cloudformation template to create kms key

3 min read 07-12-2024

cloudformation template to create kms key

This article details how to create a CloudFormation template to provision a Customer Master Key (CMK) in AWS KMS. We'll cover various aspects, from basic key creation to incorporating advanced features like key policies and aliases. This allows for infrastructure-as-code management of your encryption keys, enhancing security and repeatability.

Why Use CloudFormation for KMS Key Management?

Manually creating and managing KMS keys can be time-consuming and error-prone. CloudFormation provides a declarative approach, allowing you to define your infrastructure (including KMS keys) in a template file. This ensures consistency, reduces manual effort, and facilitates version control. Changes are applied reliably and repeatably, minimizing the risk of misconfigurations.

Basic CloudFormation Template for a KMS CMK

This template creates a simple symmetric CMK:

AWSTemplateFormatVersion: '2010-09-09'
Description: Creates a KMS CMK

Resources:
  MyKMSKey:
    Type: 'AWS::KMS::Key'
    Properties:
      Description: My simple KMS key
      EnableKeyRotation: true

This template defines a single resource, MyKMSKey, of type AWS::KMS::Key. The Description property adds metadata, while EnableKeyRotation automatically rotates the key material, enhancing security.

Adding a Key Policy

For granular control over key access, define a key policy. This example grants access to specific AWS accounts and IAM roles:

AWSTemplateFormatVersion: '2010-09-09'
Description: Creates a KMS CMK with a custom policy

Resources:
  MyKMSKey:
    Type: 'AWS::KMS::Key'
    Properties:
      Description: My KMS key with custom policy
      EnableKeyRotation: true
      KeyPolicy:
        Version: '2012-10-17'
        Statement:
        - Sid: AllowAdminAccess
          Effect: Allow
          Principal:
            AWS: arn:aws:iam::123456789012:root # Replace with your account ID
          Action:
            - kms:*
          Resource: '*'
        - Sid: AllowSpecificRoleAccess
          Effect: Allow
          Principal:
            AWS: arn:aws:iam::123456789012:role/MyRole # Replace with your role ARN
          Action:
            - kms:Encrypt
            - kms:Decrypt
          Resource: '*'

Remember to replace placeholder account IDs and role ARNs with your actual values. This policy grants full access to the specified account and restricted access (encrypt/decrypt only) to the specified role. Adjust permissions as needed based on your security requirements.

Assigning an Alias

Aliases make it easier to refer to your keys. Adding an alias to your template:

AWSTemplateFormatVersion: '2010-09-09'
Description: Creates a KMS CMK with an alias

Resources:
  MyKMSKey:
    Type: 'AWS::KMS::Key'
    Properties:
      Description: My KMS key with alias
      EnableKeyRotation: true
  MyKMSKeyAlias:
    Type: 'AWS::KMS::Alias'
    Properties:
      AliasName: alias/MyKeyAlias
      TargetKeyId: !Ref MyKMSKey

This adds a resource MyKMSKeyAlias that links the alias alias/MyKeyAlias to the CMK created earlier. !Ref MyKMSKey refers to the output of the MyKMSKey resource.

Creating a Customer Managed Key with a specific Key Spec

You can specify the key's algorithm:

AWSTemplateFormatVersion: '2010-09-09'
Description: Creates a KMS CMK with a specific key spec

Resources:
  MyKMSKey:
    Type: 'AWS::KMS::Key'
    Properties:
      Description: My KMS key with specific key spec
      KeySpec: SYMMETRIC_DEFAULT # or RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1
      EnableKeyRotation: true

Replace SYMMETRIC_DEFAULT with the desired key spec if needed.

Deploying the Template

Once you've created your CloudFormation template (e.g., template.yaml), deploy it using the AWS CLI:

aws cloudformation deploy --template-file template.yaml --stack-name MyKMSKeyStack --capabilities CAPABILITY_NAMED_IAM

The --capabilities CAPABILITY_NAMED_IAM flag is necessary because the key policy involves IAM resources.

Conclusion

CloudFormation simplifies KMS key management, providing a repeatable and auditable method for creating and configuring keys. Remember to adjust the key policies and other properties to match your specific security and operational requirements. Always prioritize secure key management practices, including regular key rotation and access control policies.