AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: AWS Lambda Layer for tokenization of sensitive data (uksb-1s7fb4gd2)

Resources:
  CMKey:
    Type: AWS::KMS::Key
    Properties: 
      Description: 'Customer managed key to be used for dynamo items encryption'
      Enabled: Yes
      EnableKeyRotation: Yes
      KeyPolicy:
        Version: 2012-10-17
        Id: key-default-1
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Join 
                - ''
                - - 'arn:aws:iam::'
                  - !Ref 'AWS::AccountId'
                  - ':root'
            Action: 'kms:*'
            Resource: '*'
  KeyAlias:
    Type: 'AWS::KMS::Alias'
    Properties:
      AliasName: !Sub 'alias/${AWS::StackName}'
      TargetKeyId: !Ref CMKey
Outputs:
  KMSKeyID:
    Description: ARN for CMS Key created
    Value: !GetAtt CMKey.Arn