Created
June 11, 2021 09:31
-
-
Save daknhh/532b542d650e0eebbe1f3f95bd3a4cff to your computer and use it in GitHub Desktop.
Create KMS Key for CloudWatch and SSM
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| AWSTemplateFormatVersion: 2010-09-09 | |
| Description: Create KMS Key for CloudWatch and SSM | |
| Metadata: | |
| Author: | |
| Description: David Krohn | |
| Resources: | |
| CloudWatchKey: | |
| Type: 'AWS::KMS::Key' | |
| Properties: | |
| EnableKeyRotation: true | |
| KeyPolicy: | |
| Version: "2012-10-17" | |
| Id: "KmsKeyForCloudWatchPolicy" | |
| Statement: | |
| - Sid: "Enable IAM User Permissions" | |
| Effect: "Allow" | |
| Principal: | |
| AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root" | |
| Action: "kms:*" | |
| Resource: "*" | |
| - | |
| Sid: "Allow usage for Lambda" | |
| Effect: "Allow" | |
| Principal: | |
| AWS: "*" | |
| Action: | |
| - "kms:Encrypt" | |
| - "kms:Decrypt" | |
| - "kms:ReEncrypt*" | |
| - "kms:GenerateDataKey*" | |
| - "kms:CreateGrant" | |
| - "kms:ListGrants" | |
| - "kms:DescribeKey" | |
| Resource: "*" | |
| Condition: | |
| StringEquals: | |
| "kms:ViaService": !Sub "lambda.${AWS::Region}.amazonaws.com" | |
| - | |
| Sid: "Allow usage for CloudWatch" | |
| Effect: "Allow" | |
| Principal: | |
| Service: !Sub "logs.${AWS::Region}.amazonaws.com" | |
| Action: | |
| - "kms:Encrypt" | |
| - "kms:Decrypt" | |
| - "kms:ReEncrypt*" | |
| - "kms:GenerateDataKey*" | |
| - "kms:CreateGrant" | |
| - "kms:ListGrants" | |
| - "kms:DescribeKey" | |
| Resource: "*" | |
| - Sid: Usage | |
| Effect: Allow | |
| Principal: | |
| AWS: | |
| - "*" | |
| Action: | |
| - "kms:Encrypt" | |
| - "kms:Decrypt" | |
| - "kms:ReEncrypt*" | |
| - "kms:GenerateDataKey*" | |
| - "kms:CreateGrant" | |
| - "kms:ListGrants" | |
| - "kms:DescribeKey" | |
| Resource: '*' | |
| Condition: | |
| StringEquals: | |
| aws:PrincipalAccount: !Ref AWS::AccountId | |
| CloudWatchKmsKeyAlias: | |
| Type: AWS::KMS::Alias | |
| Properties: | |
| AliasName: alias/KMS/CW/DEFAULT/ENCRYPTION | |
| TargetKeyId: !Ref CloudWatchKey | |
| CloudWatchKmsArnSSMParameter: | |
| Type: "AWS::SSM::Parameter" | |
| Properties: | |
| Name: /KMS/CW/DEFAULT/ARN | |
| Type: "String" | |
| Value: !GetAtt CloudWatchKey.Arn | |
| Description: "KMS Key ARN fuer Kinesis Encryption" | |
| SessionManagerKmsKey: | |
| Type: AWS::KMS::Key | |
| Properties: | |
| KeyPolicy: | |
| Version: 2012-10-17 | |
| Id: allowRootAccess | |
| Statement: | |
| - Sid: AdministrativeAccess | |
| Effect: Allow | |
| Principal: | |
| AWS: | |
| - !Ref AWS::AccountId | |
| Action: | |
| - kms:* | |
| Resource: '*' | |
| - | |
| Sid: "Allow usage for SSM" | |
| Effect: "Allow" | |
| Principal: | |
| Service: ssm.amazonaws.com | |
| Action: | |
| - "kms:Encrypt" | |
| - "kms:Decrypt" | |
| - "kms:ReEncrypt*" | |
| - "kms:GenerateDataKey*" | |
| - "kms:CreateGrant" | |
| - "kms:ListGrants" | |
| - "kms:DescribeKey" | |
| Resource: "*" | |
| - Sid: Usage | |
| Effect: Allow | |
| Principal: | |
| AWS: | |
| - "*" | |
| Action: | |
| - "kms:Encrypt" | |
| - "kms:Decrypt" | |
| - "kms:ReEncrypt*" | |
| - "kms:GenerateDataKey*" | |
| - "kms:CreateGrant" | |
| - "kms:ListGrants" | |
| - "kms:DescribeKey" | |
| Resource: '*' | |
| Condition: | |
| StringEquals: | |
| aws:PrincipalAccount: !Ref AWS::AccountId | |
| EnableKeyRotation: true | |
| SessionManagerKmsKeyAlias: | |
| Type: AWS::KMS::Alias | |
| Properties: | |
| AliasName: alias/KMS/SSM/DEFAULT/ENCRYPTION | |
| TargetKeyId: !Ref SessionManagerKmsKey | |
| SSmKmsArnSSMParameter: | |
| Type: "AWS::SSM::Parameter" | |
| Properties: | |
| Name: /KMS/SSM/DEFAULT/ARN | |
| Type: "String" | |
| Value: !GetAtt SessionManagerKmsKey.Arn | |
| Description: "KMS Key ARN fuer SessionManager Encryption" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment