
CloudFormation KMS Encryption Questions

Given a CloudFormation template that defines:

  • A KMS Key
  • A KMS Key Alias
  • An S3 bucket

If for some reason I need to delete the CloudFormation stack and re-deploy, the deletion retains the KMS Key and Alias that was created. (This is sensible, I don't want to lose the key everything was encrypted with.)

But this means when I re-deploy the stack it fails because an Alias with that name already exists.

I can delete the Alias through the CLI and re-deploy, which will create an Alias for a new KMS Key.

Is there a way for the CloudFormation stack to use the existing KMS key from the initial deployment?

Also: I'm not 100% clear on what would happen to encrypted data in an S3 bucket that has its alias changed. Does AWS know to automatically look for the previous KMS key it was encrypted with, or does a re-encryption take place?

I suggest you have one stack that creates only the KMS key and exports its value in the outputs:

Resources:
  KmsKey:
    Type: AWS::KMS::Key
    Properties:
      ...

Outputs:
  S3KmsKeyId:
    Description: The KMS Key used
    Value: !Ref KmsKey          # key ID of the key created above
    Export:
      Name: S3KmsKeyId          # name other stacks import with !ImportValue

Then you can have a second stack that only creates the S3 bucket, where you reference the exported value:

Resources:
  S3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      ...
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              KMSMasterKeyID: !ImportValue S3KmsKeyId   # exported by the key stack
              SSEAlgorithm: aws:kms

I was able to create an encrypted S3 bucket using a single stack:

Resources:
  S3EncryptionKey:
    Type: AWS::KMS::Key
    Properties:
      ...

  EncryptedS3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              KMSMasterKeyID:
                Ref: S3EncryptionKey   # key ID of the key defined in the same stack
              SSEAlgorithm: aws:kms
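Neither answer shows how a single stack can fall back to a key retained from an earlier deployment, which is what the question asks. The template below is an added example, not code from either answer: it creates the key and alias only when no existing key ARN is supplied, pins both to `DeletionPolicy: Retain` and `UpdateReplacePolicy: Retain`, and refuses explicit downgrades to SSE-S3 on the bucket. The parameter name `ExistingKmsKeyArn`, the alias `alias/example-s3-bucket-key`, and all logical IDs are assumptions chosen for illustration.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Encrypted S3 bucket that creates a retained KMS key on first deploy
  and reuses that key (by ARN) on every later deploy. Added example.

Parameters:
  ExistingKmsKeyArn:
    Type: String
    Default: ""
    Description: >-
      ARN of the KMS key retained from an earlier deployment. Leave empty
      on the very first deployment so a new key is created.
  KeyAliasName:
    Type: String
    Default: alias/example-s3-bucket-key   # assumed alias name
    AllowedPattern: ^alias/.+$

Conditions:
  # True only when no existing key ARN was passed in.
  CreateKey: !Equals [!Ref ExistingKmsKeyArn, ""]

Resources:
  KmsKey:
    Type: AWS::KMS::Key
    Condition: CreateKey
    # Retain on stack deletion AND on resource replacement, so the key
    # that encrypted existing objects is never scheduled for deletion.
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
    Properties:
      Description: Key for the example bucket
      EnableKeyRotation: true
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          - Sid: AllowAccountRootFullAccess
            Effect: Allow
            Principal:
              AWS: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:root
            Action: kms:*
            Resource: "*"

  KmsKeyAlias:
    Type: AWS::KMS::Alias
    Condition: CreateKey
    # Only created alongside a new key, so a re-deploy that reuses the
    # retained key never collides with the alias retained with it.
    Properties:
      AliasName: !Ref KeyAliasName
      TargetKeyId: !Ref KmsKey

  EncryptedBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: aws:kms
              # Reference the key by ARN, not by alias: S3 records the key
              # ARN on each object, so renaming an alias changes nothing.
              KMSMasterKeyID: !If
                - CreateKey
                - !GetAtt KmsKey.Arn
                - !Ref ExistingKmsKeyArn
            BucketKeyEnabled: true
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  EncryptedBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref EncryptedBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Default encryption covers uploads that send no SSE header; this
          # statement blocks clients that explicitly ask for SSE-S3 instead.
          - Sid: DenyExplicitSseS3Downgrade
            Effect: Deny
            Principal: "*"
            Action: s3:PutObject
            Resource: !Sub ${EncryptedBucket.Arn}/*
            Condition:
              StringEquals:
                s3:x-amz-server-side-encryption: AES256

Outputs:
  KmsKeyArn:
    Description: Pass this as ExistingKmsKeyArn on the next deployment
    Value: !If [CreateKey, !GetAtt KmsKey.Arn, !Ref ExistingKmsKeyArn]
```

Deploy once with the parameter empty, record the `KmsKeyArn` output, and pass it as `ExistingKmsKeyArn` after any delete-and-redeploy; the retained key keeps decrypting old objects because S3 stores the key ARN, not the alias, in each object's metadata (visible as `SSEKMSKeyId` in `aws s3api head-object --bucket <bucket> --key <object>`), and no re-encryption takes place. If you prefer the two-stack layout from the first answer, note that CloudFormation refuses to delete or modify an export while another stack still imports it, which protects the key stack from accidental deletion but also means the bucket stack must be removed first.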

Statement: the technical posts on this site follow the CC BY-SA 4.0 licence; if you republish, please cite this site's URL or the original address. For any questions contact yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM