Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Create KMS Key for CloudWatch and SSM
AWSTemplateFormatVersion: 2010-09-09
Description: Create KMS Key for CloudWatch and SSM
Metadata:
Author:
Description: David Krohn
Resources:
CloudWatchKey:
Type: 'AWS::KMS::Key'
Properties:
EnableKeyRotation: true
KeyPolicy:
Version: "2012-10-17"
Id: "KmsKeyForCloudWatchPolicy"
Statement:
- Sid: "Enable IAM User Permissions"
Effect: "Allow"
Principal:
AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
Action: "kms:*"
Resource: "*"
-
Sid: "Allow usage for Lambda"
Effect: "Allow"
Principal:
AWS: "*"
Action:
- "kms:Encrypt"
- "kms:Decrypt"
- "kms:ReEncrypt*"
- "kms:GenerateDataKey*"
- "kms:CreateGrant"
- "kms:ListGrants"
- "kms:DescribeKey"
Resource: "*"
Condition:
StringEquals:
"kms:ViaService": !Sub "lambda.${AWS::Region}.amazonaws.com"
-
Sid: "Allow usage for CloudWatch"
Effect: "Allow"
Principal:
Service: !Sub "logs.${AWS::Region}.amazonaws.com"
Action:
- "kms:Encrypt"
- "kms:Decrypt"
- "kms:ReEncrypt*"
- "kms:GenerateDataKey*"
- "kms:CreateGrant"
- "kms:ListGrants"
- "kms:DescribeKey"
Resource: "*"
- Sid: Usage
Effect: Allow
Principal:
AWS:
- "*"
Action:
- "kms:Encrypt"
- "kms:Decrypt"
- "kms:ReEncrypt*"
- "kms:GenerateDataKey*"
- "kms:CreateGrant"
- "kms:ListGrants"
- "kms:DescribeKey"
Resource: '*'
Condition:
StringEquals:
aws:PrincipalAccount: !Ref AWS::AccountId
CloudWatchKmsKeyAlias:
Type: AWS::KMS::Alias
Properties:
AliasName: alias/KMS/CW/DEFAULT/ENCRYPTION
TargetKeyId: !Ref CloudWatchKey
CloudWatchKmsArnSSMParameter:
Type: "AWS::SSM::Parameter"
Properties:
Name: /KMS/CW/DEFAULT/ARN
Type: "String"
Value: !GetAtt CloudWatchKey.Arn
Description: "KMS Key ARN fuer Kinesis Encryption"
SessionManagerKmsKey:
Type: AWS::KMS::Key
Properties:
KeyPolicy:
Version: 2012-10-17
Id: allowRootAccess
Statement:
- Sid: AdministrativeAccess
Effect: Allow
Principal:
AWS:
- !Ref AWS::AccountId
Action:
- kms:*
Resource: '*'
-
Sid: "Allow usage for SSM"
Effect: "Allow"
Principal:
Service: ssm.amazonaws.com
Action:
- "kms:Encrypt"
- "kms:Decrypt"
- "kms:ReEncrypt*"
- "kms:GenerateDataKey*"
- "kms:CreateGrant"
- "kms:ListGrants"
- "kms:DescribeKey"
Resource: "*"
- Sid: Usage
Effect: Allow
Principal:
AWS:
- "*"
Action:
- "kms:Encrypt"
- "kms:Decrypt"
- "kms:ReEncrypt*"
- "kms:GenerateDataKey*"
- "kms:CreateGrant"
- "kms:ListGrants"
- "kms:DescribeKey"
Resource: '*'
Condition:
StringEquals:
aws:PrincipalAccount: !Ref AWS::AccountId
EnableKeyRotation: true
SessionManagerKmsKeyAlias:
Type: AWS::KMS::Alias
Properties:
AliasName: alias/KMS/SSM/DEFAULT/ENCRYPTION
TargetKeyId: !Ref SessionManagerKmsKey
SSmKmsArnSSMParameter:
Type: "AWS::SSM::Parameter"
Properties:
Name: /KMS/SSM/DEFAULT/ARN
Type: "String"
Value: !GetAtt SessionManagerKmsKey.Arn
Description: "KMS Key ARN fuer SessionManager Encryption"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment