@mu-ts/kms

1.0.5 • Public • Published

AWS KMS

Simpler access to KMS.

References

Usage

Code....

import { decrypt, encrypt } from '@mu-ts/kms';

// Encryption context; pass the same value to encrypt and decrypt.
const context: { [key: string]: string } = { 'context': 'value' };
// One of: key ARN, key ID, alias, or alias ARN.
const key: string = 'key-arn';
const publicSecret: string = '...';
const encryptedSecret: string = await encrypt(publicSecret, key, context);
const decryptedSecret: string = await decrypt(encryptedSecret, key, context);

Where possible, separate your permissions so that the encryptor can't decrypt and the decryptor can't encrypt.

{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::111122223333:role/RoleForExampleApp"
  },
  "Action": "kms:Decrypt",
  "Resource": "*",
  "Condition": {
    "ForAnyValue:StringEquals": {
      "kms:EncryptionContext:AppName": "ExampleApp"
    }
  }
}

KMS Key Creation

Declare your KMS key.

Type: AWS::KMS::Key
Properties:
  Description: Encryption key for transaction information.
  Enabled: true
  EnableKeyRotation: true
  KeyUsage: ENCRYPT_DECRYPT
  PendingWindowInDays: 30
  KeyPolicy:
    Version: '2012-10-17'
    Id: this-key-policy-name
    Statement:
    - Sid: Enable IAM User Permissions
      Effect: Allow
      Principal: # Or the specific role for the function(s) using the key
        AWS:
          Fn::Join:
          - ''
          - - 'arn:aws:iam::'
            - Ref: AWS::AccountId
            - :root
      Action: kms:*
      Resource: '*'
  Tags:
    - Key: environment
      Value: production
    - Key: service
      Value: my-service
    - Key: stage
      Value: this-stage
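
The advice to keep encrypt and decrypt permissions apart can be checked against a key policy before it is deployed. The following is an added example, not code from @mu-ts/kms: it reports principals allowed to both encrypt and decrypt, and Decrypt grants that carry no kms:EncryptionContext condition. The HypotheticalWriter role and the sample policy are constructed for illustration.

```typescript
// Added example (not @mu-ts/kms code). HypotheticalWriter is an assumed role name.
type OneOrMany = string | string[];
interface Statement {
  Effect: 'Allow' | 'Deny';
  Principal: '*' | { AWS: OneOrMany };
  Action: OneOrMany;
  Condition?: Record<string, Record<string, OneOrMany>>;
}
interface Finding { principal: string; issue: string; }
const list = (v: OneOrMany): string[] => (Array.isArray(v) ? v : [v]);
// IAM action patterns are case-insensitive and may contain * and ? wildcards.
function grants(pattern: string, action: string): boolean {
  const body = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*').replace(/\?/g, '.');
  return new RegExp(`^${body}$`, 'i').test(action);
}
// True when a condition key of the statement pins an encryption-context value.
function pinsContext(s: Statement): boolean {
  const cond = s.Condition ?? {};
  return Object.keys(cond).some((op) =>
    Object.keys(cond[op]).some((k) => k.toLowerCase().indexOf('kms:encryptioncontext:') === 0));
}
// Flags principals that hold both directions, or Decrypt with no context condition.
function auditKeyPolicy(statements: Statement[]): Finding[] {
  const seen: Record<string, { enc: boolean; dec: boolean; loose: boolean }> = {};
  for (const s of statements.filter((st) => st.Effect === 'Allow')) {
    const enc = list(s.Action).some((a) => grants(a, 'kms:Encrypt'));
    const dec = list(s.Action).some((a) => grants(a, 'kms:Decrypt'));
    for (const p of s.Principal === '*' ? ['*'] : list(s.Principal.AWS)) {
      const r = seen[p] ?? { enc: false, dec: false, loose: false };
      seen[p] = { enc: r.enc || enc, dec: r.dec || dec, loose: r.loose || (dec && !pinsContext(s)) };
    }
  }
  const findings: Finding[] = [];
  for (const principal of Object.keys(seen)) {
    const r = seen[principal];
    if (r.enc && r.dec) findings.push({ principal, issue: 'can both encrypt and decrypt' });
    if (r.loose) findings.push({ principal, issue: 'decrypt without encryption-context condition' });
  }
  return findings;
}

// Constructed sample: the page's root and Decrypt statements plus a hypothetical writer role.
const acct = 'arn:aws:iam::111122223333:';
const samplePolicy: Statement[] = [
  { Effect: 'Allow', Principal: { AWS: acct + 'root' }, Action: 'kms:*' },
  { Effect: 'Allow', Principal: { AWS: acct + 'role/RoleForExampleApp' }, Action: 'kms:Decrypt',
    Condition: { 'ForAnyValue:StringEquals': { 'kms:EncryptionContext:AppName': 'ExampleApp' } } },
  { Effect: 'Allow', Principal: { AWS: acct + 'role/HypotheticalWriter' }, Action: ['kms:Encrypt'] },
];
```

The check reads key-policy statements only. When the account root holds kms:*, separation rests on the IAM policies attached to each role.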

Install

npm i @mu-ts/kms

License

ISC

Unpacked Size

8.85 kB

Total Files

8

Collaborators

  • jeff-authvia
  • matt-filion
  • strandedmusician