Last active
June 8, 2022 15:14
-
-
Save t04glovern/24a912d17118aaa5e735a9451d3705d2 to your computer and use it in GitHub Desktop.
Roles and Resources required to export Amazon WorkMail content programmatically
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
AWSTemplateFormatVersion: 2010-09-09 | |
Description: Roles and Resources required to export Amazon WorkMail content programmatically | |
Resources: | |
WorkMailExportBucket: | |
Type: AWS::S3::Bucket | |
WorkMailExportBucketKey: | |
Type: AWS::KMS::Key | |
DeletionPolicy: Retain | |
Properties: | |
Description: Symmetric CMK used to encrypt exported WorkMail | |
KeyPolicy: | |
Version: '2012-10-17' | |
Id: workmail-export-key | |
Statement: | |
- Sid: Enable IAM User Permissions | |
Effect: Allow | |
Principal: | |
AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root' | |
Action: kms:* | |
Resource: '*' | |
- Sid: Allow administration of the key | |
Effect: Allow | |
Principal: | |
# AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:role/REPLACE_ROLE_NAME_HERE' | |
# AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:user/REPLACE_USERNAME_HERE' | |
Action: | |
- kms:Create* | |
- kms:Describe* | |
- kms:Enable* | |
- kms:List* | |
- kms:Put* | |
- kms:Update* | |
- kms:Revoke* | |
- kms:Disable* | |
- kms:Get* | |
- kms:Delete* | |
- kms:ScheduleKeyDeletion | |
- kms:CancelKeyDeletion | |
Resource: '*' | |
WorkMailExportRole: | |
Type: 'AWS::IAM::Role' | |
Properties: | |
Policies: | |
- PolicyName: workmail-export | |
PolicyDocument: | |
Version: "2012-10-17" | |
Statement: | |
- Effect: Allow | |
Action: | |
- s3:AbortMultipartUpload | |
- s3:PutObject | |
- s3:GetBucketPolicyStatus | |
Resource: | |
- !Sub 'arn:aws:s3:::${WorkMailExportBucket}' | |
- !Sub 'arn:aws:s3:::${WorkMailExportBucket}/*' | |
- Effect: Allow | |
Action: | |
- kms:Decrypt | |
- kms:GenerateDataKey | |
Resource: | |
- !GetAtt WorkMailExportBucketKey.Arn | |
Condition: | |
StringEquals: | |
kms:ViaService: !Sub 's3.${AWS::Region}.amazonaws.com' | |
StringLike: | |
kms:EncryptionContext:aws:s3:arn: !Sub 'arn:aws:s3:::${WorkMailExportBucket}/*' | |
AssumeRolePolicyDocument: | |
Version: "2012-10-17" | |
Statement: | |
- Effect: Allow | |
Principal: | |
Service: export.workmail.amazonaws.com | |
Action: sts:AssumeRole | |
Condition: | |
StringEquals: | |
sts:ExternalId: !Ref AWS::AccountId | |
Outputs: | |
WorkMailBucket: | |
Description: Bucket where Amazon WorkMail emails are exported to | |
Value: !Ref WorkMailExportBucket |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment