{ "AWSTemplateFormatVersion": "2010-09-09", "Description": "Ec2CopySnapshotTestResourceStack", "Outputs": { "VolumeIdEncryptedUnencrypted": { "Description": "Volume Id on unencrypted volume", "Value": { "Ref": "Volume0" } }, "VolumeIdEncryptedDefault": { "Description": "Volume Id of encrypted volume using default key", "Value": { "Ref": "Volume1" } }, "VolumeIdEncryptedCustom": { "Description": "Volume Id of encrypted volume using custom key", "Value": { "Ref": "Volume2" } }, "EncryptionKeyArn": { "Description": "Arn of custom key used for encrypting EBS snapshots", "Value": { "Fn::GetAtt": [ "EncryptionKey0", "Arn" ] } } }, "Parameters": { "TaskRole": { "Description": "Role executing the action that needs permission to KMS key", "Type": "String" } }, "Resources": { "Volume0": { "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W37", "reason": "Unit test template. Not part of the solution" }, { "id": "F1", "reason": "Unit test template. Not part of the solution" } ] } }, "Type": "AWS::EC2::Volume", "Properties": { "Size": 10, "AvailabilityZone": { "Fn::Select": [ 0, { "Fn::GetAZs": "" } ] }, "Tags": [ { "Key": "Name", "Value": "Ec2CopySnapshotTestDataVolume0" }, { "Key": "VolumeTag", "Value": "Volume0" } ] } }, "Volume1": { "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id" : "W37", "reason": "Unit test template. Not part of the solution" } ] } }, "Type": "AWS::EC2::Volume", "Properties": { "Size": 4, "Encrypted": "True", "AvailabilityZone": { "Fn::Select": [ 0, { "Fn::GetAZs": "" } ] }, "Tags": [ { "Key": "Name", "Value": "Ec2CopySnapshotTestDataVolume1" }, { "Key": "VolumeTag", "Value": "Volume1" } ] } }, "Volume2": { "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "F19", "reason": "Unit test template. Not part of the solution" } ] } }, "Type": "AWS::EC2::Volume", "Properties": { "Size": 4, "Encrypted": "True", "KmsKeyId": { "Fn::GetAtt": [ "EncryptionKey0", "Arn" ] }, "AvailabilityZone": { "Fn::Select": [ 0, { "Fn::GetAZs": "" } ] }, "Tags": [ { "Key": "Name", "Value": "Ec2CopySnapshotTestDataVolume1" }, { "Key": "VolumeTag", "Value": "Volume2" } ] } }, "EncryptionKey0": { "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id" : "F19", "reason": "Unit test template. Not part of the solution" } ] } }, "Type": "AWS::KMS::Key", "Properties": { "Enabled": "True", "EnableKeyRotation": "False", "Description": "Ec2CopySnapshotTestResourceStack EBS custom encryption key ", "KeyPolicy": { "Version": "2012-10-17", "Id": "key-default-1", "Statement": [ { "Sid": "Allow administration of the key", "Effect": "Allow", "Principal": { "AWS": { "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:root" } }, "Action": [ "kms:Create*", "kms:Decrypt", "kms:Describe*", "kms:Enable*", "kms:Encrypt", "kms:GenerateDataKey*", "kms:ReEncrypt*", "kms:List*", "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion" ], "Resource": "*" }, { "Sid": "Allow use of the key", "Effect": "Allow", "Principal": { "AWS": { "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:role/${TaskRole}" } }, "Action": [ "kms:CreateGrant", "kms:Decrypt", "kms:Get*", "kms:Describe*", "kms:List*", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey" ], "Resource": "*" } ] } } } } }