From 302a8b0b5c9ad20d11e5298c80f6cb5115dc90e6 Mon Sep 17 00:00:00 2001
From: Tim Nguyen
Date: Tue, 28 Sep 2021 15:23:35 -0400
Subject: [PATCH 1/4] chore: Add SNS encryption for FhirWorksAlarm

---
 cloudformation/alarms.yaml | 1 +
 cloudformation/kms.yaml | 30 ++++++++++++++++++++++++++++++
 2 files changed, 31 insertions(+)

diff --git a/cloudformation/alarms.yaml b/cloudformation/alarms.yaml
index bb2df33c..2a5295f2 100644
--- a/cloudformation/alarms.yaml
+++ b/cloudformation/alarms.yaml
@@ -579,6 +579,7 @@ Resources:
 Type: AWS::SNS::Topic
 Properties:
 DisplayName: !Join ['-', [FhirSolution, !Ref Stage, cloudwatch, alarm, topic]]
+ KmsMasterKeyId: !Ref SnsKMSKey
 FhirWorksAlarmSNSTopicPolicy:
 Type: AWS::SNS::TopicPolicy
 DependsOn: FhirWorksAlarmSNSTopic
diff --git a/cloudformation/kms.yaml b/cloudformation/kms.yaml
index f60a32d3..4a55eead 100644
--- a/cloudformation/kms.yaml
+++ b/cloudformation/kms.yaml
@@ -94,4 +94,34 @@ Resources:
 Condition:
 ArnLike:
 kms:EncryptionContext:aws:logs:arn: !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:*
+ SnsAlias:
+ Type: AWS::KMS::Alias
+ Properties:
+ AliasName: !Join ['-', [alias/snsKey, !Ref Stage]]
+ TargetKeyId: !Ref SnsKMSKey
+ SnsKMSKey:
+ Type: AWS::KMS::Key
+ Properties:
+ EnableKeyRotation: true
+ Description: 'KMS CMK for SNS'
+ KeyPolicy:
+ Version: '2012-10-17'
+ Statement:
+ - Sid: 'Enable IAM Root Permissions'
+ Effect: Allow
+ Principal:
+ AWS: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:root'
+ Action: 'kms:*'
+ Resource: '*'
+ - Sid: 'Allow SNS to use this Key Policy'
+ Effect: Allow
+ Principal:
+ Service: sns.amazonaws.com
+ Action:
+ - kms:Encrypt
+ - kms:Decrypt
+ - kms:GenerateDataKey*
+ Resource: '*'
+
+
 

From 3279664a48911f20e2e7845468cc01744e816be1 Mon Sep 17 00:00:00 2001
From: Tim Nguyen
Date: Tue, 28 Sep 2021 15:28:29 -0400
Subject: [PATCH 2/4] Remove extra spaces

---
 cloudformation/kms.yaml | 3 ---
 1 file changed, 3 deletions(-)
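Review bot: The added `KmsMasterKeyId: !Ref SnsKMSKey` references a resource that is defined in cloudformation/kms.yaml, not in this file, so it only resolves if the cloudformation/*.yaml files are merged into one template at deploy time; if alarms.yaml were ever deployed as its own stack the key would have to arrive as a parameter or an exported ARN. Turning on server-side encryption also means every publisher to FhirWorksAlarmSNSTopic — the CloudWatch service principal and any IAM principal that calls Publish — needs `kms:GenerateDataKey*` and `kms:Decrypt` on that key, so any publisher wired up elsewhere in alarms.yaml should be checked alongside the key policy. A one-line comment above the property, `# SSE with the CMK defined in kms.yaml; every publisher needs kms:GenerateDataKey* and kms:Decrypt on it`, would record that coupling. The FhirWorksAlarmSNSTopic resource starts above the hunk.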
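Review bot: The 'Allow SNS to use this Key Policy' statement grants the sns.amazonaws.com service principal on `Resource: '*'` with no Condition, so the grant is not tied to this account's topics (the usual confused-deputy exposure for service-principal statements), whereas the logs statement just above already scopes its grant with a Condition; an account scope such as `Condition: { StringEquals: { 'aws:SourceAccount': !Ref AWS::AccountId } }` (or `kms:ViaService`, whichever the SNS integration honors — confirm) belongs here, and likewise on the CloudWatch statement introduced in patch 3 and the SNS statement re-added in patch 4. `kms:Encrypt` also looks unnecessary for this use: the documented minimum for SNS topic encryption and for CloudWatch alarms publishing to an encrypted topic is `kms:Decrypt` plus `kms:GenerateDataKey*` — verify and drop it. Finally SnsKMSKey carries no `DeletionPolicy: Retain` / `UpdateReplacePolicy: Retain`, so a stack delete or a replacing update schedules the CMK for deletion; consider adding both if the existing logs key in this file does. The two trailing `+` blank lines are removed again in patch 2.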
diff --git a/cloudformation/kms.yaml b/cloudformation/kms.yaml
index 4a55eead..52c5a498 100644
--- a/cloudformation/kms.yaml
+++ b/cloudformation/kms.yaml
@@ -122,6 +122,3 @@ Resources:
 - kms:Decrypt
 - kms:GenerateDataKey*
 Resource: '*'
-
-
-

From a218ad282fe33e088b9683211622d5f2ad06041b Mon Sep 17 00:00:00 2001
From: Tim Nguyen
Date: Tue, 28 Sep 2021 15:38:00 -0400
Subject: [PATCH 3/4] Allow cloudwatch to use KMS key

---
 cloudformation/kms.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/cloudformation/kms.yaml b/cloudformation/kms.yaml
index 52c5a498..f65a3852 100644
--- a/cloudformation/kms.yaml
+++ b/cloudformation/kms.yaml
@@ -113,10 +113,10 @@ Resources:
 AWS: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:root'
 Action: 'kms:*'
 Resource: '*'
- - Sid: 'Allow SNS to use this Key Policy'
+ - Sid: 'Allow Cloudwatch to use this Key Policy'
 Effect: Allow
 Principal:
- Service: sns.amazonaws.com
+ Service: cloudwatch.amazonaws.com
 Action:
 - kms:Encrypt
 - kms:Decrypt

From ccbdb5d0b5b25a02e55745bbc97204775da0461d Mon Sep 17 00:00:00 2001
From: Tim Nguyen
Date: Tue, 28 Sep 2021 21:13:33 -0400
Subject: [PATCH 4/4] Allow SNS access to KMS key as well

---
 cloudformation/kms.yaml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/cloudformation/kms.yaml b/cloudformation/kms.yaml
index f65a3852..eb569e1a 100644
--- a/cloudformation/kms.yaml
+++ b/cloudformation/kms.yaml
@@ -122,3 +122,12 @@ Resources:
 - kms:Decrypt
 - kms:GenerateDataKey*
 Resource: '*'
+ - Sid: 'Allow SNS to use this Key Policy'
+ Effect: Allow
+ Principal:
+ Service: sns.amazonaws.com
+ Action:
+ - kms:Encrypt
+ - kms:Decrypt
+ - kms:GenerateDataKey*
+ Resource: '*'
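Review bot: At this commit the sns.amazonaws.com statement is replaced by the CloudWatch one rather than joined by it, so a checkout of patch 3 alone deploys a key that the encrypted topic's own service principal cannot use and delivery from FhirWorksAlarmSNSTopic would fail; the next patch restores it, but squashing the two so no intermediate revision is deployable in that state would be cleaner. The Sid wording `'Allow Cloudwatch to use this Key Policy'` also reads oddly — `'Allow CloudWatch to use this key'` says what the statement actually grants. The SnsKMSKey resource starts above the hunk.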
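Review bot: The re-added SNS statement duplicates the CloudWatch statement above it line for line except for the principal; a single statement with `Service: [cloudwatch.amazonaws.com, sns.amazonaws.com]` keeps the two action lists from drifting apart and gives one place to attach an account-scoping Condition, which neither statement currently has. If they stay separate, the Sid `'Allow SNS to use this Key Policy'` should at least describe the grant (`'Allow SNS to use this key'`) to match whatever wording the CloudWatch Sid settles on. The SnsKMSKey resource starts above the hunk.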