AWSTemplateFormatVersion: '2010-09-09' Description: 'A KMS customer managed CMK' Metadata: 'AWS::CloudFormation::Interface': ParameterGroups: - Label: default: 'KMS Parameters' Parameters: - Service Parameters: Service: Description: 'Which AWS service is allowed to use this CMK?' Type: String AllowedValues: - 'ALL_SERVICES' - 'S3_PUBLIC_ACCESS' - connect - dms - ssm - ec2 - elasticfilesystem - es - kinesis - kinesisvideo - lambda - lex - redshift - rds - secretsmanager - ses - sagemaker - s3 - importexport - sqs - workmail - workspaces Default: ALL_SERVICES AdminRole: Type: String Default: IibsAdminAccess-DO-NOT-DELETE Conditions: HasServiceAllServices: !Equals [!Ref Service, 'ALL_SERVICES'] HasServiceS3PublicAccess: !Equals [!Ref Service, 'S3_PUBLIC_ACCESS'] Resources: Key: DeletionPolicy: Retain Type: 'AWS::KMS::Key' Properties: KeyPolicy: Version: '2012-10-17' Statement: - Effect: Allow Principal: AWS: - !ImportValue 'Developer-ARN' - !Ref 'AdminRole' Action: 'kms:*' Resource: '*' - Effect: Allow Principal: AWS: '*' Action: - 'kms:Encrypt' - 'kms:Decrypt' - 'kms:ReEncrypt*' - 'kms:GenerateDataKey*' - 'kms:CreateGrant' - 'kms:ListGrants' - 'kms:DescribeKey' Resource: '*' Condition: StringEquals: !If - HasServiceAllServices - 'kms:CallerAccount': !Ref 'AWS::AccountId' - 'kms:CallerAccount': !Ref 'AWS::AccountId' 'kms:ViaService': !Sub '${Service}.${AWS::Region}.amazonaws.com' - !If - HasServiceS3PublicAccess - Effect: Allow Principal: AWS: '*' Action: - 'kms:Decrypt' Resource: '*' Condition: StringEquals: 'kms:ViaService': !Sub 's3.${AWS::Region}.amazonaws.com' - !Ref 'AWS::NoValue' KeyAlias: DeletionPolicy: Retain Type: 'AWS::KMS::Alias' Properties: AliasName: !Sub 'alias/${AWS::StackName}' TargetKeyId: !Ref Key Outputs: KeyId: Description: 'Key id.' Value: !Ref Key Export: Name: !Sub 'CMK-KeyId' KeyArn: Description: 'Key ARN.' Value: !GetAtt 'Key.Arn' Export: Name: !Sub 'CMK-KeyArn'