AWS KMS key with strict access restrictions.
The KMS key is retained when you delete the CloudFormation stack, to prevent unwanted data loss!
If you are looking for a KMS key with less strict access, check out the kms-key module.
Install Node.js and npm first!

```shell
npm i @cfn-modules/kms-key-strict
```
```yaml
---
AWSTemplateFormatVersion: '2010-09-09'
Description: 'cfn-modules example'
Resources:
  Key:
    Type: 'AWS::CloudFormation::Stack'
    Properties:
      Parameters:
        AlertingModule: !GetAtt 'Alerting.Outputs.StackName' # optional
        AdminAccess: !Sub 'arn:aws:iam::${AWS::AccountId}:role/ROLE_NAME' # required
        UseAccess: !Sub 'arn:aws:iam::${AWS::AccountId}:role/ROLE_NAME' # optional
        ServiceAccess: 'NO_SERVICES' # optional
        AliasName: '' # optional
      TemplateURL: './node_modules/@cfn-modules/kms-key-strict/module.yml'
```
Examples: none.
Name | Description | Default | Required? | Allowed values
---|---|---|---|---
AlertingModule | Stack name of alerting module | | no | |
AdminAccess | Comma-delimited list of IAM principals (e.g., IAM Role or User ARN) allowed to administer this CMK | | yes | |
UseAccess | Comma-delimited list of IAM principals (e.g., IAM Role or User ARN) allowed to use this CMK | | no | |
ServiceAccess | Which AWS service is allowed to use this CMK from the same AWS account and region? | NO_SERVICES | no | [NO_SERVICES, ALL_SERVICES, connect, dms, ssm, ec2, elasticfilesystem, es, kinesis, kinesisvideo, lambda, lex, redshift, rds, secretsmanager, ses, s3, importexport, sqs, workmail, workspaces] |
AliasName | Alias name (if not set, the stack name is used) | | no | |
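The AdminAccess, UseAccess and ServiceAccess parameters describe a key policy split into an admin grant, a use grant and an optional service-scoped grant, with no blanket grant to the account root (which is what makes the key "strict" compared with the kms-key module). The following Python is an added example, not code from cfn-modules: it statically checks a key policy document (the JSON you would get back from `aws kms get-key-policy`) for Allow statements whose principal is `*` or the account root without a service scope. The sample policies, account id, region and role names are constructed placeholders; the assumption that ServiceAccess is implemented as a `*` principal fenced by `kms:CallerAccount` and `kms:ViaService` is the standard AWS key-policy pattern, not something the page states about this module.

```python
"""Static check of a KMS key policy for over-broad principals.

Added example, not cfn-modules code. Account id, region, role names and the
policies below are constructed placeholders.
"""
import json

ACCOUNT_ID = "123456789012"  # placeholder, not a real account
REGION = "eu-west-1"         # placeholder region

# Constructed "strict" policy: admin principal, use principal, and S3 in this
# account via the kms:CallerAccount + kms:ViaService pattern (assumed pattern).
STRICT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Admin", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:role/KeyAdminRole"},
         "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                    "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                    "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion",
                    "kms:CancelKeyDeletion"],
         "Resource": "*"},
        {"Sid": "Use", "Effect": "Allow",
         "Principal": {"AWS": [f"arn:aws:iam::{ACCOUNT_ID}:role/AppRole"]},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*"},
        {"Sid": "Service", "Effect": "Allow", "Principal": "*",
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*",
         "Condition": {"StringEquals": {
             "kms:CallerAccount": ACCOUNT_ID,
             "kms:ViaService": f"s3.{REGION}.amazonaws.com"}}},
    ],
}

# Constructed "less strict" policy: the account root gets kms:*, which hands
# key access to every IAM policy in the account.
LAX_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM policies", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
         "Action": "kms:*", "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """Flatten the Principal element into a list of principal strings."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    out = []
    for value in principal.values():
        out.extend(_as_list(value))
    return out


def _service_scoped(statement, account_id):
    """A '*' principal is acceptable when fenced to this account and one service."""
    cond = statement.get("Condition", {}).get("StringEquals", {})
    return cond.get("kms:CallerAccount") == account_id and "kms:ViaService" in cond


def find_broad_grants(policy, account_id):
    """Return (Sid, broad principals, actions) for each Allow statement that
    grants KMS actions to '*' or the account root without a service scope."""
    root = f"arn:aws:iam::{account_id}:root"
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or _service_scoped(st, account_id):
            continue
        broad = [p for p in _principals(st) if p in ("*", root)]
        if broad:
            findings.append((st.get("Sid", "<no Sid>"), broad,
                             _as_list(st.get("Action", []))))
    return findings


def is_strict(policy, account_id):
    return not find_broad_grants(policy, account_id)


def check_policy_json(text, account_id):
    """Entry point for the raw JSON string returned by get-key-policy."""
    return find_broad_grants(json.loads(text), account_id)


if __name__ == "__main__":
    for name, policy in (("strict", STRICT_POLICY), ("lax", LAX_POLICY)):
        print(name, "strict" if is_strict(policy, ACCOUNT_ID) else
              find_broad_grants(policy, ACCOUNT_ID))
```

Run it against a real key by piping `aws kms get-key-policy --key-id <id> --policy-name default --output text` into `check_policy_json`; any finding means some principal outside the AdminAccess/UseAccess lists can reach the key through IAM policies alone.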
Name | Interface | Description | Exported? |
---|---|---|---|
ModuleId | global | Id of the module | no |
ModuleVersion | global | Version of the module | no |
StackName | global | Name of the stack (used to pass module references) | no |
Arn | ExposeArn | KMS key ARN | yes |
IamActions | LambdaDependency | Used to auto-generate IAM policies | yes |
IamResources | LambdaDependency | Used to auto-generate IAM policies | yes |