18 changes: 18 additions & 0 deletions data-collection/deploy/account-collector.yaml
Expand Up @@ -18,6 +18,10 @@ Parameters:
DestinationBucketARN:
Type: String
Description: ARN of the S3 Bucket that exists or needs to be created to hold rightsizing information
DataBucketsKmsKeysArns:
Type: String
Description: "ARNs of KMS Keys for data buckets and/or Glue Catalog. Comma separated list, no spaces. Keep empty if data Buckets and Glue Catalog are not Encrypted with KMS. You can also set it to '*' to grant decrypt permission for all the keys."
Default: ""
Outputs:
LambdaFunctionName:
Value: !Ref LambdaFunction
Expand All @@ -26,6 +30,8 @@ Outputs:
Value: !GetAtt LambdaFunction.Arn
Export:
Name: !Sub ${ResourcePrefix}AccountCollectorLambdaARN
Conditions:
NeedDataBucketsKms: !Not [ !Equals [ !Ref DataBucketsKmsKeysArns, "" ] ]
Resources:
LambdaRole:
Type: AWS::IAM::Role
Expand Down Expand Up @@ -88,6 +94,18 @@ Resources:
- "s3:PutObject"
Resource:
- !Sub "${DestinationBucketARN}/*"
- !If
- NeedDataBucketsKms
- PolicyName: "KMS"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Action:
- "kms:GenerateDataKey"
Resource: !Split [ ',', !Ref DataBucketsKmsKeysArns ]
- !Ref AWS::NoValue

Metadata:
cfn_nag:
rules_to_suppress:
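Review bot: The Description on L30 invites a literal `'*'`, and `!Split [ ',', !Ref DataBucketsKmsKeysArns ]` on L57 then yields `Resource: ['*']`, so this role may call `kms:GenerateDataKey` against every key the account can reach; the same parameter text and policy shape recur in deploy-data-collection.yaml and module-aws-feeds.yaml. If the wildcard must remain supported, bound the grant to its only legitimate use (S3 object writes in this region) with a condition on the statement, `Condition: { StringEquals: { "kms:ViaService": !Sub "s3.${AWS::Region}.amazonaws.com" } }`, so the permission is not usable for direct KMS calls. The Description also says the value grants "decrypt permission" while this policy grants only `kms:GenerateDataKey`; suggest rewording it to name both actions, e.g. `"... Setting it to '*' allows use of any key (GenerateDataKey for writers, Decrypt for readers); prefer listing explicit key ARNs."`. Lastly, a stray space in the comma-separated list becomes part of an ARN that matches nothing; the space-stripping pattern already used for RegionsInScope in deploy-data-collection.yaml (`!Join [ '', !Split [ ' ', ... ] ]`) would make this input tolerant of the same mistake.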
73 changes: 67 additions & 6 deletions data-collection/deploy/deploy-data-collection.yaml
Expand Up @@ -16,6 +16,7 @@ Metadata:
- Schedule
- ScheduleFrequent
- CFNSourceBucket
- DataBucketsKmsKeysArns
- Label:
default: 'Available modules'
Parameters:
Expand Down Expand Up @@ -57,6 +58,8 @@ Metadata:
default: "Role Prefix"
CFNSourceBucket:
default: "DO NOT CHANGE - A bucket that contains WA-Labs CloudFormation templates. Must be always 'aws-managed-cost-intelligence-dashboards'"
DataBucketsKmsKeysArns:
default: ""
IncludeTAModule:
default: 'Include AWS Trusted Advisor Data Collection Module'
IncludeRightsizingModule:
Expand Down Expand Up @@ -160,6 +163,10 @@ Parameters:
Type: String
Description: "DO NOT CHANGE - A bucket that contains WA-Labs CloudFormation templates. Must be always 'aws-managed-cost-intelligence-dashboards'"
Default: "aws-managed-cost-intelligence-dashboards"
DataBucketsKmsKeysArns:
Type: String
Description: "ARNs of KMS Keys for data buckets and/or Glue Catalog. Comma separated list, no spaces. Keep empty if data Buckets and Glue Catalog are not Encrypted with KMS. You can also set it to '*' to grant decrypt permission for all the keys."
Default: ""
IncludeTAModule:
Type: String
Description: Collects AWS Trusted Advisor recommendations data
Expand Down Expand Up @@ -290,6 +297,7 @@ Conditions:
- !Join [ '', !Split [ ' ', !Ref RegionsInScope ] ] # remove spaces
- ""
ProdCFNTemplateUsed: !Equals [ !Ref CFNSourceBucket, 'aws-managed-cost-intelligence-dashboards' ]
NeedDataBucketsKms: !Not [ !Equals [ !Ref DataBucketsKmsKeysArns, "" ] ]

Resources:
S3Bucket:
Expand Down Expand Up @@ -394,12 +402,17 @@ Resources:
- s3:GetObject
Resource:
- !Sub "arn:${AWS::Partition}:s3:::${DestinationBucket}${AWS::AccountId}/*"
## Uncomment if bucket is encrypted by Custom KMS Key
#- Effect: Allow
# Action:
# - kms:Decrypt
# Resource:
# - !Sub "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/key-id"
- !If
- NeedDataBucketsKms
- PolicyName: "KMS"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Action:
- "kms:Decrypt"
Resource: !Split [ ',', !Ref DataBucketsKmsKeysArns ]
- !Ref AWS::NoValue
- PolicyName: "Glue"
PolicyDocument:
Version: "2012-10-17"
Expand Down Expand Up @@ -460,6 +473,7 @@ Resources:
- sts:AssumeRole
ManagedPolicyArns:
- !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"

LambdaAnalytics:
Type: AWS::Lambda::Function
Properties:
Expand Down Expand Up @@ -556,6 +570,25 @@ Resources:
- !Sub "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:catalog"
- !Sub "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/${DatabaseName}"
- !Sub "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${DatabaseName}/*"

KmsPolicyForCidResources:
Type: AWS::IAM::Policy
Condition: NeedDataBucketsKms
Properties:
PolicyName: !Sub "${ResourcePrefix}AwsDataCollectionKmsDecryption"
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- 'kms:Decrypt'
Resource: !Split [ ',', !Ref DataBucketsKmsKeysArns ]
Roles:
- !Ref LambdaInitRole
- !Ref StepFunctionExecutionRole
- !Ref LambdaManageGlueTableRole
- !Ref GlueRole

LambdaInit:
Type: AWS::Lambda::Function
Properties:
Expand Down Expand Up @@ -680,6 +713,7 @@ Resources:
- !Sub "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:catalog"
- !Sub "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/${DatabaseName}"
- !Sub "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${DatabaseName}/*"

LambdaManageGlueTable:
Type: AWS::Lambda::Function
Properties:
Expand Down Expand Up @@ -894,6 +928,7 @@ Resources:
TemplateURL: !Sub "https://${CFNSourceBucket}.s3.${AWS::URLSuffix}/cfn/data-collection/module-trusted-advisor.yaml"
Parameters:
DatabaseName: !Ref DatabaseName
DataBucketsKmsKeysArns: !Ref DataBucketsKmsKeysArns
DestinationBucket: !Ref S3Bucket
DestinationBucketARN: !GetAtt S3Bucket.Arn
GlueRoleARN: !GetAtt GlueRole.Arn
Expand All @@ -914,6 +949,7 @@ Resources:
TemplateURL: !Sub "https://${CFNSourceBucket}.s3.${AWS::URLSuffix}/cfn/data-collection/module-cost-explorer-rightsizing.yaml"
Parameters:
DatabaseName: !Ref DatabaseName
DataBucketsKmsKeysArns: !Ref DataBucketsKmsKeysArns
DestinationBucket: !Ref S3Bucket
DestinationBucketARN: !GetAtt S3Bucket.Arn
ManagementRoleName: !Sub "${ResourcePrefix}${ManagementAccountRole}"
Expand All @@ -934,6 +970,7 @@ Resources:
TemplateURL: !Sub "https://${CFNSourceBucket}.s3.${AWS::URLSuffix}/cfn/data-collection/module-cost-anomaly.yaml"
Parameters:
DatabaseName: !Ref DatabaseName
DataBucketsKmsKeysArns: !Ref DataBucketsKmsKeysArns
DestinationBucket: !Ref S3Bucket
DestinationBucketARN: !GetAtt S3Bucket.Arn
ManagementRoleName: !Sub "${ResourcePrefix}${ManagementAccountRole}"
Expand All @@ -955,6 +992,7 @@ Resources:
TemplateURL: !Sub "https://${CFNSourceBucket}.s3.${AWS::URLSuffix}/cfn/data-collection/module-support-cases.yaml"
Parameters:
DatabaseName: !Ref DatabaseName
DataBucketsKmsKeysArns: !Ref DataBucketsKmsKeysArns
DestinationBucket: !Ref S3Bucket
DestinationBucketARN: !GetAtt S3Bucket.Arn
MultiAccountRoleName: !Sub "${ResourcePrefix}${MultiAccountRoleName}"
Expand All @@ -975,6 +1013,7 @@ Resources:
TemplateURL: !Sub "https://${CFNSourceBucket}.s3.${AWS::URLSuffix}/cfn/data-collection/module-backup.yaml"
Parameters:
DatabaseName: !Ref DatabaseName
DataBucketsKmsKeysArns: !Ref DataBucketsKmsKeysArns
DestinationBucket: !Ref S3Bucket
DestinationBucketARN: !GetAtt S3Bucket.Arn
ManagementRoleName: !Sub "${ResourcePrefix}${ManagementAccountRole}"
Expand All @@ -997,6 +1036,7 @@ Resources:
DatabaseName: !Ref DatabaseName
DestinationBucket: !Ref S3Bucket
DestinationBucketARN: !GetAtt S3Bucket.Arn
DataBucketsKmsKeysArns: !Ref DataBucketsKmsKeysArns
GlueRoleARN: !GetAtt GlueRole.Arn
MultiAccountRoleName: !Sub "${ResourcePrefix}${MultiAccountRoleName}"
Schedule: !Ref Schedule
Expand All @@ -1023,6 +1063,7 @@ Resources:
DatabaseName: !Ref DatabaseName
DestinationBucket: !Ref S3Bucket
DestinationBucketARN: !GetAtt S3Bucket.Arn
DataBucketsKmsKeysArns: !Ref DataBucketsKmsKeysArns
GlueRoleARN: !GetAtt GlueRole.Arn
CodeBucket: !If [ ProdCFNTemplateUsed, !FindInMap [RegionMap, !Ref "AWS::Region", CodeBucket], !Ref CFNSourceBucket ]
Schedule: !Ref Schedule
Expand All @@ -1045,6 +1086,7 @@ Resources:
DestinationBucket: !Ref S3Bucket
ManagementRoleName: !Sub "${ResourcePrefix}${ManagementAccountRole}"
ManagementAccountID: !Ref ManagementAccountID
DataBucketsKmsKeysArns: !Ref DataBucketsKmsKeysArns
Schedule: !Ref Schedule
ResourcePrefix: !Ref ResourcePrefix
BucketPrefix: !Ref DestinationBucket
Expand All @@ -1067,6 +1109,7 @@ Resources:
TemplateURL: !Sub "https://${CFNSourceBucket}.s3.${AWS::URLSuffix}/cfn/data-collection/module-ecs-chargeback.yaml"
Parameters:
DatabaseName: !Ref DatabaseName
DataBucketsKmsKeysArns: !Ref DataBucketsKmsKeysArns
DestinationBucket: !Ref S3Bucket
DestinationBucketARN: !GetAtt S3Bucket.Arn
GlueRoleARN: !GetAtt GlueRole.Arn
Expand All @@ -1092,6 +1135,7 @@ Resources:
TemplateURL: !Sub "https://${CFNSourceBucket}.s3.${AWS::URLSuffix}/cfn/data-collection/module-rds-usage.yaml"
Parameters:
DatabaseName: !Ref DatabaseName
DataBucketsKmsKeysArns: !Ref DataBucketsKmsKeysArns
DestinationBucket: !Ref S3Bucket
DestinationBucketARN: !GetAtt S3Bucket.Arn
GlueRoleARN: !GetAtt GlueRole.Arn
Expand All @@ -1117,6 +1161,7 @@ Resources:
TemplateURL: !Sub "https://${CFNSourceBucket}.s3.${AWS::URLSuffix}/cfn/data-collection/module-organization.yaml"
Parameters:
DatabaseName: !Ref DatabaseName
DataBucketsKmsKeysArns: !Ref DataBucketsKmsKeysArns
DestinationBucket: !Ref S3Bucket
DestinationBucketARN: !GetAtt S3Bucket.Arn
GlueRoleARN: !GetAtt GlueRole.Arn
Expand All @@ -1140,6 +1185,7 @@ Resources:
DestinationBucket: !Ref S3Bucket
DestinationBucketARN: !GetAtt S3Bucket.Arn
GlueRoleARN: !GetAtt GlueRole.Arn
DataBucketsKmsKeysArns: !Ref DataBucketsKmsKeysArns
MultiAccountRoleName: !Sub "${ResourcePrefix}${MultiAccountRoleName}"
Schedule: !Ref ScheduleFrequent
ResourcePrefix: !Ref ResourcePrefix
Expand All @@ -1157,6 +1203,7 @@ Resources:
TemplateURL: !Sub "https://${CFNSourceBucket}.s3.${AWS::URLSuffix}/cfn/data-collection/module-transit-gateway.yaml"
Parameters:
DatabaseName: !Ref DatabaseName
DataBucketsKmsKeysArns: !Ref DataBucketsKmsKeysArns
DestinationBucket: !Ref S3Bucket
DestinationBucketARN: !GetAtt S3Bucket.Arn
GlueRoleARN: !GetAtt GlueRole.Arn
Expand Down Expand Up @@ -1184,6 +1231,7 @@ Resources:
DatabaseName: !Ref DatabaseName
DestinationBucket: !Ref S3Bucket
DestinationBucketARN: !GetAtt S3Bucket.Arn
DataBucketsKmsKeysArns: !Ref DataBucketsKmsKeysArns
Schedule: !Ref ScheduleFrequent
GlueRoleARN: !GetAtt GlueRole.Arn
ResourcePrefix: !Ref ResourcePrefix
Expand All @@ -1200,6 +1248,7 @@ Resources:
TemplateURL: !Sub "https://${CFNSourceBucket}.s3.${AWS::URLSuffix}/cfn/data-collection/module-health-events.yaml"
Parameters:
DatabaseName: !Ref DatabaseName
DataBucketsKmsKeysArns: !Ref DataBucketsKmsKeysArns
DestinationBucket: !Ref S3Bucket
DestinationBucketARN: !GetAtt S3Bucket.Arn
Schedule: !Ref ScheduleFrequent
Expand All @@ -1220,6 +1269,7 @@ Resources:
TemplateURL: !Sub "https://${CFNSourceBucket}.s3.${AWS::URLSuffix}/cfn/data-collection/module-license-manager.yaml"
Parameters:
DatabaseName: !Ref DatabaseName
DataBucketsKmsKeysArns: !Ref DataBucketsKmsKeysArns
DestinationBucket: !Ref S3Bucket
DestinationBucketARN: !GetAtt S3Bucket.Arn
ManagementRoleName: !Sub "${ResourcePrefix}${ManagementAccountRole}"
Expand All @@ -1244,6 +1294,7 @@ Resources:
DestinationBucketARN: !GetAtt S3Bucket.Arn
MultiAccountRoleName: !Sub "${ResourcePrefix}${MultiAccountRoleName}"
Schedule: !Ref ScheduleFrequent
DataBucketsKmsKeysArns: !Ref DataBucketsKmsKeysArns
GlueRoleARN: !GetAtt GlueRole.Arn
ResourcePrefix: !Ref ResourcePrefix
LambdaAnalyticsARN: !GetAtt LambdaAnalytics.Arn
Expand All @@ -1265,6 +1316,7 @@ Resources:
TemplateURL: !Sub "https://${CFNSourceBucket}.s3.${AWS::URLSuffix}/cfn/data-collection/module-quicksight.yaml"
Parameters:
DatabaseName: !Ref DatabaseName
DataBucketsKmsKeysArns: !Ref DataBucketsKmsKeysArns
DestinationBucket: !Ref S3Bucket
DestinationBucketARN: !GetAtt S3Bucket.Arn
Schedule: !Ref ScheduleFrequent
Expand All @@ -1287,6 +1339,7 @@ Resources:
ResourcePrefix: !Ref ResourcePrefix
DestinationBucket: !Ref S3Bucket
DestinationBucketARN: !GetAtt S3Bucket.Arn
DataBucketsKmsKeysArns: !Ref DataBucketsKmsKeysArns

DataCollectionReadAccess:
Type: AWS::IAM::ManagedPolicy
Expand Down Expand Up @@ -1321,6 +1374,14 @@ Resources:
- s3:GetObjectVersion
Resource:
- !Sub ${S3Bucket.Arn}/*
- !If
- NeedDataBucketsKms
- Sid: AllowKmsDecrypt
Effect: "Allow"
Action:
- "kms:Decrypt"
Resource: !Split [ ',', !Ref DataBucketsKmsKeysArns ]
- !Ref AWS::NoValue

Outputs:
Bucket:
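Review bot: In KmsPolicyForCidResources the policy `Version: 2012-10-17` on L145 is unquoted, whereas the two other KMS statements added in this file (L116, L125) quote it; a YAML 1.1 parser reads the bare value as a date, so tooling that pre-processes the template can reject or retype it — change it to `Version: "2012-10-17"`. That policy attaches only `kms:Decrypt` to LambdaInitRole, StepFunctionExecutionRole, LambdaManageGlueTableRole and GlueRole; if any of these roles writes objects into the SSE-KMS bucket it will also need `kms:GenerateDataKey` (the nested module roles receive that action separately), which cannot be confirmed from this hunk and should be verified against those roles' S3 actions. The hunk sits inside the Resources block, whose start and end are outside the visible lines.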
18 changes: 18 additions & 0 deletions data-collection/deploy/module-aws-feeds.yaml
Expand Up @@ -41,6 +41,13 @@ Parameters:
LambdaAnalyticsARN:
Type: String
Description: Arn of lambda for Analytics
DataBucketsKmsKeysArns:
Type: String
Description: "ARNs of KMS Keys for data buckets and/or Glue Catalog. Comma separated list, no spaces. Keep empty if data Buckets and Glue Catalog are not Encrypted with KMS. You can also set it to '*' to grant decrypt permission for all the keys."
Default: ""

Conditions:
NeedDataBucketsKms: !Not [ !Equals [ !Ref DataBucketsKmsKeysArns, "" ] ]

Resources:

Expand Down Expand Up @@ -70,6 +77,17 @@ Resources:
- "s3:PutObject"
Resource:
- !Sub "${DestinationBucketARN}/*"
- !If
- NeedDataBucketsKms
- PolicyName: "KMS"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Action:
- "kms:GenerateDataKey"
Resource: !Split [ ',', !Ref DataBucketsKmsKeysArns ]
- !Ref AWS::NoValue
Metadata:
cfn_nag:
rules_to_suppress:
17 changes: 17 additions & 0 deletions data-collection/deploy/module-backup.yaml
Expand Up @@ -6,6 +6,9 @@ Parameters:
Type: String
Description: Name of the Athena database to be created to hold lambda information
Default: optimization_data
DataBucketsKmsKeysArns:
Type: String
Description: KMS Key ARNs used for encrypting data in S3 buckets (comma separated)
DestinationBucket:
Type: String
Description: Name of the S3 Bucket that exists or needs to be created to hold backup information
Expand Down Expand Up @@ -62,6 +65,9 @@ Mappings:
CopyJobs:
path: copy-jobs

Conditions:
NeedDataBucketsKms: !Not [!Equals [!Ref DataBucketsKmsKeysArns, '']]

Resources:
LambdaRole:
Type: AWS::IAM::Role
Expand All @@ -80,6 +86,17 @@ Resources:
- !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
Path: /
Policies:
- !If
- NeedDataBucketsKms
- PolicyName: "KMS"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Action:
- "kms:GenerateDataKey"
Resource: !Split [ ',', !Ref DataBucketsKmsKeysArns ]
- !Ref AWS::NoValue
- PolicyName: !Sub "${CFDataName}-ManagementAccount-LambdaRole"
PolicyDocument:
Version: "2012-10-17"
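Review bot: The DataBucketsKmsKeysArns parameter added at L377-L379 has no `Default`, unlike the same parameter in account-collector.yaml, deploy-data-collection.yaml and module-aws-feeds.yaml, so this module becomes impossible to deploy standalone without supplying a value even though the NeedDataBucketsKms condition on L388 is written to treat an empty string as "no KMS". Add `Default: ""` after the Description, and align the Description with the other modules' wording so the '*' and no-spaces rules are documented identically. The parent stack does pass the value (deploy-data-collection.yaml), so this only affects direct use of the module template.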