Paul Duvall edited this page Nov 12, 2019 · 46 revisions

4.2 Encryption at Rest with DynamoDB

Review and ensure that you have set up your development environment before going through the steps below.

Create a KMS Key

mkdir -p ~/environment/ceoa
cd ~/environment/ceoa
touch ceoa-4-kms.yml

Copy the contents below into the file and save it.

AWSTemplateFormatVersion: "2010-09-09"
Description: Create a KMS customer master key (CMK) with a three-statement key policy
Resources:
  myKey:
    Type: AWS::KMS::Key
    Properties:
      Description: "An example CMK"
      KeyPolicy:
        Version: "2012-10-17"
        Id: "key-default-1"
        Statement:
          # The key-owning account's root principal keeps full control; without this
          # statement the key can become unmanageable. AWS::AccountId resolves to the
          # account the stack is launched in, so the policy is not tied to one account.
          - Sid: "Enable IAM User Permissions"
            Effect: "Allow"
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
            Action: "kms:*"
            Resource: "*"
          # Key administrators: manage the key but cannot use it on data.
          # The IAM users named below must exist in the account, otherwise
          # KMS rejects the key policy as malformed and the stack fails.
          - Sid: "Allow administration of the key"
            Effect: "Allow"
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:user/Alice"
            Action:
              - "kms:Create*"
              - "kms:Describe*"
              - "kms:Enable*"
              - "kms:List*"
              - "kms:Put*"
              - "kms:Update*"
              - "kms:Revoke*"
              - "kms:Disable*"
              - "kms:Get*"
              - "kms:Delete*"
              - "kms:ScheduleKeyDeletion"
              - "kms:CancelKeyDeletion"
            Resource: "*"
          # Key users: encrypt, decrypt and generate data keys, but cannot administer the key.
          - Sid: "Allow use of the key"
            Effect: "Allow"
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:user/Bob"
            Action:
              - "kms:DescribeKey"
              - "kms:Encrypt"
              - "kms:Decrypt"
              - "kms:ReEncrypt*"
              - "kms:GenerateDataKey"
              - "kms:GenerateDataKeyWithoutPlaintext"
            Resource: "*"

Copy the CloudFormation CLI command below to launch the stack that creates a KMS Key.

aws cloudformation create-stack --stack-name ceoa-4-kms --template-body file:///home/ec2-user/environment/ceoa/ceoa-4-kms.yml --capabilities CAPABILITY_NAMED_IAM --disable-rollback

Create an S3 Bucket with KMS Encryption

cd ~/environment/ceoa
touch ceoa-4-s3.yml

Copy the contents below into the file and save it.

---
AWSTemplateFormatVersion: '2010-09-09'
Description: Create an S3 Bucket with KMS Encryption
Resources:
  ConfigBucket:
    Type: AWS::S3::Bucket
    DeletionPolicy: Retain
    Properties:
      AccessControl: BucketOwnerFullControl
      BucketName: !Sub '${AWS::StackName}-s3kms'
      # Default server-side encryption for every object written to the bucket.
      # SSEAlgorithm aws:kms without KMSMasterKeyID uses the AWS-managed key aws/s3;
      # set KMSMasterKeyID to the ARN of a customer-managed CMK (such as the one
      # created by the ceoa-4-kms stack) to control the key policy yourself.
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: aws:kms

Copy the CloudFormation CLI command below to launch the stack that creates an S3 Bucket with KMS encryption.

aws cloudformation create-stack --stack-name ceoa-4-s3 --template-body file:///home/ec2-user/environment/ceoa/ceoa-4-s3.yml --capabilities CAPABILITY_NAMED_IAM --disable-rollback

Create an EBS Volume

mkdir -p ~/environment/ceoa
cd ~/environment/ceoa
touch ceoa-4-ebs.yml

Copy the contents below into the file and save it.

AWSTemplateFormatVersion: "2010-09-09"

Description: cfn_nag demo template

Resources:
  EBSVolume:
    Type: "AWS::EC2::Volume"
    Properties:
      # Encrypted: true without KmsKeyId encrypts the volume with the account's
      # default EBS key (aws/ebs); set KmsKeyId to use a customer-managed CMK.
      Encrypted: true
      AvailabilityZone: us-east-1a
      Size: 100

Copy the CloudFormation CLI command below to launch the stack that creates an EBS Volume with default encryption.

aws cloudformation create-stack --stack-name ceoa-4-ebs --template-body file:///home/ec2-user/environment/ceoa/ceoa-4-ebs.yml --capabilities CAPABILITY_NAMED_IAM --disable-rollback

Create a DynamoDB Table

mkdir -p ~/environment/ceoa
cd ~/environment/ceoa
touch ceoa-4-ddb.yml

Copy the contents below into the file and save it.

AWSTemplateFormatVersion: "2010-09-09"
Resources:
  myDynamoDBTable:
    Type: AWS::DynamoDB::Table
    Properties:
      # Encryption at rest. SSEEnabled: true on its own encrypts the table with the
      # AWS-managed key aws/dynamodb; add SSEType: KMS and KMSMasterKeyId to use a
      # customer-managed CMK whose key policy you control.
      SSESpecification:
        SSEEnabled: true
      AttributeDefinitions:
        - AttributeName: "Album"
          AttributeType: "S"
        - AttributeName: "Artist"
          AttributeType: "S"
        - AttributeName: "Sales"
          AttributeType: "N"
        - AttributeName: "NumberOfSongs"
          AttributeType: "N"
      KeySchema:
        - AttributeName: "Album"
          KeyType: "HASH"
        - AttributeName: "Artist"
          KeyType: "RANGE"
      ProvisionedThroughput:
        ReadCapacityUnits: "5"
        WriteCapacityUnits: "5"
      TableName:
        Ref: AWS::StackName
      GlobalSecondaryIndexes:
        - IndexName: "myGSI"
          KeySchema:
            - AttributeName: "Sales"
              KeyType: "HASH"
            - AttributeName: "Artist"
              KeyType: "RANGE"
          Projection:
            NonKeyAttributes:
              - "Album"
              - "NumberOfSongs"
            ProjectionType: "INCLUDE"
          ProvisionedThroughput:
            ReadCapacityUnits: "5"
            WriteCapacityUnits: "5"
        - IndexName: "myGSI2"
          KeySchema:
            - AttributeName: "NumberOfSongs"
              KeyType: "HASH"
            - AttributeName: "Sales"
              KeyType: "RANGE"
          Projection:
            NonKeyAttributes:
              - "Album"
              - "Artist"
            ProjectionType: "INCLUDE"
          ProvisionedThroughput:
            ReadCapacityUnits: "5"
            WriteCapacityUnits: "5"
      LocalSecondaryIndexes:
        - IndexName: "myLSI"
          KeySchema:
            - AttributeName: "Album"
              KeyType: "HASH"
            - AttributeName: "Sales"
              KeyType: "RANGE"
          Projection:
            NonKeyAttributes:
              - "Artist"
              - "NumberOfSongs"
            ProjectionType: "INCLUDE"
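The four templates above each turn on encryption at rest with one property (BucketEncryption, Encrypted, SSESpecification). The script below is an added example, not part of this workshop or of cfn_nag: it is the kind of static check a pipeline runs on CloudFormation templates before create-stack, flagging any S3 bucket, EBS volume or DynamoDB table whose encryption-at-rest property is missing or disabled. It assumes the templates have already been parsed into Python dicts (for example by PyYAML with a constructor registered for the !Sub and !Ref tags); the sample templates embedded here are constructed to mirror the ones on this page.

```python
from typing import Any, Dict, List


def _is_true(value: Any) -> bool:
    """YAML/JSON may yield bool True or the string "true"; anything else fails."""
    return value is True or str(value).lower() == "true"


def check_encryption_at_rest(template: Dict[str, Any]) -> List[str]:
    """Return one finding per S3 bucket, EBS volume or DynamoDB table whose
    encryption-at-rest property is missing or disabled; empty list if clean."""
    findings: List[str] = []
    for name, res in template.get("Resources", {}).items():
        rtype = res.get("Type")
        props = res.get("Properties") or {}
        if rtype == "AWS::S3::Bucket":
            rules = (props.get("BucketEncryption") or {}).get(
                "ServerSideEncryptionConfiguration", [])
            algos = {(r.get("ServerSideEncryptionByDefault") or {}).get("SSEAlgorithm")
                     for r in rules}
            if not algos & {"AES256", "aws:kms"}:
                findings.append(f"{name}: S3 bucket has no default server-side encryption")
        elif rtype == "AWS::EC2::Volume":
            if not _is_true(props.get("Encrypted")):
                findings.append(f"{name}: EBS volume is not Encrypted: true")
        elif rtype == "AWS::DynamoDB::Table":
            if not _is_true((props.get("SSESpecification") or {}).get("SSEEnabled")):
                findings.append(f"{name}: DynamoDB table has no SSESpecification.SSEEnabled: true")
    return findings


# Constructed sample templates mirroring the ones on this page, already parsed
# into dicts (e.g. by PyYAML with a constructor registered for !Sub and !Ref).
S3_NO_ENCRYPTION = {"Resources": {"ConfigBucket": {
    "Type": "AWS::S3::Bucket",
    "Properties": {"AccessControl": "BucketOwnerFullControl"}}}}
S3_KMS = {"Resources": {"ConfigBucket": {
    "Type": "AWS::S3::Bucket",
    "Properties": {"BucketEncryption": {"ServerSideEncryptionConfiguration": [
        {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}}}}
EBS_AND_DDB = {"Resources": {
    "EBSVolume": {"Type": "AWS::EC2::Volume",
                  "Properties": {"Encrypted": True, "AvailabilityZone": "us-east-1a",
                                 "Size": 100}},
    "myDynamoDBTable": {"Type": "AWS::DynamoDB::Table",
                        "Properties": {"SSESpecification": {"SSEEnabled": "false"}}}}}

if __name__ == "__main__":
    for label, tpl in [("s3-plain", S3_NO_ENCRYPTION), ("s3-kms", S3_KMS),
                       ("ebs+ddb", EBS_AND_DDB)]:
        print(label, check_encryption_at_rest(tpl) or ["OK"])
```

Run against the S3 template without a BucketEncryption block, the check reports the bucket; with SSEAlgorithm aws:kms it passes, and the DynamoDB table with SSEEnabled set to "false" is flagged while the encrypted EBS volume is not.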
