def add_kms_key(self, name): print('Adding KMS key for %s service' % name) account_id = self.config.get('account_id', None) if not account_id: print('Unable to add KMS Key') sys.exit('Unable to add KMS Key! No Account ID') keypolicy = { "Version": "2012-10-17", "Id": name, "Statement": [{ "Sid": "Allow administration of the key", "Effect": "Allow", "Principal": { "AWS": ("arn:aws:iam::%s:root" % account_id) }, "Action": [ "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion" ], "Resource": "*" }] } return self.add_resource(kms.Key(name, KeyPolicy=keypolicy))
def _create_kms_deploy_key(self, include_prod): statements = [ Statement( Sid='AdminAccess', Effect=Allow, Principal=self.DEPLOY_ACCOUNT_PRINCIPAL, Action=[_kms.Action('*')], Resource=['*'], ) ] if include_prod: statements.append( Statement( Sid='KeyUsage', Effect=Allow, Principal=self.PROD_ACCOUNT_PRINCIPAL, Action=[ _kms.Encrypt, _kms.Decrypt, Action('kms', 'ReEncrypt*'), _kms.GenerateDataKey, _kms.DescribeKey ], Resource=['*'], )) deploy_key = kms.Key('DeployKey', KeyPolicy=Policy( Version='2012-10-17', Id='KeyPolicyId', Statement=statements, )) self._t.add_resource(deploy_key) return deploy_key
def _project_key(project: Config) -> kms.Key: """Construct the AWS CMK that will be used to protect project resources. :param project: Source project :return: Constructed key """ policy = AWS.PolicyDocument( Version="2012-10-17", Statement=[ AWS.Statement( Effect=AWS.Allow, Principal=AWS.Principal("AWS", account_arn("iam", "root")), Action=[ KMS.Encrypt, KMS.Decrypt, KMS.ReEncrypt, KMS.GenerateDataKey, KMS.GenerateDataKeyWithoutPlaintext, KMS.DescribeKey, KMS.GetKeyPolicy, ], Resource=["*"], ), # TODO: Change admin statement to some other principal? AWS.Statement( Effect=AWS.Allow, Principal=AWS.Principal("AWS", account_arn("iam", "root")), Action=[ KMS.GetKeyPolicy, KMS.PutKeyPolicy, KMS.ScheduleKeyDeletion, KMS.CancelKeyDeletion, KMS.CreateAlias, KMS.DeleteAlias, KMS.UpdateAlias, KMS.DescribeKey, KMS.EnableKey, KMS.DisableKey, KMS.GetKeyRotationStatus, KMS.EnableKeyRotation, KMS.DisableKeyRotation, KMS.ListKeyPolicies, KMS.ListResourceTags, KMS.TagResource, KMS.UntagResource, ], Resource=["*"], ), ], ) return kms.Key( resource_name(kms.Key, "Stack"), Enabled=True, EnableKeyRotation=False, KeyPolicy=policy, Tags=project_tags(project), )
def buildInfrastructure(t, args): t.add_resource( ec2.VPC('VPC', CidrBlock='10.0.0.0/16', EnableDnsSupport='true', EnableDnsHostnames='true')) t.add_resource( ec2.Subnet('PublicSubnet1', VpcId=Ref('VPC'), CidrBlock='10.0.1.0/24', AvailabilityZone=Select("0", GetAZs("")))) t.add_resource(ec2.InternetGateway('ig')) t.add_resource( ec2.VPCGatewayAttachment('igAttach', VpcId=Ref('VPC'), InternetGatewayId=Ref('ig'))) t.add_resource(ec2.RouteTable('rtTablePublic', VpcId=Ref('VPC'))) t.add_resource( ec2.Route('rtPublic', RouteTableId=Ref('rtTablePublic'), DestinationCidrBlock='0.0.0.0/0', GatewayId=Ref('ig'), DependsOn='igAttach')) t.add_resource( ec2.SubnetRouteTableAssociation('rtPublic1Attach', SubnetId=Ref('PublicSubnet1'), RouteTableId=Ref('rtTablePublic'))) t.add_resource( kms.Key('OpenEMRKey', DeletionPolicy='Delete', KeyPolicy={ "Version": "2012-10-17", "Id": "key-default-1", "Statement": [{ "Sid": "1", "Effect": "Allow", "Principal": { "AWS": [Join(':', ['arn:aws:iam:', ref_account, 'root'])] }, "Action": "kms:*", "Resource": "*" }] })) t.add_resource( s3.Bucket( 'S3Bucket', DeletionPolicy='Retain', BucketName=Join( '-', ['openemr', Select('2', Split('/', ref_stack_id))]))) t.add_resource( s3.BucketPolicy( 'BucketPolicy', Bucket=Ref('S3Bucket'), PolicyDocument={ "Version": "2012-10-17", "Statement": [{ "Sid": "AWSCloudTrailAclCheck", "Effect": "Allow", "Principal": { "Service": "cloudtrail.amazonaws.com" }, "Action": "s3:GetBucketAcl", "Resource": { "Fn::Join": ["", ["arn:aws:s3:::", { "Ref": "S3Bucket" }]] } }, { "Sid": "AWSCloudTrailWrite", "Effect": "Allow", "Principal": { "Service": "cloudtrail.amazonaws.com" }, "Action": "s3:PutObject", "Resource": { "Fn::Join": [ "", [ "arn:aws:s3:::", { "Ref": "S3Bucket" }, "/AWSLogs/", { "Ref": "AWS::AccountId" }, "/*" ] ] }, "Condition": { "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" } } }] })) t.add_resource( cloudtrail.Trail('CloudTrail', DependsOn='BucketPolicy', IsLogging=True, IncludeGlobalServiceEvents=True, IsMultiRegionTrail=True, S3BucketName=Ref('S3Bucket'))) return t
def buildInfrastructure(t, args): if (not args.recovery): t.add_resource( kms.Key( 'OpenEMRKey', DeletionPolicy='Retain' if args.recovery else 'Delete' if args.dev else 'Retain', KeyPolicy={ "Version": "2012-10-17", "Id": "key-default-1", "Statement": [{ "Sid": "1", "Effect": "Allow", "Principal": { "AWS": [Join(':', ['arn:aws:iam:', ref_account, 'root'])] }, "Action": "kms:*", "Resource": "*" }] })) t.add_resource( s3.Bucket( 'S3Bucket', DeletionPolicy='Retain', BucketName=Join( '-', ['openemr', Select('2', Split('/', ref_stack_id))]))) t.add_resource( s3.BucketPolicy( 'BucketPolicy', Bucket=Ref('S3Bucket'), PolicyDocument={ "Version": "2012-10-17", "Statement": [{ "Sid": "AWSCloudTrailAclCheck", "Effect": "Allow", "Principal": { "Service": "cloudtrail.amazonaws.com" }, "Action": "s3:GetBucketAcl", "Resource": { "Fn::Join": ["", ["arn:aws:s3:::", { "Ref": "S3Bucket" }]] } }, { "Sid": "AWSCloudTrailWrite", "Effect": "Allow", "Principal": { "Service": "cloudtrail.amazonaws.com" }, "Action": "s3:PutObject", "Resource": { "Fn::Join": [ "", [ "arn:aws:s3:::", { "Ref": "S3Bucket" }, "/AWSLogs/", { "Ref": "AWS::AccountId" }, "/*" ] ] }, "Condition": { "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" } } }] })) t.add_resource( cloudtrail.Trail('CloudTrail', DependsOn='BucketPolicy', IsLogging=True, IncludeGlobalServiceEvents=True, IsMultiRegionTrail=True, S3BucketName=Ref('S3Bucket'))) t.add_resource( ec2.SecurityGroup('ApplicationSecurityGroup', GroupDescription='Application Security Group', VpcId=Ref('VPC'), Tags=Tags(Name='Application'))) return t
kms.Key( "AuthKey", Description=Sub("Key for Authorizer in ${AWS::StackName}"), KeyPolicy={ "Version": "2012-10-17", "Statement": [ { "Sid": "Enable IAM User Permissions", "Effect": "Allow", "Principal": { "AWS": Sub("arn:aws:iam::${AWS::AccountId}:root") }, "Action": cfnutils.kms.IAM_SAFE_ACTIONS, "Resource": "*", }, # It's not possible to create a key you cannot edit yourself, however we can make sure # That only root can edit the key -- if we're deploying this stack with the root account { "Sid": "Allow updates to the policy", "Effect": "Allow", "Principal": { "AWS": Sub("arn:aws:iam::${AWS::AccountId}:root") }, "Action": "kms:PutKeyPolicy", "Resource": "*", # "Condition": If(is_root_deploy, kms_helpers.IAM_ONLY_ROOT, # Ref(AWS_NO_VALUE)), # TODO: add is_root_deploy parameter & condition, and uncomment the above }, { "Sid": "Allow encrypting things", "Effect": "Allow", "Principal": { "AWS": custom_resources.ssm.Parameter.role() }, "Action": "kms:Encrypt", "Resource": "*", }, { "Sid": "Allow decrypting things", "Effect": "Allow", "Principal": { "AWS": GetAtt(lambda_role, 'Arn') }, "Action": cfnutils.kms.IAM_DECRYPT_ACTIONS, "Resource": "*", # The policy is applied to only this key }, ], }, Tags=GetAtt(cloudformation_tags, 'TagList'), ))
kms.Key( "rdskmskey", Description="Key for encrypting the RDS", KeyPolicy={ "Version": "2012-10-17", "Statement": [ { "Sid": "Allow full administration of the key by the root account", "Effect": "Allow", "Principal": { "AWS": Ref(key_admin_arn), }, "Action": ["kms:*"], "Resource": "*" }, { "Sid": "Allow access through RDS for all principals in the account that are authorized to use RDS", "Effect": "Allow", "Principal": { "AWS": "*" }, "Condition": { "StringEquals": { "kms:CallerAccount": Ref('AWS::AccountId'), "kms:ViaService": Join( "", ["rds.", Ref('AWS::Region'), ".amazonaws.com"]) } }, "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:CreateGrant", "kms:DescribeKey" ], "Resource": "*" }, ] }))
from awacs.aws import Action, Allow, PolicyDocument, Principal, Statement from template import t from troposphere import AWS_ACCOUNT_ID, Join, Ref, kms print(' adding KMS key') key_policy = PolicyDocument( Version="2012-10-17", Statement=[ Statement( Sid="1", Effect=Allow, Principal=Principal( "AWS", Join(":", ["arn:aws:iam:", Ref(AWS_ACCOUNT_ID), "root"]) ), Action=[Action("kms", "*")], Resource=["*"] ) ] ) kms_key = t.add_resource( kms.Key( "HyP3KMSKey", Description="KMS Key used by HyP3 to encrypt sensitive data", KeyPolicy=key_policy ) )