in rds/CDK/unencrypted_to_encrypted_rds/unencrypted_to_encrypted_rds_stack.py [0:0]
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
"""
kms_key_id_param = core.CfnParameter(
self,
"kmskeyid",
type="String",
description="The KMS key id used to encrypt",
)
kms_key_id_value = kms_key_id_param.value_as_string
"""
# user guide example with assumerolepolicydocument
# https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-cf.html
# cloudformation example https://docs.aws.amazon.com/systems-manager/latest/userguide/samples/AWS-SystemsManager-AutomationServiceRole.zip
automation_role = iam.Role(
self,
"EncryptRDSAutomationRole",
# role_name="EncryptRDSAutomationRole",
assumed_by=iam.CompositePrincipal(
iam.ServicePrincipal("ssm.amazonaws.com"),
iam.ServicePrincipal("rds.amazonaws.com"),
),
)
automation_role.grant_pass_role(automation_role)
rds_key = aws_kms.Key(
self,
"rds-encryption-key",
alias="alias/RDSEncryptionAtRestKMSAlias",
enable_key_rotation=True,
)
# Setup Role Permissions
automation_role_policy = iam.ManagedPolicy(
self,
f"EncryptRDSAutomationRole-policy",
description="Permissions for the RDS encrypt unencrypted",
path="/",
statements=[
iam.PolicyStatement(
effect=iam.Effect.ALLOW,
actions=[
"ec2:DescribeAvailabilityZones",
"ec2:DescribeInternetGateways",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeVpcAttribute",
"ec2:DescribeVpcs",
"rds:AddTagsToResource",
"ssm:GetAutomationExecution",
],
resources=["*"],
),
iam.PolicyStatement(
effect=iam.Effect.ALLOW,
actions=["kms:CreateGrant", "kms:DescribeKey"],
resources=[
f"arn:aws:kms:{core.Aws.REGION}:{core.Aws.ACCOUNT_ID}:key/{rds_key.key_id}"
],
),
iam.PolicyStatement(
effect=iam.Effect.ALLOW,
actions=[
"rds:CreateDBClusterSnapshot",
"rds:DeleteDBClusterSnapshot",
"rds:DescribeDBClusterSnapshots",
"rds:RestoreDBClusterFromSnapshot",
],
resources=[
f"arn:aws:rds:{core.Aws.REGION}:{core.Aws.ACCOUNT_ID}:cluster-snapshot:*"
],
),
iam.PolicyStatement(
effect=iam.Effect.ALLOW,
actions=[
"rds:CreateDBClusterSnapshot",
"rds:DescribeDBClusters",
"rds:RestoreDBClusterFromSnapshot",
],
resources=[
f"arn:aws:rds:{core.Aws.REGION}:{core.Aws.ACCOUNT_ID}:cluster:*"
],
),
iam.PolicyStatement(
effect=iam.Effect.ALLOW,
actions=[
"rds:CreateDBInstance",
"rds:CreateDBSnapshot",
"rds:DescribeDBInstances",
"rds:RestoreDBInstanceFromDBSnapshot",
],
resources=[
f"arn:aws:rds:{core.Aws.REGION}:{core.Aws.ACCOUNT_ID}:db:*",
f"arn:aws:rds:{core.Aws.REGION}:{core.Aws.ACCOUNT_ID}:cluster:*",
],
),
iam.PolicyStatement(
effect=iam.Effect.ALLOW,
actions=[
"rds:CreateDBInstance",
"rds:RestoreDBClusterFromSnapshot",
"rds:RestoreDBInstanceFromDBSnapshot",
],
resources=[
f"arn:aws:rds:{core.Aws.REGION}:{core.Aws.ACCOUNT_ID}:og:*"
],
),
iam.PolicyStatement(
effect=iam.Effect.ALLOW,
actions=["rds:CreateDBInstance"],
resources=[
f"arn:aws:rds:{core.Aws.REGION}:{core.Aws.ACCOUNT_ID}:secgrp:*",
f"arn:aws:rds:{core.Aws.REGION}:{core.Aws.ACCOUNT_ID}:pg:*",
],
),
iam.PolicyStatement(
effect=iam.Effect.ALLOW,
actions=[
"rds:CopyDBSnapshot",
"rds:CreateDBSnapshot",
"rds:DeleteDBSnapshot",
"rds:DescribeDBSnapshots",
"rds:RestoreDBInstanceFromDBSnapshot",
],
resources=[
f"arn:aws:rds:{core.Aws.REGION}:{core.Aws.ACCOUNT_ID}:snapshot:*"
],
),
iam.PolicyStatement(
effect=iam.Effect.ALLOW,
actions=[
"rds:CreateDBInstance",
"rds:RestoreDBInstanceFromDBSnapshot",
],
resources=[
f"arn:aws:rds:{core.Aws.REGION}:{core.Aws.ACCOUNT_ID}:subgrp:*"
],
),
iam.PolicyStatement(
effect=iam.Effect.ALLOW,
actions=["ssm:StartAutomationExecution"],
resources=[
# f"arn:aws:ssm:{core.Aws.REGION}:{core.Aws.ACCOUNT_ID}:automation-definition/*:*",
"*",
],
),
],
)
automation_role.add_managed_policy(automation_role_policy)
encrypt_rds_json = "aws-encrypt-rds.json"
encrypt_rds_cluster_json = "aws-encrypt-rds-cluster.json"
encrypt_rds_instance_json = "aws-encrypt-rds-instance.json"
with open(encrypt_rds_json, "r") as file_encrypt_rds_json, open(
encrypt_rds_instance_json, "r"
) as file_encrypt_rds_instance_json, open(
encrypt_rds_cluster_json, "r"
) as file_encrypt_rds_cluster_json:
encrypt_rds_content = json.load(file_encrypt_rds_json)
encrypt_rds_instance_content = json.load(file_encrypt_rds_instance_json)
encrypt_rds_cluster_content = json.load(file_encrypt_rds_cluster_json)
encrypt_rds_cluster_ssmdoc = aws_ssm.CfnDocument(
self,
"ENCRYPT-unencryptedrdscluster",
content=encrypt_rds_cluster_content,
document_type="Automation",
)
encrypt_rds_instance_ssmdoc = aws_ssm.CfnDocument(
self,
"ENCRYPT-unencryptedrdsinstance",
content=encrypt_rds_instance_content,
document_type="Automation",
)
encrypt_rds_ssmdoc = aws_ssm.CfnDocument(
self,
"ENCRYPT-unencryptedrds",
content=encrypt_rds_content,
document_type="Automation",
)
rds_storage_encrypted_config_rule_name = (
"rds-storage-encrypted-with-remediation"
)
aws_config.ManagedRule(
self,
rds_storage_encrypted_config_rule_name,
config_rule_name=rds_storage_encrypted_config_rule_name,
identifier="RDS_STORAGE_ENCRYPTED",
description="Checks whether storage encryption is enabled for your RDS DB instances.",
)
configremediation = aws_config.CfnRemediationConfiguration(
self,
"EncryptRDSConfigRemediation",
config_rule_name=rds_storage_encrypted_config_rule_name,
target_id=encrypt_rds_ssmdoc.ref,
target_type="SSM_DOCUMENT",
automatic=False,
parameters={
"instanceAutomationDocument": {
"StaticValue": {"Values": [encrypt_rds_instance_ssmdoc.ref]},
},
"clusterAutomationDocument": {
"StaticValue": {"Values": [encrypt_rds_cluster_ssmdoc.ref]},
},
"automationAssumeRole": {
"StaticValue": {"Values": [automation_role.role_arn]}
},
"kmsKeyId": {"StaticValue": {"Values": [rds_key.key_id]}},
"resourceId": {"ResourceValue": {"Value": "RESOURCE_ID"}},
},
resource_type="AWS::RDS::DBInstance",
target_version="1",
)