AWSTemplateFormatVersion: "2010-09-09"
Description: Development dependencies for AWS::Logs::LogGroup
Resources:
  Cmk:
    Type: AWS::KMS::Key
    Properties:
      Description: KMS CMK for use with the AWS::Logs::LogGroup resource provider
      KeyUsage: ENCRYPT_DECRYPT
      KeyPolicy:
        Version: "2012-10-17"
        Id: cmk-policy
        Statement:
          # Default key policy statement: delegates access control for this key
          # to IAM policies in the owning account.
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:root"
            Action: kms:*
            Resource: "*"
          # Lets the regional CloudWatch Logs service principal use the key.
          # There is no Condition here, so the grant is not scoped to specific
          # log groups. Outside a development stack, restrict it with a
          # condition on kms:EncryptionContext:aws:logs:arn.
          - Sid: CloudWatch Logs Permissions
            Effect: Allow
            Principal:
              Service: !Sub "logs.${AWS::Region}.${AWS::URLSuffix}"
            Action:
              - "kms:Encrypt*"
              - "kms:Decrypt*"
              - "kms:ReEncrypt*"
              - "kms:GenerateDataKey*"
              - "kms:Describe*"
            Resource: "*"
  # Alias is only added to show the StackName in the KMS Console
  CmkAlias:
    Type: "AWS::KMS::Alias"
    Properties:
      # AliasName takes the alias name (it must begin with "alias/"), not an alias ARN.
      AliasName: !Sub "alias/${AWS::StackName}"
      TargetKeyId: !Ref Cmk
Outputs:
  OverridesJson:
    Description: Use this as overrides.json
    Value: !Sub "{\"CREATE\": {\"/KmsKeyId\": \"${Cmk.Arn}\"}}"