Amazon KMS Operations: Difference between revisions
==AWS::KMS::Key==
It is usually a good idea to also create an AWS::KMS::Alias, as shown below:
<syntaxhighlight lang='yaml'>
Parameters:
  SomeRoleArn:
    Type: String
    Default: arn:aws:iam::777777777777:role/playground-role
Resources:
  CustomerMasterKey:
    Type: AWS::KMS::Key
    Properties:
      Description: 'Microworld customer master key'
      Enabled: 'true'
      EnableKeyRotation: 'false'
      KeyUsage: ENCRYPT_DECRYPT
      PendingWindowInDays: 7
      KeyPolicy:
        Version: '2012-10-17'
        Id: main-key-policy
        Statement:
          -
            Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action: 'kms:*'
            Resource: '*'
          -
            Sid: Allow use of the key
            Effect: Allow
            Principal:
              AWS: !Sub ${SomeRoleArn}
            Action:
              - kms:DescribeKey
              - kms:Encrypt
              - kms:Decrypt
              - kms:ReEncrypt*
              - kms:GenerateDataKey
              - kms:GenerateDataKeyWithoutPlaintext
            Resource: '*'
      Tags:
        - Key: Name
          Value: infinity-master-key-3
  CustomerMasterKeyAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: alias/infinity-master-key-3
      TargetKeyId: !Ref CustomerMasterKey
</syntaxhighlight>
Note that the role referred to as "Principal" in the key policy must itself allow KMS operations in its IAM policy:
<syntaxhighlight lang='yaml'>
SomeRole:
  Type: AWS::IAM::Role
  Properties:
    ...
    Policies:
      - PolicyName: generic-in-line-policy
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Resource: '*'
              Effect: Allow
              Action:
                ...
                - 'kms:*'
</syntaxhighlight>
For more details see: {{Internal|Amazon_KMS_Concepts#Master_Key_Permissions|Master Key Permissions}}
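The two snippets above describe access from both sides: the key policy names who may use the key, and the role's own IAM policy must allow the KMS actions. The following is an added example (it is not the wiki's code and makes no AWS API calls): it restates the key policy and the role's inline policy as plain Python dicts, with the template's !Sub and !Ref references resolved to the sample account and role ARN, and runs a few offline least-privilege checks over them. The list of KMS actions used to expand wildcards, and the classification of some of them as "administration" actions, are constructed for this example and are not exhaustive.

```python
"""Offline least-privilege checks for the KMS key policy shown above.

Added example for this page, not the wiki's own code and not an AWS SDK call:
the policy documents are re-stated here as plain dicts with the template's
!Sub / !Ref references resolved to sample values, and everything runs offline.
"""
import fnmatch
import re

ACCOUNT_ID = "777777777777"  # account from the template's sample role ARN
ROLE_ARN = "arn:aws:iam::777777777777:role/playground-role"  # SomeRoleArn default
ROOT_ARN = "arn:aws:iam::777777777777:root"  # what ${AWS::AccountId}:root resolves to

# Key policy as the template renders it (constructed copy of the YAML above).
KEY_POLICY = {
    "Version": "2012-10-17",
    "Id": "main-key-policy",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": ROOT_ARN}, "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": ROLE_ARN},
         "Action": ["kms:DescribeKey", "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext"],
         "Resource": "*"},
    ],
}

# The role's inline policy from the second snippet (constructed; the '...' elisions dropped).
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Resource": "*", "Effect": "Allow", "Action": ["kms:*"]}],
}

# Subset of KMS API actions used to expand wildcards offline (constructed, not exhaustive).
KMS_ACTIONS = [
    "kms:CreateGrant", "kms:Decrypt", "kms:DescribeKey", "kms:DisableKey",
    "kms:Encrypt", "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext",
    "kms:PutKeyPolicy", "kms:ReEncryptFrom", "kms:ReEncryptTo", "kms:ScheduleKeyDeletion",
]

# Actions that change who controls the key or whether it keeps existing (our own grouping).
ADMIN_ACTIONS = {"kms:PutKeyPolicy", "kms:ScheduleKeyDeletion", "kms:DisableKey", "kms:CreateGrant"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Flatten a statement's Principal element into a list of strings ('*' or ARNs)."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    return [str(p) for p in _as_list(principal.get("AWS", []))]


def _matches(pattern, action):
    # IAM action patterns are case-insensitive and support '*' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def effective_actions(key_policy, principal_arn):
    """Expand the Allow statements naming principal_arn against KMS_ACTIONS."""
    allowed = set()
    for stmt in key_policy["Statement"]:
        if stmt.get("Effect") != "Allow" or principal_arn not in _principals(stmt):
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            allowed.update(a for a in KMS_ACTIONS if _matches(pattern, a))
    return sorted(allowed)


def lint_key_policy(key_policy, account_id):
    """Return (sid, finding) pairs; an empty list means nothing was flagged."""
    findings = []
    root_arn = f"arn:aws:iam::{account_id}:root"
    root_has_full_control = False
    for stmt in key_policy["Statement"]:
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        for principal in _principals(stmt):
            if principal == "*":
                findings.append((sid, "grants access to every AWS principal"))
                continue
            m = re.match(r"arn:aws:iam::(\d{12}):(.+)", principal)
            if not m:
                findings.append((sid, f"unparseable principal {principal}"))
                continue
            if m.group(1) != account_id:
                findings.append((sid, f"principal from foreign account {m.group(1)}"))
            if principal == root_arn and "kms:*" in actions:
                root_has_full_control = True  # the standard 'Enable IAM User Permissions' statement
                continue
            admin = sorted(a for a in ADMIN_ACTIONS if any(_matches(p, a) for p in actions))
            if admin:
                findings.append((sid, "grants key-administration actions to a non-root principal: "
                                 + ", ".join(admin)))
    if not root_has_full_control:
        findings.append(("<policy>", "no statement gives the account root kms:*; "
                                     "the key could become unmanageable"))
    return findings


def lint_iam_policy(iam_policy, key_policy, principal_arn):
    """Flag IAM Allow statements broader than what the key policy grants the same principal."""
    key_side = set(effective_actions(key_policy, principal_arn))
    findings = []
    for stmt in iam_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        patterns = _as_list(stmt.get("Action", []))
        iam_side = {a for a in KMS_ACTIONS if any(_matches(p, a) for p in patterns)}
        extra = sorted(iam_side - key_side)
        if extra:
            findings.append("IAM policy names KMS actions the key policy does not grant "
                            "this principal: " + ", ".join(extra))
    return findings


if __name__ == "__main__":
    print(effective_actions(KEY_POLICY, ROLE_ARN))
    for sid, finding in lint_key_policy(KEY_POLICY, ACCOUNT_ID):
        print(f"[key policy] {sid}: {finding}")
    for finding in lint_iam_policy(ROLE_POLICY, KEY_POLICY, ROLE_ARN):
        print(f"[iam policy] {finding}")
```

Run as-is, the key policy from the template produces no findings, while the role's inline `kms:*` is reported as wider than the seven actions the key policy's usage statement actually grants. That gap is the point worth checking in a review: the key policy's usage allowlist does not narrow an identity policy, so a role whose IAM policy says `kms:*` on `*` is not limited to encrypt/decrypt by the key policy alone. Explicit `Deny` statements and condition keys are not modelled here.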
Latest revision as of 02:21, 27 April 2019