【AWS】CloudFormation ~ KMS ~

■ Introduction

This post continues from

https://dk521123.hatenablog.com/entry/2022/05/25/220037

This time, let's create a KMS (AWS Key Management Service) key with CloudFormation.

Contents

【1】KMS Key
 1) EnableKeyRotation
 2) KeyPolicy
【2】KMS Alias
 1) AliasName
 2) TargetKeyId
【3】Sample

【1】KMS Key

* Use "Type: AWS::KMS::Key"

https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html

1) EnableKeyRotation

* Whether to enable automatic rotation of the KMS key (True/False)

2) KeyPolicy

* This is the crux: write it following the KMS key policy specification below
* Note that a statement allowing the account root principal "kms:*" (as in the sample later) delegates access control to IAM policies in the account; without it or an equivalent statement, the key can become unmanageable

https://docs.aws.amazon.com/ja_jp/kms/latest/developerguide/key-policies.html

【2】KMS Alias

* Use "Type: "AWS::KMS::Alias""

https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-resource-kms-alias.html

1) AliasName

* Specify the alias name
* It must begin with "alias/"; the "alias/aws/" prefix is reserved for AWS managed keys

2) TargetKeyId

* Specify the ID of the target KMS key
* "TargetKeyId: !Ref <KMS key>" is all you need

Example of specifying Action (the duplicate kms:GenerateDataKeyPair entry has been removed)

            Action:
              - kms:Encrypt
              - kms:Decrypt
              - kms:GenerateDataKey
              - kms:GenerateDataKeyPair
              - kms:GenerateDataKeyWithoutPlaintext
              - kms:GenerateDataKeyPairWithoutPlaintext
              - kms:DescribeKey

【3】Sample

AWSTemplateFormatVersion: "2010-09-09"
Description: "This is a demo for KMS"

Parameters:
  Env:
    Description: Environment
    Type: String
    Default: dev
    AllowedValues:
      - dev
      - stage
      - prod

Resources:
  # -------
  # KMS Key
  # -------
  DemoKmsKey:
    Type: "AWS::KMS::Key"
    Properties:
      Description: This is a demo key for KMS
      EnableKeyRotation: true
      KeyPolicy:
        # Quoted so that YAML does not parse the policy version as a date
        Version: "2012-10-17"
        Id: key-demo-1
        Statement:
          # Lets the account root principal manage the key, which delegates
          # access control to IAM policies in this account
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
            Action: kms:*
            Resource: "*"
      Tags:
        - Key: Name
          Value: !Sub demo-key-${Env}-cmk
  # -------
  # KMS Alias
  # -------
  DemoKmsKeyAlias:
    Type: "AWS::KMS::Alias"
    Properties:
      AliasName: !Sub alias/demo-key-${Env}-cmk
      TargetKeyId: !Ref DemoKmsKey

Outputs:
  DemoKmsKey:
    Value: !GetAtt DemoKmsKey.Arn
    Description: "This output is a demo KMS key"
    Export:
      Name: !Sub demo-key-${Env}-cmk
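As an added example (not code from the original post), here is a small pre-deployment checker for the points above: it loads a template with PyYAML, keeps the !Sub / !Ref short forms as plain dicts, and flags a key without rotation, a key policy statement open to any principal, an alias outside the customer "alias/" namespace, and a TargetKeyId that does not !Ref a key in the template. It assumes PyYAML is installed; the template text inside it is a constructed sample.

```python
import yaml

# Constructed sample (not the blog's full template), using the post's !Sub / !Ref short forms
TEMPLATE = """
Resources:
  DemoKmsKey:
    Type: "AWS::KMS::Key"
    Properties:
      EnableKeyRotation: true
      KeyPolicy:
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal: {AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"}
            Action: kms:*
            Resource: "*"
  DemoKmsKeyAlias:
    Type: "AWS::KMS::Alias"
    Properties:
      AliasName: !Sub alias/demo-key-${Env}-cmk
      TargetKeyId: !Ref DemoKmsKey
"""

class CfnLoader(yaml.SafeLoader): pass  # own loader so the tag handler stays local to this module
def _intrinsic(loader, suffix, node):  # !Ref/!Sub/!GetAtt -> {"Ref": x} / {"Fn::Sub": x}, as in JSON
    value = loader.construct_sequence(node) if isinstance(node, yaml.SequenceNode) else loader.construct_scalar(node)
    return {"Ref" if suffix == "Ref" else "Fn::" + suffix: value}
CfnLoader.add_multi_constructor("!", _intrinsic)

def check_kms(template_text):  # -> list of findings (empty list means all checks passed)
    resources = yaml.load(template_text, Loader=CfnLoader).get("Resources", {})
    keys = {n for n, r in resources.items() if r.get("Type") == "AWS::KMS::Key"}
    findings = []
    for name, res in resources.items():
        props = res.get("Properties", {})
        if name in keys:
            if props.get("EnableKeyRotation") is not True:
                findings.append(f"{name}: EnableKeyRotation is not true")
            for stmt in props.get("KeyPolicy", {}).get("Statement", []):
                if stmt.get("Effect") == "Allow" and stmt.get("Principal") in ("*", {"AWS": "*"}):
                    findings.append(f"{name}: statement '{stmt.get('Sid')}' allows any principal")
        elif res.get("Type") == "AWS::KMS::Alias":
            alias = props.get("AliasName", "")
            alias = alias.get("Fn::Sub", "") if isinstance(alias, dict) else alias
            if not alias.startswith("alias/") or alias.startswith("alias/aws/"):
                findings.append(f"{name}: AliasName '{alias}' is not a valid customer alias")
            target = props.get("TargetKeyId", {})
            if isinstance(target, dict) and target.get("Ref") not in keys:
                findings.append(f"{name}: TargetKeyId does not !Ref a key in this template")
    return findings
```

Run it against a template file with check_kms(open("template.yaml").read()); the sample above produces no findings, while a template with rotation off, a "*" principal or an "alias/aws/" name produces one finding each.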

Related articles

CloudFormation ~ Introduction ~
https://dk521123.hatenablog.com/entry/2021/10/26/224812
CloudFormation ~ Basics ~
https://dk521123.hatenablog.com/entry/2021/12/01/170326
CloudFormation ~ Intrinsic Functions ~
https://dk521123.hatenablog.com/entry/2021/12/04/202519
CloudFormation ~ Pseudo Parameters ~
https://dk521123.hatenablog.com/entry/2021/12/05/134313
CloudFormation ~ DeletionPolicy Attribute ~
https://dk521123.hatenablog.com/entry/2021/12/27/211328
CloudFormation ~ S3 ~
https://dk521123.hatenablog.com/entry/2022/05/25/220037
CloudFormation ~ IAM ~
https://dk521123.hatenablog.com/entry/2022/05/27/100820
Building GitHub/CodePipeline/CodeBuild with CloudFormation
https://dk521123.hatenablog.com/entry/2021/12/26/155956
AWS Certification ~ Associate / Solutions Architect ~
https://dk521123.hatenablog.com/entry/2022/03/01/000000