# Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved. # Permission is hereby granted, free of charge, to any person obtaining a copy of this # software and associated documentation files (the "Software"), to deal in the Software # without restriction, including without limitation the rights to use, copy, modify, # merge, publish, distribute, sublicense, and/or sell copies of the Software, and to # permit persons to whom the Software is furnished to do so. # # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, # INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A # PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT # HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION # OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE # SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. AWSTemplateFormatVersion: '2010-09-09' Description: > This Template deloys a KMS customer managed CMK for AWS services. We also configure the KMS Key Policy and grant permissions use the key to our deployment roles. Parameters: Service: Type: String Description: 'Which AWS service is allowed to use this CMK?' Default: ALL_SERVICES KeyName: Type: String Description: 'Name of the KMS Key' UserARN: Type: CommaDelimitedList Description: 'ARN of User Role for this particular Key access. Provide comma delimited values for multiple roles.' Resources: KMSKey: Type: 'AWS::KMS::Key' Metadata: cfn_nag: rules_to_suppress: - id: F19 reason: "Supressing requirement for logging warning for testing purposes" Properties: KeyPolicy: Version: '2012-10-17' Statement: - Sid: Allow cloudtrail use of the key Effect: Allow Principal: Service: "cloudtrail.amazonaws.com" Action: - "kms:Encrypt" - "kms:Decrypt" - "kms:GenerateDataKey*" - "kms:DescribeKey" Resource: '*' - Sid: Allow NLB use of the key Effect: Allow Principal: Service: "delivery.logs.amazonaws.com" Action: - "kms:EnableKeyRotation" - "kms:EnableKey" - "kms:Decrypt" - "kms:ListKeyPolicies" - "kms:PutKeyPolicy" - "kms:GetKeyPolicy" - "kms:DisableKey" - "kms:GenerateDataKeyPair" - "kms:DisableKeyRotation" - "kms:RetireGrant" - "kms:UpdateAlias" - "kms:ListKeys" - "kms:Encrypt" - "kms:GetKeyRotationStatus" - "kms:ScheduleKeyDeletion" - "kms:ListAliases" - "kms:RevokeGrant" - "kms:GenerateDataKey" - "kms:CreateAlias" - "kms:DescribeKey" - "kms:CreateKey" - "kms:DeleteAlias" - "kms:CreateGrant" Resource: '*' - Sid: Allow Management Roles use of the key Effect: Allow Principal: AWS: !Ref UserARN Action: - "kms:*" Resource: '*' KMSKeyAlias: Type: AWS::KMS::Alias Properties: AliasName: !Sub 'alias/${KeyName}' TargetKeyId: Ref: KMSKey Outputs: KMSKeyARN: Description: KMS Key ARN Value: !GetAtt KMSKey.Arn Export: Name: Fn::Sub: "${AWS::StackName}-KMS-ARN" KeyId: Description: 'Key id.' Value: !Ref KMSKey Export: Name: !Sub '${AWS::StackName}-KeyId'