######################################################################## # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. # SPDX-License-Identifier: MIT-0 ######################################################################## AWSTemplateFormatVersion: 2010-09-09 Description: This template creates a KMS key for SRA secrets used to share CloudFormation outputs to the Management account. - 'common_prerequisites' solution in the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse2h) Metadata: SRA: Version: 1.1 Order: 6 AWS::CloudFormation::Interface: ParameterGroups: - Label: default: KMS Parameters Parameters: - pManagementAccountId - pOrganizationId - pSRASecretsKeyAlias - pSRASecretsPrefix ParameterLabels: pManagementAccountId: default: Management Account ID pOrganizationId: default: Organization ID pSRASecretsKeyAlias: default: SRA Secrets KMS Key Alias pSRASecretsPrefix: default: SRA Secrets Prefix Parameters: pManagementAccountId: AllowedPattern: '^\d{12}$' ConstraintDescription: Must be 12 digits Description: Organization Management Account ID Type: String pOrganizationId: AllowedPattern: '^o-[a-z0-9]{10,32}$' ConstraintDescription: Must start with 'o-' followed by from 10 to 32 lowercase letters or digits. (e.g. o-abc1234567) Description: AWS Organizations ID Type: String pSRASecretsKeyAlias: AllowedValues: [sra-secrets-key] Default: sra-secrets-key Description: The SRA secrets KMS key alias. Type: String pSRASecretsPrefix: AllowedValues: [sra] Default: sra Description: Prefix used for SRA secrets Type: String Resources: rSRASecretsKey: Type: AWS::KMS::Key Metadata: cfn_nag: rules_to_suppress: - id: F76 reason: Principal access is restricted by the condition statement. checkov: skip: - id: CKV_AWS_33 comment: Principal access is restricted by the condition statement. Properties: Description: SRA Secrets Key EnableKeyRotation: True KeyPolicy: Version: 2012-10-17 Id: !Sub ${pSRASecretsKeyAlias} Statement: - Sid: Enable IAM User Permissions Effect: Allow Action: 'kms:*' Resource: '*' Principal: AWS: - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:root - Sid: Allow access through AWS Secrets Manager for all principals in the account that are authorized to use AWS Secrets Manager Effect: Allow Action: - kms:Decrypt - kms:Encrypt - kms:GenerateDataKey* - kms:ReEncrypt* - kms:CreateGrant - kms:DescribeKey Condition: StringEquals: kms:ViaService: !Sub secretsmanager.${AWS::Region}.amazonaws.com aws:PrincipalOrgId: !Ref pOrganizationId StringLike: kms:EncryptionContext:SecretARN: !Sub arn:aws:secretsmanager:${AWS::Region}:*:secret:${pSRASecretsPrefix}/* aws:PrincipalArn: - !Sub arn:${AWS::Partition}:iam::*:role/AWSControlTowerExecution Resource: '*' Principal: AWS: '*' - Sid: Allow direct access to key metadata Effect: Allow Action: - kms:Decrypt - kms:Describe* - kms:Get* - kms:List* Resource: '*' Principal: AWS: - !Sub arn:${AWS::Partition}:iam::${pManagementAccountId}:root - Sid: Allow alias creation during setup Effect: Allow Action: kms:CreateAlias Condition: StringEquals: kms:CallerAccount: !Sub ${AWS::AccountId} kms:ViaService: !Sub cloudformation.${AWS::Region}.amazonaws.com Resource: '*' Principal: AWS: - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:root rSRASecretsKeyAlias: Type: AWS::KMS::Alias Properties: AliasName: !Sub alias/${pSRASecretsKeyAlias} TargetKeyId: !Ref rSRASecretsKey Outputs: oSRASecretsKeyArn: Description: SRA Secrets KMS Key ARN Value: !GetAtt rSRASecretsKey.Arn