KMS keys

KMS is an amazon service for encrypting and decrypting data. Amazon will store a Master key in it’s infrastructure and never let’s you have access to it. You then use the API to send data to it for decryption/encryption.

Access is controlled through the policy on the key directly and through what are called grants.

These keys can be defined under the encryption_keys section of your configuration:

---

encryption_keys:
  project:
    location: 'ap-southeast-2'
    description: Key for my amazing project`
    admin_users:
        - { iam: role/encryption/encryptor }

    grant:
      - grantee: { iam: "role/ci/project-encryptor" }
        operations: [ "Encrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext" ]

      - grantee: { iam: "role/encryption/project-decryptor" }
        operations: [ "Decrypt" ]

Here we’ve defined a key with an alias of project that sits in the ap-southeast-2 region. It has a description and two grants allowing an encryptor role the ability to encrypt and a decryptor role the ability to decrypt.

Available keys

You can use the following keys when defining your key:

location
The region to put the key in
description
The description for the key
grant
A list of grants to apply to the key
permission
A list of policies to add to the key policy
admin_users
A list of iam users to add kms:* permissions for in the key policy

Statements

See the Statements section for what is valid in a grant.