Amazon KMS Operations
Internal
CLI
CloudFormation
AWS::KMS::Key
It is usually a good idea to also create an AWS::KMS::Alias for the key, as shown below:
Parameters:
  SomeRoleArn:
    Type: String
    Default: arn:aws:iam::777777777777:role/playground-role
Resources:
  CustomerMasterKey:
    Type: AWS::KMS::Key
    Properties:
      Description: 'Microworld customer master key'
      Enabled: 'true'
      EnableKeyRotation: 'false'   # rotation is off in this example; enable it for long-lived production keys
      KeyUsage: ENCRYPT_DECRYPT
      PendingWindowInDays: 7       # shortest allowed deletion waiting period (the default is 30 days)
      KeyPolicy:
        Version: '2012-10-17'
        Id: main-key-policy
        Statement:
          -
            # Lets the account root (and therefore IAM policies in this account) administer the key
            Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action: 'kms:*'
            Resource: '*'
          -
            # Grants the role only the cryptographic operations it needs, no key administration
            Sid: Allow use of the key
            Effect: Allow
            Principal:
              AWS: !Sub ${SomeRoleArn}
            Action:
              - kms:DescribeKey
              - kms:Encrypt
              - kms:Decrypt
              - kms:ReEncrypt*
              - kms:GenerateDataKey
              - kms:GenerateDataKeyWithoutPlaintext
            Resource: '*'
      Tags:
        - Key: Name
          Value: infinity-master-key-3
  CustomerMasterKeyAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: alias/infinity-master-key-3
      TargetKeyId: !Ref CustomerMasterKey
Note that the role referred to as the "Principal" in the key policy must itself allow KMS operations in its IAM policy:
SomeRole:
  Type: AWS::IAM::Role
  Properties:
    ...
    Policies:
      - PolicyName: generic-in-line-policy
        PolicyDocument:
          Version: '2012-10-17'   # quoted so YAML parsers do not read it as a date
          Statement:
            - Resource: '*'
              Effect: Allow
              Action:
                ...
                - 'kms:*'   # broad; can be narrowed to the key ARN and the actions listed in the key policy
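As an added example (not from the original page), the following offline check reviews the key policy pattern above the way a template linter would: it flags disabled rotation, a deletion window below the default, keys without an alias, and any non-root principal granted administrative KMS actions. The template is a constructed Python dict mirroring the YAML (intrinsics kept as `Fn::Sub`/`Ref` maps), so it needs neither PyYAML nor AWS access; the `ADMIN_ACTIONS` list is an assumption chosen for illustration.

```python
# Constructed sample: JSON form of the CloudFormation template shown above.
TEMPLATE = {"Resources": {
    "CustomerMasterKey": {"Type": "AWS::KMS::Key", "Properties": {
        "EnableKeyRotation": "false", "PendingWindowInDays": 7,
        "KeyPolicy": {"Statement": [
            {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
             "Principal": {"AWS": {"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:root"}},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "Allow use of the key", "Effect": "Allow",
             "Principal": {"AWS": {"Fn::Sub": "${SomeRoleArn}"}},
             "Action": ["kms:DescribeKey", "kms:Encrypt", "kms:Decrypt",
                        "kms:ReEncrypt*", "kms:GenerateDataKey",
                        "kms:GenerateDataKeyWithoutPlaintext"],
             "Resource": "*"}]}}},
    "CustomerMasterKeyAlias": {"Type": "AWS::KMS::Alias", "Properties": {
        "AliasName": "alias/infinity-master-key-3",
        "TargetKeyId": {"Ref": "CustomerMasterKey"}}}}}
# Assumed set of key-administration actions that only the account root should hold.
ADMIN_ACTIONS = {"kms:*", "kms:PutKeyPolicy", "kms:ScheduleKeyDeletion", "kms:CreateGrant"}

def _is_account_root(principal):
    """True for the account-root principal, literal or wrapped in Fn::Sub."""
    arn = principal.get("AWS", "") if isinstance(principal, dict) else principal
    if isinstance(arn, dict):
        arn = arn.get("Fn::Sub", "")
    return isinstance(arn, str) and arn.endswith(":root")

def lint_kms(template):
    """Return a list of findings for every AWS::KMS::Key in the template."""
    findings, res = [], template["Resources"]
    aliased = set()
    for r in res.values():  # collect the logical key ids that an alias points at
        if r["Type"] == "AWS::KMS::Alias":
            target = r["Properties"]["TargetKeyId"]
            aliased.add(target.get("Ref") if isinstance(target, dict) else target)
    for name, r in res.items():
        if r["Type"] != "AWS::KMS::Key":
            continue
        props = r["Properties"]
        if str(props.get("EnableKeyRotation", "false")).lower() != "true":
            findings.append(f"{name}: automatic key rotation is disabled")
        if int(props.get("PendingWindowInDays", 30)) < 30:
            findings.append(f"{name}: deletion window shorter than the 30-day default")
        if name not in aliased:
            findings.append(f"{name}: no AWS::KMS::Alias targets this key")
        for st in props["KeyPolicy"]["Statement"]:
            acts = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
            if st["Effect"] == "Allow" and ADMIN_ACTIONS & set(acts) \
                    and not _is_account_root(st["Principal"]):
                findings.append(f"{name}/{st.get('Sid')}: non-root principal has admin actions")
    return findings
```

Run against the template above, `lint_kms(TEMPLATE)` reports only the disabled rotation and the 7-day deletion window; the alias and the scoped role statement pass.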
For more details see: