Paul Duvall edited this page Jan 29, 2020 · 19 revisions

5.2 Encrypt a DynamoDB database using AWS CloudFormation

Review and ensure that you have set up your development environment before going through the steps below.

Create a KMS Key

View the existing KMS keys at the KMS Console.

mkdir ~/environment/ceoa
cd ~/environment/ceoa
touch ceoa-5-kms.yml

Copy the contents below into the ceoa-5-kms.yml file in Cloud9 and save it. This CloudFormation template references the IAM user (ceoa) you created in lesson 2 and creates a customer-managed KMS CMK, with a key policy that keeps the account root as a principal, grants key-administration actions to that user, and grants key-usage actions to the same user.

---
AWSTemplateFormatVersion: '2010-09-09'
Description: Create a KMS Key
Resources:
  DynamoDBKey:
    Type: AWS::KMS::Key
    Properties:
      Description: DynamoDB Key
      Enabled: true
      EnableKeyRotation: true
      PendingWindowInDays: 7
      KeyPolicy:
        Version: 2012-10-17
        Id: AllowIAMUserPermissions
        Statement:
          - Sid: EnableIAMUserPermissions
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action:
              - kms:*
            Resource: '*'
          - Sid: AllowKeyAdministration
            Effect: Allow
            Principal:
              AWS:
                - !Sub arn:aws:iam::${AWS::AccountId}:user/ceoa
            Action:
              - kms:Create*
              - kms:Describe*
              - kms:Enable*
              - kms:List*
              - kms:Put*
              - kms:Update*
              - kms:Revoke*
              - kms:Disable*
              - kms:Get*
              - kms:Delete*
              - kms:TagResource
              - kms:UntagResource
            Resource: '*'
          - Sid: AllowKeyUse
            Effect: Allow
            Principal:
              AWS:
                - !Sub arn:aws:iam::${AWS::AccountId}:user/ceoa
            Action:
              - kms:Encrypt
              - kms:Decrypt
              - kms:ReEncrypt*
              - kms:GenerateDataKey*
              - kms:DescribeKey
            Resource: '*'
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName}-DynamoDBKey
  DynamoDBAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: !Sub alias/${AWS::StackName}
      TargetKeyId:
        Ref: DynamoDBKey
Outputs:
  KeyId:
    Value:
      Ref: DynamoDBKey
    Description: Key ID

Copy the CloudFormation CLI command below to launch the stack that creates a KMS Key.

aws cloudformation create-stack --stack-name ceoa-52-kms --template-body file:///home/ec2-user/environment/ceoa/ceoa-5-kms.yml --capabilities CAPABILITY_NAMED_IAM --disable-rollback

View the CloudFormation stacks at the CloudFormation Console.

Verify the KMS key was created by going to the KMS Console.
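The key policy above is the part of the template most worth reviewing, because it, not IAM, decides who can administer and use the key. The following Python script is an added example, not code from this wiki or the course materials: it embeds the template's KeyPolicy as CloudFormation would resolve it (with a constructed placeholder account ID), then reports whether the account root can still change the policy (losing that statement can make a key unmanageable), whether any non-root or outside-account principal is granted kms:*, and which principals end up as administrators, as users, or as both. The check functions and names are mine.

```python
"""Review a KMS key policy for the properties the ceoa-5-kms.yml template relies on.

Added example: the policy below is the template's KeyPolicy as CloudFormation
would resolve it, with a placeholder account ID (constructed, not real).
"""
import fnmatch

ACCOUNT_ID = "111122223333"  # placeholder account ID, not a real account
ROOT = f"arn:aws:iam::{ACCOUNT_ID}:root"
CEOA_USER = f"arn:aws:iam::{ACCOUNT_ID}:user/ceoa"

KEY_POLICY = {
    "Version": "2012-10-17",
    "Id": "AllowIAMUserPermissions",
    "Statement": [
        {"Sid": "EnableIAMUserPermissions", "Effect": "Allow",
         "Principal": {"AWS": ROOT}, "Action": ["kms:*"], "Resource": "*"},
        {"Sid": "AllowKeyAdministration", "Effect": "Allow",
         "Principal": {"AWS": [CEOA_USER]},
         "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                    "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                    "kms:Get*", "kms:Delete*", "kms:TagResource",
                    "kms:UntagResource"],
         "Resource": "*"},
        {"Sid": "AllowKeyUse", "Effect": "Allow",
         "Principal": {"AWS": [CEOA_USER]},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _aws_principals(statement):
    """AWS principals of a statement; the bare '*' form is returned as ['*']."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS"))


def principals_allowed(policy, action):
    """AWS principals whose Allow statements cover `action` (IAM '*' wildcards honoured)."""
    allowed = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if any(fnmatch.fnmatchcase(action, pattern) for pattern in _as_list(stmt.get("Action"))):
            allowed.update(_aws_principals(stmt))
    return allowed


def review_key_policy(policy, account_id):
    """Return findings plus the administrator / user split the policy establishes."""
    root = f"arn:aws:iam::{account_id}:root"
    findings = []

    # Without the account-root statement, IAM policies cannot grant access to the
    # key and nobody but the statement's own principals can ever change the policy.
    if root not in principals_allowed(policy, "kms:PutKeyPolicy"):
        findings.append("no account-root principal may change the key policy (lockout risk)")

    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for principal in _aws_principals(stmt):
            if principal == "*":
                findings.append(f"{stmt.get('Sid')}: open to any principal")
            elif principal.startswith("arn:aws:iam::") and f":{account_id}:" not in principal:
                findings.append(f"{stmt.get('Sid')}: cross-account principal {principal}")
            elif "kms:*" in _as_list(stmt.get("Action")) and principal != root:
                findings.append(f"{stmt.get('Sid')}: {principal} holds kms:*")

    administrators = principals_allowed(policy, "kms:PutKeyPolicy") - {root}
    users = principals_allowed(policy, "kms:Decrypt") - {root}
    return {
        "findings": findings,
        "administrators": administrators,
        "users": users,
        # An identity holding both roles can re-grant itself anything; the template
        # gives both roles to user/ceoa, which is worth knowing before reusing it.
        "admin_and_user": administrators & users,
    }


if __name__ == "__main__":
    print(review_key_policy(KEY_POLICY, ACCOUNT_ID))
    print("ceoa may schedule key deletion:",
          CEOA_USER in principals_allowed(KEY_POLICY, "kms:ScheduleKeyDeletion"))
```

Run as a script it prints no findings for the template's policy, shows user/ceoa as both administrator and user, and shows that the administration statement's kms:Delete* wildcard does not cover kms:ScheduleKeyDeletion, so only the account root can schedule this key for deletion.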

Create an S3 Bucket with KMS Encryption

cd ~/environment/ceoa
touch ceoa-5-s3.yml

Copy the contents below into the file and save it.

---
AWSTemplateFormatVersion: '2010-09-09'
Description: Create an S3 Bucket with KMS Encryption
Resources:
  ConfigBucket:
    Type: AWS::S3::Bucket
    DeletionPolicy: Retain
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              KMSMasterKeyID: !Sub arn:aws:kms:${AWS::Region}:${AWS::AccountId}:alias/aws/s3
              SSEAlgorithm: aws:kms
      AccessControl: BucketOwnerFullControl
      # AWS::StackId is the full stack ARN, which contains characters that are
      # not valid in a bucket name; use only the GUID at the end of the ARN.
      BucketName: !Sub
        - 'ceoa-${StackGuid}'
        - StackGuid: !Select [2, !Split ['/', !Ref 'AWS::StackId']]

Copy the CloudFormation CLI command below to launch the stack that creates an S3 Bucket with KMS encryption.

aws cloudformation create-stack --stack-name ceoa-5-s3 --template-body file:///home/ec2-user/environment/ceoa/ceoa-5-s3.yml --capabilities CAPABILITY_NAMED_IAM --disable-rollback

View the CloudFormation stacks at the CloudFormation Console.

Verify the S3 Bucket was enabled with KMS encryption by going to the S3 Console.

Create an EBS Volume

mkdir -p ~/environment/ceoa
cd ~/environment/ceoa
touch ceoa-5-ebs.yml

To get a list of AWS Availability Zones, type the following command:

aws ec2 describe-availability-zones

Copy the contents below into the file and save it.

---
AWSTemplateFormatVersion: '2010-09-09'
Description: EBS Volume
Parameters:
  AvailabilityZones:
    Description: Availability zone to deploy
    Type: String
Resources:
  EBSVolume:
    Type: "AWS::EC2::Volume"
    Properties:
      Encrypted: true
      AvailabilityZone: !Ref AvailabilityZones
      Size: 100
      Tags:
        - Key: Name
          Value: ceoa-5-2-encrypted

Copy the CloudFormation CLI command below to launch the stack that creates an encrypted EBS Volume (with no KmsKeyId in the template, the account's default EBS KMS key is used). The template's AvailabilityZones parameter has no default, so replace <availability-zone> with one of the ZoneName values returned by the describe-availability-zones command above; stack creation fails if the parameter is omitted.

aws cloudformation create-stack --stack-name ceoa-5-ebs --template-body file:///home/ec2-user/environment/ceoa/ceoa-5-ebs.yml --parameters ParameterKey=AvailabilityZones,ParameterValue=<availability-zone> --capabilities CAPABILITY_NAMED_IAM --disable-rollback

1. Once the ceoa-5-ebs CloudFormation stack is CREATE_COMPLETE, go to the EC2 Console.
2. Click on Volumes.
3. Select the checkbox next to the ceoa-5-2-encrypted EBS volume the CloudFormation stack launched and verify that the Encryption property in the Description tab shows Encrypted.

Create a DynamoDB Table

mkdir -p ~/environment/ceoa
cd ~/environment/ceoa
touch ceoa-5-ddb.yml

Copy the contents below into the file and save it.

---
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  myDynamoDBTable:
    Type: AWS::DynamoDB::Table
    Properties:
      SSESpecification:
        KMSMasterKeyId: alias/aws/dynamodb
        SSEEnabled: true
        SSEType: KMS
      AttributeDefinitions:
      - AttributeName: Album
        AttributeType: S
      - AttributeName: Artist
        AttributeType: S
      - AttributeName: Sales
        AttributeType: N
      - AttributeName: NumberOfSongs
        AttributeType: N
      KeySchema:
      - AttributeName: Album
        KeyType: HASH
      - AttributeName: Artist
        KeyType: RANGE
      ProvisionedThroughput:
        ReadCapacityUnits: 5
        WriteCapacityUnits: 5
      TableName:
        Ref: AWS::StackName
      GlobalSecondaryIndexes:
      - IndexName: myGSI
        KeySchema:
        - AttributeName: Sales
          KeyType: HASH
        - AttributeName: Artist
          KeyType: RANGE
        Projection:
          NonKeyAttributes:
          - Album
          - NumberOfSongs
          ProjectionType: INCLUDE
        ProvisionedThroughput:
          ReadCapacityUnits: 5
          WriteCapacityUnits: 5
      - IndexName: myGSI2
        KeySchema:
        - AttributeName: NumberOfSongs
          KeyType: HASH
        - AttributeName: Sales
          KeyType: RANGE
        Projection:
          NonKeyAttributes:
          - Album
          - Artist
          ProjectionType: INCLUDE
        ProvisionedThroughput:
          ReadCapacityUnits: 5
          WriteCapacityUnits: 5
      LocalSecondaryIndexes:
      - IndexName: myLSI
        KeySchema:
        - AttributeName: Album
          KeyType: HASH
        - AttributeName: Sales
          KeyType: RANGE
        Projection:
          NonKeyAttributes:
          - Artist
          - NumberOfSongs
          ProjectionType: INCLUDE

Copy the CloudFormation CLI command below to launch the stack that creates a DynamoDB table with default encryption.

aws cloudformation create-stack --stack-name ceoa-5-ddb --template-body file:///home/ec2-user/environment/ceoa/ceoa-5-ddb.yml --capabilities CAPABILITY_NAMED_IAM --disable-rollback

View the CloudFormation stacks at the CloudFormation Console.

Go to the DynamoDB console and verify KMS encryption is enabled for the table.
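The verification steps in this lesson are done in the consoles. The following Python script is an added example, not part of this wiki or the course, that performs the same checks on AWS CLI JSON output so they can be repeated after every deployment: the customer-managed key from ceoa-52-kms is enabled and rotating, the bucket has a default encryption rule with aws:kms (the page's template uses the AWS-managed alias/aws/s3 key), the tagged volume is encrypted, and the table reports KMS server-side encryption (the page's template uses alias/aws/dynamodb). The CLI commands that produce each input are in the comments; the dicts themselves are constructed samples shaped like that output, with placeholder IDs, and the check functions are mine. The DynamoDB check also handles the case where DescribeTable omits SSEDescription, which is how a table encrypted with an AWS-owned key (invisible in KMS) appears.

```python
"""Verify the encryption settings of the four stacks from AWS CLI JSON output.

Added example (not part of the wiki page). Run the commands in the comments,
load their JSON output, and pass it to the checks; the dicts below are
constructed samples shaped like that output, with placeholder IDs.
"""
import sys

# aws kms describe-key --key-id alias/ceoa-52-kms   (alias created by ceoa-5-kms.yml)
KMS_DESCRIBE_KEY = {"KeyMetadata": {
    "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",  # placeholder
    "KeyState": "Enabled", "KeyManager": "CUSTOMER", "Description": "DynamoDB Key"}}
# aws kms get-key-rotation-status --key-id alias/ceoa-52-kms
KMS_ROTATION = {"KeyRotationEnabled": True}
# aws s3api get-bucket-encryption --bucket <bucket name created by the ceoa-5-s3 stack>
# (the call errors with ServerSideEncryptionConfigurationNotFoundError when no
#  default encryption is configured; treat that as "not encrypted by default")
S3_ENCRYPTION = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:alias/aws/s3"}}]}}
# aws ec2 describe-volumes --filters Name=tag:Name,Values=ceoa-5-2-encrypted
EC2_VOLUMES = {"Volumes": [
    {"VolumeId": "vol-0123456789abcdef0", "Encrypted": True,  # placeholder ID
     "Tags": [{"Key": "Name", "Value": "ceoa-5-2-encrypted"}]}]}
# aws dynamodb describe-table --table-name ceoa-5-ddb
DDB_TABLE = {"Table": {"TableName": "ceoa-5-ddb", "SSEDescription": {
    "Status": "ENABLED", "SSEType": "KMS",
    "KMSMasterKeyArn": "arn:aws:kms:us-east-1:111122223333:key/placeholder"}}}


def kms_key_ok(describe_key, rotation_status):
    """Customer-managed, enabled and rotating: what ceoa-5-kms.yml asks for."""
    meta = describe_key["KeyMetadata"]
    return (meta.get("KeyState") == "Enabled"
            and meta.get("KeyManager") == "CUSTOMER"
            and rotation_status.get("KeyRotationEnabled") is True)


def s3_default_encryption(bucket_encryption):
    """(algorithm, key) of the bucket's default encryption rule, or (None, None)."""
    rules = bucket_encryption.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault")
        if default:
            return default.get("SSEAlgorithm"), default.get("KMSMasterKeyID")
    return None, None


def unencrypted_volumes(describe_volumes):
    """Volume IDs in the response that are not encrypted."""
    return [v["VolumeId"] for v in describe_volumes.get("Volumes", []) if not v.get("Encrypted")]


def dynamodb_sse(describe_table):
    """'KMS' for a KMS-managed key; 'AWS_OWNED' when DescribeTable omits SSEDescription
    (the table is encrypted with an AWS-owned key that never shows up in KMS);
    otherwise the raw status such as 'ENABLING' or 'DISABLED'."""
    sse = describe_table["Table"].get("SSEDescription")
    if sse is None:
        return "AWS_OWNED"
    if sse.get("Status") == "ENABLED":
        return sse.get("SSEType", "ENABLED")
    return sse.get("Status", "DISABLED")


def report(describe_key, rotation_status, bucket_encryption, describe_volumes, describe_table):
    """List of failed checks; an empty list means every resource matches its template."""
    failures = []
    if not kms_key_ok(describe_key, rotation_status):
        failures.append("KMS key is not an enabled, rotating customer-managed key")
    algorithm, _key = s3_default_encryption(bucket_encryption)
    if algorithm != "aws:kms":
        failures.append(f"S3 default encryption is {algorithm!r}, expected 'aws:kms'")
    plain = unencrypted_volumes(describe_volumes)
    if plain:
        failures.append("unencrypted EBS volumes: " + ", ".join(plain))
    sse = dynamodb_sse(describe_table)
    if sse != "KMS":
        failures.append(f"DynamoDB SSE is {sse}, expected KMS")
    return failures


if __name__ == "__main__":
    problems = report(KMS_DESCRIBE_KEY, KMS_ROTATION, S3_ENCRYPTION, EC2_VOLUMES, DDB_TABLE)
    print("\n".join(problems) if problems else "all encryption checks passed")
    sys.exit(1 if problems else 0)
```

The script exits non-zero when any check fails, so it can run as a gate after the create-stack commands; to check real resources, replace the sample dicts with json.load() of the command output named in each comment.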
