
KMS setup and encryption verification steps when deploying Control Tower with CloudFormation

Posted at 2024-10-27

Contents

When enabling Control Tower with CloudFormation, there are a few resources that have to be created beforehand:

  1. The dedicated IAM role required to deploy Control Tower
  2. A KMS key for Control Tower (optional)

This time I wanted to encrypt Control Tower's Config and CloudTrail data, but I had forgotten the prerequisites for creating the KMS key, so the data was not being encrypted. I am leaving this as a reminder note.
I will also check whether the data is actually encrypted.

KMS code

AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  HomeRegion:
    Type: String
    Description: Control Tower's home region
    Default: ap-northeast-1

Resources:
  ControlTowerKMSKey:
    Type: AWS::KMS::Key
    Properties:
      Description: Custom KMS key for AWS Control Tower
      Enabled: true
      # Rotation is off here; it can be turned on later without changing the key ARN
      EnableKeyRotation: false
      KeyPolicy:
        Version: '2012-10-17'
        Id: ControlTowerCustomKMSPolicy
        Statement:
          # Key administration stays with the account root (IAM policies in the account take it from there)
          - Sid: Allow administration of the key
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action:
              - 'kms:*'
            Resource: '*'

          # AWS Config needs a data key to write, and Decrypt to read back, objects in the log bucket
          - Sid: Allow Config to use KMS for encryption
            Effect: Allow
            Principal:
              Service: config.amazonaws.com
            Action:
              - 'kms:Decrypt'
              - 'kms:GenerateDataKey'
            Resource: '*'

          # CloudTrail gets the same, but only when acting for the Control Tower baseline trail in the home region
          - Sid: Allow CloudTrail to use KMS for encryption
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action:
              - 'kms:GenerateDataKey*'
              - 'kms:Decrypt'
            Resource: '*'
            Condition:
              StringEquals:
                aws:SourceArn: !Sub arn:aws:cloudtrail:${HomeRegion}:${AWS::AccountId}:trail/aws-controltower-BaselineCloudTrail
              StringLike:
                kms:EncryptionContext:aws:cloudtrail:arn: !Sub arn:aws:cloudtrail:*:${AWS::AccountId}:trail/*
Outputs:
  KMSKeyArn:
    Value: !GetAtt ControlTowerKMSKey.Arn
    Export:
      Name: KMSKeyArn
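Before handing the key to Control Tower it is worth checking, from the deployed key policy rather than the template, that the two service principals really have what they need and that the CloudTrail grant is scoped to the baseline trail. The script below is an added example and not part of the original article; `KEY_POLICY` is a constructed JSON rendering of the template's `KeyPolicy` with the pseudo-parameters resolved to placeholder values (account `123456789012`, home region `ap-northeast-1`), and `REQUIRED` is the assumed minimal action set per service. In practice the policy document would come from `aws kms get-key-policy --key-id <key-id> --policy-name default`.

```python
"""Check that a KMS key policy grants Config and CloudTrail what Control
Tower needs, and that the CloudTrail grant is restricted by aws:SourceArn.

Added example, not code from the original article. KEY_POLICY is a
constructed rendering of the template's KeyPolicy with placeholder values."""
import fnmatch
import json

# Actions each service principal must be allowed on the key (assumed minimal set).
REQUIRED = {
    "config.amazonaws.com": ["kms:Decrypt", "kms:GenerateDataKey"],
    "cloudtrail.amazonaws.com": ["kms:Decrypt", "kms:GenerateDataKey"],
}

# Constructed: the template's key policy with ${AWS::AccountId} / ${HomeRegion} resolved.
KEY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Id": "ControlTowerCustomKMSPolicy",
  "Statement": [
    {"Sid": "Allow administration of the key", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": ["kms:*"], "Resource": "*"},
    {"Sid": "Allow Config to use KMS for encryption", "Effect": "Allow",
     "Principal": {"Service": "config.amazonaws.com"},
     "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*"},
    {"Sid": "Allow CloudTrail to use KMS for encryption", "Effect": "Allow",
     "Principal": {"Service": "cloudtrail.amazonaws.com"},
     "Action": ["kms:GenerateDataKey*", "kms:Decrypt"], "Resource": "*",
     "Condition": {
       "StringEquals": {"aws:SourceArn": "arn:aws:cloudtrail:ap-northeast-1:123456789012:trail/aws-controltower-BaselineCloudTrail"},
       "StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:123456789012:trail/*"}}}
  ]
}
""")

# Same policy with the Config statement dropped, to show what the check reports.
POLICY_WITHOUT_CONFIG = {
    **KEY_POLICY,
    "Statement": [s for s in KEY_POLICY["Statement"] if "Config" not in s["Sid"]],
}


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allowed_actions(policy, service):
    """Collect every action an Allow statement grants to the given service principal."""
    actions = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        # "Principal": "*" is not counted as satisfying a service's needs.
        if not isinstance(principal, dict):
            continue
        if service in _as_list(principal.get("Service")):
            actions.extend(_as_list(stmt.get("Action")))
    return actions


def missing_permissions(policy):
    """Map each service lacking a required action to its missing actions.

    Wildcards in granted actions (e.g. kms:GenerateDataKey*) are honoured."""
    missing = {}
    for service, needed in REQUIRED.items():
        granted = allowed_actions(policy, service)
        lacking = [a for a in needed
                   if not any(fnmatch.fnmatchcase(a, pat) for pat in granted)]
        if lacking:
            missing[service] = lacking
    return missing


def cloudtrail_scoped_to_trail(policy):
    """True if every CloudTrail grant carries a StringEquals aws:SourceArn condition,
    so the service principal cannot use the key on behalf of some other trail."""
    for stmt in _as_list(policy.get("Statement")):
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            continue
        if "cloudtrail.amazonaws.com" not in _as_list(principal.get("Service")):
            continue
        if "aws:SourceArn" not in stmt.get("Condition", {}).get("StringEquals", {}):
            return False
    return True


if __name__ == "__main__":
    print("template policy:", missing_permissions(KEY_POLICY) or "OK")
    print("without Config: ", missing_permissions(POLICY_WITHOUT_CONFIG))
    print("CloudTrail scoped:", cloudtrail_scoped_to_trail(KEY_POLICY))
```

The policy name `default` is the only policy name KMS supports, so the `get-key-policy` call above returns the live document; feed its `Policy` string through `json.loads` in place of the constructed one.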

Checking that Control Tower's data is encrypted

Checking the bucket's encryption

aws s3api get-bucket-encryption --bucket <bucket-name>

Output

{
    "ServerSideEncryptionConfiguration": {
        "Rules": [
            {
                "ApplyServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "AES256"
                },
                "BucketKeyEnabled": false
            }
        ]
    }
}

Checking an object's encryption

aws s3api head-object --bucket <bucket-name> --key <object-key>

Output

{
    "AcceptRanges": "bytes",
    "Expiration": ,
    "LastModified": "2024-10-24T16:03:10+00:00",
    "ContentLength": ,
    "ETag": ,
    "VersionId": ,
    "ContentEncoding": "gzip",
    "ContentType": "application/json",
    "ServerSideEncryption": "aws:kms",
    "Metadata": {},
    "SSEKMSKeyId": 
}

Confirm that the "ServerSideEncryption" field reads "aws:kms". Note that the bucket-level default shown above is still "AES256" (SSE-S3); that default only applies to uploads that do not specify their own encryption, whereas CloudTrail and Config write each object with the KMS key, so the per-object check is the one that proves the key is in use.
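Checking one object by hand is fine for a spot check, but the useful audit is over the whole log bucket, because encryption is fixed at write time: anything written before the key was attached stays SSE-S3. The script below is an added example, not from the original article; the bucket configuration and head-object responses are constructed to mirror the fields returned by `aws s3api get-bucket-encryption` and `aws s3api head-object` (boto3's `get_bucket_encryption` / `head_object` return the same keys), and the key ARN and object keys are placeholders.

```python
"""Audit how objects in the Control Tower log bucket are actually encrypted.

Added example, not from the original article. Sample responses are
constructed; the key ARN and object keys are placeholders."""

# Placeholder ARN of the Control Tower key (the template's KMSKeyArn export).
EXPECTED_KEY_ARN = "arn:aws:kms:ap-northeast-1:123456789012:key/11111111-2222-3333-4444-555555555555"

# Constructed: bucket-level default, shaped like the article's get-bucket-encryption output.
SAMPLE_BUCKET_CONFIG = {
    "ServerSideEncryptionConfiguration": {
        "Rules": [
            {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"},
             "BucketKeyEnabled": False}
        ]
    }
}

# Constructed head-object responses, trimmed to the fields that matter.
SAMPLE_OBJECTS = {
    # Written after the key was attached: SSE-KMS with the expected key.
    "AWSLogs/o-xxxx/123456789012/CloudTrail/ap-northeast-1/2024/10/24/new.json.gz": {
        "ServerSideEncryption": "aws:kms",
        "SSEKMSKeyId": EXPECTED_KEY_ARN,
        "ContentType": "application/json",
    },
    # Written before the key was attached: bucket default (SSE-S3) only.
    "AWSLogs/o-xxxx/123456789012/Config/ap-northeast-1/2024/10/01/old.json.gz": {
        "ServerSideEncryption": "AES256",
    },
    # Encrypted with some other KMS key.
    "AWSLogs/o-xxxx/123456789012/CloudTrail/ap-northeast-1/2024/10/24/other.json.gz": {
        "ServerSideEncryption": "aws:kms",
        "SSEKMSKeyId": "arn:aws:kms:ap-northeast-1:123456789012:key/99999999-0000-0000-0000-000000000000",
    },
}


def bucket_default_algorithm(config):
    """SSE algorithm applied to uploads that set none themselves; None if no default."""
    rules = config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        if "SSEAlgorithm" in default:
            return default["SSEAlgorithm"]
    return None


def object_encryption(head, expected_key_arn):
    """Classify one head-object response: 'kms', 'kms-other-key', 'sse-s3' or 'none'."""
    sse = head.get("ServerSideEncryption")
    if sse == "aws:kms":
        return "kms" if head.get("SSEKMSKeyId") == expected_key_arn else "kms-other-key"
    if sse == "AES256":
        return "sse-s3"
    return "none"


def audit(objects, expected_key_arn):
    """Return {object_key: status} for every object NOT encrypted with the expected key."""
    findings = {}
    for key, head in objects.items():
        status = object_encryption(head, expected_key_arn)
        if status != "kms":
            findings[key] = status
    return findings


if __name__ == "__main__":
    print("bucket default:", bucket_default_algorithm(SAMPLE_BUCKET_CONFIG))
    for key, status in audit(SAMPLE_OBJECTS, EXPECTED_KEY_ARN).items():
        print(f"{status:14} {key}")
```

To run this against a real bucket, replace `SAMPLE_OBJECTS` with the result of a boto3 `list_objects_v2` paginator followed by `head_object` on each key. Objects reported as `sse-s3` will not become KMS-encrypted on their own; they have to be rewritten, for example with `aws s3 cp` using `--sse aws:kms --sse-kms-key-id <key-arn>` over the same key.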

Summary

  • When creating Control Tower with CloudFormation, the KMS key must be created first (in its own CloudFormation template) as a prerequisite.