Attention
In production, if you plan to use a KMS Key, we highly recommend creating that KMS key separately and using Lookup to reference it wherever it is needed.
x-kms ¶
x-kms:
  key-logical-name:
    Properties: {}
    Lookup: {}
    Settings: {}
    MacroParameters: {}
This module allows you to declare new and existing KMS Keys, either to grant your services access to them directly, or to link them to your other AWS resources (such as S3, SQS, etc.), in which case the services that access those resources are automatically granted permission to use the key as well.
Services ¶
List of key/value pairs, as for the other ECS ComposeX x-resources.
x-kms:
  keyA:
    Properties: {}
    Services:
      serviceA:
        Access: EncryptDecrypt
      serviceB:
        Access: DecryptOnly
Access ¶
Here are the pre-defined IAM permissions you can use for your KMS Key. The JSON map below is what each Access value expands to, with ${ARN} replaced by the ARN of the key.
- EncryptDecrypt
- EncryptOnly
- DecryptOnly
- SQS
{
  "SQS": {
    "Action": [
      "kms:GenerateDataKey",
      "kms:Decrypt"
    ],
    "Effect": "Allow",
    "Resource": [
      "${ARN}"
    ]
  },
  "DecryptOnly": {
    "Action": [
      "kms:Decrypt"
    ],
    "Effect": "Allow",
    "Resource": [
      "${ARN}"
    ]
  },
  "EncryptOnly": {
    "Action": [
      "kms:Encrypt",
      "kms:GenerateDataKey*",
      "kms:ReEncrypt*"
    ],
    "Effect": "Allow",
    "Resource": [
      "${ARN}"
    ]
  },
  "EncryptDecrypt": {
    "Action": [
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:CreateGrant",
      "kms:DescribeKey"
    ],
    "Effect": "Allow",
    "Resource": [
      "${ARN}"
    ]
  },
  "kinesis_firehose": {
    "Direct": {
      "Effect": "Allow",
      "Resource": [
        "${ARN}"
      ],
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ]
    },
    "s3": {
      "Effect": "Allow",
      "Resource": [
        "${ARN}"
      ],
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ]
    }
  }
}
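To see how these pre-defined levels behave in practice, the following added example (not compose-x's own code) loads the policy map above, renders the IAM statement for a given key ARN, and picks the narrowest Access level that still covers a list of KMS actions a service actually needs. Wildcard actions such as kms:GenerateDataKey* are matched the way IAM matches them. The helper names, the dotted addressing of the nested kinesis_firehose entries, and the sample key ARN are assumptions made for this example.

```python
"""Choose and render pre-defined x-kms Access levels (added example, not compose-x code)."""
from fnmatch import fnmatchcase

# Copy of the pre-defined policy map documented above.
ACCESS_POLICIES = {
    "SQS": {"Action": ["kms:GenerateDataKey", "kms:Decrypt"],
            "Effect": "Allow", "Resource": ["${ARN}"]},
    "DecryptOnly": {"Action": ["kms:Decrypt"],
                    "Effect": "Allow", "Resource": ["${ARN}"]},
    "EncryptOnly": {"Action": ["kms:Encrypt", "kms:GenerateDataKey*", "kms:ReEncrypt*"],
                    "Effect": "Allow", "Resource": ["${ARN}"]},
    "EncryptDecrypt": {"Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                                  "kms:GenerateDataKey*", "kms:CreateGrant", "kms:DescribeKey"],
                       "Effect": "Allow", "Resource": ["${ARN}"]},
    "kinesis_firehose": {
        "Direct": {"Effect": "Allow", "Resource": ["${ARN}"],
                   "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                              "kms:GenerateDataKey*", "kms:DescribeKey"]},
        "s3": {"Effect": "Allow", "Resource": ["${ARN}"],
               "Action": ["kms:Decrypt", "kms:GenerateDataKey"]},
    },
}

# Constructed placeholder ARN; not a real key.
SAMPLE_KEY_ARN = "arn:aws:kms:eu-west-1:123456789012:key/00000000-0000-0000-0000-000000000000"


def _flatten(policies, prefix=""):
    """Yield (name, statement) pairs; nested groups such as kinesis_firehose
    are addressed with a dotted path (assumed naming, e.g. 'kinesis_firehose.s3')."""
    for name, body in policies.items():
        if "Action" in body:
            yield prefix + name, body
        else:
            yield from _flatten(body, prefix + name + ".")


ACCESS_LEVELS = dict(_flatten(ACCESS_POLICIES))


def render_statement(access, key_arn):
    """Return the IAM statement for an Access level with ${ARN} replaced by the key ARN."""
    template = ACCESS_LEVELS[access]
    return {
        "Effect": template["Effect"],
        "Action": list(template["Action"]),
        "Resource": [r.replace("${ARN}", key_arn) for r in template["Resource"]],
    }


def grants(access, action):
    """True if the level's action patterns (wildcards included) cover the given KMS action."""
    return any(fnmatchcase(action, pattern) for pattern in ACCESS_LEVELS[access]["Action"])


def narrowest_access(required_actions, candidates=None):
    """Pick the level that covers every required action while granting the fewest
    action patterns; ties are broken by name. None if no level covers them all."""
    names = candidates or list(ACCESS_LEVELS)
    covering = [n for n in names if all(grants(n, a) for a in required_actions)]
    if not covering:
        return None
    return min(covering, key=lambda n: (len(ACCESS_LEVELS[n]["Action"]), n))


def excess_actions(access, required_actions):
    """Action patterns the level grants that none of the required actions need (review aid)."""
    return [p for p in ACCESS_LEVELS[access]["Action"]
            if not any(fnmatchcase(a, p) for a in required_actions)]


if __name__ == "__main__":
    needed = ["kms:Decrypt"]
    level = narrowest_access(needed)
    print("narrowest level for", needed, "->", level)
    print(render_statement(level, SAMPLE_KEY_ARN))
    print("unneeded in EncryptDecrypt:", excess_actions("EncryptDecrypt", needed))
```

A service that only consumes encrypted messages needs kms:Decrypt alone, and the check resolves that to DecryptOnly rather than EncryptDecrypt; the excess_actions listing is a quick way to justify the narrower choice in a review.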
ReturnValues ¶
See the AWS KMS Key return values in the AWS CFN Documentation. The value of Ref can be accessed with KeyId.
Properties ¶
All properties are supported. See AWS CFN KMS Key Documentation for the full details.
MacroParameters ¶
Alias ¶
You can define Alias, which will create an Alias along with the KMS Key. The alias name must be a string not starting with alias/aws or aws. If you specify an alias starting with alias/, the string is used as is; if you only specify a short name, the alias is prefixed with the RootStack name and region.
Examples ¶
x-kms:
  keyA:
    Properties:
      PendingWindowInDays: 14
    Services:
      serviceA:
        Access: EncryptDecrypt
      serviceB:
        Access: EncryptDecrypt
    Settings:
      Alias: keyA
Link to other x-resources ¶
You can currently use x-kms::<key name> with the following AWS Resources defined in your docker-compose files.
Note
This only applies to new resources that will be provisioned within the compose-x stack. For existing resources that are looked up, such as x-s3, if the resource has a KMS Key, the services that need access to the bucket will automatically be granted least-privilege access to the key as well.
x-s3 ¶
x-kms:
  s3-encryption-key: # New key
    Properties: {}
    Settings:
      Alias: alias/s3-encryption-key
  keyC: # Existing key, lookup
    Lookup:
      Tags:
        - name: cicd
        - costcentre: lambda
    Services:
      - name: app03
        access: EncryptDecrypt
      - name: bignicefamily
        access: DecryptOnly
x-s3:
  bucket-01:
    Properties:
      BucketName: bucket-01
      AccessControl: BucketOwnerFullControl
      ObjectLockEnabled: True
      PublicAccessBlockConfiguration:
        BlockPublicAcls: True
        BlockPublicPolicy: True
        IgnorePublicAcls: True
        RestrictPublicBuckets: False
      AccelerateConfiguration:
        AccelerationStatus: Suspended
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: "aws:kms"
              KMSMasterKeyID: x-kms::keyC
      VersioningConfiguration:
        Status: "Enabled"
  bucket-03:
    Properties:
      BucketName: bucket-03
      AccessControl: BucketOwnerFullControl
      ObjectLockEnabled: True
      PublicAccessBlockConfiguration:
        BlockPublicAcls: True
        BlockPublicPolicy: True
        IgnorePublicAcls: True
        RestrictPublicBuckets: False
      AccelerateConfiguration:
        AccelerationStatus: Suspended
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: aws:kms
              KMSMasterKeyID: x-kms::s3-encryption-key
      VersioningConfiguration:
        Status: "Enabled"
x-sqs ¶
x-kms:
  keyA: # New key
    Properties: {}
  keyC: # Lookup key
    Lookup:
      Tags:
        - name: cicd
        - costcentre: lambda
x-sqs:
  queue01:
    Properties:
      KmsMasterKeyId: x-kms::keyC
      RedrivePolicy:
        deadLetterTargetArn: queueA
        maxReceiveCount: 10
  queue02:
    Properties:
      KmsMasterKeyId: x-kms::keyA
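The x-kms::&lt;key name&gt; references used in the x-s3 and x-sqs examples, and the Alias naming rule from the MacroParameters section, are easy to get wrong in a large compose file, so the following added example (not compose-x's own code) checks both before deployment: it walks every other x-resource, collects each x-kms:: reference, reports whether it points at a new key, a looked-up key, or an undefined one, and resolves alias names according to the rule stated above. The document below is constructed to mirror the examples on this page, with one deliberately undefined reference; the exact separator used when prefixing a short alias with the root stack name and region is an assumption, as is the set of property names on which references are expected.

```python
"""Validate x-kms:: references and Alias names in a compose-x document
(added example, not compose-x's own code)."""

REFERENCE_PREFIX = "x-kms::"
# Encryption properties on which the page shows x-kms:: references (assumed to be the full set).
KMS_PROPERTY_NAMES = {"KMSMasterKeyID", "KmsMasterKeyId"}


def alias_allowed(alias):
    """Page rule: the alias must be a string and must not start with 'alias/aws' or 'aws'."""
    return isinstance(alias, str) and bool(alias) and not alias.startswith(("alias/aws", "aws"))


def resolve_alias(alias, root_stack, region):
    """'alias/...' is kept as is; a short name gets the root stack name and region as prefix.
    The '<stack>-<region>-<name>' layout is an assumption for this example."""
    if not alias_allowed(alias):
        raise ValueError(f"alias {alias!r} is not allowed")
    if alias.startswith("alias/"):
        return alias
    return f"alias/{root_stack}-{region}-{alias}"


def key_kind(key_def):
    """'lookup' when the key carries a non-empty Lookup section, otherwise 'new'."""
    return "lookup" if key_def.get("Lookup") else "new"


def _walk(node):
    """Yield (path, value) for every scalar nested inside dicts and lists."""
    if isinstance(node, dict):
        for key, value in node.items():
            for path, leaf in _walk(value):
                yield (key,) + path, leaf
    elif isinstance(node, list):
        for index, value in enumerate(node):
            for path, leaf in _walk(value):
                yield (index,) + path, leaf
    else:
        yield (), node


def find_kms_references(compose):
    """Return (module, resource, property, key name, status) for every x-kms:: reference
    found under the Properties of a non-x-kms x-resource."""
    keys = compose.get("x-kms", {})
    findings = []
    for module, resources in compose.items():
        if module == "x-kms" or not module.startswith("x-") or not isinstance(resources, dict):
            continue
        for res_name, res_def in resources.items():
            for path, value in _walk(res_def.get("Properties", {})):
                if not (isinstance(value, str) and value.startswith(REFERENCE_PREFIX)):
                    continue
                prop = next((p for p in reversed(path) if isinstance(p, str)), None)
                key_name = value[len(REFERENCE_PREFIX):]
                if key_name not in keys:
                    status = "undefined"
                elif prop not in KMS_PROPERTY_NAMES:
                    status = "unexpected-property"
                else:
                    status = key_kind(keys[key_name])
                findings.append((module, res_name, prop, key_name, status))
    return findings


def undefined_references(compose):
    """Only the references that name a key missing from x-kms."""
    return [f for f in find_kms_references(compose) if f[-1] == "undefined"]


# Constructed sample mirroring the x-s3 / x-sqs examples; queue02 points at a key that
# is deliberately not declared.
SSE_KEYC = {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "x-kms::keyC"}
SSE_NEW = {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "x-kms::s3-encryption-key"}
SAMPLE_COMPOSE = {
    "x-kms": {
        "s3-encryption-key": {"Properties": {}, "Settings": {"Alias": "alias/s3-encryption-key"}},
        "keyC": {"Lookup": {"Tags": [{"name": "cicd"}, {"costcentre": "lambda"}]}},
    },
    "x-s3": {
        "bucket-01": {"Properties": {"BucketEncryption": {
            "ServerSideEncryptionConfiguration": [{"ServerSideEncryptionByDefault": SSE_KEYC}]}}},
        "bucket-03": {"Properties": {"BucketEncryption": {
            "ServerSideEncryptionConfiguration": [{"ServerSideEncryptionByDefault": SSE_NEW}]}}},
    },
    "x-sqs": {
        "queue01": {"Properties": {"KmsMasterKeyId": "x-kms::keyC"}},
        "queue02": {"Properties": {"KmsMasterKeyId": "x-kms::missing-key"}},
    },
}

if __name__ == "__main__":
    for finding in find_kms_references(SAMPLE_COMPOSE):
        print(finding)
    print("alias for keyA:", resolve_alias("keyA", "myapp", "eu-west-1"))
```

Running it on the sample lists the two lookups of keyC, the new s3-encryption-key, and flags queue02 as undefined; a reference to an undefined key is the case to catch before the stack is created, since the queue would otherwise be left without the intended customer-managed key.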
x-cluster ¶
See ecs_cluster_syntax_reference for full details.
JSON Schema ¶
Model ¶
x-kms ¶
x-kms.spec.json (x-kms specification)
  type: object
  additionalProperties: False
  properties:
    Lookup: x-resources.common.spec.json#/definitions/Lookup
    Properties: object (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html)
    Settings: x-resources.common.spec.json#/definitions/Settings
    Services: x-resources.common.spec.json#/definitions/Services
    MacroParameters: object
      properties:
        Alias: string
Definition ¶
{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "id": "x-kms.spec.json",
  "$id": "x-kms.spec.json",
  "title": "x-kms",
  "description": "x-kms specification",
  "type": "object",
  "additionalProperties": false,
  "properties": {
    "Lookup": {
      "$ref": "x-resources.common.spec.json#/definitions/Lookup"
    },
    "Properties": {
      "type": "object",
      "description": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html"
    },
    "Settings": {
      "$ref": "x-resources.common.spec.json#/definitions/Settings"
    },
    "Services": {
      "$ref": "x-resources.common.spec.json#/definitions/Services"
    },
    "MacroParameters": {
      "type": "object",
      "properties": {
        "Alias": {
          "type": "string"
        }
      }
    }
  }
}
Test files ¶
You can find the test files here to use as reference for your use-case.