AWS KMS multi-region keys

I am a huge fan of AWS multi-region KMS keys and, especially, the ability to replicate them in multiple AWS regions. I first wrote about KMS multi-region keys as part of a description of how to use them to create encrypted EBS snapshots that could be easily replicated via DLM.

This post offers two CloudFormation templates that allow you to define a KMS multi-region key and an associated replica. You can do this in the AWS console, of course, but I wasn’t able to find a good example of how to do this in a DevOps infrastructure-as-code way. So I wrote my own.

The two templates are easy enough to understand. Here are some usage notes:

  • The names refer to DLM but this is only because I intended to create keys for DLM use as described in my earlier post. You can use these CloudFormation templates as a model for any use to which multi-region KMS keys may be used.
  • Note that the real value of the multi-region key is in the ability to use the same alias for the key no matter which region it’s defined in. That’s why the AWS::KMS:Alias type in the two CloudFormation templates use the same name. One file — the first one you need to run– defines the primary key; the other defines the replica key in a different AWS region. To take advantage of using the same alias in all regions, both files create the same alias for the primary and replica keys.
  • Note that in the replica key definition template, I hard-coded the ARN of the primary key which is in the other region. You might wonder why, since you’d assume this should be a parameter that is an output of the primary key template. The ARN of the primary key is, in fact, an output of the primary key definition template. But you cannot use an output of one CloudFormation template as an input to a stack run in a different region. So, this is one of those rare cases where you can (and actually must) hard code a CloudFormation property.

I hope you find these useful.

This template creates a multi-region primary key and alias in a single region.

AWSTemplateFormatVersion: "2010-09-09"
Description: "This stack produces a multi-region PRIMARY KMS key used to encrypt DLM-generated AMIs. This is required so that an AMI's volumes and snapshots be both encrypted and useable in both us-gov-west-1 and us-gov-east-1.
(c) 2022 Air11 Technology LLC -- licensed under the Apache OpenSource 2.0 license, https://opensource.org/licenses/Apache-2.0" 
Parameters: {}
Metadata: {}
Conditions: {}
Resources:
  KmsKey:
    Type: "AWS::KMS::Key"
    Properties:
      Description: "KMS key for encrypting DLM AMIs"
      EnableKeyRotation: true
      MultiRegion: true
      PendingWindowInDays: 7
      KeyPolicy:
        Version: "2012-10-17"
        Id: "DlmKmsKeyPolicy"
        Statement:
          - Sid: "Multi-region KMS key for encrypting DLM AMIs"
            Effect: "Allow"
            Principal:
              AWS:
                Fn::Join:
                  - ""
                  -
                    - "arn:aws:iam::"
                    - Ref: "AWS::AccountId"
                    - ":root"
            Action: "kms:*"
            Resource: "*"
      Tags:
      - Key: Name
        Value: DlmKmsKey
  KmsKeyAliasKmsKey:
    Type: "AWS::KMS::Alias"
    Properties:
      AliasName: "alias/DlmKmsKeyAlias"
      TargetKeyId:
        Ref: "KmsKey"
Outputs:
  DlmKmsKeyArn:
    Description: "ARN for the primary DLM KMS key"
    Value: !GetAtt [ KmsKey, Arn ]
    Export: 
      Name: "DlmKmsKeyArn"

This template creates a replica of the primary key using the same alias as created above in a different AWS region when the ARN of the primary key is specified in the PrimaryKeyArn property of `AWS::KMS::ReplicaKey`

AWSTemplateFormatVersion: "2010-09-09"
Description: "This stack produces a multi-region KMS REPLICA key in a single region used to encrypt DLM-generated AMIs. This is required so that the AMI's volumes and snapshots may be both encrypted and useable in multiple regions. This REQUIRES the ARN of the primary key, which should be in the outputs of the template used to create the primary key. The replica CANNOT be defined in the same region as the primary key.
(c) 2022 Air11 Technology LLC -- licensed under the Apache OpenSource 2.0 license, https://opensource.org/licenses/Apache-2.0" 
Parameters: {}
Metadata: {}
Conditions: {}
Resources:
  ReplicaKmsKey:
    Type: "AWS::KMS::ReplicaKey"
    Properties:
      Description: "Multi-region KMS key for encrypting DLM AMIs"
      PrimaryKeyArn: "arn:aws:kms:us-east-2:1234567890ABC:key/mrk-b1d9508f76ad429db6411f489412b3b2"
      PendingWindowInDays: 7
      KeyPolicy:
        Version: "2012-10-17"
        Id: "DlmKmsReplicaKeyPolicy"
        Statement:
          - Sid: "Multi-region KMS replica for encrypting DLM AMIs"
            Effect: "Allow"
            Principal:
              AWS:
                Fn::Join:
                  - ""
                  -
                    - "arn:aws:iam::"
                    - Ref: "AWS::AccountId"
                    - ":root"
            Action: "kms:*"
            Resource: "*"
      Tags:
      - Key: Name
        Value: DlmKmsKeyAlias
  ReplicaKmsKeyAlias:
    Type: "AWS::KMS::Alias"
    Properties:
      AliasName: "alias/DlmKmsKeyAlias"
      TargetKeyId:
        Ref: "ReplicaKmsKey"
Outputs: {}

Posted

in

,

by

Alex Neihaus

Tags:

, ,

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *