1. Answers
  2. Create and Manage an AWS KMS Key

How do I create an AWS KMS key and manage it?

In this guide, we will walk through how to create an AWS KMS (Key Management Service) key and manage its policies using Pulumi. AWS KMS keys are essential for encrypting and decrypting data securely. We will define a KMS key and attach a key policy to manage permissions.

Key Points:

  • Create an AWS KMS key
  • Define and attach a key policy
  • Enable key rotation for added security
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Create a new KMS Key
const kmsKey = new aws.kms.Key("myKmsKey", {
    description: "A KMS key for demonstration purposes",
    isEnabled: true,
    enableKeyRotation: true,
    policy: JSON.stringify({
        Version: "2012-10-17",
        Id: "key-default-1",
        Statement: [
            {
                Sid: "Enable IAM User Permissions",
                Effect: "Allow",
                Principal: {
                    AWS: "*"
                },
                Action: "kms:*",
                Resource: "*"
            },
            {
                Sid: "Allow access for Key Administrators",
                Effect: "Allow",
                Principal: {
                    AWS: "arn:aws:iam::123456789012:role/KeyAdminRole"
                },
                Action: [
                    "kms:Create*",
                    "kms:Describe*",
                    "kms:Enable*",
                    "kms:List*",
                    "kms:Put*",
                    "kms:Update*",
                    "kms:Revoke*",
                    "kms:Disable*",
                    "kms:Get*",
                    "kms:Delete*",
                    "kms:TagResource",
                    "kms:UntagResource",
                    "kms:ScheduleKeyDeletion",
                    "kms:CancelKeyDeletion"
                ],
                Resource: "*"
            }
        ]
    }),
    tags: {
        "Environment": "Dev",
        "Project": "Pulumi-KMS"
    }
});

// Export the KMS Key ARN
export const kmsKeyArn = kmsKey.arn;

Summary

In this guide, we created an AWS KMS key with Pulumi and managed its policies. We defined a key policy to allow specific IAM roles to manage the key and enabled key rotation for added security. The KMS key ARN is exported for reference in other parts of your infrastructure.

Deploy this code

Want to deploy this code? Sign up for a free Pulumi account to deploy in a few clicks.

Sign up

New to Pulumi?

Want to deploy this code? Sign up with Pulumi to deploy in a few clicks.

Sign up