cfn-modules: AWS KMS key (strict)

AWS KMS key with strict access restrictions.

The KMS key is not deleted if you delete the CloudFormation stack to prevent unwanted data loss!

If you look for a KMS key with less strict access check out the kms-key module.

Install

Install Node.js and npm first!

npm i @cfn-modules/kms-key-strict

Usage

---
AWSTemplateFormatVersion: '2010-09-09'
Description: 'cfn-modules example'
Resources:
  Key:
    Type: 'AWS::CloudFormation::Stack'
    Properties:
      Parameters:
        AlertingModule: !GetAtt 'Alerting.Outputs.StackName' # optional
        AdminAccess: !Sub 'arn:aws:iam::${AWS::AccountId}:role/ROLE_NAME' # required
        UseAccess: !Sub 'arn:aws:iam::${AWS::AccountId}:role/ROLE_NAME' # optional
        ServiceAccess: 'NO_SERVICES' # optional
        AliasName: '' # optional
      TemplateURL: './node_modules/@cfn-modules/kms-key-strict/module.yml'

Examples

none

Related modules

• kms-key
• secret

Parameters

Name	Description	Default	Required?	Allowed values
AlertingModule	Stack name of alerting module		no
AdminAccess	Comma-delimited list of IAM principals (e.g., IAM Role or User ARN) allowed to administer this CMK		yes
UseAccess	Comma-delimited list of IAM principals (e.g., IAM Role or User ARN) allowed to use this CMK		no
ServiceAccess	Which AWS service is allowed to use this CMK from the same AWS account and region?	NO_SERVICES	no	[NO_SERVICES, ALL_SERVICES, connect, dms, ssm, ec2, elasticfilesystem, es, kinesis, kinesisvideo, lambda, lex, redshift, rds, secretsmanager, ses, s3, importexport, sqs, workmail, workspaces]
AliasName	Alias name (if not set, the stack name is used)		no

Outputs

Name	Interface	Description	Exported?
ModuleId	global	Id of the module	no
ModuleVersion	global	Version of the module	no
StackName	global	Name of the stack (used to pass module references)	no
Arn	ExposeArn	KMS key ARN	yes
IamActions	LambdaDependency	Used to auto-generate IAM policies	yes
IamResources	LambdaDependency	sed to auto-generate IAM policies	yes