AWSTemplateFormatVersion: 2010-09-09 Description: KMS and S3 for the secondary/backup region Metadata: {} Parameters: pReplicaDestRegionKmsStackName: Type: String Default: replication-region-kms pFrameworkPrefix: Type: String #AWS::SSM::Parameter::Value #Default: '/account/framework-prefix' Description: Framework prefix from SSM pOrganizationName: Type: String #::SSM::Parameter::Value #Default: '/account/organization-name' Description: Organization name from SSM pEnvironment: Type: String #AWS::SSM::Parameter::Value #Default: '/account/environment' Description: Environment from SSM pLogsRetentionInDays: Type: String pReplicaDestRegion: Type: String ########################################################## # Resources ########################################################## Resources: ############################# # Key Alias rReplicaRegionKMSAlias: Type: 'AWS::KMS::Alias' DeletionPolicy: Retain UpdateReplacePolicy: Retain Properties: AliasName: !Sub alias/${pEnvironment}/${AWS::Region}/${pOrganizationName}-kms-key1 TargetKeyId: !Ref rReplicaRegionKMSKey ######## KMS ######### rReplicaRegionKMSKey: Type: AWS::KMS::Key Metadata: cfn_nag: rules_to_suppress: - id: F76 reason: Full access is allowed to Key admin and some AWS services DeletionPolicy: Retain UpdateReplacePolicy: Retain Properties: Description: Foundations KMS Key EnableKeyRotation: True KeyPolicy: Version: 2012-10-17 Id: "key-default-policy" Statement: - Sid: Allow administration of the key Effect: Allow Principal: AWS: [!Sub "arn:aws:iam::${AWS::AccountId}:root"] Action: kms:* Resource: "*" - Sid: Allow CloudTrail/CloudWatch alarms access Effect: Allow Principal: Service: - cloudtrail.amazonaws.com - cloudwatch.amazonaws.com Action: - kms:Decrypt - kms:GenerateDataKey* Resource: "*" - Sid: Allow logs access Effect: Allow Principal: Service: !Sub logs.${AWS::Region}.amazonaws.com Action: - kms:CreateGrant - kms:Decrypt - kms:DescribeKey - kms:Encrypt - kms:GenerateDataKey* - kms:ReEncrypt* Resource: "*" - Sid: Allow SNS access Effect: Allow Principal: AWS: "*" Action: - kms:Decrypt - kms:GenerateDataKey* Resource: "*" Condition: StringEquals: kms:CallerAccount: !Ref AWS::AccountId kms:ViaService: !Sub sns.${AWS::Region}.amazonaws.com - Sid: Allow S3 Events access Effect: Allow Principal: Service: s3.amazonaws.com Action: - kms:Decrypt - kms:GenerateDataKey Resource: "*" - Sid: Allow DynamoDB access Effect: Allow Principal: AWS: "*" Action: - kms:CreateGrant - kms:Decrypt - kms:DescribeKey - kms:Encrypt - kms:GenerateDataKey* - kms:ReEncrypt* Resource: "*" Condition: StringEquals: kms:CallerAccount: !Ref AWS::AccountId kms:ViaService: !Sub dynamodb.${AWS::Region}.amazonaws.com - Sid: Allow ElasticSearch access Effect: Allow Principal: AWS: "*" Action: - kms:CreateGrant - kms:Decrypt - kms:DescribeKey - kms:Encrypt - kms:GenerateDataKey* - kms:ReEncrypt* Resource: "*" Condition: StringEquals: kms:CallerAccount: !Ref AWS::AccountId kms:ViaService: !Sub es.${AWS::Region}.amazonaws.com Bool: kms:GrantIsForAWSResource: true - Sid: Allow CloudWatch Events access Effect: Allow Principal: Service: events.amazonaws.com Action: - kms:Decrypt - kms:GenerateDataKey Resource: "*" ######## SSM ######### rKMSKeySsm: Type: AWS::SSM::Parameter Properties: Name: !Sub '/${pFrameworkPrefix}/foundation/kms/key-arn' Type: String Value: !GetAtt rReplicaRegionKMSKey.Arn Description: Arn of the KMS key rKMSKeyIdSsm: Type: AWS::SSM::Parameter Properties: Name: !Sub '/${pFrameworkPrefix}/foundation/kms/key-id' Type: String Value: !GetAtt rReplicaRegionKMSKey.KeyId Description: Arn of the KMS key ########################################################## # Outputs ########################################################## Outputs: oReplicaRegionKMSKeyArn: Value: !GetAtt - rReplicaRegionKMSKey - Arn Export: Name: !Sub "${AWS::StackName}-KeyArn" oReplicaRegionKMSKeyId: Value: !GetAtt - rReplicaRegionKMSKey - KeyId Export: Name: !Sub "${AWS::StackName}-KeyId"