use super::*;
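impl BucketWarden {
    /// Appends an `Allowed` audit record for a `kms:Encrypt` operation.
    ///
    /// The detail column is `version_id=<v>;key_id=<k>`, with both values passed
    /// through [`escape_audit_value`] so that neither can introduce an extra field.
    ///
    /// NOTE(review): the outcome is hard-coded to `Allowed`, so this should only be
    /// called once the operation has actually been authorised and has succeeded;
    /// failures presumably go through `audit_kms_failure` — confirm at the call sites.
    pub(crate) fn audit_kms_encrypt(
        &mut self,
        principal: &str,
        resource: &str,
        version_id: &str,
        key_id: &str,
    ) {
        self.audit_kms_object_op(principal, "kms:Encrypt", resource, version_id, key_id);
    }

    /// Appends an `Allowed` audit record for a `kms:Decrypt` operation.
    ///
    /// Same record layout and escaping as `audit_kms_encrypt`; only the action differs.
    pub(crate) fn audit_kms_decrypt(
        &mut self,
        principal: &str,
        resource: &str,
        version_id: &str,
        key_id: &str,
    ) {
        self.audit_kms_object_op(principal, "kms:Decrypt", resource, version_id, key_id);
    }

    /// Appends an `Allowed` audit record for a `kms:UnwrapDataKey` operation.
    ///
    /// Same record layout and escaping as `audit_kms_encrypt`; only the action differs.
    pub(crate) fn audit_kms_unwrap(
        &mut self,
        principal: &str,
        resource: &str,
        version_id: &str,
        key_id: &str,
    ) {
        self.audit_kms_object_op(principal, "kms:UnwrapDataKey", resource, version_id, key_id);
    }

    /// Appends an `Allowed` audit record for a key-administration action.
    ///
    /// `key_id` is written into the record's resource position and the detail is the
    /// constant `runtime-kms`.
    ///
    /// NOTE(review): `action` is caller-supplied and is not checked against a known
    /// set here, and the outcome is always `Allowed`; verify that callers pass a fixed
    /// action name and only call this after the change has been applied.
    pub(crate) fn audit_kms_admin(&mut self, actor: &str, action: &str, key_id: &str) {
        let detail = String::from("runtime-kms");
        self.audit
            .append(actor, action, key_id, AuditOutcome::Allowed, Some(detail));
    }

    /// Appends a `Denied` audit record for a KMS operation that did not go through.
    ///
    /// The detail column is `key_id=<k>;reason=<r>`, with both values escaped by
    /// [`escape_audit_value`]. `reason` is often derived from an error message and can
    /// therefore carry request-influenced text; escaping keeps it inside its own field.
    ///
    /// NOTE(review): `reason` is persisted with the record, so callers should keep key
    /// material and plaintext out of it.
    pub(crate) fn audit_kms_failure(
        &mut self,
        principal: &str,
        action: &str,
        resource: &str,
        key_id: &str,
        reason: &str,
    ) {
        let detail = format!(
            "key_id={};reason={}",
            escape_audit_value(key_id),
            escape_audit_value(reason)
        );
        self.audit
            .append(principal, action, resource, AuditOutcome::Denied, Some(detail));
    }

    /// Shared body of the three per-object success helpers: appends an `Allowed`
    /// record whose detail is `version_id=<v>;key_id=<k>` with escaped values.
    fn audit_kms_object_op(
        &mut self,
        principal: &str,
        action: &str,
        resource: &str,
        version_id: &str,
        key_id: &str,
    ) {
        let detail = format!(
            "version_id={};key_id={}",
            escape_audit_value(version_id),
            escape_audit_value(key_id)
        );
        self.audit
            .append(principal, action, resource, AuditOutcome::Allowed, Some(detail));
    }
}

/// Percent-encodes the characters that would let a value break out of its
/// `name=value` slot in a `;`-separated audit detail string.
///
/// Encoded: `;` (the field separator), `%` (so the encoding stays reversible) and
/// every control character, which covers CR/LF and NUL. `=` is left alone because a
/// reader that splits each field on its first `=` still recovers the value. Values
/// without any of these characters are returned unchanged, so records for ordinary
/// identifiers keep their previous byte-for-byte form.
fn escape_audit_value(raw: &str) -> String {
    use std::fmt::Write as _;

    let mut escaped = String::with_capacity(raw.len());
    for ch in raw.chars() {
        if ch == ';' || ch == '%' || ch.is_control() {
            let mut utf8 = [0u8; 4];
            for byte in ch.encode_utf8(&mut utf8).bytes() {
                // Writing into a `String` cannot fail, so the result is ignored.
                let _ = write!(escaped, "%{byte:02X}");
            }
        } else {
            escaped.push(ch);
        }
    }
    escaped
}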