Paul Duvall edited this page Nov 13, 2019 · 19 revisions

5.2 Encryption at Rest with DynamoDB

Review and ensure that you have set up your development environment before going through the steps below.

Create a KMS Key

mkdir ~/environment/ceoa
cd ~/environment/ceoa
touch ceoa-4-kms.yml

Copy the contents below into the file and save it.

---
AWSTemplateFormatVersion: '2010-09-09'
Description: Create a KMS Key
Resources:
  DynamoDBKey:
    Type: AWS::KMS::Key
    Properties:
      Description: DynamoDB Key
      Enabled: true
      EnableKeyRotation: true
      PendingWindowInDays: 7
      KeyPolicy:
        Version: 2012-10-17
        Id: AllowIAMUserPermissions
        Statement:
          - Sid: EnableIAMUserPermissions
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action:
              - kms:*
            Resource: '*'
          - Sid: AllowKeyAdministration
            Effect: Allow
            Principal:
              AWS:
                - !Sub arn:aws:iam::${AWS::AccountId}:user/ceoa
            Action:
              - kms:Create*
              - kms:Describe*
              - kms:Enable*
              - kms:List*
              - kms:Put*
              - kms:Update*
              - kms:Revoke*
              - kms:Disable*
              - kms:Get*
              - kms:Delete*
              - kms:TagResource
              - kms:UntagResource
            Resource: '*'
          - Sid: AllowKeyUse
            Effect: Allow
            Principal:
              AWS:
                - !Sub arn:aws:iam::${AWS::AccountId}:user/ceoa
            Action:
              - kms:Encrypt
              - kms:Decrypt
              - kms:ReEncrypt*
              - kms:GenerateDataKey*
              - kms:DescribeKey
            Resource: '*'
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName}-DynamoDBKey
  DynamoDBAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: !Sub alias/${AWS::StackName}
      TargetKeyId:
        Ref: DynamoDBKey
Outputs:
  KeyId:
    Value:
      Ref: DynamoDBKey
    Description: Key ID

Copy the CloudFormation CLI command below to launch the stack that creates a KMS Key.

aws cloudformation create-stack --stack-name ceoa-4-kms --template-body file:///home/ec2-user/environment/ceoa/ceoa-4-kms.yml --capabilities CAPABILITY_NAMED_IAM --disable-rollback

Create an S3 Bucket with KMS Encryption

cd ~/environment/ceoa
touch ceoa-4-s3.yml

Copy the contents below into the file and save it.

---
AWSTemplateFormatVersion: '2010-09-09'
Description: Create an S3 Bucket with KMS Encryption
Resources:
  ConfigBucket:
    Type: AWS::S3::Bucket
    DeletionPolicy: Retain
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              KMSMasterKeyID: !Sub arn:aws:kms:${AWS::Region}:${AWS::AccountId}:alias/aws/s3
              SSEAlgorithm: aws:kms
      AccessControl: BucketOwnerFullControl
      BucketName: !Sub '${AWS::StackName}-s3kms'

Copy the CloudFormation CLI command below to launch the stack that creates an S3 Bucket with KMS encryption.

aws cloudformation create-stack --stack-name ceoa-4-s3 --template-body file:///home/ec2-user/environment/ceoa/ceoa-4-s3.yml --capabilities CAPABILITY_NAMED_IAM --disable-rollback

Create an EBS Volume

mkdir -p ~/environment/ceoa
cd ~/environment/ceoa
touch ceoa-4-ebs.yml

Copy the contents below into the file and save it.

AWSTemplateFormatVersion: "2010-09-09"

Description: EBS Volume Encryption

Resources:
  EBSVolume:    
    Type: "AWS::EC2::Volume"
    Properties:
      Encrypted: true
      AvailabilityZone: us-east-1a
      Size: 100
      Tags:
        - Key: Name
          Value: ceoa-4-2-encrypted

Copy the CloudFormation CLI command below to launch the stack that creates an EBS Volume with default encryption.

aws cloudformation create-stack --stack-name ceoa-4-ebs --template-body file:///home/ec2-user/environment/ceoa/ceoa-4-ebs.yml --capabilities CAPABILITY_NAMED_IAM --disable-rollback

  1. Once the ceoa-4-ebs CloudFormation stack is CREATE_COMPLETE, go to the EC2 Console.
  2. Click on Volumes.
  3. Select the checkbox next to the ceoa-4-2-encrypted EBS volume that the CloudFormation stack launched and verify that the Encryption property in the Description tab shows Encrypted.

Create a DynamoDB Table

mkdir -p ~/environment/ceoa
cd ~/environment/ceoa
touch ceoa-4-ddb.yml

Copy the contents below into the file and save it.

---
AWSTemplateFormatVersion: '2010-09-09'
Resources: 
  myDynamoDBTable: 
    Type: AWS::DynamoDB::Table
    Properties: 
      SSESpecification:
        KMSMasterKeyId: alias/aws/dynamodb
        SSEEnabled: true
        SSEType: KMS
      AttributeDefinitions: 
        - 
          AttributeName: "Album"
          AttributeType: "S"
        - 
          AttributeName: "Artist"
          AttributeType: "S"
        - 
          AttributeName: "Sales"
          AttributeType: "N"
        - 
          AttributeName: "NumberOfSongs"
          AttributeType: "N"
      KeySchema: 
        - 
          AttributeName: "Album"
          KeyType: "HASH"
        - 
          AttributeName: "Artist"
          KeyType: "RANGE"
      ProvisionedThroughput: 
        ReadCapacityUnits: "5"
        WriteCapacityUnits: "5"
      TableName:
        Ref: AWS::StackName
      GlobalSecondaryIndexes: 
        - 
          IndexName: "myGSI"
          KeySchema: 
            - 
              AttributeName: "Sales"
              KeyType: "HASH"
            - 
              AttributeName: "Artist"
              KeyType: "RANGE"
          Projection: 
            NonKeyAttributes: 
              - "Album"
              - "NumberOfSongs"
            ProjectionType: "INCLUDE"
          ProvisionedThroughput: 
            ReadCapacityUnits: "5"
            WriteCapacityUnits: "5"
        - 
          IndexName: "myGSI2"
          KeySchema: 
            - 
              AttributeName: "NumberOfSongs"
              KeyType: "HASH"
            - 
              AttributeName: "Sales"
              KeyType: "RANGE"
          Projection: 
            NonKeyAttributes: 
              - "Album"
              - "Artist"
            ProjectionType: "INCLUDE"
          ProvisionedThroughput: 
            ReadCapacityUnits: "5"
            WriteCapacityUnits: "5"
      LocalSecondaryIndexes: 
        - 
          IndexName: "myLSI"
          KeySchema: 
            - 
              AttributeName: "Album"
              KeyType: "HASH"
            - 
              AttributeName: "Sales"
              KeyType: "RANGE"
          Projection: 
            NonKeyAttributes: 
              - "Artist"
              - "NumberOfSongs"
            ProjectionType: "INCLUDE"

Copy the CloudFormation CLI command below to launch the stack that creates a DynamoDB table with default encryption.

aws cloudformation create-stack --stack-name ceoa-4-ddb --template-body file:///home/ec2-user/environment/ceoa/ceoa-4-ddb.yml --capabilities CAPABILITY_NAMED_IAM --disable-rollback

Go to the DynamoDB console and verify KMS encryption is enabled for the table.
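Console checks like the ones above do not scale, so here is an added example (not code from the wiki or its author) that audits parsed CloudFormation templates offline for the same encryption-at-rest settings: KMS key rotation, S3 default SSE-KMS, EBS Encrypted, DynamoDB SSE with KMS, plus a check for `${...}` left in a plain string, which is what happens when `!Sub` is omitted. Templates are taken as already-parsed dicts (the shape a YAML loader returns), and the two sample templates are constructed for the demonstration.

```python
# Added example (not the wiki's code): offline checks on parsed CloudFormation
# templates for the encryption-at-rest settings this walkthrough configures.
from typing import Any, Dict, List

def _props(res: Dict) -> Dict:
    return res.get("Properties") or {}
def check_kms_key(name: str, res: Dict) -> List[str]:
    rotates = _props(res).get("EnableKeyRotation") is True
    return [] if rotates else [f"{name}: KMS key without automatic rotation"]
def check_s3_bucket(name: str, res: Dict) -> List[str]:
    cfg = _props(res).get("BucketEncryption") or {}
    algos = {(r.get("ServerSideEncryptionByDefault") or {}).get("SSEAlgorithm")
             for r in cfg.get("ServerSideEncryptionConfiguration") or []}
    return [] if "aws:kms" in algos else [f"{name}: S3 bucket lacks default SSE-KMS"]
def check_ebs_volume(name: str, res: Dict) -> List[str]:
    return [] if _props(res).get("Encrypted") is True else [f"{name}: EBS volume not encrypted"]
def check_dynamodb_table(name: str, res: Dict) -> List[str]:
    sse = _props(res).get("SSESpecification") or {}
    ok = sse.get("SSEEnabled") is True and sse.get("SSEType") == "KMS"
    return [] if ok else [f"{name}: DynamoDB table lacks KMS encryption at rest"]

CHECKS = {"AWS::KMS::Key": check_kms_key, "AWS::S3::Bucket": check_s3_bucket,
          "AWS::EC2::Volume": check_ebs_volume, "AWS::DynamoDB::Table": check_dynamodb_table}

def unresolved_subs(node: Any, path: str) -> List[str]:
    # A plain string still holding '${...}' was never wrapped in !Sub, so
    # CloudFormation would use it literally (e.g. 'alias/${AWS::StackName}').
    if isinstance(node, dict):
        return [f for k, v in node.items() for f in unresolved_subs(v, f"{path}.{k}")]
    if isinstance(node, list):
        return [f for i, v in enumerate(node) for f in unresolved_subs(v, f"{path}[{i}]")]
    return [f"{path}: literal '${{...}}' (missing !Sub?)"] if isinstance(node, str) and "${" in node else []

def audit_template(template: Dict) -> List[str]:
    resources = template.get("Resources") or {}
    findings = unresolved_subs(resources, "Resources")
    for name, res in resources.items():
        check = CHECKS.get(res.get("Type"))
        findings.extend(check(name, res) if check else [])
    return findings

# Constructed samples: the walkthrough's encrypted EBS volume, then a template with defects.
GOOD = {"Resources": {"EBSVolume": {"Type": "AWS::EC2::Volume", "Properties": {
    "Encrypted": True, "AvailabilityZone": "us-east-1a", "Size": 100}}}}
BAD = {"Resources": {
    "Vol": {"Type": "AWS::EC2::Volume", "Properties": {"Size": 100}},
    "Bucket": {"Type": "AWS::S3::Bucket", "Properties": {"BucketEncryption": {
        "ServerSideEncryptionConfiguration": [{"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}},
    "Alias": {"Type": "AWS::KMS::Alias", "Properties": {"AliasName": "alias/${AWS::StackName}"}},
    "Table": {"Type": "AWS::DynamoDB::Table", "Properties": {"SSESpecification": {"SSEEnabled": True}}}}}
```

Running `audit_template(BAD)` returns four findings (the literal alias string, the unencrypted volume, the AES256-only bucket and the table without SSEType KMS), while `audit_template(GOOD)` returns none.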
