AWSConfigRemediation-UpdateXRayKMSKey
Description
The AWSConfigRemediation-UpdateXRayKMSKey runbook enables encryption on your AWS X-Ray data using an AWS Key Management Service (AWS KMS) key. This runbook should only be used as a baseline to ensure that your AWS X-Ray data is encrypted according to minimum recommended security best practices. We recommend encrypting multiple sets of data with different KMS keys.
Document type
Automation
Owner
Amazon
Platforms
Linux, macOS, Windows
Parameters
- AutomationAssumeRole
  Type: String
  Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
- KeyId
  Type: String
  Description: (Required) The Amazon Resource Name (ARN), key ID, or the key alias of the KMS key you want AWS X-Ray to use to encrypt data.
Required IAM permissions
The AutomationAssumeRole parameter requires the following actions to use the runbook successfully.
- ssm:StartAutomationExecution
- ssm:GetAutomationExecution
- kms:DescribeKey
- xray:GetEncryptionConfig
- xray:PutEncryptionConfig
Document Steps
- aws:executeAwsApi - Enables encryption on your X-Ray data using the KMS key you specify in the KeyId parameter.
- aws:waitForAwsResourceProperty - Waits for the encryption configuration status of your X-Ray data to be ACTIVE.
- aws:executeAwsApi - Gathers the ARN of the key you specify in the KeyId parameter.
- aws:assertAwsResourceProperty - Verifies that encryption with the specified key has been enabled on your X-Ray data.
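The four steps above, as an added Python example (not the runbook's own code) that reproduces the flow with boto3-style clients and a constructed offline stand-in for X-Ray and KMS. It assumes the KeyId field returned by GetEncryptionConfig holds the full key ARN once the configuration is ACTIVE, so that it can be compared with the ARN from DescribeKey; KEY_ARN is a placeholder.

```python
import time

# Placeholder key ARN for the offline demo (not a real key).
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"


def is_encrypted_with_key(encryption_config, expected_key_arn):
    """Step 4 (assertAwsResourceProperty): X-Ray must use KMS with this key."""
    cfg = encryption_config["EncryptionConfig"]
    return (cfg.get("Type") == "KMS" and cfg.get("Status") == "ACTIVE"
            and cfg.get("KeyId") == expected_key_arn)


def update_xray_kms_key(xray, kms, key_id, retries=10, delay=0.0):
    """Steps 1-3 of the runbook with boto3-style clients; returns (ok, key_arn)."""
    xray.put_encryption_config(KeyId=key_id, Type="KMS")            # step 1
    for _ in range(retries):                                         # step 2
        cfg = xray.get_encryption_config()
        if cfg["EncryptionConfig"]["Status"] == "ACTIVE":
            break
        time.sleep(delay)
    else:
        raise TimeoutError("X-Ray encryption configuration never became ACTIVE")
    key_arn = kms.describe_key(KeyId=key_id)["KeyMetadata"]["Arn"]   # step 3
    return is_encrypted_with_key(cfg, key_arn), key_arn              # step 4


class FakeXRay:
    """Constructed stand-in: reports UPDATING on the first poll, then ACTIVE."""
    def __init__(self):
        self.polls = 0
        self.state = {"EncryptionConfig": {"Type": "NONE", "Status": "ACTIVE"}}

    def put_encryption_config(self, KeyId, Type):
        # The service reports the resolved key ARN, not the alias passed in.
        self.state = {"EncryptionConfig": {"KeyId": KEY_ARN, "Type": Type,
                                           "Status": "UPDATING"}}
        return self.state

    def get_encryption_config(self):
        self.polls += 1
        if self.polls > 1:
            self.state["EncryptionConfig"]["Status"] = "ACTIVE"
        return self.state


class FakeKMS:
    def describe_key(self, KeyId):  # constructed stand-in for kms.describe_key
        return {"KeyMetadata": {"KeyId": KeyId, "Arn": KEY_ARN}}
```

Against a live account, replace the fakes with boto3.client("xray") and boto3.client("kms") under a role holding the permissions listed above.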