From b56433f8fd658cecf3da66e0d7f90b3934717770 Mon Sep 17 00:00:00 2001
From: Karan Shah
Date: Thu, 26 May 2022 10:06:13 +0100
Subject: [PATCH] adding permissions - Allowing SES to use CMK for SNS topic through resource policy
---
 .../egress_backend/egress_backend_stack.py | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/src/components/egress_app_backend/egress_backend/egress_backend_stack.py b/src/components/egress_app_backend/egress_backend/egress_backend_stack.py
index 62a2d60a..efe5db6e 100644
--- a/src/components/egress_app_backend/egress_backend/egress_backend_stack.py
+++ b/src/components/egress_app_backend/egress_backend/egress_backend_stack.py
@@ -162,6 +162,22 @@ def __init__(
 )
 )
 
+ sns_kms_key.add_to_resource_policy(
+ iam.PolicyStatement(
+ effect=iam.Effect.ALLOW,
+ principals=[
+ iam.ServicePrincipal("ses.amazonaws.com"),
+ ],
+ resources=[
+ "*",
+ ],
+ actions=[
+ "kms:GenerateDataKey*",
+ "kms:Decrypt",
+ ],
+ )
+ )
+
 # Custom resource to handle email identity verification
 ses_sender_email_verification = EmailIdentityVerificationCustomResource(
 self,
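Review bot: The statement added to the `sns_kms_key` resource policy lets the `ses.amazonaws.com` service principal call `kms:GenerateDataKey*` and `kms:Decrypt` with no condition, so nothing in the key policy ties the grant to this account's own SES usage (the usual cross-service confused-deputy gap). Consider scoping it with `conditions={"StringEquals": {"aws:SourceAccount": self.account}}` on the `iam.PolicyStatement`, after confirming in a test deployment that SES supplies that context key on the KMS calls made for an encrypted SNS topic, since not every service path does. The `kms:GenerateDataKey*` wildcard also matches the data-key-pair and without-plaintext operations; if only the plain operation is needed, `"kms:GenerateDataKey"` is narrower. A one-line comment above `resources`, such as `# "*" in a key policy means this key only`, would keep later readers from mistaking it for an account-wide grant. `__init__` starts and ends outside the hunk, so the availability of `self.account` is assumed from the stack context rather than visible here.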