fix: default encryption key iam policy
mvayngrib committed May 23, 2018
1 parent 9f6d143 commit 1a19120
Showing 1 changed file with 70 additions and 16 deletions.
86 changes: 70 additions & 16 deletions serverless-uncompiled.yml
Expand Up @@ -98,6 +98,7 @@ custom:

# prefixes
prefix: ${{self:service}}-${{self:custom.stage}}-
regionalPrefix: ${{self:service}}-${{self:custom.stage}}-${{self:custom.region}}-
prefixRole: ${{self:custom.prefix}}
# maybe during info/auth, the server can send back the prefix
# prefixIOTTopic: ${{self:service}}-
Expand Down Expand Up @@ -279,7 +280,7 @@ custom:
logRetentionInDays: 7

issue2233WorkaroundKey: issue2233WorkaroundKey-${{self:service}}-${{self:provider.stage}}
defaultKMSKeyId: ${{self:custom.prefix}}default-key
defaultKMSKeyId: ${{self:custom.regionalPrefix}}default-key

# secrets: ${{file(secrets.${opt:stage, self:provider.stage}}.yml)}
# dynamodb:
Expand Down Expand Up @@ -524,12 +525,12 @@ provider:
- ses:GetIdentityVerificationAttributes
Resource: "*"

- Effect: Allow
Action:
- 'ssm:GetParameter*'
- 'ssm:PutParameter*'
Resource:
- 'arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/tradle/${{self:custom.prefix}}*'
# - Effect: Allow
# Action:
# - 'ssm:GetParameter*'
# - 'ssm:PutParameter*'
# Resource:
# - 'arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/tradle/${{self:custom.prefix}}*'

functions:
# warm up other functions
Expand Down Expand Up @@ -1022,6 +1023,7 @@ resources:
service: ${{self:service}}
stage: ${{self:custom.stage}}
stackName: ${{self:custom.stackName}}
# encryptionKey:
# which MyCloud generated the template
referrerUrl: ''
deploymentUUID: ''
Expand Down Expand Up @@ -1331,31 +1333,83 @@ resources:
Fn::FindInMap: ["deployment", "init", "deploymentUUID"]
referrerUrl:
Fn::FindInMap: ["deployment", "init", "referrerUrl"]
# encryptionKey:
# Fn::FindInMap: ["deployment", "init", "encryptionKey"]

# <<: *providerConf

DefaultEncryptionKey:
Type: AWS::KMS::Key
Properties:
Description: 'Encryption key for secrets in SSM'
# Enabled: True
# EnableKeyRotation: False
Enabled: True
EnableKeyRotation: False
Tags:
- Key: tradle
Value: ${{self:custom.stackName}}-${{self:provider.region}}

KeyPolicy:
Version: '2012-10-17'
Id: ${{self:custom.defaultKMSKeyId}}-policy
Statement:
- Sid: 'allowUseKMSKey'
- Sid: 'Allow access for Key Administrators'
Effect: Allow
Principal:
AWS:
- Fn::Sub: 'arn:aws:iam::${AWS::AccountId}:root'
Action:
- 'kms:Create*'
- 'kms:Describe*'
- 'kms:Enable*'
- 'kms:List*'
- 'kms:Put*'
- 'kms:Update*'
- 'kms:Revoke*'
- 'kms:Disable*'
- 'kms:Get*'
- 'kms:Delete*'
- 'kms:TagResource'
- 'kms:UntagResource'
- 'kms:ScheduleKeyDeletion'
- 'kms:CancelKeyDeletion'
Resource: '*'

- Sid: 'Allow attachment of persistent resources'
Effect: Allow
Principal:
AWS:
- Fn::Sub: 'arn:aws:iam::${AWS::AccountId}:root'
Action:
- 'kms:CreateGrant'
- 'kms:ListGrants'
- 'kms:RevokeGrant'

# Condition:
# ForAllValues:StringEquals:
# kms:GrantOperations:
# - 'Decrypt'

# https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-grant-is-for-aws-resource
Condition:
Bool:
"kms:GrantIsForAWSResource": true

Resource: '*'
- Sid: 'Allow use of the key'
Effect: Allow
Principal:
AWS:
# circular dep?
- Fn::GetAtt:
- IamRoleLambdaExecution
- Arn
Resource: '*'
Action:
- 'kms:Encrypt'
- 'kms:Decrypt'
- 'kms:ReEncrypt*'
- 'kms:GenerateDataKey*'
- 'kms:DescribeKey'
- 'kms:GenerateDataKey'
Resource: '*'

# DefaultEncryptionKeyAlias:
# Type: AWS::KMS::Alias
# Properties:
# AliasName: alias/${{self:custom.defaultKMSKeyId}}
# TargetKeyId:
# Ref: DefaultEncryptionKey
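Review bot: `EnableKeyRotation: False` on DefaultEncryptionKey turns off automatic rotation for a key whose own description says it protects SSM secrets; rotation of a symmetric CMK is yearly, free, and keeps existing ciphertexts decryptable, so unless a single backing key is deliberately pinned this should read `EnableKeyRotation: true` (and `Enabled: true`, since `True`/`False` are YAML 1.1 spellings that yamllint flags as non-canonical). In the 'Allow use of the key' statement, `kms:GenerateDataKey` is already matched by `kms:GenerateDataKey*` and can be dropped. The provider.iamRoleStatements hunk comments out the `ssm:GetParameter*`/`ssm:PutParameter*` statement, so unless that permission is granted elsewhere the execution role can now use the key but cannot read or write the parameters it encrypts; if that is intentional, a comment naming where SSM access now comes from would help the next reader. The `# circular dep?` comment above the Fn::GetAtt could state the actual constraint: the role gets its KMS access only through this key policy, so no provider.iamRoleStatements entry may reference DefaultEncryptionKey or CloudFormation will reject the template with a circular dependency.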
