
Deploy single (per-region) CMK KMS keys and share to all accounts in the AWS Organization #204

Closed
julian-price opened this issue Oct 10, 2024 · 2 comments
Labels
enhancement New feature or request

Comments

@julian-price

julian-price commented Oct 10, 2024

Following on from my comment in #178 (comment), this enhancement request centres on provisioning a single CMK KMS key per region, shared to an AWS Organization to remediate findings with.
For obvious reasons, this type of deployment would only be applicable where the sharr solution was deployed in an AWS Organization, but it would greatly reduce the costs of running the solution (in my case about 90% of the costs would be saved by deploying in this manner).

I have implemented a version of the solution locally that creates shared keys.

Changes Made

  1. A DEPLOY_TO_AWS_ORG environment variable was added to the SolutionDeployStack which, if set via the -o switch in the build-s3-dist.sh script, will generate a version of the sharr solution that uses KMS keys shared to the Organization.
  2. The MemberStack was changed to take an optional sharedKeyAccount parameter along with a boolean property (deployToOrg) denoting whether the solution is to be deployed to an Org. If true, then the MemberRemediationKey construct just looks up the key from its alias ARN; if false, the key is created by the MemberRemediationKey construct. The key ARN, whether shared or not, still gets stored in an SSM parameter in each member account.
  3. A new OrganizationSharedKeyStack was created that takes an OrganizationIdParam parameter and creates a key (using the same key creation method as the MemberRemediationKey construct).
  4. The SolutionDeployStack was modified to create the OrganizationSharedKeyStack and add tagging (Solution tagging #202)
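An added example, not code from this issue or from the SHARR project: a plain TypeScript sketch of the key policy an organization-shared remediation key needs (the member-account use statement scoped with the aws:PrincipalOrgID condition instead of an unconditioned wildcard), a check that flags any wildcard grant lacking that scope, and the deployToOrg/sharedKeyAccount decision the MemberStack change describes. The account id, org id, region and alias name are constructed placeholders.

```typescript
// Added example (not the SHARR project's own code). Values below are constructed.
type Statement = {
  Sid: string;
  Effect: "Allow" | "Deny";
  Principal: { AWS: string } | "*";
  Action: string | string[];
  Resource: "*";
  Condition?: Record<string, Record<string, string>>;
};
type KeyPolicy = { Version: "2012-10-17"; Statement: Statement[] };

// Key policy for a per-region key owned by one account and shared to the org:
// full control for the owning account's root, and use (not administration) for
// any principal whose account is in the organization. The wildcard principal is
// only safe because it is narrowed by aws:PrincipalOrgID.
function buildOrgSharedKeyPolicy(ownerAccountId: string, orgId: string): KeyPolicy {
  return {
    Version: "2012-10-17",
    Statement: [
      { Sid: "EnableRootAccess", Effect: "Allow", Resource: "*", Action: "kms:*",
        Principal: { AWS: `arn:aws:iam::${ownerAccountId}:root` } },
      { Sid: "AllowUseByOrganizationMembers", Effect: "Allow", Resource: "*", Principal: "*",
        Action: ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"],
        Condition: { StringEquals: { "aws:PrincipalOrgID": orgId } } },
    ],
  };
}

// Review check: Sids of Allow statements that grant to "*" without an
// aws:PrincipalOrgID condition, i.e. a key usable from any AWS account.
function findUnscopedWildcardGrants(policy: KeyPolicy): string[] {
  return policy.Statement
    .filter((s) => s.Effect === "Allow" && s.Principal === "*")
    .filter((s) => !s.Condition?.StringEquals?.["aws:PrincipalOrgID"])
    .map((s) => s.Sid);
}

// Mirrors the deployToOrg switch from the issue: in org mode the member stack
// resolves the shared key by its alias ARN in the key-owning account; otherwise
// it creates its own key. Returns the alias ARN to look up, or null to create.
function resolveMemberKey(deployToOrg: boolean, sharedKeyAccount: string | undefined,
                          region: string, aliasName: string): string | null {
  if (!deployToOrg) return null;
  if (!sharedKeyAccount) throw new Error("sharedKeyAccount is required when deployToOrg is true");
  return `arn:aws:kms:${region}:${sharedKeyAccount}:alias/${aliasName}`;
}
```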
@julian-price julian-price changed the title Deploy single (pre-region) CMK KMS keys and share to all accounts in the AWS Organization Deploy single (per-region) CMK KMS keys and share to all accounts in the AWS Organization Oct 10, 2024
@julian-price
Author

julian-price commented Oct 10, 2024

I have attached an archive of the code changes - archive.zip.

The code has purposefully been written as additive; that is to say, it will generate the Org shared keys only if an environment variable is set at build time, but by default the solution will not be changed from the original.

@jrgaray27
Member

Hello,
Appreciate the suggestion! We will take a deeper look into this to determine how/if this will be included in upcoming releases.

Thanks!

@dadmukta dadmukta added the question Further information is requested label Oct 30, 2024
@jrgaray27 jrgaray27 added enhancement New feature or request and removed question Further information is requested labels Jan 7, 2025