Amazon KMS Operations: Difference between revisions
Jump to navigation
Jump to search
(One intermediate revision by the same user not shown) | |||
Line 17: | Line 17: | ||
<syntaxhighlight lang='yaml'> | <syntaxhighlight lang='yaml'> | ||
Parameters: | Parameters: | ||
SomeRoleArn: | |||
Type: String | Type: String | ||
Default: arn:aws:iam::777777777777:role/playground | Default: arn:aws:iam::777777777777:role/playground-role | ||
Resources: | Resources: | ||
Line 46: | Line 46: | ||
Effect: Allow | Effect: Allow | ||
Principal: | Principal: | ||
AWS: !Sub ${ | AWS: !Sub ${SomeRoleArn} | ||
Action: | Action: | ||
- kms:DescribeKey | - kms:DescribeKey | ||
Line 65: | Line 65: | ||
TargetKeyId: !Ref CustomerMasterKey | TargetKeyId: !Ref CustomerMasterKey | ||
</syntaxhighlight> | </syntaxhighlight> | ||
Note that the role referred as "Principal" in the key policy must allow for KMS operations: | |||
<syntaxhighlight lang='yaml'> | |||
SomeRole: | |||
Type: AWS::IAM::Role | |||
Properties: | |||
... | |||
Policies: | |||
- PolicyName: generic-in-line-policy | |||
PolicyDocument: | |||
Version: 2012-10-17 | |||
Statement: | |||
- Resource: '*' | |||
Effect: Allow | |||
Action: | |||
... | |||
- 'kms:*' | |||
</syntaxhighlight> | |||
For more details see: {{Internal|Amazon_KMS_Concepts#Master_Key_Permissions|Master Key Permissions}} |
Latest revision as of 02:21, 27 April 2019
Internal
CLI
CloudFormation
AWS::KMS::Key
It is usually a good idea to also create an AWS::KMS::Alias, as shown below:
Parameters:
SomeRoleArn:
Type: String
Default: arn:aws:iam::777777777777:role/playground-role
Resources:
CustomerMasterKey:
Type: AWS::KMS::Key
Properties:
Description: 'Microworld customer master key'
Enabled: 'true'
EnableKeyRotation: 'false'
KeyUsage: ENCRYPT_DECRYPT
PendingWindowInDays: 7
KeyPolicy:
Version: '2012-10-17'
Id: main-key-policy
Statement:
-
Sid: Enable IAM User Permissions
Effect: Allow
Principal:
AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
Action: 'kms:*'
Resource: '*'
-
Sid: Allow use of the key
Effect: Allow
Principal:
AWS: !Sub ${SomeRoleArn}
Action:
- kms:DescribeKey
- kms:Encrypt
- kms:Decrypt
- kms:ReEncrypt*
- kms:GenerateDataKey
- kms:GenerateDataKeyWithoutPlaintext
Resource: '*'
Tags:
- Key: Name
Value: infinity-master-key-3
CustomerMasterKeyAlias:
Type: AWS::KMS::Alias
Properties:
AliasName: alias/infinity-master-key-3
TargetKeyId: !Ref CustomerMasterKey
Note that the role referred as "Principal" in the key policy must allow for KMS operations:
SomeRole:
Type: AWS::IAM::Role
Properties:
...
Policies:
- PolicyName: generic-in-line-policy
PolicyDocument:
Version: 2012-10-17
Statement:
- Resource: '*'
Effect: Allow
Action:
...
- 'kms:*'
For more details see: