Aurora Serverless (widdix#209)
[New Template] security/kms-key - KMS customer managed CMK for AWS services
[New Template] state/rds-aurora-serverless - RDS Aurora Serverless
[Improvement] state/rds-aurora - MySQL 5.7 and Postgres support
[Improvement] state/rds-aurora - PreferredBackupWindow and PreferredMaintenanceWindow are now configurable
[Improvement] state/rds-mysql - PreferredBackupWindow and PreferredMaintenanceWindow are now configurable
[Improvement] state/rds-postgres - PreferredBackupWindow and PreferredMaintenanceWindow are now configurable
michaelwittig authored Nov 2, 2018
1 parent e106f42 commit 8daf899
Showing 10 changed files with 655 additions and 25 deletions.
14 changes: 14 additions & 0 deletions docs/security.md
Expand Up @@ -170,3 +170,17 @@ If you want to use an external S3 bucket, the bucket needs to have the following
```

Replace `$ExternalTrailBucket` with the name of your bucket, and add a row for every account you want to write from `$AccountId[*]`.

# KMS customer managed CMK for AWS services
This template provides a KMS customer managed CMK used by AWS services. Access control via IAM is also enabled. In case of a CMK deletion, a event is forwarded to the `ParentAlertStack` (if specified).

> ATTENTION: If you delete a stack based on this template, the KMS CMK is NOT deleted to prevent data loss! Mark the CMK for deletion if you really want to delete the CMK! All resources encrypted with the CMK (including RDS snapshots) are unusable after the deletion!
## Installation Guide
1. [![Launch Stack](./img/launch-stack.png)](https://console.aws.amazon.com/cloudformation/home#/stacks/new?stackName=kms-key&templateURL=https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/__VERSION__/security/kms-key.yaml)
1. Click **Next** to proceed with the next step of the wizard.
1. Specify a name and all parameters for the stack.
1. Click **Next** to proceed with the next step of the wizard.
1. Click **Next** to skip the **Options** step of the wizard.
1. Click **Create** to start the creation of the stack.
1. Wait until the stack reaches the state **CREATE_COMPLETE**
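Review bot: "a event is forwarded" in the section intro should read "an event is forwarded". The intro also only mentions CMK deletion, but the `DeletionNotification` rule in `security/kms-key.yaml` in this same commit matches both `ScheduleKeyDeletion` and `DisableKey`, so the docs should say that disabling the key raises an alert as well. The ATTENTION note would also be more useful if it said that the alias (`alias/<stack name>`) is removed together with the stack while the key itself is retained, so the retained key has to be located by key ID or ARN afterwards.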
25 changes: 25 additions & 0 deletions docs/state.md
Expand Up @@ -124,6 +124,31 @@ Two node Aurora cluster for HA.
## Limitations
* No auto scaling

# RDS Aurora Serverless

Aurora Serverless cluster.

## Installation Guide
1. This templates depends on one of our `vpc-*azs.yaml` templates. [![Launch Stack](./img/launch-stack.png)](https://console.aws.amazon.com/cloudformation/home#/stacks/new?stackName=vpc-2azs&templateURL=https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/__VERSION__/vpc/vpc-2azs.yaml)
1. This templates depends on the `client-sg.yaml` template. [![Launch Stack](./img/launch-stack.png)](https://console.aws.amazon.com/cloudformation/home#/stacks/new?stackName=client-sg&param_ParentVPCStack=vpc-2azs&templateURL=https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/__VERSION__/state/client-sg.yaml)
1. This templates depends on the `kms-key.yaml` template. [![Launch Stack](./img/launch-stack.png)](https://console.aws.amazon.com/cloudformation/home#/stacks/new?stackName=kms-key&templateURL=https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/__VERSION__/security/kms-key.yaml)
1. [![Launch Stack](./img/launch-stack.png)](https://console.aws.amazon.com/cloudformation/home#/stacks/new?stackName=rds-aurora&param_ParentVPCStack=vpc-2azs&param_ParentClientStack=client-sg&param_ParentKmsKeyStack=kms-key&templateURL=https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/__VERSION__/state/rds-aurora.yaml)
1. Click **Next** to proceed with the next step of the wizard.
1. Specify a name and all parameters for the stack.
1. Click **Next** to proceed with the next step of the wizard.
1. Click **Next** to skip the **Options** step of the wizard.
1. Check the **I acknowledge that this template might cause AWS CloudFormation to create IAM resources.** checkbox.
1. Click **Create** to start the creation of the stack.
1. Wait until the stack reaches the state **CREATE_COMPLETE**

## Dependencies
* `vpc/vpc-*azs.yaml` (**required**)
* `state/client-sg.yaml` (**required**)
* `security/kms-key.yaml` (**required**)
* `vpc/zone-*.yaml`
* `vpc/vpc-*-bastion.yaml`
* `operations/alert.yaml` (recommended)

# RDS MySQL

Multi-AZ MySQL for HA.
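Review bot: the launch link in step 4 of the new "RDS Aurora Serverless" installation guide points at the existing Aurora template (`stackName=rds-aurora` and `templateURL=.../state/rds-aurora.yaml`), not at the serverless template this commit announces as `state/rds-aurora-serverless`; the stack name and template URL should reference that template (presumably `state/rds-aurora-serverless.yaml`). Smaller points: "This templates depends" in steps 1 to 3 should read "This template depends", and the one-line description "Aurora Serverless cluster." would benefit from a "Limitations" subsection like the RDS Aurora section directly above it.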
137 changes: 137 additions & 0 deletions security/kms-key.yaml
@@ -0,0 +1,137 @@
---
# Copyright 2018 widdix GmbH
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Security: KMS customer managed CMK for AWS services, a cloudonaut.io template'
Metadata:
'AWS::CloudFormation::Interface':
ParameterGroups:
- Label:
default: 'Parent Stacks'
Parameters:
- ParentAlertStack
- Label:
default: 'KMS Parameters'
Parameters:
- Service
Parameters:
ParentAlertStack:
Description: 'Optional but recommended stack name of parent alert stack based on operations/alert.yaml template.'
Type: String
Default: ''
Service:
Description: 'Which AWS service is allowed to use this CMK?'
Type: String
AllowedValues:
- 'ALL_SERVICES'
- connect
- dms
- ssm
- ec2
- elasticfilesystem
- es
- kinesis
- kinesisvideo
- lambda
- lex
- redshift
- rds
- secretsmanager
- ses
- s3
- importexport
- sqs
- workmail
- workspaces
Default: ALL_SERVICES
Conditions:
HasAlertTopic: !Not [!Equals [!Ref ParentAlertStack, '']]
HasServiceAllServices: !Equals [!Ref Service, 'ALL_SERVICES']
Resources:
Key:
DeletionPolicy: Retain
Type: 'AWS::KMS::Key'
Properties:
KeyPolicy:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
Action: 'kms:*'
Resource: '*'
- Effect: Allow
Principal:
AWS: '*'
Action:
- 'kms:Encrypt'
- 'kms:Decrypt'
- 'kms:ReEncrypt*'
- 'kms:GenerateDataKey*'
- 'kms:CreateGrant'
- 'kms:ListGrants'
- 'kms:DescribeKey'
Resource: '*'
Condition:
StringEquals: !If
- HasServiceAllServices
- 'kms:CallerAccount': !Ref 'AWS::AccountId'
- 'kms:CallerAccount': !Ref 'AWS::AccountId'
'kms:ViaService': !Sub '${Service}.${AWS::Region}.amazonaws.com'
KeyAlias:
Type: 'AWS::KMS::Alias'
Properties:
AliasName: !Sub 'alias/${AWS::StackName}'
TargetKeyId: !Ref Key
DeletionNotification:
Condition: HasAlertTopic
Type: 'AWS::Events::Rule'
Properties:
EventPattern:
source:
- 'aws.kms'
'detail-type':
- 'AWS API Call via CloudTrail'
resources:
- !GetAtt Key.Arn
detail:
eventSource:
- 'kms.amazonaws.com'
'eventName':
- ScheduleKeyDeletion
- DisableKey
State: ENABLED
Targets:
- Arn: {'Fn::ImportValue': !Sub '${ParentAlertStack}-TopicARN'}
Id: rule
Outputs:
TemplateID:
Description: 'cloudonaut.io template id.'
Value: 'security/kms-key'
TemplateVersion:
Description: 'cloudonaut.io template version.'
Value: '__VERSION__'
StackName:
Description: 'Stack name.'
Value: !Sub '${AWS::StackName}'
KeyId:
Description: 'Key id.'
Value: !Ref Key
Export:
Name: !Sub '${AWS::StackName}-KeyId'
KeyArn:
Description: 'Key ARN.'
Value: !GetAtt 'Key.Arn'
Export:
Name: !Sub '${AWS::StackName}-KeyArn'
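Review bot: the `Key` resource sets no `EnableKeyRotation`, so automatic key rotation stays off for every stack created from this template; consider `EnableKeyRotation: true` under `Properties` unless static key material is intended, and document the choice either way. Two related points: `KeyAlias` lacks the `DeletionPolicy: Retain` that `Key` carries, so deleting the stack removes the alias while the key survives, which makes the retained key harder to find and to re-attach; and in the `ALL_SERVICES` branch of the second key policy statement, `Principal: AWS: '*'` is constrained only by `kms:CallerAccount`, so any IAM principal in the account with matching IAM permissions can use the key directly and not only through a service, which is what "Access control via IAM is also enabled" in `docs/security.md` should state explicitly.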