Amazon KMS Operations: Difference between revisions

From NovaOrdis Knowledge Base
Revision as of 01:03, 27 April 2019

=Internal=

=CLI=

* Amazon KMS CLI

=CloudFormation=

* KMS Resource Type Reference

==AWS::KMS::Key==

It is usually a good idea to also create an AWS::KMS::Alias pointing at the key, as shown below. Callers then reference the key by alias name (here alias/infinity-master-key-3) rather than by key ID, so the key can later be replaced by re-pointing the alias without changing any consumer. Note how the key policy is split into two statements: the first grants the account root kms:* on the key, which is what lets IAM policies in the account grant access to it and keeps the key from becoming unmanageable; the second grants the task execution role only the data-plane actions it needs (describe, encrypt, decrypt, re-encrypt, generate data keys) and none of the key-administration actions such as kms:PutKeyPolicy or kms:ScheduleKeyDeletion. EnableKeyRotation is 'false' in this template, so KMS will not rotate the key material automatically; set it to 'true' to have KMS rotate the backing key yearly.

<syntaxhighlight lang='yaml'>
Parameters:
  # ARN of the role that is allowed to use (not administer) the key.
  MicroworldTaskExecutionRoleArn:
    Type: String
    Default: arn:aws:iam::777777777777:role/playground-task-execution-role

Resources:

  CustomerMasterKey:
    Type: AWS::KMS::Key
    Properties:
      Description: 'Microworld customer master key'
      Enabled: 'true'
      # 'false' disables automatic yearly rotation of the key material by KMS.
      EnableKeyRotation: 'false'
      # Symmetric key for Encrypt/Decrypt and data-key generation.
      KeyUsage: ENCRYPT_DECRYPT
      # Waiting period before a scheduled deletion takes effect (7 is the minimum).
      PendingWindowInDays: 7
      KeyPolicy:
        Version: '2012-10-17'
        Id: main-key-policy
        Statement:
          # Full control for the account root, so IAM policies in this account
          # can grant access to the key and the key cannot become unmanageable.
          -
            Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action: 'kms:*'
            Resource: '*'
          # Data-plane actions only for the task execution role; no
          # key-administration actions (PutKeyPolicy, ScheduleKeyDeletion, ...).
          -
            Sid: Allow use of the key
            Effect: Allow
            Principal:
              AWS: !Sub ${MicroworldTaskExecutionRoleArn}
            Action:
              - kms:DescribeKey
              - kms:Encrypt
              - kms:Decrypt
              - kms:ReEncrypt*
              - kms:GenerateDataKey
              - kms:GenerateDataKeyWithoutPlaintext
            Resource: '*'
      Tags:
        - Key: Name
          Value: infinity-master-key-3

  # Alias that callers use instead of the key ID; re-pointing it swaps the
  # key without changing consumers.
  CustomerMasterKeyAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: alias/infinity-master-key-3
      TargetKeyId: !Ref CustomerMasterKey
</syntaxhighlight>
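The following Python script is an added example, not part of the wiki page and not AWS tooling. It encodes the key policy from the template above as a constructed dictionary (the !Sub references resolved against the placeholder account 777777777777) and applies the checks a reviewer would run before deploying a key policy: an account-root statement granting kms:* must exist, no principal may be a wildcard or belong to another account, and a non-root principal such as the task execution role must receive only data-plane actions. The ADMIN_ACTIONS set and all function names are this example's own choices, not names from the page.

```python
"""Static checks on a KMS key policy, run offline against a constructed copy
of the template's KeyPolicy. Added example; not code from the wiki page."""
import fnmatch

# Constructed sample: the template's KeyPolicy with !Sub resolved for one account.
ACCOUNT_ID = "777777777777"
TASK_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/playground-task-execution-role"

KEY_POLICY = {
    "Version": "2012-10-17",
    "Id": "main-key-policy",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
            "Action": "kms:*",
            "Resource": "*",
        },
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {"AWS": TASK_ROLE_ARN},
            "Action": [
                "kms:DescribeKey", "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext",
            ],
            "Resource": "*",
        },
    ],
}

# Actions that let a principal change who controls the key or destroy it.
# Usage-only principals (application roles) should never receive them.
# This list is the example's own selection, not an AWS-defined group.
ADMIN_ACTIONS = {
    "kms:PutKeyPolicy", "kms:ScheduleKeyDeletion", "kms:DisableKey",
    "kms:CreateGrant", "kms:RevokeGrant", "kms:EnableKeyRotation",
    "kms:DisableKeyRotation", "kms:UpdateAlias", "kms:DeleteAlias",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """AWS principals of a statement; a bare '*' principal is returned as ['*']."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS", []))


def _grants(actions, wanted):
    """True if any action pattern (e.g. 'kms:*', 'kms:ReEncrypt*') matches wanted."""
    return any(fnmatch.fnmatchcase(wanted, pattern) for pattern in _as_list(actions))


def lint_key_policy(policy, account_id):
    """Return a list of findings; an empty list means the policy passed every check."""
    findings = []
    allows = [s for s in policy["Statement"] if s.get("Effect") == "Allow"]
    root = f"arn:aws:iam::{account_id}:root"
    # 1. Without a root statement that can change the policy, IAM policies in the
    #    account cannot authorize anything on the key and it may become unmanageable.
    if not any(root in _principals(s) and _grants(s["Action"], "kms:PutKeyPolicy")
               for s in allows):
        findings.append("no account-root statement: key may become unmanageable")
    for stmt in allows:
        sid = stmt.get("Sid", "<no Sid>")
        for principal in _principals(stmt):
            # 2. A wildcard principal exposes the key to any AWS account.
            if principal == "*":
                findings.append(f"{sid}: wildcard principal")
                continue
            # 3. Principals from other accounts need an explicit review.
            if principal.startswith("arn:aws:iam::") and f":{account_id}:" not in principal:
                findings.append(f"{sid}: cross-account principal {principal}")
            # 4. Non-root principals must not receive key-administration actions.
            if principal != root and any(_grants(stmt["Action"], a) for a in ADMIN_ACTIONS):
                findings.append(f"{sid}: {principal} receives key-administration actions")
    return findings


def usage_actions(policy, principal_arn):
    """KMS actions allowed to principal_arn, as written (wildcards not expanded)."""
    actions = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow" and principal_arn in _principals(stmt):
            actions.update(_as_list(stmt["Action"]))
    return actions


if __name__ == "__main__":
    print(lint_key_policy(KEY_POLICY, ACCOUNT_ID) or "no findings")
    print(sorted(usage_actions(KEY_POLICY, TASK_ROLE_ARN)))
```

Run it against a policy that drops the root statement, or that gives the task role kms:*, and the linter reports the corresponding finding; the template above passes cleanly. The same checks can be pointed at the live policy returned by the KMS GetKeyPolicy API once the stack is deployed.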