Creating AWS KMS resources with AWS CloudFormation - AWS Key Management Service

Creating AWS KMS resources with AWS CloudFormation

AWS Key Management Service is integrated with AWS CloudFormation, a service that helps you to model and set up your AWS resources so that you can spend less time creating and managing your resources and infrastructure. You create a template that describes KMS keys and aliases, and AWS CloudFormation provisions and configures those resources for you. For information about AWS KMS support for CloudFormation, see the KMS resource type reference in the AWS CloudFormation User Guide.

When you use AWS CloudFormation, you can reuse your template to set up your AWS KMS resources consistently and repeatedly. Describe your resources once, and then provision the same resources over and over in multiple AWS accounts and Regions.

To provision and configure resources for AWS KMS and other AWS services, you must understand AWS CloudFormation templates. Templates are formatted text files in JSON or YAML. These templates describe the resources that you want to provision in your AWS CloudFormation stacks. If you're unfamiliar with JSON or YAML, you can use AWS CloudFormation Designer to help you get started with AWS CloudFormation templates. For more information, see What is AWS CloudFormation Designer? in the AWS CloudFormation User Guide.

Regions

AWS KMS CloudFormation resources are supported in all Regions in which AWS CloudFormation is supported. However, in the Asia Pacific (Jakarta) Region (ap-southeast-3), you cannot use a CloudFormation template to create or manage asymmetric KMS keys or multi-Region KMS keys (primary or replica).

AWS KMS resources in AWS CloudFormation templates

AWS KMS supports the following AWS CloudFormation resource types: AWS::KMS::Key (a KMS key and its key policy), AWS::KMS::Alias (an alias that points to a KMS key), and AWS::KMS::ReplicaKey (a replica of a multi-Region primary key).

The KMS keys that the template creates are actual resources in your AWS account. Authorized principals can use and manage the KMS keys that the template creates, either by using the template, the AWS KMS console, or the AWS KMS APIs. When you remove a KMS key from your template or delete the stack, the KMS key is not deleted immediately; it is scheduled for deletion using the waiting period that you specified in advance in the key's PendingWindowInDays property (7 to 30 days; 30 days if you don't set it). During the waiting period the key cannot be used, but an authorized principal can cancel the deletion. If you set DeletionPolicy: Retain on the key resource, CloudFormation leaves the key in place when the resource or stack is deleted, which is the safer choice for keys that protect production data.

For example, you can use an AWS CloudFormation template to create a test KMS key with a key policy, key spec, key usage, aliases, and tags you prefer. You can run it through your test suite, review your results, and then use the template to schedule the test key for deletion. Later, you can run the template again to create a test key with the same properties.

Or you can use an AWS CloudFormation template to define a particular KMS key configuration that satisfies your business rules and security standards. Then you can use that template any time you need to create a KMS key, and every key it creates matches the reviewed configuration instead of being set up by hand. If your preferred configuration changes, you can use your template to update your KMS keys. For example, the template makes it easy to programmatically enable automatic key rotation (the EnableKeyRotation property) on all KMS keys that the template defines; note that automatic rotation applies only to symmetric encryption keys, so setting it on an asymmetric or HMAC key causes the stack operation to fail. Also note that some properties, such as KeySpec and KeyUsage, cannot be changed on an existing key: updating them in the template makes CloudFormation replace the resource with a new key, and data encrypted under the old key is not re-encrypted.
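The following template is an added example, not a template from the AWS documentation. It shows the configuration described above in one place: a symmetric encryption key with a key spec, key usage, automatic rotation, a short deletion waiting period for a test key, an alias, and tags, together with a key policy that keeps the account root as key administrator (so the key can never become unmanageable) and grants only encrypt/decrypt permissions to the application role. The account ID 111122223333, the role name ExampleAppRole, and the alias name are placeholders chosen for this example.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Added example: symmetric KMS key with alias, automatic rotation, and a
  least-privilege key policy. Not an official AWS sample.

Parameters:
  AppRoleArn:
    Type: String
    Description: ARN of the IAM role allowed to use the key (placeholder value)
    Default: arn:aws:iam::111122223333:role/ExampleAppRole

Resources:
  TestKey:
    Type: AWS::KMS::Key
    # Delete (the default) schedules the key for deletion when the resource is
    # removed or the stack is deleted. Use Retain for keys that protect real data.
    DeletionPolicy: Delete
    UpdateReplacePolicy: Retain
    Properties:
      Description: Test key created by the example template
      # KeySpec and KeyUsage are immutable; changing them replaces the key.
      KeySpec: SYMMETRIC_DEFAULT
      KeyUsage: ENCRYPT_DECRYPT
      Enabled: true
      # Automatic rotation is only valid for symmetric encryption keys.
      EnableKeyRotation: true
      # Shortest allowed waiting period (7-30 days); fine for a throwaway test key.
      PendingWindowInDays: 7
      KeyPolicy:
        Version: "2012-10-17"
        Id: example-test-key-policy
        Statement:
          # Keep the account's root principal as administrator so that IAM
          # policies in the account can still manage the key.
          - Sid: AllowAccountAdministration
            Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
            Action: "kms:*"
            Resource: "*"
          # The application role gets data-plane permissions only; it cannot
          # change the key policy, disable the key, or schedule deletion.
          - Sid: AllowApplicationUse
            Effect: Allow
            Principal:
              AWS: !Ref AppRoleArn
            Action:
              - kms:Encrypt
              - kms:Decrypt
              - kms:ReEncrypt*
              - kms:GenerateDataKey*
              - kms:DescribeKey
            Resource: "*"
      Tags:
        - Key: Environment
          Value: test
        - Key: Owner
          Value: security-engineering

  TestKeyAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: alias/example-test-key
      TargetKeyId: !Ref TestKey

Outputs:
  TestKeyId:
    Description: Key ID of the test key
    Value: !Ref TestKey
  TestKeyArn:
    Description: ARN of the test key
    Value: !GetAtt TestKey.Arn
```

In a key policy, Resource: "*" means the key the policy is attached to, not every key in the account. Deploying this template with a default DeletionPolicy and then deleting the stack is exactly the "create, test, schedule for deletion, recreate" cycle described above; the 7-day window still gives you time to cancel the deletion if the stack was removed by mistake.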

For more information about AWS KMS resources, including examples, see the KMS resource type reference in the AWS CloudFormation User Guide.

Learn more about AWS CloudFormation

To learn more about AWS CloudFormation, see the following resources: