added at rest encryption to DynamoDB and Elasticsearch

zeroc0d3 · May 25, 2018 · f6dffe8 · f6dffe8
1 parent 9c2a68e
commit f6dffe8
Show file tree

Hide file tree

Showing 6 changed files with 55 additions and 7 deletions.
diff --git a/docs/state.md b/docs/state.md
@@ -39,7 +39,7 @@ DynamoDB table with auto scaling for read and write capacity.
 
 ## Limitations
 * No backup (see `operations/backup-dynamodb-native.yaml`)
-* No encryption at rest
+* Encryption at rest with AWS managed CMK (customer managed is not supported)
 
 # ElastiCache memcached
 
@@ -95,7 +95,6 @@ Cluster of Elasticsearch nodes.
 
 ## Limitations
 * No auto scaling
-* No encryption at rest
 
 # RDS Aurora
 

diff --git a/state/dynamodb.yaml b/state/dynamodb.yaml
@@ -85,14 +85,20 @@ Parameters:
     Description: 'Target read capacity utilization (in percent) that auto scaling tries to achieve (if you have spiky reads, a lower number is better).'
     Type: Number
     Default: 80
+  Encryption:
+    Description: 'Enable server side encryption using KMS (AWS managed) CMK.'
+    Type: String
+    Default: false
+    AllowedValues: [aws, false]
 Conditions:
   HasAlertTopic: !Not [!Equals [!Ref ParentAlertStack, '']]
   HasSortKey: !Not [!Equals [!Ref SortKeyName, '']]
   HasTableName: !Not [!Equals [!Ref TableName, '']]
+  HasAwsManagedEncryption: !Equals [!Ref Encryption, aws]
 Resources:
   Table:
     Type: 'AWS::DynamoDB::Table'
-    Properties: # TODO add SSESpecification as soon as DynamoDB supports CMK and update docs
+    Properties:
       TableName: !If [HasTableName, !Ref TableName, !Ref 'AWS::NoValue']
       AttributeDefinitions: !If
       - HasSortKey
@@ -113,6 +119,8 @@ Resources:
       ProvisionedThroughput:
         ReadCapacityUnits: !Ref MinReadCapacityUnits
         WriteCapacityUnits: !Ref MinWriteCapacityUnits
+      SSESpecification:
+        SSEEnabled: !If [HasAwsManagedEncryption, true, false]
   RoleScaling:
     Type: 'AWS::IAM::Role'
     Properties:

diff --git a/state/elasticsearch.yaml b/state/elasticsearch.yaml
@@ -87,13 +87,19 @@ Parameters:
     Description: 'Name that is used to create the DNS entry ${SubDomainName}.${HostedZoneName} (required when ParentZoneStack is set, otherwise not considered)'
     Type: String
     Default: elasticsearch
+  Encryption:
+    Description: 'Enable server side encryption using KMS (customer managed) CMK. Only works with certain instance types (https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/aes-supported-instance-types.html)'
+    Type: String
+    Default: false
+    AllowedValues: [true, false]
 Conditions:
   HasZone: !Not [!Equals [!Ref ParentZoneStack, '']]
   HasSSHBastionSecurityGroup: !Not [!Equals [!Ref ParentSSHBastionStack, '']]
   HasAlertTopic: !Not [!Equals [!Ref ParentAlertStack, '']]
   HasSingleClusterInstance: !Equals [!Ref ClusterInstanceCount, '1']
   HasDedicatedMasterNodes: !Not [!Equals [!Ref DedicatedMasterCount, 0]]
   HasAlertTopicAndNotSingleClusterInstance: !And [!Condition HasAlertTopic, !Not [!Condition HasSingleClusterInstance]]
+  HasEncryption: !Equals [!Ref Encryption, true]
 Resources:
   RecordSet:
     Condition: HasZone
@@ -132,9 +138,43 @@ Resources:
       ToPort: 443
       SourceSecurityGroupId:
         'Fn::ImportValue': !Sub '${ParentSSHBastionStack}-SecurityGroup'
+  Key:
+    Condition: HasEncryption
+    Type: 'AWS::KMS::Key'
+    Properties:
+      KeyPolicy:
+        Version: '2012-10-17'
+        Statement:
+        - Effect: Allow
+          Principal:
+            AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
+          Action: 'kms:*'
+          Resource: '*'
+        - Effect: Allow
+          Principal:
+            AWS: '*'
+          Action:
+          - 'kms:Encrypt'
+          - 'kms:Decrypt'
+          - 'kms:ReEncrypt*'
+          - 'kms:GenerateDataKey*'
+          - 'kms:CreateGrant'
+          - 'kms:ListGrants'
+          - 'kms:DescribeKey'
+          Resource: '*'
+          Condition:
+            StringEquals:
+              'kms:CallerAccount': !Ref 'AWS::AccountId'
+              'kms:ViaService': !Sub 'es.${AWS::Region}.amazonaws.com'
+  KeyAlias:
+    Condition: HasEncryption
+    Type: 'AWS::KMS::Alias'
+    Properties:
+      AliasName: !Sub 'alias/${AWS::StackName}'
+      TargetKeyId: !Ref Key
   ElasticsearchDomain:
     Type: 'AWS::Elasticsearch::Domain'
-    Properties: # TODO add EncryptionAtRestOptions as soon as available in CloudFormation and update docs
+    Properties:
       AccessPolicies:
         Version: '2012-10-17'
         Statement:
@@ -157,6 +197,7 @@ Resources:
         InstanceType: !Ref ClusterInstanceType
         ZoneAwarenessEnabled: !If [HasSingleClusterInstance, false, true]
       ElasticsearchVersion: '5.5'
+      EncryptionAtRestOptions: !If [HasEncryption, {Enabled: true, KmsKeyId: !Ref Key}, !Ref 'AWS::NoValue']
       SnapshotOptions:
         AutomatedSnapshotStartHour: 10
       VPCOptions:

diff --git a/state/rds-aurora.yaml b/state/rds-aurora.yaml
@@ -83,7 +83,7 @@ Parameters:
     Type: String
     Default: aurora
   Encryption:
-    Description: 'Enable server side encryption using KMS CMK key.'
+    Description: Description: 'Enable server side encryption using KMS (customer managed) CMK.'
     Type: String
     Default: false
     AllowedValues: [true, false]

diff --git a/state/rds-postgres.yaml b/state/rds-postgres.yaml
@@ -96,7 +96,7 @@ Parameters:
     Type: String
     Default: postgres
   Encryption:
-    Description: 'Enable server side encryption using KMS CMK key.'
+    Description: Description: 'Enable server side encryption using KMS (customer managed) CMK.'
     Type: String
     Default: false
     AllowedValues: [true, false]

diff --git a/state/s3.yaml b/state/s3.yaml
@@ -46,7 +46,7 @@ Parameters:
     Default: 0
     MinValue: 0
   Encryption:
-    Description: 'Enable server side encryption using KMS CMK key.'
+    Description: Description: 'Enable server side encryption using KMS (customer managed) CMK.'
     Type: String
     Default: false
     AllowedValues: [true, false]