AWSTemplateFormatVersion: '2010-09-09' Description: Create CMK for artifacts encryption in codepipeline Parameters: CodeCommitAccount: Description: AWS AccountNumber for codecommit repository Type: Number TestAccount1: Description: AWS AccountNumber for test account 1 Type: Number TestAccount2: Description: AWS AccountNumber for test account 2 Type: Number TestAccount3: Description: AWS AccountNumber for test account 3 Type: Number ToolsAccount: Description: AWS AccountNumber for tools account Type: Number Environment: Description: Name of the Project Type: String Default: sample-ecs CodeBuildCondition: Description: Conditionally adds the access required by code build project role Type: String Default: false Conditions: AddCodeBuildResource: !Equals [ !Ref CodeBuildCondition, true ] Resources: KMSKey: Type: AWS::KMS::Key Properties: Description: Used by Assumed Roles in Test accounts to Encrypt/Decrypt code EnableKeyRotation: true #MultiRegion: true KeyPolicy: Version: "2012-10-17" Id: !Ref AWS::StackName Statement: - Sid: Allows admin of the key Effect: Allow Principal: AWS: !Sub arn:aws:iam::${AWS::AccountId}:root Action: - "kms:Create*" - "kms:Describe*" - "kms:Enable*" - "kms:List*" - "kms:Put*" - "kms:Update*" - "kms:Revoke*" - "kms:Disable*" - "kms:Get*" - "kms:Delete*" - "kms:ScheduleKeyDeletion" - "kms:CancelKeyDeletion" Resource: "*" - Sid: Allow use of the key for CryptoGraphy Lambda Effect: Allow Principal: AWS: - !Sub arn:aws:iam::${TestAccount1}:root - !Sub arn:aws:iam::${TestAccount2}:root - !Sub arn:aws:iam::${TestAccount3}:root - !Sub arn:aws:iam::${CodeCommitAccount}:root - !If - AddCodeBuildResource - !Sub arn:aws:iam::${ToolsAccount}:role/${Environment}-CodeBuildRole - !Ref AWS::NoValue - !If - AddCodeBuildResource - !Sub arn:aws:iam::${ToolsAccount}:role/${Environment}-codepipeline-role - !Ref AWS::NoValue Action: - kms:Encrypt - kms:Decrypt - kms:ReEncrypt* - kms:GenerateDataKey* - kms:DescribeKey Resource: "*" KMSAlias: Type: AWS::KMS::Alias Properties: AliasName: !Sub alias/ecs-codepipeline-crossaccounts TargetKeyId: !Ref KMSKey Outputs: CMK: Value: !GetAtt [KMSKey,Arn]