Storing Encryption Keys for AI-generated Data

Question

Pulumi · Accepted Answer

Storing encryption keys for AI-generated data is a critical security practice to ensure that sensitive information remains protected. To accomplish this using infrastructure as code, we can use Pulumi to provision resources on a cloud provider that specialize in key management and encryption services.

We'll be creating a program using Pulumi in Python that stores encryption keys using AWS Key Management Service (KMS). AWS KMS allows you to create and manage cryptographic keys and control their use across a wide range of AWS services and in your applications.

Here is an overview of the resources we'll create and manage:

1. **AWS KMS Key**: This is a managed service that enables you to create and control encryption keys used to encrypt your data.

2. **AWS KMS Alias**: An alias for the KMS key which makes it easier to manage and use the key.

3. **AWS IAM Role**: A role that can be assumed by an entity (such as a person, AWS service, or an application) and that defines a set of permissions for making AWS service requests.

4. **AWS IAM Policy**: A policy that defines permissions and will be attached to the IAM Role. This policy will explicitly allow the associated entity to use the KMS key for cryptographic operations.

For context, here's what each section will do:

- **KMS Key**: Provision a new KMS key intended for encrypting AI-generated data.
- **KMS Alias**: Create an alias for our KMS key to reference it more easily.
- **IAM Role**: Provide an identity with specific permissions that our AI services and applications can assume when they need to interact with AWS services.
- **IAM Policy**: Define the actions allowed or denied by AWS entities (like our AI services) associated with the IAM Role.

Let's create our Pulumi program:

```python
import pulumi
import pulumi_aws as aws

# Create a KMS Key for encrypting AI-generated data.
ai_data_kms_key = aws.kms.Key("aiDataKmsKey",
                               description="KMS key for AI-generated data encryption",
                               is_enabled=True)

# Create a KMS Alias for the KMS Key.
# Aliases allow you to use a friendly name to refer to keys.
ai_data_kms_key_alias = aws.kms.Alias("aiDataKmsKeyAlias",
                                      target_key_id=ai_data_kms_key.id,
                                      name="alias/aiDataKey")

# Create an IAM Role that the AI service will assume.
ai_service_role = aws.iam.Role("aiServiceRole",
                               assume_role_policy="""{
                                 "Version": "2012-10-17",
                                 "Statement": [{
                                   "Action": "sts:AssumeRole",
                                   "Effect": "Allow",
                                   "Principal": {
                                     "Service": "ec2.amazonaws.com"
                                   }
                                 }]
                               }""")

# Create an IAM Policy that grants permissions to use the KMS key.
ai_service_kms_policy = aws.iam.RolePolicy("aiServiceKmsPolicy",
                                           role=ai_service_role.id,
                                           policy=pulumi.Output.all(ai_data_kms_key.id).apply(lambda kms_key_id: f"""{{
                                             "Version": "2012-10-17",
                                             "Statement": [{
                                               "Effect": "Allow",
                                               "Action": [
                                                 "kms:Encrypt",
                                                 "kms:Decrypt",
                                                 "kms:ReEncrypt*",
                                                 "kms:GenerateDataKey*",
                                                 "kms:DescribeKey"
                                               ],
                                               "Resource": "{kms_key_id}"
                                             }]
                                           }}"""))

# Export the key id and the alias of the KMS Key
pulumi.export("key_id", ai_data_kms_key.id)
pulumi.export("key_alias", ai_data_kms_key_alias.name)
pulumi.export("role_arn", ai_service_role.arn)
```

In this program, we begin by importing the required Pulumi AWS module.

- We then define an AWS KMS key specific to our AI data with a descriptive `description` to distinguish its purpose.
- We create a KMS alias which is more memorable and user-friendly than the key ID.
- We establish an IAM role with a trust policy that allows AWS services (in this case, EC2) to assume the role.
- We attach a policy to our role which grants permissions to use the KMS key for encryption and decryption. This is achieved by creating an inline policy and using string interpolation with the KMS key ID dynamically inserted.
- At the end of the program, we use `pulumi.export` to output the KMS key ID, the alias, and the ARN of the IAM role so that they can be referenced outside of Pulumi as needed, for example in service configurations or CI/CD pipelines.

This Pulumi program sets up the encryption key infrastructure where an AI service hosted on AWS EC2 can securely access and use the encryption key to handle sensitive AI-generated data.