How to use @aws-cdk/aws-kms - 6 common examples

To help you get started, we’ve selected a few @aws-cdk/aws-kms examples, based on popular ways it is used in public projects.

Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.

github aws / aws-cdk / packages / @aws-cdk / aws-glue / lib / table.ts View on Github external
function createBucket(table: Table, props: TableProps) {
  const encryption = props.encryption || TableEncryption.UNENCRYPTED;
  let bucket = props.bucket;

  if (bucket && (encryption !== TableEncryption.UNENCRYPTED && encryption !== TableEncryption.CLIENT_SIDE_KMS)) {
    throw new Error('you can not specify encryption settings if you also provide a bucket');
  }

  let encryptionKey: kms.IKey | undefined;
  if (encryption === TableEncryption.CLIENT_SIDE_KMS && props.encryptionKey === undefined) {
    // CSE-KMS should behave the same as SSE-KMS - use the provided key or create one automatically
    // Since Bucket only knows about SSE, we repeat the logic for CSE-KMS at the Table level.
    encryptionKey = new kms.Key(table, 'Key');
  } else {
    encryptionKey = props.encryptionKey;
  }

  // create the bucket if none was provided
  if (!bucket) {
    if (encryption === TableEncryption.CLIENT_SIDE_KMS) {
      bucket = new s3.Bucket(table, 'Bucket');
    } else {
      bucket = new s3.Bucket(table, 'Bucket', {
        encryption: encryptionMappings[encryption],
        encryptionKey
      });
      encryptionKey = bucket.encryptionKey;
    }
  }
github aws / aws-cdk / packages / @aws-cdk / aws-kinesis / lib / stream.ts View on Github external
} {

    // default to unencrypted.
    const encryptionType = props.encryption || StreamEncryption.UNENCRYPTED;

    // if encryption key is set, encryption must be set to KMS.
    if (encryptionType !== StreamEncryption.KMS && props.encryptionKey) {
      throw new Error(`encryptionKey is specified, so 'encryption' must be set to KMS (value: ${encryptionType})`);
    }

    if (encryptionType === StreamEncryption.UNENCRYPTED) {
      return { streamEncryption: undefined, encryptionKey: undefined };
    }

    if (encryptionType === StreamEncryption.KMS) {
      const encryptionKey = props.encryptionKey || new kms.Key(this, 'Key', {
        description: `Created by ${this.node.path}`
      });

      const streamEncryption: CfnStream.StreamEncryptionProperty = {
        encryptionType: 'KMS',
        keyId: encryptionKey.keyArn
      };
      return { encryptionKey, streamEncryption };
    }

    throw new Error(`Unexpected 'encryptionType': ${encryptionType}`);
  }
}
github aws / aws-cdk / packages / @aws-cdk / aws-codepipeline / lib / cross-region-support-stack.ts View on Github external
import * as kms from '@aws-cdk/aws-kms';
import * as s3 from '@aws-cdk/aws-s3';
import * as cdk from '@aws-cdk/core';

const REQUIRED_ALIAS_PREFIX = 'alias/';

/**
 * A class needed to work around CodePipeline's extremely small (100 characters)
 * limit for the name/ARN of the key in the ArtifactStore.
 * Limits the length of the alias' auto-generated name to 50 characters.
 */
class AliasWithShorterGeneratedName extends kms.Alias {
  protected generatePhysicalName(): string {
    let baseName = super.generatePhysicalName();
    if (baseName.startsWith(REQUIRED_ALIAS_PREFIX)) {
      // remove the prefix, because we're taking the last characters of the name below
      baseName = baseName.substring(REQUIRED_ALIAS_PREFIX.length);
    }
    const maxLength = 50 - REQUIRED_ALIAS_PREFIX.length;
    // take the last characters, as they include the hash,
    // and so have a higher chance of not colliding
    return REQUIRED_ALIAS_PREFIX + lastNCharacters(baseName, maxLength);
  }
}

function lastNCharacters(str: string, n: number) {
  const startIndex = Math.max(str.length - n, 0);
  return str.substring(startIndex);
github aws / aws-cdk / packages / @aws-cdk / aws-secretsmanager / lib / secret.ts View on Github external
const result = iam.Grant.addToPrincipal({
      grantee,
      actions: ['secretsmanager:GetSecretValue'],
      resourceArns: [this.secretArn],
      scope: this
    });
    if (versionStages != null && result.principalStatement) {
      result.principalStatement.addCondition('ForAnyValue:StringEquals', {
        'secretsmanager:VersionStage': versionStages
      });
    }

    if (this.encryptionKey) {
      // @see https://docs.aws.amazon.com/fr_fr/kms/latest/developerguide/services-secrets-manager.html
      this.encryptionKey.grantDecrypt(
        new kms.ViaServicePrincipal(`secretsmanager.${Stack.of(this).region}.amazonaws.com`, grantee.grantPrincipal)
      );
    }

    return result;
  }
github aws / aws-cdk / packages / @aws-cdk / aws-codepipeline / lib / cross-region-support-stack.ts View on Github external
constructor(scope: cdk.Construct, id: string) {
    super(scope, id);

    const encryptionKey = new kms.Key(this, 'CrossRegionCodePipelineReplicationBucketEncryptionKey', {
      removalPolicy: cdk.RemovalPolicy.DESTROY,
    });
    const encryptionAlias = new AliasWithShorterGeneratedName(this, 'CrossRegionCodePipelineReplicationBucketEncryptionAlias', {
      targetKey: encryptionKey,
      aliasName: cdk.PhysicalName.GENERATE_IF_NEEDED,
      removalPolicy: cdk.RemovalPolicy.DESTROY,
    });
    this.replicationBucket = new s3.Bucket(this, 'CrossRegionCodePipelineReplicationBucket', {
      bucketName: cdk.PhysicalName.GENERATE_IF_NEEDED,
      encryptionKey: encryptionAlias,
    });
  }
}
github aws / aws-cdk / packages / @aws-cdk / aws-sqs / lib / queue.ts View on Github external
if (encryption === QueueEncryption.UNENCRYPTED) {
        return { encryptionProps: {} };
      }

      if (encryption === QueueEncryption.KMS_MANAGED) {
        return {
          encryptionProps: {
            kmsMasterKeyId: 'alias/aws/sqs',
            kmsDataKeyReusePeriodSeconds: props.dataKeyReuse && props.dataKeyReuse.toSeconds()
          }
        };
      }

      if (encryption === QueueEncryption.KMS) {
        const masterKey = props.encryptionMasterKey || new kms.Key(this, 'Key', {
          description: `Created by ${this.node.path}`
        });

        return {
          encryptionMasterKey: masterKey,
          encryptionProps: {
            kmsMasterKeyId: masterKey.keyArn,
            kmsDataKeyReusePeriodSeconds: props.dataKeyReuse && props.dataKeyReuse.toSeconds()
          }
        };
      }

      throw new Error(`Unexpected 'encryptionType': ${encryption}`);
    }
  }

@aws-cdk/aws-kms

The CDK Construct Library for AWS::KMS

Apache-2.0
Latest version published 2 years ago

Package Health Score

70 / 100
Full package analysis