Amazon KMS Operations: Difference between revisions

From NovaOrdis Knowledge Base
Line 17: Line 17:
<syntaxhighlight lang='yaml'>
<syntaxhighlight lang='yaml'>
Parameters:
Parameters:
   MicroworldTaskExecutionRoleArn:
   SomeRoleArn:
     Type: String
     Type: String
     Default: arn:aws:iam::777777777777:role/playground-task-execution-role
     Default: arn:aws:iam::777777777777:role/playground-role


Resources:
Resources:
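Review bot: the Default on the renamed SomeRoleArn parameter still pins the template to one account (arn:aws:iam::777777777777:role/playground-role). Either drop the Default so every stack has to pass the role ARN explicitly, or derive it with `!Sub arn:aws:iam::${AWS::AccountId}:role/playground-role` so the template deploys unchanged in any account; a stale default here ends up naming a role from another account as a key-policy principal.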
Line 46: Line 46:
             Effect: Allow
             Effect: Allow
             Principal:
             Principal:
               AWS: !Sub ${MicroworldTaskExecutionRoleArn}
               AWS: !Sub ${SomeRoleArn}
             Action:
             Action:
               - kms:DescribeKey
               - kms:DescribeKey
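Review bot: `AWS: !Sub ${SomeRoleArn}` substitutes a bare parameter and nothing else, so `!Ref SomeRoleArn` expresses the same thing without the template-string indirection; worth simplifying while the parameter is being renamed anyway.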
Line 64: Line 64:
       AliasName: alias/infinity-master-key-3
       AliasName: alias/infinity-master-key-3
       TargetKeyId: !Ref CustomerMasterKey
       TargetKeyId: !Ref CustomerMasterKey
</syntaxhighlight>
Note that the role referred as "Principal" in the key policy must allow for KMS operations:
<syntaxhighlight lang='yaml'>
  SomeRole:
    Type: AWS::IAM::Role
    Properties:
      ...
      Policies:
        - PolicyName: generic-in-line-policy
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Resource: '*'
                Effect: Allow
                Action:
                  ...
                  - 'kms:*'
</syntaxhighlight>
</syntaxhighlight>
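Review bot: the added note claims the role named in the key policy "must" also allow KMS operations, but the "Allow use of the key" statement above names the role as Principal, which on its own authorizes those six actions for a same-account role; an IAM policy is only required when access is delegated through the account-root statement or across accounts. The bigger problem is the inline policy itself: `'kms:*'` on `Resource: '*'` is every KMS action on every key in the account, far wider than what the key policy scopes, so list the same actions and point Resource at the key ARN instead. Separately, the hunk ends with two consecutive `</syntaxhighlight>` lines while only one `<syntaxhighlight>` is open above them; if both really are in the new revision the second renders as literal text.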

Revision as of 02:16, 27 April 2019

Internal

CLI

Amazon KMS CLI

CloudFormation

KMS Resource Type Reference

AWS::KMS::Key

It is usually a good idea to also create an AWS::KMS::Alias for the key: callers address the key by the stable alias name (alias/...) rather than by the generated key ID, so the key can later be replaced by re-pointing the alias without touching any consumer. A complete template that declares the key, the alias and a parameter for the role that will use the key:

Parameters:
  SomeRoleArn:
    Type: String
    # Placeholder account ID; pass the real role ARN when creating the stack
    Default: arn:aws:iam::777777777777:role/playground-role

Resources:

  CustomerMasterKey:
    Type: AWS::KMS::Key
    Properties:
      Description: 'Microworld customer master key'
      Enabled: true
      # Automatic yearly rotation is off in this example; turn it on unless the
      # key material must stay fixed (key ID and alias are unchanged by rotation)
      EnableKeyRotation: false
      KeyUsage: ENCRYPT_DECRYPT
      # Waiting period between ScheduleKeyDeletion and actual deletion; 7 is the minimum
      PendingWindowInDays: 7
      KeyPolicy:
        Version: '2012-10-17'
        Id: main-key-policy
        Statement:
          # Keep this statement: it lets IAM policies in the account govern the key
          # and, without it (or another administrative principal), the key becomes
          # unmanageable
          -
            Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action: 'kms:*'
            Resource: '*'
          # Direct grant of the usage actions to one role; a same-account role
          # named here can use the key without any KMS permissions in IAM
          -
            Sid: Allow use of the key
            Effect: Allow
            Principal:
              AWS: !Sub ${SomeRoleArn}
            Action:
              - kms:DescribeKey
              - kms:Encrypt
              - kms:Decrypt
              - kms:ReEncrypt*
              - kms:GenerateDataKey
              - kms:GenerateDataKeyWithoutPlaintext
            Resource: '*'
      Tags:
        - Key: Name
          Value: infinity-master-key-3

  CustomerMasterKeyAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: alias/infinity-master-key-3
      TargetKeyId: !Ref CustomerMasterKey

A note on the role named as "Principal" in the key policy: because the key policy grants the six actions to that role ARN directly, a same-account role can use the key with no KMS permissions in its own IAM policies at all (KMS evaluates the key policy first; IAM policies only come into play through the account-root statement, or for cross-account access). If you would rather manage access on the IAM side, the role needs an identity policy that allows the KMS actions, as in the fragment below. Note that this fragment grants every KMS action on every key in the account, which is much wider than the key policy above and should be narrowed outside a playground:

  SomeRole:
    Type: AWS::IAM::Role
    Properties:
      ...
      Policies:
        - PolicyName: generic-in-line-policy
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              # Resource '*' with kms:* is every KMS action on every key in the
              # account; narrow it to the actions the role needs and to the key
              # (e.g. !GetAtt CustomerMasterKey.Arn) for anything beyond a playground
              - Resource: '*'
                Effect: Allow
                Action:
                  ...
                  - 'kms:*'
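The following is an added example, not code from the original page or from any AWS tool: a stdlib-only Python lint that reads a CloudFormation template and reports the points made in this section. The key, alias and role above are embedded as a constructed sample in CloudFormation JSON (the YAML `!Sub`/`!Ref` short forms become `Fn::Sub`/`Ref`; the role's trust policy is an assumption, since the page elides everything but its `kms:*` grant). It flags a key with rotation disabled, a key no AWS::KMS::Alias points at, a key policy with no account-root `kms:*` statement, an unconditional `Principal: "*"` (which would open the key to every AWS account) and a role policy that grants `kms:*` on `Resource: '*'`; it goes slightly beyond the page by also resolving `Ref`-based and list-valued principals. A deliberately broken variant of the same template exercises the CRITICAL path. All function and finding names are the example's own.

```python
"""Offline lint for the KMS key policy and role policy in a CloudFormation template."""
import copy
import json

# Constructed sample: the page's key, alias and role as CloudFormation JSON; role trust policy assumed.
TEMPLATE_JSON = r'''{
 "Resources": {
  "CustomerMasterKey": {"Type": "AWS::KMS::Key", "Properties": {
   "Enabled": true, "EnableKeyRotation": false, "KeyUsage": "ENCRYPT_DECRYPT",
   "PendingWindowInDays": 7, "KeyPolicy": {"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": {"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:root"}},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "Allow use of the key", "Effect": "Allow",
     "Principal": {"AWS": {"Fn::Sub": "${SomeRoleArn}"}},
     "Action": ["kms:DescribeKey", "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext"],
     "Resource": "*"}]}}},
  "CustomerMasterKeyAlias": {"Type": "AWS::KMS::Alias", "Properties": {
   "AliasName": "alias/infinity-master-key-3",
   "TargetKeyId": {"Ref": "CustomerMasterKey"}}},
  "SomeRole": {"Type": "AWS::IAM::Role", "Properties": {
   "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"Service": "ecs-tasks.amazonaws.com"}, "Action": "sts:AssumeRole"}]},
   "Policies": [{"PolicyName": "generic-in-line-policy", "PolicyDocument": {
    "Version": "2012-10-17", "Statement": [
     {"Effect": "Allow", "Resource": "*", "Action": ["kms:*"]}]}}]}}}}
'''

def as_list(value):  # Action / Resource / Principal.AWS may be a scalar or a list
    return [] if value is None else value if isinstance(value, list) else [value]

def principal_strings(principal):
    """Flatten a Principal element, keeping !Sub / !Ref source text as the name."""
    if not isinstance(principal, dict):
        return [principal] if isinstance(principal, str) else []
    if "Fn::Sub" in principal:
        sub = principal["Fn::Sub"]
        return [sub if isinstance(sub, str) else sub[0]]
    if "Ref" in principal:
        return ["${" + principal["Ref"] + "}"]
    return [n for v in principal.values() for i in as_list(v) for n in principal_strings(i)]

def wildcard(actions):
    return any(a in ("*", "kms:*") for a in actions)

def check_key(logical_id, props, aliased):  # (severity, message) findings for one key
    findings, has_admin = [], False
    if props.get("EnableKeyRotation") is not True:
        findings.append(("WARN", "automatic key rotation is disabled"))
    if logical_id not in aliased:
        findings.append(("INFO", "no AWS::KMS::Alias targets this key"))
    for stmt in as_list(props.get("KeyPolicy", {}).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid, actions = stmt.get("Sid", "<no Sid>"), as_list(stmt.get("Action"))
        names = principal_strings(stmt.get("Principal"))
        if "*" in names and "Condition" not in stmt:  # usable from any AWS account
            findings.append(("CRITICAL", f"{sid}: grants {actions} to every AWS principal"))
        elif any(n.endswith(":root") for n in names) and wildcard(actions):
            has_admin = True  # the statement that delegates to the account's IAM policies
        elif wildcard(actions):
            findings.append(("WARN", f"{sid}: kms:* granted to {names}"))
    if not has_admin:
        findings.append(("WARN", "no account-root kms:* statement; key may become unmanageable"))
    return findings

def check_role(props):
    """Flag identity policies that hand out kms:* on every key in the account."""
    return [("WARN", f"{p.get('PolicyName')}: kms:* on Resource '*'; scope it to the key ARN")
            for p in props.get("Policies", [])
            for s in as_list(p.get("PolicyDocument", {}).get("Statement"))
            if s.get("Effect") == "Allow" and wildcard(as_list(s.get("Action")))
            and "*" in as_list(s.get("Resource"))]

def lint_template(template):  # logical id -> findings, for KMS keys and IAM roles
    resources, aliased, report = template.get("Resources", {}), set(), {}
    for res in resources.values():
        target = res.get("Properties", {}).get("TargetKeyId")
        if res.get("Type") == "AWS::KMS::Alias" and isinstance(target, dict):
            aliased.add(target.get("Ref"))
    for lid, res in resources.items():
        if res.get("Type") == "AWS::KMS::Key":
            report[lid] = check_key(lid, res.get("Properties", {}), aliased)
        elif res.get("Type") == "AWS::IAM::Role":
            report[lid] = check_role(res.get("Properties", {}))
    return report

def page_template():
    return json.loads(TEMPLATE_JSON)

def broken_template():
    """Constructed worst case: Principal "*" with kms:*, no root statement, no alias."""
    t = copy.deepcopy(page_template())
    t["Resources"]["CustomerMasterKey"]["Properties"]["KeyPolicy"]["Statement"] = [
        {"Sid": "Open", "Effect": "Allow", "Principal": "*", "Action": "kms:*", "Resource": "*"}]
    del t["Resources"]["CustomerMasterKeyAlias"]
    return t
```

Run with `lint_template(page_template())` to get one WARN for the key (rotation off) and one WARN for the role (`kms:*` on every key); `lint_template(broken_template())` adds the CRITICAL open-principal finding, the missing-alias INFO and the unmanageable-key WARN. To lint a real template, load it with `json.load` and pass the dict to `lint_template`; YAML templates need a loader that understands the `!Sub`/`!Ref` tags before the same checks apply.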