def add_kms_key(self, name):
print('Adding KMS key for %s service' % name)
account_id = self.config.get('account_id', None)
if not account_id:
print('Unable to add KMS Key')
sys.exit('Unable to add KMS Key! No Account ID')
keypolicy = {
"Version":
"2012-10-17",
"Id":
name,
"Statement": [{
"Sid":
"Allow administration of the key",
"Effect":
"Allow",
"Principal": {
"AWS": ("arn:aws:iam::%s:root" % account_id)
},
"Action": [
"kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
"kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
"kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource":
"*"
}]
}
return self.add_resource(kms.Key(name, KeyPolicy=keypolicy))
def _create_kms_deploy_key(self, include_prod):
statements = [
Statement(
Sid='AdminAccess',
Effect=Allow,
Principal=self.DEPLOY_ACCOUNT_PRINCIPAL,
Action=[_kms.Action('*')],
Resource=['*'],
)
]
if include_prod:
statements.append(
Statement(
Sid='KeyUsage',
Effect=Allow,
Principal=self.PROD_ACCOUNT_PRINCIPAL,
Action=[
_kms.Encrypt, _kms.Decrypt,
Action('kms', 'ReEncrypt*'), _kms.GenerateDataKey,
_kms.DescribeKey
],
Resource=['*'],
))
deploy_key = kms.Key('DeployKey',
KeyPolicy=Policy(
Version='2012-10-17',
Id='KeyPolicyId',
Statement=statements,
))
self._t.add_resource(deploy_key)
return deploy_key
def _project_key(project: Config) -> kms.Key:
"""Construct the AWS CMK that will be used to protect project resources.
:param project: Source project
:return: Constructed key
"""
policy = AWS.PolicyDocument(
Version="2012-10-17",
Statement=[
AWS.Statement(
Effect=AWS.Allow,
Principal=AWS.Principal("AWS", account_arn("iam", "root")),
Action=[
KMS.Encrypt,
KMS.Decrypt,
KMS.ReEncrypt,
KMS.GenerateDataKey,
KMS.GenerateDataKeyWithoutPlaintext,
KMS.DescribeKey,
KMS.GetKeyPolicy,
],
Resource=["*"],
),
# TODO: Change admin statement to some other principal?
AWS.Statement(
Effect=AWS.Allow,
Principal=AWS.Principal("AWS", account_arn("iam", "root")),
Action=[
KMS.GetKeyPolicy,
KMS.PutKeyPolicy,
KMS.ScheduleKeyDeletion,
KMS.CancelKeyDeletion,
KMS.CreateAlias,
KMS.DeleteAlias,
KMS.UpdateAlias,
KMS.DescribeKey,
KMS.EnableKey,
KMS.DisableKey,
KMS.GetKeyRotationStatus,
KMS.EnableKeyRotation,
KMS.DisableKeyRotation,
KMS.ListKeyPolicies,
KMS.ListResourceTags,
KMS.TagResource,
KMS.UntagResource,
],
Resource=["*"],
),
],
)
return kms.Key(
resource_name(kms.Key, "Stack"),
Enabled=True,
EnableKeyRotation=False,
KeyPolicy=policy,
Tags=project_tags(project),
)
def buildInfrastructure(t, args):
t.add_resource(
ec2.VPC('VPC',
CidrBlock='10.0.0.0/16',
EnableDnsSupport='true',
EnableDnsHostnames='true'))
t.add_resource(
ec2.Subnet('PublicSubnet1',
VpcId=Ref('VPC'),
CidrBlock='10.0.1.0/24',
AvailabilityZone=Select("0", GetAZs(""))))
t.add_resource(ec2.InternetGateway('ig'))
t.add_resource(
ec2.VPCGatewayAttachment('igAttach',
VpcId=Ref('VPC'),
InternetGatewayId=Ref('ig')))
t.add_resource(ec2.RouteTable('rtTablePublic', VpcId=Ref('VPC')))
t.add_resource(
ec2.Route('rtPublic',
RouteTableId=Ref('rtTablePublic'),
DestinationCidrBlock='0.0.0.0/0',
GatewayId=Ref('ig'),
DependsOn='igAttach'))
t.add_resource(
ec2.SubnetRouteTableAssociation('rtPublic1Attach',
SubnetId=Ref('PublicSubnet1'),
RouteTableId=Ref('rtTablePublic')))
t.add_resource(
kms.Key('OpenEMRKey',
DeletionPolicy='Delete',
KeyPolicy={
"Version":
"2012-10-17",
"Id":
"key-default-1",
"Statement": [{
"Sid": "1",
"Effect": "Allow",
"Principal": {
"AWS":
[Join(':', ['arn:aws:iam:', ref_account, 'root'])]
},
"Action": "kms:*",
"Resource": "*"
}]
}))
t.add_resource(
s3.Bucket(
'S3Bucket',
DeletionPolicy='Retain',
BucketName=Join(
'-',
['openemr', Select('2', Split('/', ref_stack_id))])))
t.add_resource(
s3.BucketPolicy(
'BucketPolicy',
Bucket=Ref('S3Bucket'),
PolicyDocument={
"Version":
"2012-10-17",
"Statement": [{
"Sid": "AWSCloudTrailAclCheck",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "s3:GetBucketAcl",
"Resource": {
"Fn::Join":
["", ["arn:aws:s3:::", {
"Ref": "S3Bucket"
}]]
}
}, {
"Sid": "AWSCloudTrailWrite",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:s3:::", {
"Ref": "S3Bucket"
}, "/AWSLogs/", {
"Ref": "AWS::AccountId"
}, "/*"
]
]
},
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
}]
}))
t.add_resource(
cloudtrail.Trail('CloudTrail',
DependsOn='BucketPolicy',
IsLogging=True,
IncludeGlobalServiceEvents=True,
IsMultiRegionTrail=True,
S3BucketName=Ref('S3Bucket')))
return t
def buildInfrastructure(t, args):
if (not args.recovery):
t.add_resource(
kms.Key(
'OpenEMRKey',
DeletionPolicy='Retain'
if args.recovery else 'Delete' if args.dev else 'Retain',
KeyPolicy={
"Version":
"2012-10-17",
"Id":
"key-default-1",
"Statement": [{
"Sid": "1",
"Effect": "Allow",
"Principal": {
"AWS":
[Join(':', ['arn:aws:iam:', ref_account, 'root'])]
},
"Action": "kms:*",
"Resource": "*"
}]
}))
t.add_resource(
s3.Bucket(
'S3Bucket',
DeletionPolicy='Retain',
BucketName=Join(
'-',
['openemr', Select('2', Split('/', ref_stack_id))])))
t.add_resource(
s3.BucketPolicy(
'BucketPolicy',
Bucket=Ref('S3Bucket'),
PolicyDocument={
"Version":
"2012-10-17",
"Statement": [{
"Sid": "AWSCloudTrailAclCheck",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "s3:GetBucketAcl",
"Resource": {
"Fn::Join":
["", ["arn:aws:s3:::", {
"Ref": "S3Bucket"
}]]
}
}, {
"Sid": "AWSCloudTrailWrite",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:s3:::", {
"Ref": "S3Bucket"
}, "/AWSLogs/", {
"Ref": "AWS::AccountId"
}, "/*"
]
]
},
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
}]
}))
t.add_resource(
cloudtrail.Trail('CloudTrail',
DependsOn='BucketPolicy',
IsLogging=True,
IncludeGlobalServiceEvents=True,
IsMultiRegionTrail=True,
S3BucketName=Ref('S3Bucket')))
t.add_resource(
ec2.SecurityGroup('ApplicationSecurityGroup',
GroupDescription='Application Security Group',
VpcId=Ref('VPC'),
Tags=Tags(Name='Application')))
return t
kms.Key(
"AuthKey",
Description=Sub("Key for Authorizer in ${AWS::StackName}"),
KeyPolicy={
"Version":
"2012-10-17",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": Sub("arn:aws:iam::${AWS::AccountId}:root")
},
"Action": cfnutils.kms.IAM_SAFE_ACTIONS,
"Resource": "*",
},
# It's not possible to create a key you cannot edit yourself, however we can make sure
# That only root can edit the key -- if we're deploying this stack with the root account
{
"Sid": "Allow updates to the policy",
"Effect": "Allow",
"Principal": {
"AWS": Sub("arn:aws:iam::${AWS::AccountId}:root")
},
"Action": "kms:PutKeyPolicy",
"Resource": "*",
# "Condition": If(is_root_deploy, kms_helpers.IAM_ONLY_ROOT,
# Ref(AWS_NO_VALUE)),
# TODO: add is_root_deploy parameter & condition, and uncomment the above
},
{
"Sid": "Allow encrypting things",
"Effect": "Allow",
"Principal": {
"AWS": custom_resources.ssm.Parameter.role()
},
"Action": "kms:Encrypt",
"Resource": "*",
},
{
"Sid": "Allow decrypting things",
"Effect": "Allow",
"Principal": {
"AWS": GetAtt(lambda_role, 'Arn')
},
"Action": cfnutils.kms.IAM_DECRYPT_ACTIONS,
"Resource": "*", # The policy is applied to only this key
},
],
},
Tags=GetAtt(cloudformation_tags, 'TagList'),
))
kms.Key(
"rdskmskey",
Description="Key for encrypting the RDS",
KeyPolicy={
"Version":
"2012-10-17",
"Statement": [
{
"Sid":
"Allow full administration of the key by the root account",
"Effect": "Allow",
"Principal": {
"AWS": Ref(key_admin_arn),
},
"Action": ["kms:*"],
"Resource": "*"
},
{
"Sid":
"Allow access through RDS for all principals in the account that are authorized to use RDS",
"Effect":
"Allow",
"Principal": {
"AWS": "*"
},
"Condition": {
"StringEquals": {
"kms:CallerAccount":
Ref('AWS::AccountId'),
"kms:ViaService":
Join(
"",
["rds.",
Ref('AWS::Region'), ".amazonaws.com"])
}
},
"Action": [
"kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
"kms:GenerateDataKey*", "kms:CreateGrant",
"kms:DescribeKey"
],
"Resource":
"*"
},
]
}))
from awacs.aws import Action, Allow, PolicyDocument, Principal, Statement
from template import t
from troposphere import AWS_ACCOUNT_ID, Join, Ref, kms
print(' adding KMS key')
key_policy = PolicyDocument(
Version="2012-10-17",
Statement=[
Statement(
Sid="1",
Effect=Allow,
Principal=Principal(
"AWS", Join(":", ["arn:aws:iam:", Ref(AWS_ACCOUNT_ID), "root"])
),
Action=[Action("kms", "*")],
Resource=["*"]
)
]
)
kms_key = t.add_resource(
kms.Key(
"HyP3KMSKey",
Description="KMS Key used by HyP3 to encrypt sensitive data",
KeyPolicy=key_policy
)
)