######################################################################## # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. # SPDX-License-Identifier: MIT-0 ######################################################################## AWSTemplateFormatVersion: 2010-09-09 Description: Creates the Macie KMS Key This template creates a KMS key to encrypt Macie findings sent to S3. - 'macie_org' solution in the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse5m) Metadata: SRA: Version: 1.1 Order: 4 AWS::CloudFormation::Interface: ParameterGroups: - Label: default: General Properties Parameters: - pSRASolutionName - pSRASecretsKeyAliasArn - Label: default: KMS Key Attributes Parameters: - pLogArchiveAccountId - pMacieOrgDeliveryKeyAlias - pManagementAccountId ParameterLabels: pLogArchiveAccountId: default: Log Archive Account ID pMacieOrgDeliveryKeyAlias: default: Macie Delivery KMS Key Alias pManagementAccountId: default: Organization Management Account ID pSRASecretsKeyAliasArn: default: (Optional) SRA Secrets Manager KMS Key Alias ARN pSRASolutionName: default: SRA Solution Name Parameters: pLogArchiveAccountId: AllowedPattern: ^([\w.-]{1,900})$|^(\/[\w.-]{1,900})*[\w.-]{1,900}$ ConstraintDescription: Must be alphanumeric or special characters [., _, -]. In addition, the slash character ( / ) used to delineate hierarchies in parameter names. Description: AWS Account ID of the Control Tower Log Archive account. Type: String pMacieOrgDeliveryKeyAlias: AllowedPattern: '^[a-zA-Z0-9/_-]+$' ConstraintDescription: The alias must be string of 1-256 characters. It can contain only alphanumeric characters, forward slashes (/), underscores (_), and dashes (-). Default: sra-macie-org-delivery-key Description: Macie Delivery KMS Key Alias Type: String pManagementAccountId: AllowedPattern: '^\d{12}$' ConstraintDescription: Must be 12 digits Description: Management Account ID Type: String pSRASecretsKeyAliasArn: AllowedPattern: '^$|^arn:(aws[a-zA-Z-]*)?:kms:[a-z0-9-]+:\d{12}:alias\/[a-zA-Z0-9/_-]+$' ConstraintDescription: 'Key Alias ARN example: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias' Description: (Optional) SRA Secrets Manager KMS Key Alias ARN Type: String pSRASolutionName: AllowedValues: [sra-macie-org] Default: sra-macie-org Description: The SRA solution name. The default value is the folder name of the solution Type: String Conditions: cCreateSecret: !Not [!Equals [!Ref pSRASecretsKeyAliasArn, '']] Resources: rMacieOrgDeliveryKey: Type: AWS::KMS::Key Metadata: cfn_nag: rules_to_suppress: - id: F76 reason: Condition restricts the principal to CloudFormation in the account Properties: Description: Macie Delivery Key EnableKeyRotation: True KeyPolicy: Id: !Sub ${pMacieOrgDeliveryKeyAlias} Version: 2012-10-17 Statement: - Sid: Enable IAM User Permissions Effect: Allow Action: 'kms:*' Resource: '*' Principal: AWS: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:root - Sid: Allow Macie to encrypt logs Effect: Allow Action: kms:GenerateDataKey Resource: '*' Principal: Service: macie.amazonaws.com - Sid: Allow alias creation during setup Effect: Allow Action: kms:CreateAlias Condition: StringEquals: kms:CallerAccount: !Sub ${AWS::AccountId} kms:ViaService: !Sub cloudformation.${AWS::Region}.amazonaws.com Resource: '*' Principal: AWS: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:root - Sid: Allow Log Archive and Management account access Effect: Allow Action: kms:Decrypt Resource: '*' Principal: AWS: - !Sub arn:${AWS::Partition}:iam::${pLogArchiveAccountId}:root - !Sub arn:${AWS::Partition}:iam::${pManagementAccountId}:root - Sid: Allow account access Effect: Allow Action: - kms:DescribeKey - kms:Decrypt Resource: '*' Principal: AWS: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:root Tags: - Key: sra-solution Value: !Ref pSRASolutionName rMacieOrgDeliveryKeyAlias: Type: AWS::KMS::Alias Properties: AliasName: !Sub alias/${pMacieOrgDeliveryKeyAlias} TargetKeyId: !Ref rMacieOrgDeliveryKey rMacieOrgDeliveryKeySecret: Type: AWS::SecretsManager::Secret Condition: cCreateSecret Metadata: checkov: skip: - id: CKV_AWS_149 comment: A cross-account KMS Key is used Properties: Name: sra/macie_org_delivery_key_arn Description: Macie Delivery KMS Key ARN SecretString: !Sub '{"MacieOrgDeliveryKeyArn":"${rMacieOrgDeliveryKey.Arn}"}' KmsKeyId: !Ref pSRASecretsKeyAliasArn Tags: - Key: sra-solution Value: !Ref pSRASolutionName rMacieOrgDeliveryKeySecretPolicy: Type: AWS::SecretsManager::ResourcePolicy Condition: cCreateSecret Properties: BlockPublicPolicy: True SecretId: !Ref rMacieOrgDeliveryKeySecret ResourcePolicy: Version: 2012-10-17 Statement: - Action: secretsmanager:GetSecretValue # checkov:skip=CKV_SECRET_6 Effect: Allow Principal: AWS: - !Sub arn:${AWS::Partition}:iam::${pManagementAccountId}:root Resource: '*' Condition: ForAnyValue:StringEquals: secretsmanager:VersionStage: AWSCURRENT Outputs: oMacieDeliveryKeyArn: Description: Macie Delivery KMS Key ARN Value: !GetAtt rMacieOrgDeliveryKey.Arn