Amazon KMS Operations

From NovaOrdis Knowledge Base

Internal

CLI

Amazon KMS CLI

CloudFormation

KMS Resource Type Reference

AWS::KMS::Key

It is usually a good idea to also create an AWS::KMS::Alias, as shown below:

Parameters:
  SomeRoleArn:
    Type: String
    Default: arn:aws:iam::777777777777:role/playground-role

Resources:

  CustomerMasterKey:
    Type: AWS::KMS::Key
    Properties:
      Description: 'Microworld customer master key'
      Enabled: 'true'
      # Automatic yearly rotation of the key material; disabled in this example.
      EnableKeyRotation: 'false'
      KeyUsage: ENCRYPT_DECRYPT
      # Waiting period before a scheduled deletion takes effect (7 to 30 days).
      PendingWindowInDays: 7
      KeyPolicy:
        Version: '2012-10-17'
        Id: main-key-policy
        Statement:
          # The account root statement lets IAM policies in this account
          # grant access to the key; without it the key can become unmanageable.
          -
            Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action: 'kms:*'
            Resource: '*'
          # The usage statement names only the operations the role needs.
          -
            Sid: Allow use of the key
            Effect: Allow
            Principal:
              AWS: !Sub ${SomeRoleArn}
            Action:
              - kms:DescribeKey
              - kms:Encrypt
              - kms:Decrypt
              - kms:ReEncrypt*
              - kms:GenerateDataKey
              - kms:GenerateDataKeyWithoutPlaintext
            Resource: '*'
      Tags:
        - Key: Name
          Value: infinity-master-key-3

  CustomerMasterKeyAlias:
    Type: AWS::KMS::Alias
    Properties:
      # Alias names must start with "alias/"; "alias/aws/" is reserved for AWS managed keys.
      AliasName: alias/infinity-master-key-3
      TargetKeyId: !Ref CustomerMasterKey

Note that the role referred to as "Principal" in the key policy must itself allow KMS operations in its own IAM policy:

  SomeRole:
    Type: AWS::IAM::Role
    Properties:
      ...
      Policies:
        - PolicyName: generic-in-line-policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Resource: '*'
                Effect: Allow
                Action:
                  ...
                  # 'kms:*' on all resources is the broadest possible grant; the key
                  # policy above still limits this role to the actions it lists.
                  - 'kms:*'
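The key policy and alias above are the parts of the template that decide who can use the key and whether it stays manageable, so they are worth checking before a stack is deployed. The following added example (not code from the wiki page or from AWS) is a small offline audit of the `AWS::KMS::Key` and `AWS::KMS::Alias` resources in a CloudFormation template. It takes the template in its JSON form, with the `!Sub` and `!Ref` intrinsics written as `{"Fn::Sub": ...}` and `{"Ref": ...}`, and the sample template embedded below is a constructed copy of the page's `CustomerMasterKey` / `CustomerMasterKeyAlias` resources; the account id `777777777777` and the role name are the page's own placeholders. The checks are: a wildcard principal without a `Condition`, `kms:*` granted to anything other than the account root, a missing account-root statement, rotation left disabled, and alias names or targets that are wrong.

```python
"""Offline audit of KMS key/alias resources in a CloudFormation template (JSON form).
Added example, not code from the wiki page; the TEMPLATE below is a constructed sample."""
import copy

ACCOUNT_ID = "777777777777"  # the page's placeholder account id
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/playground-role"

TEMPLATE = {  # constructed: JSON form of the page's YAML resources
    "Parameters": {"SomeRoleArn": {"Type": "String", "Default": ROLE_ARN}},
    "Resources": {
        "CustomerMasterKey": {"Type": "AWS::KMS::Key", "Properties": {
            "Enabled": "true", "EnableKeyRotation": "false",
            "KeyUsage": "ENCRYPT_DECRYPT", "PendingWindowInDays": 7,
            "KeyPolicy": {"Version": "2012-10-17", "Statement": [
                {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
                 "Principal": {"AWS": {"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:root"}},
                 "Action": "kms:*", "Resource": "*"},
                {"Sid": "Allow use of the key", "Effect": "Allow",
                 "Principal": {"AWS": {"Fn::Sub": "${SomeRoleArn}"}},
                 "Action": ["kms:DescribeKey", "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                            "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext"],
                 "Resource": "*"}]}}},
        "CustomerMasterKeyAlias": {"Type": "AWS::KMS::Alias", "Properties": {
            "AliasName": "alias/infinity-master-key-3",
            "TargetKeyId": {"Ref": "CustomerMasterKey"}}}}}


def resolve(value, template, account_id):
    """Resolve the two intrinsics the page uses: Fn::Sub (account pseudo-parameter
    and parameter defaults) and Ref (returns the logical id or parameter name)."""
    if isinstance(value, dict) and "Fn::Sub" in value:
        text = value["Fn::Sub"].replace("${AWS::AccountId}", account_id)
        for name, param in template.get("Parameters", {}).items():
            text = text.replace("${%s}" % name, str(param.get("Default", "")))
        return text
    if isinstance(value, dict) and "Ref" in value:
        return value["Ref"]
    return value


def as_list(x):
    return x if isinstance(x, list) else [x]


def principals(stmt, template, account_id):
    """AWS principals of a statement; '*' means any principal."""
    p = stmt.get("Principal")
    if p == "*":
        return ["*"]
    if isinstance(p, dict):
        return [resolve(v, template, account_id) for v in as_list(p.get("AWS", []))]
    return []


def audit_template(template, account_id=ACCOUNT_ID):
    """Return a list of findings; an empty list means the template passed."""
    findings = []
    resources = template.get("Resources", {})
    keys = {lid: r for lid, r in resources.items() if r.get("Type") == "AWS::KMS::Key"}
    root_arn = f"arn:aws:iam::{account_id}:root"
    for lid, res in keys.items():
        props = res.get("Properties", {})
        root_has_full_access = False
        for stmt in props.get("KeyPolicy", {}).get("Statement", []):
            if stmt.get("Effect") != "Allow":
                continue
            prins = principals(stmt, template, account_id)
            actions = as_list(stmt.get("Action", []))
            sid = stmt.get("Sid", "<no Sid>")
            # A wildcard principal with no Condition lets any AWS account use the key.
            if "*" in prins and "Condition" not in stmt:
                findings.append(f"{lid}: statement '{sid}' allows any principal without a Condition")
            if root_arn in prins and "kms:*" in actions:
                root_has_full_access = True
            # Only the account root should get kms:*; usage roles get named actions.
            for p in prins:
                if p != root_arn and "kms:*" in actions:
                    findings.append(f"{lid}: statement '{sid}' grants kms:* to non-root principal {p}")
        # Without the root statement, IAM policies cannot grant access to the key.
        if not root_has_full_access:
            findings.append(f"{lid}: no statement grants kms:* to {root_arn}; key may become unmanageable")
        if str(props.get("EnableKeyRotation", "false")).lower() != "true":
            findings.append(f"{lid}: EnableKeyRotation is not true")
    aliased = set()
    for lid, res in resources.items():
        if res.get("Type") != "AWS::KMS::Alias":
            continue
        props = res.get("Properties", {})
        name = props.get("AliasName", "")
        if not name.startswith("alias/") or name.startswith("alias/aws/"):
            findings.append(f"{lid}: AliasName '{name}' must start with 'alias/' and not 'alias/aws/'")
        target = resolve(props.get("TargetKeyId"), template, account_id)
        if target in keys:
            aliased.add(target)
        else:
            findings.append(f"{lid}: TargetKeyId '{target}' is not an AWS::KMS::Key in this template")
    for lid in keys:
        if lid not in aliased:
            findings.append(f"{lid}: no AWS::KMS::Alias points at this key")
    return findings


def variant(template, **key_props):
    """Deep copy of the template with CustomerMasterKey properties overridden."""
    t = copy.deepcopy(template)
    t["Resources"]["CustomerMasterKey"]["Properties"].update(key_props)
    return t
```

Run against the page's template, `audit_template(TEMPLATE)` reports only that `EnableKeyRotation` is not `true`; `variant(TEMPLATE, EnableKeyRotation="true")` passes cleanly, and dropping the account-root statement or adding a `Principal: "*"` statement produces the corresponding finding. The resolver only understands the two intrinsics the page uses, so a template with other functions (`Fn::GetAtt`, `Fn::Join`) would need those added before the principal checks are meaningful.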

For more details see:

Master Key Permissions