  })
+    resources = [aws_kms_key.encryption.arn]
+  }
+  statement {
+    sid    = "Allow SSM to use the key"
+    effect = "Allow"
+    principals {
+      type        = "Service"
+      identifiers = ["ssm.amazonaws.com"]
+    }
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:DescribeKey"
+    ]
+    resources = [aws_kms_key.encryption.arn]
+    condition {
+      test     = "StringEquals"
+      variable = "kms:CallerAccount"
+      values   = [data.aws_caller_identity.current.account_id]
+    }
+    condition {
+      test     = "StringEquals"
+      variable = "kms:ViaService"
+      values   = ["ssm.${var.region}.amazonaws.com"]
+    }
+  }
+}
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key_policy
+resource "aws_kms_key_policy" "encryption" {
+  key_id = aws_kms_key.encryption.id
+  policy = data.aws_iam_policy_document.encryption_policy.json
 }

lambda.tf

@@ -12,7 +12,7 @@ resource "aws_lambda_function" "lambda_run" {
   role             = aws_iam_role.lambda_role.arn
   handler          = "handler.lambda_handler"
   runtime          = "python3.8"
-  kms_key_arn      = aws_kms_key.encryption_rest.arn
+  kms_key_arn      = aws_kms_key.encryption.arn
   logging_config {
     log_format       = "JSON"
     log_group        = aws_cloudwatch_log_group.lambda_log.name
@@ -25,11 +25,13 @@ resource "aws_lambda_function" "lambda_run" {
       log_stream_name = aws_cloudwatch_log_stream.log_stream.name
     }
   }
+  #https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq
+  dead_letter_config {
+    target_arn = aws_sqs_queue.dlq.arn
+  }
+  reserved_concurrent_executions = 5
   #checkov:skip=CKV_AWS_50: Not applicable in this use case: X-Ray tracing is enabled for Lambda
-  #checkov:skip=CKV_AWS_115: Not applicable in this use case: Ensure that AWS Lambda function is configured for function-level concurrent execution limit
   #checkov:skip=CKV_AWS_117: This AWS Lambda function does not require access to anything inside a VPC
-  #checkov:skip=CKV_AWS_116: Not applicable in this use case
-  #checkov:skip=CKV_AWS_173: Not applicable in this use case
   #checkov:skip=CKV_AWS_272: Not applicable in this use case: Ensure AWS Lambda function is configured to validate code-signing
 }
 #https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule

sqs.tf

@@ -0,0 +1,6 @@
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue
+resource "aws_sqs_queue" "dlq" {
+  name                              = "${var.name}-lambda-dlq"
+  kms_master_key_id                 = aws_kms_key.encryption.arn
+  kms_data_key_reuse_period_seconds = 300
+}

ssm_parameter.tf

@@ -2,6 +2,6 @@
 resource "aws_ssm_parameter" "parameter" {
   name   = "/${var.name}"
   type   = "SecureString"
-  key_id = aws_kms_key.encryption_rest.id
+  key_id = aws_kms_key.encryption.id
   value  = "1234567890"
 }