2.2
Paul Duvall edited this page Nov 13, 2019
Review the setup instructions and make sure your development environment is set up before going through the steps below.
```shell
mkdir ~/environment/ceoa
cd ~/environment/ceoa
touch ceoa-2-kms.yml
```
Copy the contents below into the file and save it.
```yaml
---
AWSTemplateFormatVersion: '2010-09-09'
Description: Create a KMS Key
Resources:
  DynamoDBKey:
    Type: AWS::KMS::Key
    Properties:
      Description: DynamoDB Key
      Enabled: true
      EnableKeyRotation: true
      PendingWindowInDays: 7
      KeyPolicy:
        Version: '2012-10-17'
        Id: AllowIAMUserPermissions
        Statement:
          # Keep the account root in the policy so the key can never become unmanageable
          - Sid: EnableIAMUserPermissions
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action:
              - kms:*
            Resource: '*'
          # Key administrators: manage the key, but no encrypt/decrypt permissions here
          - Sid: AllowKeyAdministration
            Effect: Allow
            Principal:
              AWS:
                - !Sub arn:aws:iam::${AWS::AccountId}:user/ceoa
            Action:
              - kms:Create*
              - kms:Describe*
              - kms:Enable*
              - kms:List*
              - kms:Put*
              - kms:Update*
              - kms:Revoke*
              - kms:Disable*
              - kms:Get*
              - kms:Delete*
              - kms:TagResource
              - kms:UntagResource
            Resource: '*'
          # Key users: cryptographic operations only
          - Sid: AllowKeyUse
            Effect: Allow
            Principal:
              AWS:
                - !Sub arn:aws:iam::${AWS::AccountId}:user/ceoa
            Action:
              - kms:Encrypt
              - kms:Decrypt
              - kms:ReEncrypt*
              - kms:GenerateDataKey*
              - kms:DescribeKey
            Resource: '*'
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName}-DynamoDBKey
  DynamoDBAlias:
    Type: AWS::KMS::Alias
    Properties:
      # !Sub is required here; without it the alias name would contain the literal text ${AWS::StackName}
      AliasName: !Sub alias/${AWS::StackName}
      TargetKeyId:
        Ref: DynamoDBKey
Outputs:
  KeyId:
    Value:
      Ref: DynamoDBKey
    Description: Key ID
```
Run the AWS CLI command below to launch the CloudFormation stack that creates the KMS key. The --disable-rollback flag keeps any resources a failed stack created so you can inspect them.
```shell
aws cloudformation create-stack --stack-name ceoa-2-kms --template-body file:///home/ec2-user/environment/ceoa/ceoa-2-kms.yml --capabilities CAPABILITY_NAMED_IAM --disable-rollback
```
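As an added check that is not part of the lab, the script below audits the key definition from the template above, transcribed into a Python dict with a placeholder account id standing in for `${AWS::AccountId}`. It confirms rotation is on, that the account root keeps `kms:PutKeyPolicy` so the key cannot become unmanageable, flags statements open to every principal, and reports principals that are both key administrator and key user, which the lab's `ceoa` user is by design of this exercise.

```python
ACCOUNT = "123456789012"  # placeholder standing in for ${AWS::AccountId}
CEOA_USER = f"arn:aws:iam::{ACCOUNT}:user/ceoa"
# Key properties transcribed from the template above (constructed input, !Sub already resolved).
KEY_PROPERTIES = {
    "EnableKeyRotation": True,
    "KeyPolicy": {"Version": "2012-10-17", "Statement": [
        {"Sid": "EnableIAMUserPermissions", "Effect": "Allow", "Resource": "*",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"}, "Action": ["kms:*"]},
        {"Sid": "AllowKeyAdministration", "Effect": "Allow", "Resource": "*",
         "Principal": {"AWS": [CEOA_USER]},
         "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
                    "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
                    "kms:TagResource", "kms:UntagResource"]},
        {"Sid": "AllowKeyUse", "Effect": "Allow", "Resource": "*", "Principal": {"AWS": [CEOA_USER]},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*",
                    "kms:DescribeKey"]},
    ]},
}
# Representative actions: any of the first set marks a key administrator, any of the second a key user.
ADMIN_ACTIONS = ("kms:PutKeyPolicy", "kms:ScheduleKeyDeletion", "kms:DisableKey")
DATA_ACTIONS = ("kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey")

def _principals(stmt):  # the AWS principal may be one ARN string or a list; normalise to a list
    aws = stmt.get("Principal", {}).get("AWS", [])
    return [aws] if isinstance(aws, str) else list(aws)

def _grants(patterns, action):  # does any IAM action pattern (trailing * wildcard) match the action?
    return any(action.startswith(p[:-1]) if p.endswith("*") else p == action for p in patterns)

def audit_key_policy(props, account):
    """Return findings for a KMS key's properties; an empty list means every check passed."""
    findings = []
    if not props.get("EnableKeyRotation"):
        findings.append("automatic key rotation is disabled")
    allows = [s for s in props["KeyPolicy"]["Statement"] if s.get("Effect") == "Allow"]
    root = f"arn:aws:iam::{account}:root"
    if not any(root in _principals(s) and _grants(s["Action"], "kms:PutKeyPolicy") for s in allows):
        findings.append("account root cannot manage the key policy; the key can become unmanageable")
    roles = {}  # principal ARN -> subset of {"admin", "data"}
    for s in allows:
        for p in _principals(s):
            if p == "*":
                findings.append(f"{s.get('Sid')}: grants access to every AWS principal")
            roles.setdefault(p, set()).update(
                r for r, acts in (("admin", ADMIN_ACTIONS), ("data", DATA_ACTIONS))
                if any(_grants(s["Action"], a) for a in acts))
    for p, held in roles.items():
        if held == {"admin", "data"} and not p.endswith(":root"):
            findings.append(f"{p} is both key administrator and key user")
    return findings
```

Run against the template as written, the only finding is that `ceoa` holds both roles; in a production key policy, administration and use are normally granted to different principals.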