Merge pull request #372 from mbloch1986/feature-370/support_cmk

Add support for CMK
shinesolutions · Feb 8, 2020 · 43bb50e · 43bb50e
2 parents 238bc89 + 51d5299
commit 43bb50e
Show file tree

Hide file tree

Showing 36 changed files with 2,479 additions and 121 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,19 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## Unreleased
+### Added
+- Add new configuration parameter `aws.encryption.ebs_volume.enable` to enable EBS Volume encryption#370
+- Add feature to encrypt EBS Volues with CMK #370
+- Add feature to attach manage policy to EC2 instance role for accessing CMK for **permission-type b**  #370
+- Add feature to grant access to to EC2 instance role for accesing the CMK if no manage policy provided for **permission-type b**  #370
+- Add feature to define CMK for SSE DynamoDB Table encryption #370
+- Add feature to define CMK for encrypting Lambda functions environment variables #370
+- Add feature to define CMK for SSE S3 Buckets encryption #370
+- Add feature to define CMK for SSE SNS Topic & SNS Queue encryption #370
+- Add Monitoring Stack to AEM Full-Set permission type c
+
+### Changed
+- Configuration parameters `[aem_component].enable_vol_encryption` are now deprecated and replaced with `aws.encryption.ebs_volume.enable` #371
 
 ## 4.32.0 - 2020-02-05
 ### Changed

diff --git a/conf/ansible/inventory/group_vars/all.yaml b/conf/ansible/inventory/group_vars/all.yaml
@@ -10,6 +10,26 @@ aws:
     log_subscription_arn: overwrite-me
     enable_cloudwatch_cleanup: false
 
+  encryption:
+    ebs_volume:
+      enable: true
+      kms_key_id: overwrite-me
+      managed_policy_arn: overwrite-me
+    dynamo_db:
+      # DynamoDB is always encrypted per default
+      kms_key_id: overwrite-me
+      managed_policy_arn: overwrite-me
+    lambda:
+      # Lambda functions environment variables are encrypted per default
+      kms_key_arn: overwrite-me
+      managed_policy_arn: overwrite-me
+    s3:
+      # S3 Buckets are always encrypted per default with AES256
+      kms_key_id: overwrite-me
+      managed_policy_arn: overwrite-me
+    sns:
+      kms_key_id: overwrite-me
+      managed_policy_arn: overwrite-me
 proxy:
   enabled: false
   protocol:

diff --git a/conf/ansible/inventory/group_vars/apps.yaml b/conf/ansible/inventory/group_vars/apps.yaml
@@ -264,7 +264,7 @@ publish_dispatcher:
   instance_type: t2.small
   root_vol_size: 20
   data_vol_size: 20
-  enable_vol_encryption: true
+  enable_vol_encryption: "{{ aws.encryption.ebs_volume.enable }}"
   enable_random_termination: true
   elb_health_check: HTTPS:443/system/health?tags=shallow
   elb_scheme: internet-facing
@@ -285,7 +285,7 @@ publish:
   instance_type: m3.large
   root_vol_size: 20
   data_vol_size: 75
-  enable_vol_encryption: true
+  enable_vol_encryption: "{{ aws.encryption.ebs_volume.enable }}"
   enable_random_termination: true
   asg_min_size: 2
   asg_desired_capacity: 2
@@ -298,15 +298,15 @@ author:
   instance_type: m3.large
   root_vol_size: 20
   data_vol_size: 75
-  enable_vol_encryption: true
+  enable_vol_encryption: "{{ aws.encryption.ebs_volume.enable }}"
   elb_health_check: HTTPS:5432/system/health?tags=shallow
 
 author_dispatcher:
   instance_profile: overwrite-me
   instance_type: t2.small
   root_vol_size: 20
   data_vol_size: 20
-  enable_vol_encryption: true
+  enable_vol_encryption: "{{ aws.encryption.ebs_volume.enable }}"
   enable_random_termination: true
   elb_health_check: HTTPS:443/system/health?tags=shallow
   asg_min_size: 2
@@ -320,23 +320,23 @@ author_publish_dispatcher:
   instance_type: m4.xlarge
   root_vol_size: 20
   data_vol_size: 20
-  enable_vol_encryption: true
+  enable_vol_encryption: "{{ aws.encryption.ebs_volume.enable }}"
   associate_public_ip_address: true
 
 orchestrator:
   instance_profile: overwrite-me
   instance_type: t2.small
   root_vol_size: 20
   data_vol_size: 20
-  enable_vol_encryption: true
+  enable_vol_encryption: "{{ aws.encryption.ebs_volume.enable }}"
   enable_random_termination: true
 
 chaos_monkey:
   instance_profile: overwrite-me
   instance_type: t2.small
   root_vol_size: 20
   include_stack: true
-  enable_vol_encryption: true
+  enable_vol_encryption: "{{ aws.encryption.ebs_volume.enable }}"
   enable_random_termination: true
   termination_settings:
     calendar_open_hour: '9'