aws-samples
diff --git a/‎infrastructure/CMK/README.md
Lines changed: 97 additions & 0 deletions b/‎infrastructure/CMK/README.md
Lines changed: 97 additions & 0 deletions
diff --git a/‎infrastructure/CMK/images/actors.png
236 KB b/‎infrastructure/CMK/images/actors.png
236 KB
diff --git a/‎infrastructure/CMK/images/dependencies.png
123 KB b/‎infrastructure/CMK/images/dependencies.png
123 KB
diff --git a/‎infrastructure/CMK/kms-key-administrator-policy.yaml
Lines changed: 132 additions & 0 deletions b/‎infrastructure/CMK/kms-key-administrator-policy.yaml
Lines changed: 132 additions & 0 deletions
diff --git a/‎infrastructure/CMK/msf-base-operator-iam-policy.yaml
Lines changed: 75 additions & 0 deletions b/‎infrastructure/CMK/msf-base-operator-iam-policy.yaml
Lines changed: 75 additions & 0 deletions
@@ -0,0 +1,97 @@
+## Customer Managed Key (CMK) support
+
+This folder contains CloudFormation templates to help create the IAM Policies and KMS Keys to enable CMK in an 
+Amazon Managed Service for Apache Flink application.
+
+**Important**: Setting up CMK following the Principle of Least Privilege requires setting up at least two IAM Users or Roles 
+and executing a number of steps, [described below](#setting-up-cmk-on-an-application), in order and with different users. 
+This process cannot be automated using a simple CFN template. 
+The provided CFN templates help create the required IAM Policies and KMS Key with the correct policy. The full process 
+requires additional steps which can be done manually, using the AWS CLI/API, the Console, or any automation tool.
+
+
+For further information, see the service documentation: [Key Management in Amazon Managed Service for Apache Flink](https://docs.aws.amazon.com/managed-flink/latest/java/key-management-flink.html).
+
+### Background
+
+#### Actors
+
+To use CMK following the Principle of Least Privilege implies multiple and separate actors:
+
+1. The KMS **Customer Managed Key** (CMK), which comprises a Key Policy and the actual Key Material used for encryption.
+2. A **Key Administrator** IAM Role or User, who creates and manages the CMK.
+3. An **Operator** IAM Role or User, who uses the Managed Flink API (`kinesisanalyticsv2`) to control the lifecycle of the application, including configuring it and enabling CMK. 
+4. The Managed Flink **Application** itself, which has an IAM Service Role attached to control the permissions of the application. 
+
+![Actors](images/actors.png)
+
+#### Dependencies between components
+
+Some of these components refer to other components, causing dependencies:
+
+* The *Operator* IAM Policy contains a reference to the *Application* and the *CMK* ARNs.
+* The *CMK Key Policy* contains a reference to the *Operator* User or Role, the *Key Administrator* User or Role, and the *Application* ARN.
+
+![Dependencies](images/dependencies.png)
+
+Because of these dependencies, setting up CMK for an application must be done in a precise order, as described in the following section.
+
+
+### Setting up CMK on an application
+
+1. Create the *Operator's Base IAM Policy* using the [msf-base-operator-iam-policy.yaml](./msf-base-operator-iam-policy.yaml) CFN template. 
+2. Attach the Base Policy to the Operator's User or Role.
+3. If the application doesn't exist yet, use the Operator's credentials to create an application _without_ CMK.
+4. Create the *Key Administrator's IAM Policy* using [kms-key-administrator-policy.yaml](./kms-key-administrator-policy.yaml) (see Note 3 below). 
+5. Attach the Policy to the IAM User/Role you are going to use to manage the CMK key. 
+6. Use the Key Administrator's credentials to create the CMK, using [msf-kms-key.yaml](./msf-kms-key.yaml). The template will ask you to provide the application name, the Operator's Role/User, and the Key Administrator's Role/User ARNs.
+7. Create the *Operator's CMK IAM Policy* using [msf-cmk-operator-iam-policy.yaml](./msf-cmk-operator-iam-policy.yaml). 
+8. Attach the new policy to the Operator's User/Role without removing the Base policy. The template will ask you to provide the application name and the CMK ID.
+9. Use the Operator's credentials to update the application, enabling CMK with the key you created in step 6.
+
+#### ⚠️ Important notes
+
+Note 1: No CFN template is provided for steps 2, 3, 5, 7, and 9. These steps depend on your setup and whether you are using IAM Users or Roles as Operator and Key Administrator. You can use the AWS CLI, the Console, or any automation tool for these steps. Refer to the *Using Customer Managed Key in Amazon Managed Service for Apache Flink* service documentation page for setting CMK on an existing application.
+
+Note 2: The *Operator's Base IAM Policy* defined by [msf-base-operator-iam-policy.yaml](./msf-base-operator-iam-policy.yaml) gives the Operator broad permissions to control any application in the account and attach any service role to the application. You can restrict this policy with further conditions as required.
+
+Note 3: The CFN template [msf-kms-key.yaml](./msf-kms-key.yaml) which creates the CMK must be run using the Key Administrator role/user. This user must have at minimum the permissions defined by the Key Administrator IAM Policy created using the [kms-key-administrator-policy.yaml](./kms-key-administrator-policy.yaml) CFN template. It must also have any permissions required to create the stack, for example to upload the template to S3 if you are creating the stack from the console.
+
+### Testing CMK
+
+Setting up CMK following the Principle of Least Privilege, as described above, makes it difficult to simply test CMK where more lenient security policies can be applied, such as in non-production environments. 
+If you want to use CMK with a single user having broad permissions acting both as *Operator* and *Key Administrator*, you can apply the following Key Policy when you create the CMK Key.
+
+
+```JSON
+{
+    "Version": "2012-10-17",
+    "Id": "key-policy-permissive",
+    "Statement": [
+        {
+            "Sid": "Allow any KMS action to Admin",
+            "Effect": "Allow",
+            "Principal": {
+                "AWS": "arn:aws:iam::<account-id>:role/Admin"
+            },
+            "Action": "kms:*",
+            "Resource": "*"
+        },
+        {
+            "Sid": "Allow any KMS action to Managed Flink",
+            "Effect": "Allow",
+            "Principal": { 
+                "Service": [
+                  "kinesisanalytics.amazonaws.com",
+                  "infrastructure.kinesisanalytics.amazonaws.com"
+                ]
+            },
+            "Action":[ "kms:DescribeKey", "kms:Decrypt", "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext", "kms:CreateGrant" ],
+            "Resource": "*"
+        }
+    ]
+} 
+
+```
+
+⚠️ This key policy should not be used in production environments or environments containing sensitive data. 
@@ -0,0 +1,132 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: 'IAM Policy for KMS Key Administrator with permissions to create, manage, tag, and rotate KMS keys'
+
+Parameters:
+  PolicyName:
+    Type: String
+    Description: 'Name for the IAM Policy'
+    Default: 'MsfCmkKeyAdministratorPolicy'
+    AllowedPattern: '^[a-zA-Z0-9+=,.@_-]+$'
+    ConstraintDescription: 'Must be a valid IAM policy name'
+    
+  PolicyDescription:
+    Type: String
+    Description: 'Description for the IAM Policy'
+    Default: 'Policy for KMS Key Administrator to create, manage, tag, and rotate CMK KMS keys'
+    MaxLength: 1000
+
+Resources:
+  KMSKeyAdministratorPolicy:
+    Type: AWS::IAM::ManagedPolicy
+    Properties:
+      ManagedPolicyName: !Ref PolicyName
+      Description: !Ref PolicyDescription
+      PolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Sid: AllowCreateKMSKey
+            Effect: Allow
+            Action:
+              - 'kms:CreateKey'
+            Resource: '*'
+            
+          - Sid: AllowListKeysAndAliases
+            Effect: Allow
+            Action:
+              - 'kms:ListKeys'
+              - 'kms:ListAliases'
+            Resource: '*'
+            
+          - Sid: AllowManageKeysInCurrentRegionAndAccount
+            Effect: Allow
+            Action:
+              - 'kms:DescribeKey'
+              - 'kms:GetKeyPolicy'
+              - 'kms:PutKeyPolicy'
+              - 'kms:ListKeyPolicies'
+              - 'kms:EnableKey'
+              - 'kms:DisableKey'
+              - 'kms:CancelKeyDeletion'
+              - 'kms:ScheduleKeyDeletion'
+              - 'kms:UpdateKeyDescription'
+            Resource: !Sub 'arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/*'
+            
+          - Sid: AllowManageKeyAliasesInCurrentRegionAndAccount
+            Effect: Allow
+            Action:
+              - 'kms:CreateAlias'
+              - 'kms:DeleteAlias'
+              - 'kms:UpdateAlias'
+            Resource: 
+              - !Sub 'arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/*'
+              - !Sub 'arn:aws:kms:${AWS::Region}:${AWS::AccountId}:alias/*'
+            
+          - Sid: AllowTagKMSKeysInCurrentRegionAndAccount
+            Effect: Allow
+            Action:
+              - 'kms:TagResource'
+              - 'kms:UntagResource'
+              - 'kms:ListResourceTags'
+            Resource: !Sub 'arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/*'
+            
+          - Sid: AllowRotateKMSKeysInCurrentRegionAndAccount
+            Effect: Allow
+            Action:
+              - 'kms:GetKeyRotationStatus'
+              - 'kms:RotateKeyOnDemand'
+              - 'kms:ListKeyRotations'
+            Resource: !Sub 'arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/*'
+            
+          - Sid: AllowKeyUsageForTestingInCurrentRegionAndAccount
+            Effect: Allow
+            Action:
+              - 'kms:Encrypt'
+              - 'kms:Decrypt'
+              - 'kms:ReEncrypt*'
+              - 'kms:GenerateDataKey*'
+              - 'kms:CreateGrant'
+              - 'kms:ListGrants'
+              - 'kms:RevokeGrant'
+            Resource: !Sub 'arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/*'
+            Condition:
+              StringEquals:
+                'kms:ViaService': !Sub 'kinesisanalytics.${AWS::Region}.amazonaws.com'
+
+Outputs:
+  PolicyArn:
+    Description: 'ARN of the created KMS Key Administrator IAM Policy'
+    Value: !Ref KMSKeyAdministratorPolicy
+    Export:
+      Name: !Sub '${AWS::StackName}-PolicyArn'
+      
+  PolicyName:
+    Description: 'Name of the created KMS Key Administrator IAM Policy'
+    Value: !Ref PolicyName
+    Export:
+      Name: !Sub '${AWS::StackName}-PolicyName'
+      
+  AccountId:
+    Description: 'AWS Account ID where the policy was created'
+    Value: !Ref 'AWS::AccountId'
+    Export:
+      Name: !Sub '${AWS::StackName}-AccountId'
+      
+  Region:
+    Description: 'AWS Region where the policy was created'
+    Value: !Ref 'AWS::Region'
+    Export:
+      Name: !Sub '${AWS::StackName}-Region'
+
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+      - Label:
+          default: "IAM Policy Configuration"
+        Parameters:
+          - PolicyName
+          - PolicyDescription
+    ParameterLabels:
+      PolicyName:
+        default: "IAM Policy Name"
+      PolicyDescription:
+        default: "Policy Description"
@@ -0,0 +1,75 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: 'Base IAM Policy for Managed Service for Apache Flink Operator with core MSF permissions'
+
+Parameters:
+  PolicyName:
+    Type: String
+    Description: 'Name for the IAM Policy'
+    Default: 'MsfBaseApplicationOperator'
+    AllowedPattern: '^[a-zA-Z0-9+=,.@_-]+$'
+    ConstraintDescription: 'Must be a valid IAM policy name'
+    
+  PolicyDescription:
+    Type: String
+    Description: 'Description for the IAM Policy'
+    Default: 'Base IAM policy for Managed Flink Application Operator allowing application lifecycle operations'
+    MaxLength: 1000
+
+Resources:
+  MSFBaseOperatorPolicy:
+    Type: AWS::IAM::ManagedPolicy
+    Properties:
+      ManagedPolicyName: !Ref PolicyName
+      Description: !Ref PolicyDescription
+      PolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Sid: AllowMsfApiCalls
+            Effect: Allow
+            Action: 'kinesisanalytics:*'
+            Resource: '*'
+            
+          - Sid: AllowPassingServiceExecutionRole
+            Effect: Allow
+            Action:
+              - 'iam:PassRole'
+            Resource: !Sub 'arn:aws:iam::${AWS::AccountId}:role/*'
+
+Outputs:
+  PolicyArn:
+    Description: 'ARN of the created Base MSF Operator IAM Policy'
+    Value: !Ref MSFBaseOperatorPolicy
+    Export:
+      Name: !Sub '${AWS::StackName}-PolicyArn'
+      
+  PolicyName:
+    Description: 'Name of the created Base MSF Operator IAM Policy'
+    Value: !Ref PolicyName
+    Export:
+      Name: !Sub '${AWS::StackName}-PolicyName'
+      
+  AccountId:
+    Description: 'AWS Account ID where the policy was created'
+    Value: !Ref 'AWS::AccountId'
+    Export:
+      Name: !Sub '${AWS::StackName}-AccountId'
+      
+  Region:
+    Description: 'AWS Region where the policy was created'
+    Value: !Ref 'AWS::Region'
+    Export:
+      Name: !Sub '${AWS::StackName}-Region'
+
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+      - Label:
+          default: "IAM Policy Configuration"
+        Parameters:
+          - PolicyName
+          - PolicyDescription
+    ParameterLabels:
+      PolicyName:
+        default: "IAM Policy Name"
+      PolicyDescription:
+        default: "Policy Description"