AWS KMS Grant

This page shows how to write Terraform and CloudFormation for AWS KMS Grant and write them securely.


Terraform Example (aws_kms_grant)

Provides a resource-based access control mechanism for a KMS customer master key.

Parameters

Example Usage (from GitHub)

From petersiemen/aws-multiple-account-ci-cd and petersiemen/cross-account-multi-region-ci-cd-pipeline-on-aws (the same block appears in both repositories):

resource "aws_kms_grant" "grant-for-codebuild-role" {
  name              = "grant-for-deploy"
  key_id            = var.kms__key_id
  grantee_principal = aws_iam_role.codebuild-role.arn
  operations = [
    "Encrypt",
    # remaining operations are cut off in the source listing
  ]
}

From Kaiohenriqueps/terraform-lambda-dynamodb:

resource "aws_kms_grant" "dynamodb" {
  name              = "my-grant-dynamodb"
  key_id            = aws_kms_key.dynamodb.key_id
  grantee_principal = aws_iam_role.kms.arn
  operations        = ["Encrypt", "Decrypt", "GenerateDataKey"]
}

From edcast/one-time-secret (the grant is only created when an existing IAM role name is supplied):

resource "aws_kms_grant" "existing_role" {
  count             = var.existing_iam_role == "" ? 0 : 1
  name              = var.project_name
  key_id            = aws_kms_key.this.key_id
  grantee_principal = join("", data.aws_iam_role.existing.*.arn)
  operations        = ["Encrypt", "Decrypt"]
}

From petersiemen/aws-multiple-account-ci-cd (a grant created through a second provider alias for the shared-services account):

resource "aws_kms_grant" "grant-for-deploy-role" {
  provider = aws.shared-services

  name              = "grant-for-deploy"
  key_id            = var.kms__key_id
  grantee_principal = aws_iam_role.cloudformation-deploy-role.arn
  # the required "operations" argument is cut off in the source listing
}

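The repository snippets above grant broad operations with no constraints. The following is an added example, not code from the page or from any of the repositories listed, showing how a grant can be scoped: only the operations the principal needs, an encryption-context constraint, and a retiring principal so the grant can be revoked. All resource names (aws_kms_key.app, aws_iam_role.worker, the "app" = "orders" context) are assumed for illustration.

```hcl
# Added example; resource and role names below are hypothetical.

resource "aws_kms_key" "app" {
  description         = "Key for application data"
  enable_key_rotation = true
}

data "aws_iam_policy_document" "worker_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "worker" {
  name               = "app-worker"
  assume_role_policy = data.aws_iam_policy_document.worker_trust.json
}

# Least-privilege grant: the worker can only unwrap data keys and generate
# new ones, and only when the encryption context carries app=orders.
# Requests with a different or missing context are denied by KMS.
resource "aws_kms_grant" "worker" {
  name              = "app-worker-grant"
  key_id            = aws_kms_key.app.key_id
  grantee_principal = aws_iam_role.worker.arn
  operations        = ["Decrypt", "GenerateDataKey"]

  constraints {
    # Subset match: the request's encryption context must contain this pair
    # (it may contain additional pairs).
    encryption_context_subset = {
      "app" = "orders"
    }
  }

  # The principal allowed to retire (revoke) the grant when it is no longer needed.
  retiring_principal = aws_iam_role.worker.arn
}
```

The identity running terraform apply must be allowed kms:CreateGrant on the key, and grants are eventually consistent, so a freshly created grant may take a short time before the grantee's requests succeed.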
CloudFormation Example (AWS::KMS::Key)

The AWS::KMS::Key resource specifies a symmetric or asymmetric KMS key in AWS Key Management Service (AWS KMS).

Note: AWS KMS is replacing the term customer master key (CMK) with AWS KMS key and KMS key. The concept has not changed. To prevent breaking changes, AWS KMS is keeping some variations of this term.

You can use symmetric KMS keys to encrypt and decrypt small amounts of data, but they are more commonly used to generate data keys and data key pairs. You can also use symmetric KMS keys to encrypt data stored in AWS services that are integrated with AWS KMS. For more information, see What is AWS Key Management Service? in the AWS Key Management Service Developer Guide.

You can use asymmetric KMS keys to encrypt and decrypt data or to sign messages and verify signatures. To create an asymmetric key, you must specify an asymmetric KeySpec value and a KeyUsage value.

Important: If you change the value of a Replacement property, such as KeyUsage or KeySpec, on an existing KMS key, the existing KMS key is scheduled for deletion and a new KMS key is created with the specified value. While scheduled for deletion, the existing KMS key becomes unusable. If you don't cancel the scheduled deletion of the existing KMS key outside of CloudFormation, all data encrypted under the existing KMS key becomes unrecoverable when the KMS key is deleted.

Parameters

Frequently asked questions

What is AWS KMS Grant?

AWS KMS Grant is a resource for KMS of Amazon Web Services. Its settings can be written in Terraform and CloudFormation.

Where can I find the example code for the AWS KMS Grant?

For Terraform, the petersiemen/aws-multiple-account-ci-cd, petersiemen/cross-account-multi-region-ci-cd-pipeline-on-aws and Kaiohenriqueps/terraform-lambda-dynamodb source code examples are useful. See the Terraform Example section for further details.