AWSTemplateFormatVersion: "2010-09-09"
Description: Creates the Customer Managed AWS KMS Key for the IAM Credential Report Blog Post

Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: KMS Key Attributes
        Parameters:
          - pIAMCredentialReportKeyAlias
          - pManagementAccountId
          - pLoggingAccountId
          - pTagKey1
          - pTagValue1

    ParameterLabels:
      pIAMCredentialReportKeyAlias:
        default: IAM Credential Report Delivery KMS Key Alias
      pManagementAccountId:
        default: Organization Management Account ID
      pLoggingAccountId:
        default: Log Archive Account ID
      pTagKey1:
        default: Tag Key
      pTagValue1:
        default: Tag Value

Parameters:
  pIAMCredentialReportKeyAlias:
    Type: String
    Description: IAM Credential Report Delivery KMS Key Alias
    Default: IAMCredsReportDeliveryKMSKey

  pManagementAccountId:
    Type: String
    Description: Organization management account ID

  pLoggingAccountId:
    Type: String
    Description: Organization log archive account ID

  pTagKey1:
    Type: String
    Description: Tag key
    Default: managed-by

  pTagValue1:
    Type: String
    Description: Tag key value
    Default: credential-cfn

Resources:
  rIAMCredentialReportKey:
    Type: AWS::KMS::Key
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: F76
            reason: The principal is restricted by the condition statement
    Properties:
      Description: "IAM Credential Report Delivery Key"
      EnableKeyRotation: True
      KeyPolicy:
        Version: "2012-10-17"
        Id: !Sub ${pIAMCredentialReportKeyAlias}
        Statement:
          - Sid: "Enable IAM User Permissions"
            Effect: "Allow"
            Principal:
              AWS:
                - !Sub "arn:aws:iam::${AWS::AccountId}:root"
            Action: "kms:*"
            Resource: "*"
          - Sid: "Allow alias creation during setup"
            Effect: "Allow"
            Principal:
              AWS: "*"
            Action: "kms:CreateAlias"
            Resource: "*"
            Condition:
              StringEquals:
                "kms:CallerAccount": !Sub ${AWS::AccountId}
                "kms:ViaService": "cloudformation.us-east-1.amazonaws.com"
          - Sid: "Allow log archive account access"
            Effect: "Allow"
            Principal:
              AWS:
                - !Sub "arn:aws:iam::${pLoggingAccountId}:root"
                - !Sub "arn:aws:iam::${pManagementAccountId}:root"
            Action:
              - "kms:DescribeKey"
              - "kms:Encrypt"
              - "kms:Decrypt"
              - "kms:ReEncrypt*"
              - "kms:GenerateDataKey"
              - "kms:GenerateDataKeyWithoutPlaintext"
            Resource: "*"
      Tags:
        - Key: !Ref pTagKey1
          Value: !Ref pTagValue1

  rIAMCredentialReportKeyAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: !Sub alias/${pIAMCredentialReportKeyAlias}
      TargetKeyId: !Ref rIAMCredentialReportKey

Outputs:
  oIAMCredentialReportKeyArn:
    Description: IAM Credential Report Delivery KMS Key ARN
    Value: !GetAtt rIAMCredentialReportKey.Arn