AWS KMS Grant
This page shows how to write Terraform and CloudFormation for AWS KMS Grant and write them securely.
aws_kms_grant (Terraform)
The Grant in AWS KMS can be configured in Terraform with the resource name aws_kms_grant. The following sections describe 5 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "aws_kms_grant" "grant-for-codebuild-role" {
  name              = "grant-for-deploy"
  key_id            = var.kms__key_id
  grantee_principal = aws_iam_role.codebuild-role.arn
  operations = [
    "Encrypt",
    # the source excerpt is cut off here; the remaining operations are not shown
  ]
}
resource "aws_kms_grant" "dynamodb" {
  name              = "my-grant-dynamodb"
  key_id            = aws_kms_key.dynamodb.key_id
  grantee_principal = aws_iam_role.kms.arn
  operations        = ["Encrypt", "Decrypt", "GenerateDataKey"]
}
resource "aws_kms_grant" "existing_role" {
  count             = var.existing_iam_role == "" ? 0 : 1
  name              = var.project_name
  key_id            = aws_kms_key.this.key_id
  grantee_principal = join("", data.aws_iam_role.existing.*.arn)
  operations        = ["Encrypt", "Decrypt"]
}
resource "aws_kms_grant" "grant-for-deploy-role" {
  provider          = aws.shared-services
  name              = "grant-for-deploy"
  key_id            = var.kms__key_id
  grantee_principal = aws_iam_role.cloudformation-deploy-role.arn
  # the source excerpt is cut off here, before the required operations argument
}
Parameters
- grant_creation_tokens: optional, set of string
- grant_id: optional, computed, string
- grant_token: optional, computed, string
- grantee_principal: required, string
- id: optional, computed, string
- key_id: required, string
- name: optional, string
- operations: required, set of string
- retire_on_delete: optional, bool
- retiring_principal: optional, string
- constraints: set block
  - encryption_context_equals: optional, map from string to string
  - encryption_context_subset: optional, map from string to string
Explanation in Terraform Registry
Provides a resource-based access control mechanism for a KMS customer master key.
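The operations and constraints arguments above decide what a grantee can actually do with the key, and the constraint semantics are easy to get backwards. The following Python is an added example, not code from the page or from the Terraform AWS provider: it models how KMS evaluates a grant's operations list together with an encryption_context_subset or encryption_context_equals constraint. The Grant class, the CONTEXT_OPERATIONS set, the role ARNs and the sample requests are all constructed for this illustration.

```python
"""Model of AWS KMS grant evaluation (added example, not provider code).

Semantics modelled, following the AWS KMS grant documentation:
  * a grant permits only the operations listed in `operations`;
  * encryption_context_subset: the request's encryption context must contain
    every key/value pair in the constraint (extra pairs are allowed);
  * encryption_context_equals: the request's encryption context must match the
    constraint exactly;
  * constraints only apply to operations that accept an encryption context;
    operations such as DescribeKey are not restricted by them.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# KMS operations that accept an EncryptionContext parameter.
CONTEXT_OPERATIONS: FrozenSet[str] = frozenset({
    "Encrypt", "Decrypt", "ReEncryptFrom", "ReEncryptTo",
    "GenerateDataKey", "GenerateDataKeyWithoutPlaintext",
    "GenerateDataKeyPair", "GenerateDataKeyPairWithoutPlaintext",
})


@dataclass(frozen=True)
class Grant:
    """Mirrors the aws_kms_grant arguments by name (illustrative only)."""
    grantee_principal: str
    operations: FrozenSet[str]
    encryption_context_subset: Optional[Dict[str, str]] = None
    encryption_context_equals: Optional[Dict[str, str]] = None


def grant_allows(grant: Grant, principal: str, operation: str,
                 encryption_context: Optional[Dict[str, str]] = None) -> bool:
    """True if `grant` authorises `principal` to call `operation` with the
    given encryption context."""
    if principal != grant.grantee_principal:
        return False
    if operation not in grant.operations:
        return False
    # Constraints only govern operations that carry an encryption context.
    if operation not in CONTEXT_OPERATIONS:
        return True
    ctx = encryption_context or {}
    if grant.encryption_context_equals is not None and ctx != grant.encryption_context_equals:
        return False
    if grant.encryption_context_subset is not None:
        required = grant.encryption_context_subset
        if any(ctx.get(k) != v for k, v in required.items()):
            return False
    return True


# Constructed sample: a grant scoped to one application's records.
APP_ROLE = "arn:aws:iam::111122223333:role/example-app-role"  # placeholder ARN
SCOPED_GRANT = Grant(
    grantee_principal=APP_ROLE,
    operations=frozenset({"Encrypt", "Decrypt", "DescribeKey"}),
    encryption_context_subset={"app": "orders"},
)


def demo() -> Dict[str, bool]:
    """Evaluate a few constructed requests against SCOPED_GRANT."""
    return {
        "decrypt_with_matching_context": grant_allows(
            SCOPED_GRANT, APP_ROLE, "Decrypt", {"app": "orders", "tenant": "42"}),
        "decrypt_without_context": grant_allows(
            SCOPED_GRANT, APP_ROLE, "Decrypt", None),
        "decrypt_wrong_context": grant_allows(
            SCOPED_GRANT, APP_ROLE, "Decrypt", {"app": "billing"}),
        "describe_key_no_context": grant_allows(
            SCOPED_GRANT, APP_ROLE, "DescribeKey", None),
        "generate_data_key_not_granted": grant_allows(
            SCOPED_GRANT, APP_ROLE, "GenerateDataKey", {"app": "orders"}),
        "other_principal": grant_allows(
            SCOPED_GRANT, "arn:aws:iam::111122223333:role/other", "Decrypt",
            {"app": "orders"}),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
```

The point the model makes: a grant that lists Decrypt with no constraints block lets the grantee decrypt any ciphertext produced under the key, whereas an encryption_context_subset constraint ties the grant to ciphertexts carrying that context. retire_on_delete and retiring_principal are not modelled here; they govern who can retire the grant, not what it permits.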
AWS::KMS::Key (CloudFormation)
The Key in KMS can be configured in CloudFormation with the resource name AWS::KMS::Key. The following sections describe 10 examples of how to use the resource and its parameters.
Example Usage from GitHub
Type: AWS::KMS::Key
Properties:
  Description: Symmetric key for demo
  Enabled: True
  EnableKeyRotation: True
  KeySpec: SYMMETRIC_DEFAULT

Type: AWS::KMS::Key
DependsOn:
  - CreateRecordLambdaFunction
  - GetRecordLambdaFunction
Properties:
  Description: 'QLDB Ledger CMK'
Type: AWS::KMS::Key
Properties:
  Description: KMS Key used for protecting Kolide Fleet's SSL private key
  EnableKeyRotation: true
  KeyPolicy:
    Version: '2012-10-17'

Type: AWS::KMS::Key
Properties:
  Description: RSA_4096 asymmetric CMK
  KeySpec: RSA_4096
  KeyUsage: ENCRYPT_DECRYPT
  KeyPolicy:
"rule": "$.Resources.*[?(@.Type=='AWS::KMS::Key')].Properties.EnableKeyRotation any null or $.Resources.*[?(@.Type=='AWS::KMS::Key')].Properties.EnableKeyRotation anyFalse",
"id": "6ae8d0a5-4794-438c-aafa-200f94b45f1f",
"enabled": true,
"recommendation": {
  "name": "Recommended solution for enabling Customer Master Keys.",
  "description": "It is recommended that Customer Master Keys rotation is enabled. Please make sure your template has \"EnableKeyRotation\" attribute and it is set to \"true\""
"Type": "AWS::KMS::Key",
"Properties": {
  "Enabled": false,
  "KeyPolicy": {
    "Id": "key-default-1",
    "Statement": [

"Type": "AWS::KMS::Key",
"Properties": {
  "Enabled": true,
  "KeyPolicy": {
    "Version": "2012-10-17",
    "Id": "key-default-1",
Parameters
- Description: optional, String
- Enabled: optional, Boolean
- EnableKeyRotation: optional, Boolean
- KeyPolicy: required, Json
- KeyUsage: optional, String
- KeySpec: optional, String
- MultiRegion: optional, Boolean
- PendingWindowInDays: optional, Integer
- Tags: optional, List of Tag
Explanation in CloudFormation Registry
The AWS::KMS::Key resource specifies a symmetric or asymmetric KMS key in AWS Key Management Service (AWS KMS).
Note: AWS KMS is replacing the term customer master key (CMK) with AWS KMS key and KMS key. The concept has not changed. To prevent breaking changes, AWS KMS is keeping some variations of this term.
You can use symmetric KMS keys to encrypt and decrypt small amounts of data, but they are more commonly used to generate data keys and data key pairs. You can also use symmetric KMS keys to encrypt data stored in AWS services that are integrated with AWS KMS. For more information, see What is AWS Key Management Service? in the AWS Key Management Service Developer Guide.
You can use asymmetric KMS keys to encrypt and decrypt data or sign messages and verify signatures. To create an asymmetric key, you must specify an asymmetric KeySpec value and a KeyUsage value.
Important: If you change the value of a Replacement property, such as KeyUsage or KeySpec, on an existing KMS key, the existing KMS key is scheduled for deletion and a new KMS key is created with the specified value. While scheduled for deletion, the existing KMS key becomes unusable. If you don't cancel the scheduled deletion of the existing KMS key outside of CloudFormation, all data encrypted under the existing KMS key becomes unrecoverable when the KMS key is deleted.
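Two of the points on this page lend themselves to a pre-deployment check: the EnableKeyRotation rule quoted in the example section, and the warning above that changing a Replacement property such as KeySpec or KeyUsage schedules the existing key for deletion. The following Python is an added example, not code from the page, from AWS, or from any of the cited repositories: it runs both checks over CloudFormation templates loaded as dicts. The sample templates, logical ids and the DEFAULTS table (the documented defaults for an omitted KeySpec and KeyUsage) are constructed for this illustration.

```python
"""Static checks for AWS::KMS::Key resources (added example, not AWS code).

1. keys_without_rotation: the rotation rule from the example section, i.e.
   EnableKeyRotation missing, null, or false on any AWS::KMS::Key.
2. replacement_risks: AWS::KMS::Key resources whose KeySpec or KeyUsage
   differs between two template revisions. Those are Replacement properties,
   so the update would schedule the existing key for deletion.

Load real templates with json.load or a YAML parser before calling these.
"""
from typing import Any, Dict, List, Tuple

KMS_KEY_TYPE = "AWS::KMS::Key"
REPLACEMENT_PROPERTIES = ("KeySpec", "KeyUsage")
# Documented defaults applied when the property is omitted from the template.
DEFAULTS = {"KeySpec": "SYMMETRIC_DEFAULT", "KeyUsage": "ENCRYPT_DECRYPT"}


def kms_keys(template: Dict[str, Any]) -> Dict[str, Dict[str, Any]]:
    """Return {logical_id: properties} for every AWS::KMS::Key resource."""
    resources = template.get("Resources") or {}
    return {
        logical_id: (res.get("Properties") or {})
        for logical_id, res in resources.items()
        if isinstance(res, dict) and res.get("Type") == KMS_KEY_TYPE
    }


def keys_without_rotation(template: Dict[str, Any]) -> List[str]:
    """Logical ids of keys whose EnableKeyRotation is absent, null or false."""
    findings = []
    for logical_id, props in kms_keys(template).items():
        value = props.get("EnableKeyRotation")
        # Accept YAML/JSON booleans as well as the string forms seen in templates.
        if value is None or str(value).lower() != "true":
            findings.append(logical_id)
    return findings


def replacement_risks(old: Dict[str, Any], new: Dict[str, Any]) -> List[Tuple[str, str, Any, Any]]:
    """(logical_id, property, old_value, new_value) for each key that an
    update would replace; omitted properties are compared at their defaults."""
    risks = []
    old_keys, new_keys = kms_keys(old), kms_keys(new)
    for logical_id in sorted(old_keys.keys() & new_keys.keys()):
        for prop in REPLACEMENT_PROPERTIES:
            before = old_keys[logical_id].get(prop, DEFAULTS[prop])
            after = new_keys[logical_id].get(prop, DEFAULTS[prop])
            if before != after:
                risks.append((logical_id, prop, before, after))
    return risks


# Constructed sample templates (not taken from any real stack).
TEMPLATE_V1 = {
    "Resources": {
        "DemoKey": {"Type": KMS_KEY_TYPE, "Properties": {
            "Description": "Symmetric key for demo", "Enabled": True,
            "EnableKeyRotation": True, "KeySpec": "SYMMETRIC_DEFAULT"}},
        "LedgerKey": {"Type": KMS_KEY_TYPE, "Properties": {
            "Description": "rotation not set"}},
        "SigningKey": {"Type": KMS_KEY_TYPE, "Properties": {
            "KeySpec": "RSA_4096", "KeyUsage": "SIGN_VERIFY",
            "EnableKeyRotation": "false"}},
        "Bucket": {"Type": "AWS::S3::Bucket"},
    }
}
# Revision that switches DemoKey to an asymmetric spec: a Replacement change.
TEMPLATE_V2 = {
    "Resources": {
        "DemoKey": {"Type": KMS_KEY_TYPE, "Properties": {
            "EnableKeyRotation": True, "KeySpec": "RSA_4096",
            "KeyUsage": "ENCRYPT_DECRYPT"}},
        "SigningKey": {"Type": KMS_KEY_TYPE, "Properties": {
            "KeySpec": "RSA_4096", "KeyUsage": "SIGN_VERIFY"}},
    }
}

if __name__ == "__main__":
    print("keys without rotation:", keys_without_rotation(TEMPLATE_V1))
    print("replacement on update:", replacement_risks(TEMPLATE_V1, TEMPLATE_V2))
```

One caveat when applying the rotation rule: automatic key rotation is only supported for symmetric KMS keys, so the rule as quoted on the page (and this implementation of it) will also flag asymmetric keys, which need to be handled as accepted findings or excluded by KeySpec. The replacement check is the one worth wiring into a pipeline gate, since the deletion it warns about is only reversible during the pending-deletion window.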
Frequently asked questions
What is AWS KMS Grant?
AWS KMS Grant is a resource for KMS of Amazon Web Services. Settings can be written in Terraform and CloudFormation.
Where can I find the example code for the AWS KMS Grant?
For Terraform, the petersiemen/aws-multiple-account-ci-cd, petersiemen/cross-account-multi-region-ci-cd-pipeline-on-aws and Kaiohenriqueps/terraform-lambda-dynamodb source code examples are useful. See the Terraform Example section for further details.
For CloudFormation, the MarkBiesheuvel/demo-templates, AWS-South-Wales-User-Group/qldb-kms-demo and panther-labs/panther-analysis source code examples are useful. See the CloudFormation Example section for further details.