Paul Duvall edited this page Nov 21, 2019 · 26 revisions

2.2 Create a Customer-Managed CMK using AWS CloudFormation

Review and ensure that you have set up your development environment before going through the steps below.

Create a KMS Key

mkdir ~/environment/ceoa
cd ~/environment/ceoa
touch ceoa-2-kms.yml

Copy the contents below into the file and save it.

---
AWSTemplateFormatVersion: '2010-09-09'
Description: Create a KMS Key
Resources:
  S3Key:
    Type: AWS::KMS::Key
    Properties:
      Description: DynamoDB Key
      Enabled: true
      EnableKeyRotation: true
      PendingWindowInDays: 7
      KeyPolicy:
        Version: 2012-10-17
        Id: AllowIAMUserPermissions
        Statement:
          - Sid: EnableIAMUserPermissions
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action:
              - kms:*
            Resource: '*'
          - Sid: AllowKeyAdministration
            Effect: Allow
            Principal:
              AWS:
                - !Sub arn:aws:iam::${AWS::AccountId}:user/ceoa
            Action:
              - kms:Create*
              - kms:Describe*
              - kms:Enable*
              - kms:List*
              - kms:Put*
              - kms:Update*
              - kms:Revoke*
              - kms:Disable*
              - kms:Get*
              - kms:Delete*
              - kms:TagResource
              - kms:UntagResource
            Resource: '*'
          - Sid: AllowKeyUse
            Effect: Allow
            Principal:
              AWS:
                - !Sub arn:aws:iam::${AWS::AccountId}:user/ceoa
            Action:
              - kms:Encrypt
              - kms:Decrypt
              - kms:ReEncrypt*
              - kms:GenerateDataKey*
              - kms:DescribeKey
            Resource: '*'
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName}-S3Key
  DynamoDBAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: !Sub alias/${AWS::StackName}
      TargetKeyId:
        Ref: S3Key
Outputs:
  KeyId:
    Value:
      Ref: S3Key
    Description: Key ID

Run the AWS CLI command below to launch the CloudFormation stack that creates the KMS key.

aws cloudformation create-stack --stack-name ceoa-2-kms --template-body file:///home/ec2-user/environment/ceoa/ceoa-2-kms.yml --capabilities CAPABILITY_NAMED_IAM --disable-rollback
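The key policy in the template above decides who controls the key once the stack exists, so it is worth checking who it actually empowers. The script below is an added example, not part of this wiki page or the course's own code. It transcribes the template's KeyPolicy into a Python dict (with the constructed placeholder account ID 111122223333), evaluates a sample of KMS actions against it the way IAM does (case-insensitive wildcard matching, explicit Deny beating Allow), and reports the two review points a practitioner would want: that only the account root holds kms:*, and that the kms:Put* administration grant includes kms:PutKeyPolicy, which lets that principal rewrite the policy itself. Conditions are not evaluated, since the template has none.

```python
"""Key-policy review for the CMK defined in ceoa-2-kms.yml.

Added example, not part of the original wiki page or the course's code.
Standard library only. KEY_POLICY is a hand-transcription of the template's
KeyPolicy using the constructed placeholder account ID 111122223333.
"""
import copy
import fnmatch

ACCOUNT_ID = "111122223333"  # constructed placeholder, not a real account
ROOT_ARN = f"arn:aws:iam::{ACCOUNT_ID}:root"
CEOA_ARN = f"arn:aws:iam::{ACCOUNT_ID}:user/ceoa"

KEY_POLICY = {
    "Version": "2012-10-17",
    "Id": "AllowIAMUserPermissions",
    "Statement": [
        {"Sid": "EnableIAMUserPermissions", "Effect": "Allow",
         "Principal": {"AWS": ROOT_ARN}, "Action": ["kms:*"], "Resource": "*"},
        {"Sid": "AllowKeyAdministration", "Effect": "Allow",
         "Principal": {"AWS": [CEOA_ARN]},
         "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                    "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                    "kms:Get*", "kms:Delete*", "kms:TagResource",
                    "kms:UntagResource"],
         "Resource": "*"},
        {"Sid": "AllowKeyUse", "Effect": "Allow",
         "Principal": {"AWS": [CEOA_ARN]},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*"},
    ],
}

# A representative sample of KMS actions to evaluate the policy against.
KMS_ACTIONS = [
    "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey",
    "kms:GenerateDataKeyWithoutPlaintext", "kms:ReEncryptFrom", "kms:DescribeKey",
    "kms:PutKeyPolicy", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion",
    "kms:DisableKey", "kms:EnableKeyRotation", "kms:CreateGrant", "kms:DeleteAlias",
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """Principal ARNs named by a statement ('*' means every AWS principal)."""
    principal = statement.get("Principal", {})
    return ["*"] if principal == "*" else _as_list(principal.get("AWS", []))


def allowed_actions(policy, principal_arn, actions=KMS_ACTIONS):
    """Subset of `actions` the policy lets `principal_arn` call.

    IAM matches action wildcards case-insensitively, and an explicit Deny
    wins over any Allow, so the denied set is subtracted at the end.
    """
    allowed, denied = set(), set()
    for statement in policy["Statement"]:
        principals = _principals(statement)
        if principal_arn not in principals and "*" not in principals:
            continue
        target = allowed if statement.get("Effect") == "Allow" else denied
        for pattern in _as_list(statement["Action"]):
            target.update(a for a in actions
                          if fnmatch.fnmatchcase(a.lower(), pattern.lower()))
    return allowed - denied


def review(policy, account_id, actions=KMS_ACTIONS):
    """Findings a reviewer would raise about who controls the key."""
    root = f"arn:aws:iam::{account_id}:root"
    findings = []
    if allowed_actions(policy, root, actions) != set(actions):
        findings.append("account root lacks full kms access; the key could become unmanageable")
    others = set()
    for statement in policy["Statement"]:
        others.update(p for p in _principals(statement) if p != root)
    for principal in sorted(others):
        if principal == "*":
            findings.append("policy grants access to every AWS principal ('*')")
            continue
        granted = allowed_actions(policy, principal, actions)
        if "kms:PutKeyPolicy" in granted:
            findings.append(f"{principal} can call kms:PutKeyPolicy and so rewrite this policy")
        if "kms:ScheduleKeyDeletion" in granted:
            findings.append(f"{principal} can schedule the key for deletion")
    return findings


def with_deny(policy, principal_arn, action):
    """Copy of `policy` with an explicit Deny for one principal and action:
    the usual way to keep a broad kms:Put* grant while blocking policy rewrites."""
    new = copy.deepcopy(policy)
    new["Statement"].append({"Sid": "DenyPolicyRewrite", "Effect": "Deny",
                             "Principal": {"AWS": [principal_arn]},
                             "Action": action, "Resource": "*"})
    return new


if __name__ == "__main__":
    for finding in review(KEY_POLICY, ACCOUNT_ID):
        print("finding:", finding)
    print("ceoa may call:", sorted(allowed_actions(KEY_POLICY, CEOA_ARN)))
    print("after deny:", review(with_deny(KEY_POLICY, CEOA_ARN, "kms:PutKeyPolicy")))
```

Note that kms:Delete* does not match kms:ScheduleKeyDeletion, so the ceoa user in this template cannot schedule the key for deletion, but kms:Put* does match kms:PutKeyPolicy. Whether that is acceptable depends on whether ceoa is meant to be the key administrator; the with_deny helper shows how an explicit Deny removes it without rewriting the rest of the statement.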

Enable Encryption for an S3 Bucket

  1. Go to the S3 Console.
  2. Click the Create bucket button.
  3. Enter ceoa-2-s3-ACCOUNTID in the Bucket name field, replacing ACCOUNTID with the output of the following command: aws sts get-caller-identity --output text --query 'Account'. Click the Next button.
  4. On the Configure options page, click the Automatically encrypt objects when they are stored in S3 checkbox in the Default encryption section. Then, choose the AWS-KMS radio button.
  5. Select the key you created in this exercise (its alias is ceoa-2-kms, the stack name) as the key for the S3 bucket. Then click the Next button.
  6. Leave the defaults on the Set permissions page and click the Next button.
  7. Click the Create bucket button.
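The console steps above can also be performed and, more importantly, verified through the S3 API, so that you can confirm a bucket is really defaulting to your customer-managed key rather than SSE-S3 or the AWS managed aws/s3 key. The script below is an added example and is not part of this wiki page or the course's code. The two functions that talk to AWS assume boto3 is installed and credentials are configured; the others are pure and run offline. The bucket and key names are constructed for illustration.

```python
"""S3 default encryption with the CMK: the API equivalent of the console
steps, plus a check that a bucket really uses the expected CMK.

Added example, not from the wiki page or the course. apply_default_encryption
and verify_default_encryption assume boto3 and AWS credentials; the rest
runs offline. Bucket and key names are constructed.
"""


def sse_kms_configuration(kms_key_id):
    """Payload for PutBucketEncryption selecting SSE-KMS with the given key
    (an alias such as 'alias/ceoa-2-kms', a key ID, or a key ARN)."""
    return {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": kms_key_id}}]}


def _key_suffix(key_ref):
    """Normalise a key reference so an alias, a key ID and the matching ARN
    compare equal: keep the text after the last ':' and drop a leading 'key/'."""
    tail = key_ref.rsplit(":", 1)[-1]
    return tail[4:] if tail.startswith("key/") else tail


def check_default_encryption(response, expected_key):
    """Evaluate a GetBucketEncryption response ({} when the API reported
    ServerSideEncryptionConfigurationNotFoundError). Returns (ok, reason)."""
    rules = response.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return False, "no default encryption configured"
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        algorithm = default.get("SSEAlgorithm")
        if algorithm != "aws:kms":
            return False, f"default encryption is {algorithm}, not SSE-KMS"
        key = default.get("KMSMasterKeyID")
        if key is None:
            # SSE-KMS without a key ID means the AWS managed key aws/s3.
            return False, "SSE-KMS with the AWS managed key (aws/s3), not the CMK"
        if _key_suffix(key) != _key_suffix(expected_key):
            return False, f"SSE-KMS uses {key}, expected {expected_key}"
    return True, f"SSE-KMS with {expected_key}"


def apply_default_encryption(bucket, kms_key_id, s3=None):
    """Equivalent of console steps 4 and 5 (assumes boto3 and credentials)."""
    import boto3  # imported here so the offline functions need no boto3
    s3 = s3 or boto3.client("s3")
    s3.put_bucket_encryption(
        Bucket=bucket,
        ServerSideEncryptionConfiguration=sse_kms_configuration(kms_key_id))


def verify_default_encryption(bucket, expected_key, s3=None):
    """Fetch the bucket's default encryption and check it against the CMK."""
    import boto3
    from botocore.exceptions import ClientError
    s3 = s3 or boto3.client("s3")
    try:
        response = s3.get_bucket_encryption(Bucket=bucket)
    except ClientError as exc:
        if exc.response["Error"]["Code"] != "ServerSideEncryptionConfigurationNotFoundError":
            raise
        response = {}
    return check_default_encryption(response, expected_key)


if __name__ == "__main__":
    import sys
    # e.g. python this.py ceoa-2-s3-ACCOUNTID alias/ceoa-2-kms (constructed names)
    bucket_name, key_ref = sys.argv[1], sys.argv[2]
    apply_default_encryption(bucket_name, key_ref)
    print(verify_default_encryption(bucket_name, key_ref))
```

The same configuration can be applied from the CLI with aws s3api put-bucket-encryption and read back with aws s3api get-bucket-encryption; the check function above is where the value lies, because a bucket that reports SSE-KMS is still not using your key if KMSMasterKeyID is absent (aws/s3) or names a different key.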
