{ "AWSTemplateFormatVersion": "2010-09-09", "Description": "Template for Encryption Stack", "Parameters": { "AdministratorUser": { "Type": "String" } }, "Conditions": {}, "Mappings": {}, "Resources": { "Key": { "Type": "AWS::KMS::Key", "Properties": { "Description": "", "Enabled": true, "EnableKeyRotation": false, "KeyPolicy": { "Version": "2012-10-17", "Id": "key-cf-policy", "Statement": [ { "Sid": "Enable IAM User Permissions", "Effect": "Allow", "Principal": { "AWS": {"Fn::Join": ["", [ "arn:aws:iam::", {"Ref": "AWS::AccountId"}, ":root" ]]} }, "Action": "kms:*", "Resource": "*" }, { "Sid": "Allow access for Key Administrators", "Effect": "Allow", "Principal": { "AWS": {"Fn::Join": ["", [ "arn:aws:iam::", {"Ref": "AWS::AccountId"}, ":user/", {"Ref": "AdministratorUser"} ]]} }, "Action": [ "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*", "kms:TagResource", "kms:UntagResource", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion" ], "Resource": "*" }, { "Sid": "Allow use of the key", "Effect": "Allow", "Principal": { "AWS": [ {"Fn::Join": ["", [ "arn:aws:iam::", {"Ref": "AWS::AccountId"}, ":user/", {"Ref": "AdministratorUser"} ]]} ] }, "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey" ], "Resource": "*" }, { "Sid": "Allow attachment of persistent resources", "Effect": "Allow", "Principal": { "AWS": [ {"Fn::Join": ["", [ "arn:aws:iam::", {"Ref": "AWS::AccountId"}, ":user/", {"Ref": "AdministratorUser"} ]]} ] }, "Action": [ "kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant" ], "Resource": "*", "Condition": { "Bool": { "kms:GrantIsForAWSResource": "true" } } } ] } } } }, "Outputs": { "KeyId": { "Value": {"Ref": "Key"} } } }