@aws-cdk/aws-kms

AWS Key Management Service Construct Library

---

---

Define a KMS key:

import kms = require('@aws-cdk/aws-kms');

new kms.Key(this, 'MyKey', {
    enableKeyRotation: true
});

Add a couple of aliases:

const key = new kms.Key(this, 'MyKey');
key.addAlias('alias/foo');
key.addAlias('alias/bar');

Sharing keys between stacks

see Trust Account Identities for additional details

To use a KMS key in a different stack in the same CDK application, pass the construct to the other stack:

sharing key between stacks

Importing existing keys

see Trust Account Identities for additional details

To use a KMS key that is not defined in this CDK app, but is created through other means, use Key.fromKeyArn(parent, name, ref):

const myKeyImported = kms.Key.fromKeyArn(this, 'MyImportedKey', 'arn:aws:...');

// you can do stuff with this imported key.
myKeyImported.addAlias('alias/foo');

Note that a call to .addToPolicy(statement) on myKeyImported will not have an affect on the key's policy because it is not owned by your stack. The call will be a no-op.

Trust Account Identities

KMS keys can be created to trust IAM policies. This is the default behavior in the console and is described here. This same behavior can be enabled by:

new Key(stack, 'MyKey', { trustAccountIdentities: true });

Using trustAccountIdentities solves many issues around cyclic dependencies between stacks. The most common use case is creating an S3 Bucket with CMK default encryption which is later accessed by IAM roles in other stacks.

stack-1 (bucket and key created)

// ... snip
const myKmsKey = new kms.Key(this, 'MyKey', { trustAccountIdentities: true });

const bucket = new Bucket(this, 'MyEncryptedBucket', {
    bucketName: 'myEncryptedBucket',
    encryption: BucketEncryption.KMS,
    encryptionKey: myKmsKey
});

stack-2 (lambda that operates on bucket and key)

// ... snip

const fn = new lambda.Function(this, 'MyFunction', {
  runtime: lambda.Runtime.NODEJS_10_X,
  handler: 'index.handler',
  code: lambda.Code.fromAsset(path.join(__dirname, 'lambda-handler')),
});

const bucket = s3.Bucket.fromBucketName(this, 'BucketId', 'myEncryptedBucket');

const key = kms.Key.fromKeyArn(this, 'KeyId', 'arn:aws:...'); // key ARN passed via stack props

bucket.grantReadWrite(fn);
key.grantEncryptDecrypt(fn);

The challenge in this scenario is the KMS key policy behavior. The simple way to understand this, is IAM policies for account entities can only grant the permissions granted to the account root principle in the key policy. When trustAccountIdentities is true, the following policy statement is added:

{
  "Sid": "Enable IAM User Permissions",
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
  "Action": "kms:*",
  "Resource": "*"
}

As the name suggests this trusts IAM policies to control access to the key. If account root does not have permissions to the specific actions, then the key policy and the IAM policy for the entity (e.g. Lambda) both need to grant permission.

Changelog

1.36.0 (2020-04-28)

⚠ BREAKING CHANGES TO EXPERIMENTAL FEATURES

• stepfunctions-tasks: payload in RunLambdaTask is now of type TaskInput and has a default of the state input instead of the empty object. You can migrate your current assignment to payload by supplying it to the TaskInput.fromObject() API

Features

• apigateway: gateway responses (#7441) (b0a65c1), closes #7071
• aws-ecs: add support for IPC and PID Mode for EC2 Task Definitions (1ee629e), closes #7186

Bug Fixes

• apigateway: authorizer is not attached to RestApi across projects (#7596) (1423c53), closes #7377
• cli: can't bootstrap environment not in app (9566cca)
• cli: context keys specified in cdk.json get moved to cdk.context.json (022eb66), closes #7399
• dynamodb: grant() is not available on ITable (#7618) (3b0a397), closes #7473
• dynamodb: grantXxx() does not grant in replication regions (98429e0), closes #7362
• eks: version update completes prematurely (#7526) (307c8b0), closes #7457
• stepfunctions-tasks: cannot specify part of execution data or task context as input to the RunLambda service integration (#7428) (a1d9884), closes #7371