AWSTemplateFormatVersion: '2010-09-09'
Description: S3&KMS Stack

# ------------------------------------------------------------#
# Parameters
# ------------------------------------------------------------#
Parameters:
  # Name given to the bucket created by the S3 resource below.
  BucketName:
    Type: String
  # ARN of the IAM principal that the KMS key policy names both as key
  # administrator and as key user.
  IAMUserARN:
    Type: String
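Resources:
# ------------------------------------------------------------#
# KMS
# ------------------------------------------------------------#
  # Customer-managed key used as the bucket's default encryption key.
  KMS:
    Type: AWS::KMS::Key
    Properties:
      Description: OAC Test
      Enabled: true
      # Automatic rotation of the key material; transparent to callers, since
      # KMS keeps old material to decrypt data encrypted before the rotation.
      EnableKeyRotation: true
      KeyPolicy:
        Version: '2012-10-17'
        Statement:
          # Standard delegation statement: lets IAM policies in this account
          # grant access to the key. Without it the key can become unmanageable.
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
            Action: 'kms:*'
            Resource: '*'
          # Key administration. kms:Put* includes kms:PutKeyPolicy, so this
          # principal can rewrite every statement in this policy and therefore
          # holds full control of the key.
          - Sid: 'Allow access for Key Administrators'
            Effect: Allow
            Principal:
              AWS: !Ref IAMUserARN
            Action:
              - 'kms:Create*'
              - 'kms:Describe*'
              - 'kms:Enable*'
              - 'kms:List*'
              - 'kms:Put*'
              - 'kms:Update*'
              - 'kms:Revoke*'
              - 'kms:Disable*'
              - 'kms:Get*'
              - 'kms:Delete*'
              - 'kms:TagResource'
              - 'kms:UntagResource'
              - 'kms:ScheduleKeyDeletion'
              - 'kms:CancelKeyDeletion'
              - 'kms:CreateGrant'
              - 'kms:ListGrants'
              - 'kms:RevokeGrant'
            Resource: '*'
          # Cryptographic use of the key by the same principal.
          - Sid: 'Allow use of the key'
            Effect: Allow
            Principal:
              AWS: !Ref IAMUserARN
            Action:
              - 'kms:Encrypt'
              - 'kms:Decrypt'
              - 'kms:ReEncrypt*'
              - 'kms:GenerateDataKey*'
              - 'kms:DescribeKey'
            Resource: '*'
          # Cryptographic use by CloudFront. The Sid was renamed so that each
          # statement carries a distinct identifier (the previous one repeated
          # 'Allow use of the key', which confuses policy review and some
          # validators). The aws:SourceArn condition limits the grant to the
          # one distribution exported as CloudFrontID, so a distribution in
          # another account cannot use this key. Only kms:Decrypt is exercised
          # when serving objects; kms:Encrypt and kms:GenerateDataKey* matter
          # only if uploads are ever routed through CloudFront, which the bucket
          # policy (s3:GetObject only) does not allow today.
          - Sid: 'Allow use of the key by CloudFront'
            Effect: Allow
            Principal:
              Service:
                - cloudfront.amazonaws.com
            Action:
              - 'kms:Decrypt'
              - 'kms:Encrypt'
              - 'kms:GenerateDataKey*'
            Resource: '*'
            Condition:
              StringEquals:
                aws:SourceArn:
                  - !Join
                    - ''
                    - - !Sub 'arn:aws:cloudfront::${AWS::AccountId}:distribution/'
                      - !ImportValue CloudFrontID
      # 7 is the shortest deletion window KMS allows (7-30 days). A longer
      # window leaves more time to cancel an accidental or malicious
      # ScheduleKeyDeletion before the key, and all data under it, is lost.
      PendingWindowInDays: 7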
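# ------------------------------------------------------------#
# S3
# ------------------------------------------------------------#
  # Origin bucket, encrypted by default with the customer-managed key above.
  S3:
    Type: AWS::S3::Bucket
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          # S3 Bucket Keys reduce the number of KMS requests (and their cost)
          # generated by SSE-KMS objects.
          - BucketKeyEnabled: true
            ServerSideEncryptionByDefault:
              KMSMasterKeyID: !Ref KMS
              SSEAlgorithm: 'aws:kms'
      BucketName: !Ref BucketName
      # Block every form of public access. CloudFront reaches the bucket
      # through the bucket policy below, not through ACLs or a public policy.
      # Written as lowercase true for consistency with the other booleans in
      # this template (the original used True, which yamllint's truthy rule
      # rejects).
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      # NOTE(review): no VersioningConfiguration or OwnershipControls are set;
      # consider enabling versioning (recovery from overwrite/delete) and
      # ObjectOwnership: BucketOwnerEnforced (disables ACLs entirely).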
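# Bucket policy granting CloudFront (via OAC) read access to the objects.
  S3BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref S3
      PolicyDocument:
        # 2012-10-17 is the current policy language, a superset of the
        # 2008-10-17 version used before, and matches the KMS key policy above.
        Version: '2012-10-17'
        Statement:
          # The aws:SourceArn condition is what prevents a confused-deputy
          # scenario: any CloudFront distribution could otherwise name this
          # bucket as its origin and read objects through the service
          # principal. Only the distribution exported as CloudFrontID may.
          # Condition key names are case-insensitive; written as aws:SourceArn
          # to match the KMS key policy.
          - Sid: 'AllowCloudFrontServicePrincipal'
            Effect: 'Allow'
            Principal:
              Service:
                - 'cloudfront.amazonaws.com'
            Action:
              - 's3:GetObject'
            Resource:
              - !Sub '${S3.Arn}/*'
            Condition:
              StringEquals:
                aws:SourceArn:
                  - !Join
                    - ''
                    - - !Sub 'arn:aws:cloudfront::${AWS::AccountId}:distribution/'
                      - !ImportValue CloudFrontID
          # NOTE(review): there is no Deny statement for non-TLS requests
          # (Condition Bool aws:SecureTransport: 'false'); add one if any client
          # other than CloudFront may reach this bucket directly.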
# ------------------------------------------------------------#
# Outputs
# ------------------------------------------------------------#
Outputs:
  # DNS name of the origin bucket, exported for use by other stacks.
  # NOTE(review): export names are unique per account and region, so the bare
  # export name 'S3' collides with a second deployment of this template.
  S3:
    Value: !GetAtt S3.DomainName
    Export:
      Name: S3