x-kms

Syntax

x-kms:
  keyA:
    Properties: {}
    Settings: {}
    Services: []
    Lookup: {}

Properties

See AWS CFN KMS Key Documentation

Settings

Alias

In addition to EnvNames, for KMS we also have Alias, which creates a KMS Alias along with the KMS Key. The alias name must be a string and must not start with alias/aws or aws. If you specify an alias starting with alias/, the string is used as-is; if you only specify a short name, the alias is prefixed with the RootStack name and region.
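The alias rule above, worked through as an added illustration (this is not ECS Compose-X's own code). The function name, the stack-name and region inputs, and the exact `alias/<stack>-<region>-<name>` layout of the generated prefix are assumptions; the reserved-prefix check and the as-is handling of `alias/` names follow the text.

```python
import re

# Prefixes the page says an x-kms Alias must not start with (AWS reserves them).
RESERVED_PREFIXES = ("alias/aws", "aws")

# AWS constraint: alias names contain only alphanumerics, '/', '_' and '-' and
# are at most 256 characters long.
ALIAS_PATTERN = re.compile(r"alias/[A-Za-z0-9/_-]+")
ALIAS_MAX_LEN = 256


def resolve_kms_alias(alias: str, root_stack_name: str, region: str) -> str:
    """Return the KMS alias name that an x-kms Settings.Alias value resolves to.

    - a value starting with "alias/aws" or "aws" is rejected (reserved by AWS)
    - a value already starting with "alias/" is used as-is
    - a short name is prefixed with the root stack name and region
      (layout "alias/<stack>-<region>-<name>" is an assumption of this example)
    """
    if not isinstance(alias, str) or not alias:
        raise ValueError("Alias must be a non-empty string")
    if alias.startswith(RESERVED_PREFIXES):
        raise ValueError(f"{alias!r} starts with a reserved AWS alias prefix")

    if alias.startswith("alias/"):
        full_name = alias
    else:
        full_name = f"alias/{root_stack_name}-{region}-{alias}"

    # Fail early on names KMS would reject at CreateAlias time.
    if len(full_name) > ALIAS_MAX_LEN:
        raise ValueError(f"{full_name!r} exceeds {ALIAS_MAX_LEN} characters")
    if not ALIAS_PATTERN.fullmatch(full_name):
        raise ValueError(f"{full_name!r} contains characters not allowed in a KMS alias")
    return full_name


if __name__ == "__main__":
    # Constructed inputs matching the example key below.
    print(resolve_kms_alias("keyA", "myapp", "eu-west-1"))
    print(resolve_kms_alias("alias/shared/keyA", "myapp", "eu-west-1"))
```

Rejecting reserved prefixes locally is cheaper than discovering the failure at stack creation time, and validating the final name (not just the short name) catches stack or region values that would produce an illegal alias.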

Examples

Simple key creation and link to services
x-kms:
  keyA:
    Properties:
      PendingWindowInDays: 14
    Services:
      - name: serviceA
        access: EncryptDecrypt
      - name: serviceB
        access: EncryptDecrypt
    Settings:
      Alias: keyA

Services

List of key/value pairs (service name and access type), as for other ECS ComposeX x-resources.

The access types defined for a KMS key are:

  • EncryptDecrypt

  • EncryptOnly

  • DecryptOnly

  • SQS

KMS and Services
x-kms:
  keyA:
    Properties: {}
    Services:
      - name: serviceA
        access: EncryptDecrypt
      - name: serviceB
        access: DecryptOnly

IAM Permissions

The IAM actions granted to a service for each of the access types listed above:

KMS Permissions scaffold
{
    "SQS": {
        "Action": [
            "kms:GenerateDataKey",
            "kms:Decrypt"
        ],
        "Effect": "Allow"
    },
    "DecryptOnly": {
        "Action": [
            "kms:Decrypt"
        ],
        "Effect": "Allow"
    },
    "EncryptOnly": {
        "Action": [
            "kms:Encrypt",
            "kms:GenerateDataKey*",
            "kms:ReEncrypt*"
        ],
        "Effect": "Allow"
    },
    "EncryptDecrypt": {
        "Action": [
            "kms:Encrypt",
            "kms:Decrypt",
            "kms:ReEncrypt*",
            "kms:GenerateDataKey*",
            "kms:CreateGrant",
            "kms:DescribeKey"
        ],
        "Effect": "Allow"
    }
}
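As an added example (not ECS Compose-X's own code), the scaffold above combined with the Services list from the "KMS and Services" example: it renders the IAM statement each service receives, scoped to a single key ARN, and answers "does this service's statement allow action X?" using IAM-style wildcard matching. The key ARN, the function names and the `Sid` naming are constructed placeholders.

```python
import copy
import fnmatch
import json

# Copy of the "KMS Permissions scaffold" from the page.
KMS_PERMISSIONS = {
    "SQS": {"Action": ["kms:GenerateDataKey", "kms:Decrypt"], "Effect": "Allow"},
    "DecryptOnly": {"Action": ["kms:Decrypt"], "Effect": "Allow"},
    "EncryptOnly": {
        "Action": ["kms:Encrypt", "kms:GenerateDataKey*", "kms:ReEncrypt*"],
        "Effect": "Allow",
    },
    "EncryptDecrypt": {
        "Action": [
            "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
            "kms:GenerateDataKey*", "kms:CreateGrant", "kms:DescribeKey",
        ],
        "Effect": "Allow",
    },
}

# Constructed placeholder ARN; a real deployment uses the created key's ARN.
KEY_ARN = "arn:aws:kms:eu-west-1:123456789012:key/00000000-0000-0000-0000-000000000000"

# Services list as in the "KMS and Services" example on the page.
SERVICES = [
    {"name": "serviceA", "access": "EncryptDecrypt"},
    {"name": "serviceB", "access": "DecryptOnly"},
]


def build_kms_policies(key_arn: str, services: list) -> dict:
    """Return {service name: IAM policy document} for an x-kms Services list.

    Each statement is a copy of the scaffold entry for the requested access
    type with Resource pinned to the single key ARN (never "*").
    """
    policies = {}
    for svc in services:
        access = svc["access"]
        if access not in KMS_PERMISSIONS:
            raise ValueError(f"{svc['name']}: unknown access type {access!r}")
        statement = copy.deepcopy(KMS_PERMISSIONS[access])
        statement["Sid"] = f"{access}Access"          # assumed Sid convention
        statement["Resource"] = [key_arn]
        policies[svc["name"]] = {"Version": "2012-10-17", "Statement": [statement]}
    return policies


def allows(policy: dict, action: str) -> bool:
    """True if any Allow statement's Action matches `action`.

    IAM action matching is case-insensitive and '*' is a wildcard, so compare
    lower-cased strings with fnmatch (e.g. kms:GenerateDataKey* covers
    kms:GenerateDataKeyWithoutPlaintext).
    """
    wanted = action.lower()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if any(fnmatch.fnmatchcase(wanted, a.lower()) for a in actions):
            return True
    return False


if __name__ == "__main__":
    for name, doc in build_kms_policies(KEY_ARN, SERVICES).items():
        print(name, json.dumps(doc, indent=2))
```

The `allows` check is the kind of assertion worth keeping in CI: it lets you confirm that a service declared as DecryptOnly really cannot call kms:Encrypt or kms:GenerateDataKey, and that nothing was widened to `Resource: "*"` by a later change.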