-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathserverless-kms.yml
50 lines (48 loc) · 1.55 KB
/
serverless-kms.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
############################################################################################################
# This includes all KMS resources
#
# This encryption key is used to encrypt/decrypt temporary code grants (access, id, refresh tokens)
#
############################################################################################################
Resources:
CognitoEncryptionKey:
Type: AWS::KMS::Key
DependsOn:
IamRoleLambdaExecution
Properties:
Description: >-
Symmetric key that encrypts cognito information
EnableKeyRotation: true
Enabled: true
KeyPolicy:
Version: '2012-10-17'
Id: ${self:custom.cognito.kmsId}
Statement:
- Sid: Enable IAM User Permissions
Effect: Allow
Principal:
AWS:
Fn::Sub: arn:aws:iam::${AWS::AccountId}:root
Action: kms:*
Resource: '*'
- Sid: Allow Lambdas
Effect: Allow
Principal:
AWS: !Sub "arn:aws:iam::${AWS::AccountId}:role/${self:service}-${AWS::Region}-lambda-role"
Action:
- kms:Encrypt
- kms:Decrypt
Resource: '*'
KeyUsage: ENCRYPT_DECRYPT
MultiRegion: true
PendingWindowInDays: 7
CognitoEncryptionKeyAlias:
Type: AWS::KMS::Alias
Properties:
AliasName:
Fn::Sub: alias/${self:custom.cognito.kmsId}
TargetKeyId:
Ref: CognitoEncryptionKey
Outputs:
CognitoEncryptionKeyArn:
Value: !GetAtt CognitoEncryptionKey.Arn