{ "AWSTemplateFormatVersion": "2010-09-09", "Parameters": { "AliasName": { "Type": "String" }, "OrganisationalUnits": { "Type": "CommaDelimitedList" } }, "Resources": { "AtlassianCmkKey": { "Type": "AWS::KMS::Key", "Properties": { "Description": "Atlassian CMK key", "EnableKeyRotation": true, "Tags": [ { "Key": "name", "Value": { "Fn::Sub": "${AliasName}" } } ], "KeyPolicy": { "Version": "2012-10-17", "Id": "cmk-key-policy-1", "Statement": [ { "Sid": "EnableRoleDelegation", "Effect": "Allow", "Principal": { "AWS": { "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:root" } }, "Action": "kms:*", "Resource": "*" }, { "Sid": "AtlassianGrantCreation", "Effect": "Allow", "Principal": "*", "Action": [ "kms:CreateGrant" ], "Resource": "*", "Condition": { "StringEquals": { "kms:GrantConstraintType": "EncryptionContextSubset" }, "ForAnyValue:StringLike": { "aws:PrincipalOrgPaths": ["o-rab3nm4fez/*/ou-6ypf-7xjy6ark/*"] }, "ArnLike": { "aws:PrincipalArn": "arn:aws:iam::*:role/security-resources-byok-key-management" } } }, { "Sid": "AtlassianGrantManagement", "Effect": "Allow", "Principal": "*", "Action": [ "kms:RevokeGrant", "kms:ListGrants", "kms:RetireGrant" ], "Resource": "*", "Condition": { "ForAnyValue:StringLike": { "aws:PrincipalOrgPaths": ["o-rab3nm4fez/*/ou-6ypf-7xjy6ark/*"] }, "ArnLike": { "aws:PrincipalArn": "arn:aws:iam::*:role/security-resources-byok-key-management" } } }, { "Sid": "AwsManagedService", "Effect": "Allow", "Principal": "*", "Action": [ "kms:CreateGrant" ], "Resource": "*", "Condition": { "StringEquals": { "kms:ViaService": [ { "Fn::Sub": "rds.${AWS::Region}.amazonaws.com" }, { "Fn::Sub": "aoss.${AWS::Region}.amazonaws.com" }, { "Fn::Sub": "es.${AWS::Region}.amazonaws.com" } ] }, "ForAnyValue:StringLike": { "aws:PrincipalOrgPaths": { "Ref": "OrganisationalUnits" } } } }, { "Sid": "AtlassianDescribeKey", "Effect": "Allow", "Principal": "*", "Action": [ "kms:DescribeKey" ], "Resource": "*", "Condition": { "ForAnyValue:StringLike": { "aws:PrincipalOrgPaths": ["o-rab3nm4fez/*"] } } }, { "Sid": "AtlassianRdsPerformanceInsightsUsage", "Effect": "Allow", "Principal": "*", "Action": [ "kms:GenerateDataKey", "kms:Decrypt" ], "Resource": "*", "Condition": { "ForAnyValue:StringLike": { "aws:PrincipalOrgPaths": { "Ref": "OrganisationalUnits" } }, "StringEquals": { "kms:ViaService": [ { "Fn::Sub": "rds.${AWS::Region}.amazonaws.com" } ] } } } ] } } }, "AtlassianCmkKeyAlias": { "Type": "AWS::KMS::Alias", "Properties": { "AliasName": { "Fn::Sub": "alias/${AliasName}" }, "TargetKeyId": { "Ref": "AtlassianCmkKey" } } } }, "Outputs": { "AtlassianCmkKeyArn": { "Value": { "Fn::GetAtt": [ "AtlassianCmkKey", "Arn" ] } } } }