
tessl/npm-pulumi--aws

A Pulumi package for creating and managing Amazon Web Services (AWS) cloud resources with infrastructure-as-code.


KMS - Key Management Service

AWS KMS creates and controls cryptographic keys for encrypting data.

Common Tasks

Create encryption key with automatic rotation

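import * as aws from "@pulumi/aws";

const key = new aws.kms.Key("app-key", {
    description: "Application encryption key",
    // Rotate the key material automatically.
    enableKeyRotation: true,
    // Waiting period before KMS deletes the key once deletion is scheduled.
    deletionWindowInDays: 10,
});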

Create key alias for easy reference

new aws.kms.Alias("app-key-alias", {
    name: "alias/app-key",
    targetKeyId: key.id,
});

Create key with custom policy for cross-account access

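const key = new aws.kms.Key("shared-key", {
    description: "Shared encryption key",
    policy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Sid: "Enable IAM User Permissions",
            Effect: "Allow",
            // 123456789012 is a placeholder account ID. Naming an account root
            // delegates access decisions to IAM policies in that account.
            Principal: { AWS: "arn:aws:iam::123456789012:root" },
            // kms:* covers key administration as well as use; for a second
            // account, list only the actions it needs.
            Action: "kms:*",
            Resource: "*",
        }],
    }),
});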
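The policy above is a single `kms:*` statement. As an added example (not code from this page or from the Pulumi AWS package), the TypeScript below builds a two-statement key policy that keeps full control in the owning account and gives a second account use-only actions, and checks a policy for wildcard grants to outside principals. The function names and the account IDs used with them are assumptions.

```typescript
// Added example: not part of @pulumi/aws. All names here are hypothetical.
type KeyPolicyStatement = {
    Sid: string;
    Effect: "Allow" | "Deny";
    Principal: { AWS: string | string[] };
    Action: string | string[];
    Resource: string;
};
type KeyPolicy = { Version: "2012-10-17"; Statement: KeyPolicyStatement[] };

const rootArn = (accountId: string): string => `arn:aws:iam::${accountId}:root`;
const asList = (v: string | string[]): string[] => (Array.isArray(v) ? v : [v]);

// The owning account keeps full control so its IAM policies can administer the
// key; the consumer account is limited to cryptographic use and DescribeKey.
function buildSharedKeyPolicy(ownerAccountId: string, consumerAccountId: string): KeyPolicy {
    return {
        Version: "2012-10-17",
        Statement: [
            { Sid: "Enable IAM User Permissions", Effect: "Allow",
              Principal: { AWS: rootArn(ownerAccountId) }, Action: "kms:*", Resource: "*" },
            { Sid: "Allow use of the key from the consumer account", Effect: "Allow",
              Principal: { AWS: rootArn(consumerAccountId) },
              Action: ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                       "kms:GenerateDataKey*", "kms:DescribeKey"],
              Resource: "*" },
        ],
    };
}

// True when the principal is the account ID itself or an IAM ARN inside it
// (assumes the standard "aws" partition).
const inAccount = (principal: string, accountId: string): boolean =>
    principal === accountId || principal.startsWith(`arn:aws:iam::${accountId}:`);

// Sids of Allow statements that grant wildcard KMS actions to any principal
// outside the owning account, including "*".
function findOverbroadGrants(policy: KeyPolicy, ownerAccountId: string): string[] {
    return policy.Statement
        .filter((s) => s.Effect === "Allow"
            && asList(s.Action).some((a) => a === "*" || a === "kms:*")
            && asList(s.Principal.AWS).some((p) => !inAccount(p, ownerAccountId)))
        .map((s) => s.Sid);
}
```

Pass `JSON.stringify(buildSharedKeyPolicy(owner, consumer))` as the `policy` argument of `aws.kms.Key`. Principals in the consumer account also need an IAM policy in their own account that allows these actions on the key.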

Core Resources

Key

KMS encryption keys.

class Key extends pulumi.CustomResource {
    constructor(name: string, args?: KeyArgs, opts?: pulumi.CustomResourceOptions);

    readonly arn: pulumi.Output<string>;
    readonly keyId: pulumi.Output<string>;
}

interface KeyArgs {
    description?: pulumi.Input<string>;
    keyUsage?: pulumi.Input<"ENCRYPT_DECRYPT" | "SIGN_VERIFY">;
    customerMasterKeySpec?: pulumi.Input<string>;
    policy?: pulumi.Input<string>;
    deletionWindowInDays?: pulumi.Input<number>;
    isEnabled?: pulumi.Input<boolean>;
    enableKeyRotation?: pulumi.Input<boolean>;
    multiRegion?: pulumi.Input<boolean>;
    tags?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
}

Example: Create encryption key with rotation

const key = new aws.kms.Key("app-key", {
    description: "Application encryption key",
    deletionWindowInDays: 10,
    enableKeyRotation: true,
    tags: {
        Environment: "production",
        Purpose: "data-encryption",
    },
});

Alias

Key aliases for easier key reference.

class Alias extends pulumi.CustomResource {
    constructor(name: string, args: AliasArgs, opts?: pulumi.CustomResourceOptions);
}

interface AliasArgs {
    name?: pulumi.Input<string>;
    targetKeyId: pulumi.Input<string>;
}

Example: Create alias for key

new aws.kms.Alias("app-key-alias", {
    name: "alias/app-key",
    targetKeyId: key.id,
});

Usage Example

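import * as aws from "@pulumi/aws";

// Symmetric encryption key with automatic rotation enabled.
const key = new aws.kms.Key("app-key", {
    description: "Application encryption key",
    deletionWindowInDays: 10,
    enableKeyRotation: true,
});

// Friendly name that resolves to the key above.
new aws.kms.Alias("app-key-alias", {
    name: "alias/app-key",
    targetKeyId: key.id,
});

// Stack output: the key ARN, for use in other resources or stacks.
export const keyArn = key.arn;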

Related Services

  • S3 - Server-side encryption for S3 buckets
  • EBS - Volume encryption for EC2 instances
  • RDS - Database encryption at rest
  • Secrets Manager - Encrypt secrets with KMS keys
  • Lambda - Encrypt environment variables

Install with Tessl CLI

npx tessl i tessl/npm-pulumi--aws@7.16.0
