in lib/s3_bucket_zones_stack.py [0:0]
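def create_kms_key(self, deployment_account_id, logical_id_prefix, resource_name_prefix) -> kms.Key:
    """
    Creates an AWS KMS Key and attaches a Key policy.

    The key policy grants two distinct things: key administration to this
    account (via ``admins``) and key *usage* (encrypt / decrypt / re-encrypt /
    data-key generation / describe) to both this account and the deployment
    account. Because the grant is to ``AccountPrincipal`` rather than to a
    specific role, any IAM principal in either account may use the key as
    long as its own IAM policy also allows the action -- the trust boundary
    is the whole deployment account, so that account's IAM permissions are
    part of this key's access review.

    @param deployment_account_id: The id of the deployment account that is allowed to use the key
    @param logical_id_prefix str: The logical id prefix to apply to all CloudFormation resources
    @param resource_name_prefix: The resource name prefix to apply to all resource names (used in the key alias)
    @return: The created kms.Key construct
    """
    s3_kms_key = kms.Key(
        self,
        f'{self.target_environment}{logical_id_prefix}KmsKey',
        # Key administration (not data access) for principals in this account
        admins=[iam.AccountPrincipal(self.account)],
        description='Key used for encrypting Data Lake S3 Buckets',
        # Taken from the stack configuration rather than hard-coded here
        removal_policy=self.removal_policy,
        alias=f'{self.target_environment.lower()}-{resource_name_prefix}-kms-key',
    )
    # Key usage for this account and the deployment account. In a KMS key
    # policy, resources=["*"] refers to this key only, not to every key in
    # the account. The Sid makes the statement easy to locate in policy reviews.
    s3_kms_key.add_to_resource_policy(
        iam.PolicyStatement(
            sid='AllowKeyUsageFromAccountAndDeploymentAccount',
            effect=iam.Effect.ALLOW,
            principals=[
                iam.AccountPrincipal(self.account),
                iam.AccountPrincipal(deployment_account_id),
            ],
            actions=[
                'kms:Encrypt',
                'kms:Decrypt',
                'kms:ReEncrypt*',
                'kms:GenerateDataKey*',
                'kms:DescribeKey',
            ],
            resources=['*'],
        )
    )
    return s3_kms_key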