Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
153 lines (152 sloc) 4.14 KB
---
# Copyright 2018 widdix GmbH
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Security: KMS customer managed CMK for AWS services, a cloudonaut.io template'
Metadata:
'AWS::CloudFormation::Interface':
ParameterGroups:
- Label:
default: 'Parent Stacks'
Parameters:
- ParentAlertStack
- Label:
default: 'KMS Parameters'
Parameters:
- Service
Parameters:
ParentAlertStack:
Description: 'Optional but recommended stack name of parent alert stack based on operations/alert.yaml template.'
Type: String
Default: ''
Service:
Description: 'Which AWS service is allowed to use this CMK?'
Type: String
AllowedValues:
- 'ALL_SERVICES'
- 'S3_PUBLIC_ACCESS'
- connect
- dms
- ssm
- ec2
- elasticfilesystem
- es
- kinesis
- kinesisvideo
- lambda
- lex
- redshift
- rds
- secretsmanager
- ses
- s3
- importexport
- sqs
- workmail
- workspaces
Default: ALL_SERVICES
Conditions:
HasAlertTopic: !Not [!Equals [!Ref ParentAlertStack, '']]
HasServiceAllServices: !Equals [!Ref Service, 'ALL_SERVICES']
HasServiceS3PublicAccess: !Equals [!Ref Service, 'S3_PUBLIC_ACCESS']
Resources:
Key:
DeletionPolicy: Retain
Type: 'AWS::KMS::Key'
Properties:
KeyPolicy:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
Action: 'kms:*'
Resource: '*'
- Effect: Allow
Principal:
AWS: '*'
Action:
- 'kms:Encrypt'
- 'kms:Decrypt'
- 'kms:ReEncrypt*'
- 'kms:GenerateDataKey*'
- 'kms:CreateGrant'
- 'kms:ListGrants'
- 'kms:DescribeKey'
Resource: '*'
Condition:
StringEquals: !If
- HasServiceAllServices
- 'kms:CallerAccount': !Ref 'AWS::AccountId'
- 'kms:CallerAccount': !Ref 'AWS::AccountId'
'kms:ViaService': !Sub '${Service}.${AWS::Region}.amazonaws.com'
- !If
- HasServiceS3PublicAccess
- Effect: Allow
Principal:
AWS: '*'
Action:
- 'kms:Decrypt'
Resource: '*'
Condition:
StringEquals:
'kms:ViaService': !Sub 's3.${AWS::Region}.amazonaws.com'
- !Ref 'AWS::NoValue'
KeyAlias:
DeletionPolicy: Retain
Type: 'AWS::KMS::Alias'
Properties:
AliasName: !Sub 'alias/${AWS::StackName}'
TargetKeyId: !Ref Key
DeletionNotification:
Condition: HasAlertTopic
Type: 'AWS::Events::Rule'
Properties:
EventPattern:
source:
- 'aws.kms'
'detail-type':
- 'AWS API Call via CloudTrail'
resources:
- !GetAtt Key.Arn
detail:
eventSource:
- 'kms.amazonaws.com'
'eventName':
- ScheduleKeyDeletion
- DisableKey
State: ENABLED
Targets:
- Arn: {'Fn::ImportValue': !Sub '${ParentAlertStack}-TopicARN'}
Id: rule
Outputs:
TemplateID:
Description: 'cloudonaut.io template id.'
Value: 'security/kms-key'
TemplateVersion:
Description: 'cloudonaut.io template version.'
Value: '__VERSION__'
StackName:
Description: 'Stack name.'
Value: !Sub '${AWS::StackName}'
KeyId:
Description: 'Key id.'
Value: !Ref Key
Export:
Name: !Sub '${AWS::StackName}-KeyId'
KeyArn:
Description: 'Key ARN.'
Value: !GetAtt 'Key.Arn'
Export:
Name: !Sub '${AWS::StackName}-KeyArn'
You can’t perform that action at this time.