How to use @aws-cdk/aws-kms - 6 common examples
To help you get started, we’ve selected a few @aws-cdk/aws-kms examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
aws / aws-cdk / packages / @aws-cdk / aws-glue / lib / table.ts View on Github 
function createBucket(table: Table, props: TableProps) {
const encryption = props.encryption || TableEncryption.UNENCRYPTED;
let bucket = props.bucket;
if (bucket && (encryption !== TableEncryption.UNENCRYPTED && encryption !== TableEncryption.CLIENT_SIDE_KMS)) {
throw new Error('you can not specify encryption settings if you also provide a bucket');
}
let encryptionKey: kms.IKey | undefined;
if (encryption === TableEncryption.CLIENT_SIDE_KMS && props.encryptionKey === undefined) {
// CSE-KMS should behave the same as SSE-KMS - use the provided key or create one automatically
// Since Bucket only knows about SSE, we repeat the logic for CSE-KMS at the Table level.
encryptionKey = new kms.Key(table, 'Key');
} else {
encryptionKey = props.encryptionKey;
}
// create the bucket if none was provided
if (!bucket) {
if (encryption === TableEncryption.CLIENT_SIDE_KMS) {
bucket = new s3.Bucket(table, 'Bucket');
} else {
bucket = new s3.Bucket(table, 'Bucket', {
encryption: encryptionMappings[encryption],
encryptionKey
});
encryptionKey = bucket.encryptionKey;
}
}} {
// default to unencrypted.
const encryptionType = props.encryption || StreamEncryption.UNENCRYPTED;
// if encryption key is set, encryption must be set to KMS.
if (encryptionType !== StreamEncryption.KMS && props.encryptionKey) {
throw new Error(`encryptionKey is specified, so 'encryption' must be set to KMS (value: ${encryptionType})`);
}
if (encryptionType === StreamEncryption.UNENCRYPTED) {
return { streamEncryption: undefined, encryptionKey: undefined };
}
if (encryptionType === StreamEncryption.KMS) {
const encryptionKey = props.encryptionKey || new kms.Key(this, 'Key', {
description: `Created by ${this.node.path}`
});
const streamEncryption: CfnStream.StreamEncryptionProperty = {
encryptionType: 'KMS',
keyId: encryptionKey.keyArn
};
return { encryptionKey, streamEncryption };
}
throw new Error(`Unexpected 'encryptionType': ${encryptionType}`);
}
}import * as kms from '@aws-cdk/aws-kms';
import * as s3 from '@aws-cdk/aws-s3';
import * as cdk from '@aws-cdk/core';
const REQUIRED_ALIAS_PREFIX = 'alias/';
/**
* A class needed to work around CodePipeline's extremely small (100 characters)
* limit for the name/ARN of the key in the ArtifactStore.
* Limits the length of the alias' auto-generated name to 50 characters.
*/
class AliasWithShorterGeneratedName extends kms.Alias {
protected generatePhysicalName(): string {
let baseName = super.generatePhysicalName();
if (baseName.startsWith(REQUIRED_ALIAS_PREFIX)) {
// remove the prefix, because we're taking the last characters of the name below
baseName = baseName.substring(REQUIRED_ALIAS_PREFIX.length);
}
const maxLength = 50 - REQUIRED_ALIAS_PREFIX.length;
// take the last characters, as they include the hash,
// and so have a higher chance of not colliding
return REQUIRED_ALIAS_PREFIX + lastNCharacters(baseName, maxLength);
}
}
function lastNCharacters(str: string, n: number) {
const startIndex = Math.max(str.length - n, 0);
return str.substring(startIndex);const result = iam.Grant.addToPrincipal({
grantee,
actions: ['secretsmanager:GetSecretValue'],
resourceArns: [this.secretArn],
scope: this
});
if (versionStages != null && result.principalStatement) {
result.principalStatement.addCondition('ForAnyValue:StringEquals', {
'secretsmanager:VersionStage': versionStages
});
}
if (this.encryptionKey) {
// @see https://docs.aws.amazon.com/fr_fr/kms/latest/developerguide/services-secrets-manager.html
this.encryptionKey.grantDecrypt(
new kms.ViaServicePrincipal(`secretsmanager.${Stack.of(this).region}.amazonaws.com`, grantee.grantPrincipal)
);
}
return result;
}constructor(scope: cdk.Construct, id: string) {
super(scope, id);
const encryptionKey = new kms.Key(this, 'CrossRegionCodePipelineReplicationBucketEncryptionKey', {
removalPolicy: cdk.RemovalPolicy.DESTROY,
});
const encryptionAlias = new AliasWithShorterGeneratedName(this, 'CrossRegionCodePipelineReplicationBucketEncryptionAlias', {
targetKey: encryptionKey,
aliasName: cdk.PhysicalName.GENERATE_IF_NEEDED,
removalPolicy: cdk.RemovalPolicy.DESTROY,
});
this.replicationBucket = new s3.Bucket(this, 'CrossRegionCodePipelineReplicationBucket', {
bucketName: cdk.PhysicalName.GENERATE_IF_NEEDED,
encryptionKey: encryptionAlias,
});
}
}if (encryption === QueueEncryption.UNENCRYPTED) {
return { encryptionProps: {} };
}
if (encryption === QueueEncryption.KMS_MANAGED) {
return {
encryptionProps: {
kmsMasterKeyId: 'alias/aws/sqs',
kmsDataKeyReusePeriodSeconds: props.dataKeyReuse && props.dataKeyReuse.toSeconds()
}
};
}
if (encryption === QueueEncryption.KMS) {
const masterKey = props.encryptionMasterKey || new kms.Key(this, 'Key', {
description: `Created by ${this.node.path}`
});
return {
encryptionMasterKey: masterKey,
encryptionProps: {
kmsMasterKeyId: masterKey.keyArn,
kmsDataKeyReusePeriodSeconds: props.dataKeyReuse && props.dataKeyReuse.toSeconds()
}
};
}
throw new Error(`Unexpected 'encryptionType': ${encryption}`);
}
}@aws-cdk/aws-kms
The CDK Construct Library for AWS::KMS
