Create KMS managed policy to decouple key id from app #18
Conversation
@@ -92,24 +92,96 @@ Once key is created in your account. It is re-usable across stacks: | |||
*/ | |||
export class SymmetricKey extends kms.Key { | |||
public readonly alias: kms.IAlias | |||
public readonly accessPolicy: iam.IManagedPolicy | |||
|
|||
constructor(scope: cdk.Construct, id: string, props: kms.KeyProps = {}) { | |||
const { alias, ...other } = props | |||
const keyAlias = alias || `alias/${id}` | |||
super(scope, id, symmetricKeyProps({ alias: keyAlias, ...other })) | |||
|
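Review bot: the single `public readonly accessPolicy: iam.IManagedPolicy` attribute does not match the three managed policies the documentation in this PR lists (`allow-encrypt-MyKey`, `allow-decrypt-MyKey`, `allow-crypto-MyKey`); with one attribute a consumer cannot pick the least-privileged policy for its direction of use. Expose one attribute per policy instance (for example `encryptPolicy`, `decryptPolicy`, `cryptoPolicy`, names suggested here, not taken from the hunk) so an application that only decrypts is never handed encrypt rights by default, and since the fields are `readonly` they must be assigned in the constructor, which is cut off after the `super(...)` call in this hunk.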
Define managed policy attribute per policy instance
doc/kms-key.md
Outdated
CMK and IAM policies are a framework to grant access for usage of keys. The default policy enables the root user in the account and allows to attach IAM policies. For each symmetric key, the library creates managed policies to enforce least privilege. Your application can re-use one of the following policy: | ||
* `allow-encrypt-MyKey` | ||
* `allow-decrypt-MyKey` | ||
* `allow-crypto-MyKey` |
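Review bot: the list names three policies but never states which KMS actions each one grants, so a reader cannot tell from the names alone that `allow-crypto-MyKey` is the union of the other two and therefore the broadest choice; add one sentence per bullet stating the granted actions and recommend the single-direction policies where an application only encrypts or only decrypts, otherwise the "least privilege" claim in the paragraph is not actionable. Also fix the grammar in the same paragraph: "allows to attach IAM policies" should read "allows IAM policies to be attached", and "re-use one of the following policy" should read "policies".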
Comment purpose of each policy
```typescript | ||
c3.kms.fromAlias(stack, 'alias/MyKey') | ||
``` | ||
|
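Review bot: the snippet `c3.kms.fromAlias(stack, 'alias/MyKey')` shows how to look a key up but not why the alias, rather than the key id or ARN, is the handle an application should reference; add a sentence that the alias is the stable name that stays the same when the underlying CMK is replaced during rotation, which is what lets key material be rotated without redeploying the consuming stacks (the point of decoupling the key id from the app in this PR's title). Also state that the literal `alias/` prefix is required and matches the `alias/${id}` default the constructor applies, so readers do not pass a bare `MyKey`.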
Clarify a role of alias for frequent key rotation
No description provided.