4.2
Paul Duvall edited this page Nov 12, 2019
Review and ensure that you have set up your development environment before going through the steps below.

```shell
mkdir -p ~/environment/ceoa
cd ~/environment/ceoa
touch ceoa-4-kms.yml
```
Copy the contents below into the file and save it.
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  myKey:
    Type: AWS::KMS::Key
    Properties:
      Description: "Customer Master Key"
      # Automatic yearly rotation of the key material.
      EnableKeyRotation: true
      # Shortest allowed waiting period before a scheduled deletion takes effect.
      PendingWindowInDays: 7
      KeyPolicy:
        Version: "2012-10-17"
        Id: "key-default-1"
        Statement:
          # Principal is a map, not a list. The account root keeps full access so the
          # key cannot become unmanageable. The deploying account is used in place of
          # the AWS documentation example account IDs (111122223333, 123456789012);
          # the IAM users Alice and Bob must exist in that account, otherwise KMS
          # rejects the policy as malformed and the stack fails.
          - Sid: "Enable IAM User Permissions"
            Effect: "Allow"
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
            Action: "kms:*"
            Resource: "*"
          # Key administrators manage the key but get no Encrypt/Decrypt rights.
          - Sid: "Allow administration of the key"
            Effect: "Allow"
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:user/Alice"
            Action:
              - "kms:Create*"
              - "kms:Describe*"
              - "kms:Enable*"
              - "kms:List*"
              - "kms:Put*"
              - "kms:Update*"
              - "kms:Revoke*"
              - "kms:Disable*"
              - "kms:Get*"
              - "kms:Delete*"
              - "kms:ScheduleKeyDeletion"
              - "kms:CancelKeyDeletion"
            Resource: "*"
          # Key users can encrypt and decrypt but cannot change the key or its policy.
          - Sid: "Allow use of the key"
            Effect: "Allow"
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:user/Bob"
            Action:
              - "kms:DescribeKey"
              - "kms:Encrypt"
              - "kms:Decrypt"
              - "kms:ReEncrypt*"
              - "kms:GenerateDataKey"
              - "kms:GenerateDataKeyWithoutPlaintext"
            Resource: "*"
```
Copy the CloudFormation CLI command below to launch the stack that creates a KMS Key.
```shell
aws cloudformation create-stack --stack-name ceoa-4-kms --template-body file:///home/ec2-user/environment/ceoa/ceoa-4-kms.yml --capabilities CAPABILITY_NAMED_IAM --disable-rollback
```
```shell
cd ~/environment/ceoa
touch ceoa-4-s3.yml
```
Copy the contents below into the file and save it.
```yaml
---
AWSTemplateFormatVersion: '2010-09-09'
Description: Create an S3 Bucket with KMS Encryption
Resources:
  ConfigBucket:
    Type: AWS::S3::Bucket
    # The bucket and its objects are kept when the stack is deleted.
    DeletionPolicy: Retain
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              # !Sub is required; without it ${AWS::Region} and ${AWS::AccountId} are
              # passed through literally. alias/aws/s3 is the AWS managed key for S3;
              # to use the customer key from the ceoa-4-kms stack, put that key's ARN here.
              KMSMasterKeyID: !Sub 'arn:aws:kms:${AWS::Region}:${AWS::AccountId}:alias/aws/s3'
              SSEAlgorithm: aws:kms
      AccessControl: BucketOwnerFullControl
      BucketName: !Sub '${AWS::StackName}-s3kms'
```
Copy the CloudFormation CLI command below to launch the stack that creates an S3 Bucket with KMS encryption.
```shell
aws cloudformation create-stack --stack-name ceoa-4-s3 --template-body file:///home/ec2-user/environment/ceoa/ceoa-4-s3.yml --capabilities CAPABILITY_NAMED_IAM --disable-rollback
```
```shell
mkdir -p ~/environment/ceoa
cd ~/environment/ceoa
touch ceoa-4-ebs.yml
```
Copy the contents below into the file and save it.
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: cfn_nag demo template
Resources:
  EBSVolume:
    Type: "AWS::EC2::Volume"
    Properties:
      # No KmsKeyId is given, so the volume is encrypted with the account's
      # default EBS key (aws/ebs).
      Encrypted: true
      # Must be an Availability Zone in the region the stack is launched in.
      AvailabilityZone: us-east-1a
      Size: 100
```
Copy the CloudFormation CLI command below to launch the stack that creates an EBS Volume with default encryption.
```shell
aws cloudformation create-stack --stack-name ceoa-4-ebs --template-body file:///home/ec2-user/environment/ceoa/ceoa-4-ebs.yml --capabilities CAPABILITY_NAMED_IAM --disable-rollback
```
```shell
mkdir -p ~/environment/ceoa
cd ~/environment/ceoa
touch ceoa-4-ddb.yml
```
Copy the contents below into the file and save it.
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  myDynamoDBTable:
    Type: AWS::DynamoDB::Table
    Properties:
      # Server-side encryption with KMS. With no KMSMasterKeyId given, DynamoDB
      # uses its AWS managed key (aws/dynamodb) instead of an AWS owned key.
      SSESpecification:
        SSEEnabled: true
      AttributeDefinitions:
        - AttributeName: "Album"
          AttributeType: "S"
        - AttributeName: "Artist"
          AttributeType: "S"
        - AttributeName: "Sales"
          AttributeType: "N"
        - AttributeName: "NumberOfSongs"
          AttributeType: "N"
      KeySchema:
        - AttributeName: "Album"
          KeyType: "HASH"
        - AttributeName: "Artist"
          KeyType: "RANGE"
      ProvisionedThroughput:
        ReadCapacityUnits: "5"
        WriteCapacityUnits: "5"
      TableName:
        Ref: AWS::StackName
      GlobalSecondaryIndexes:
        - IndexName: "myGSI"
          KeySchema:
            - AttributeName: "Sales"
              KeyType: "HASH"
            - AttributeName: "Artist"
              KeyType: "RANGE"
          Projection:
            NonKeyAttributes:
              - "Album"
              - "NumberOfSongs"
            ProjectionType: "INCLUDE"
          ProvisionedThroughput:
            ReadCapacityUnits: "5"
            WriteCapacityUnits: "5"
        - IndexName: "myGSI2"
          KeySchema:
            - AttributeName: "NumberOfSongs"
              KeyType: "HASH"
            - AttributeName: "Sales"
              KeyType: "RANGE"
          Projection:
            NonKeyAttributes:
              - "Album"
              - "Artist"
            ProjectionType: "INCLUDE"
          ProvisionedThroughput:
            ReadCapacityUnits: "5"
            WriteCapacityUnits: "5"
      LocalSecondaryIndexes:
        - IndexName: "myLSI"
          KeySchema:
            - AttributeName: "Album"
              KeyType: "HASH"
            - AttributeName: "Sales"
              KeyType: "RANGE"
          Projection:
            NonKeyAttributes:
              - "Artist"
              - "NumberOfSongs"
            ProjectionType: "INCLUDE"
```
Copy the CloudFormation CLI command below to launch the stack that creates a DynamoDB table with default encryption.

```shell
aws cloudformation create-stack --stack-name ceoa-4-ddb --template-body file:///home/ec2-user/environment/ceoa/ceoa-4-ddb.yml --capabilities CAPABILITY_NAMED_IAM --disable-rollback
```
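A static check that templates like the four above actually request encryption at rest before they are launched, in the spirit of the cfn_nag scan the EBS template is named after. This is an added example, not code from this page or the course; it assumes PyYAML is installed, and the two templates it scans are constructed samples, not the lesson's own files.

```python
import yaml

# CloudFormation short-form tags (!Sub, !Ref, !GetAtt, ...) are unknown to PyYAML's
# SafeLoader; map each '!Name' tag to its long form ({"Fn::Name": v} or {"Ref": v}).
def _cfn_tag(loader, suffix, node):
    build = {yaml.ScalarNode: loader.construct_scalar, yaml.SequenceNode:
             loader.construct_sequence}.get(type(node), loader.construct_mapping)
    return {"Ref" if suffix == "Ref" else "Fn::" + suffix: build(node)}
CfnLoader = type("CfnLoader", (yaml.SafeLoader,), {})
CfnLoader.add_multi_constructor("!", _cfn_tag)

def check_template(text):
    """Return [(logical_id, finding)] for resources whose encryption at rest is missing or off."""
    findings = []
    for name, res in (yaml.load(text, Loader=CfnLoader).get("Resources") or {}).items():
        rtype, props = res.get("Type"), res.get("Properties") or {}
        if rtype == "AWS::KMS::Key" and props.get("EnableKeyRotation") is not True:
            findings.append((name, "KMS key rotation is not enabled"))
        elif rtype == "AWS::S3::Bucket":
            rules = (props.get("BucketEncryption") or {}).get("ServerSideEncryptionConfiguration") or []
            if not any(r.get("ServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
                       == "aws:kms" for r in rules):
                findings.append((name, "S3 bucket has no KMS default encryption"))
        elif rtype == "AWS::EC2::Volume" and props.get("Encrypted") is not True:
            findings.append((name, "EBS volume is not encrypted"))
        elif rtype == "AWS::DynamoDB::Table" and (
                props.get("SSESpecification") or {}).get("SSEEnabled") is not True:
            findings.append((name, "DynamoDB table has SSE disabled"))
    return findings

# Constructed sample: the encrypted settings this lesson's templates use.
SECURE_TEMPLATE = """
Resources:
  Data:
    Type: AWS::S3::Bucket
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault: {SSEAlgorithm: "aws:kms",
              KMSMasterKeyID: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:alias/aws/s3"}
  Scratch: {Type: "AWS::EC2::Volume", Properties: {Encrypted: true, Size: 100}}
"""
# Constructed sample: the same resource types with encryption missing or switched off.
WEAK_TEMPLATE = """
Resources:
  Data: {Type: "AWS::S3::Bucket", Properties: {BucketName: !Sub "${AWS::StackName}-plain"}}
  Scratch: {Type: "AWS::EC2::Volume", Properties: {Encrypted: false, Size: 100}}
  Orders: {Type: "AWS::DynamoDB::Table", Properties: {SSESpecification: {SSEEnabled: false}}}
"""
```

Run it over the saved files with `check_template(open(path).read())`; a non-empty list means a resource in that template would be deployed without the KMS encryption this lesson sets up.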