Labels: enhancement (New feature or request), triaged (Has been triaged by solutions team)
Description
Following on from my comment in #178 (comment), this enhancement request centres on provisioning a single CMK KMS key per region, shared to an AWS Organization to remediate findings with.
For obvious reasons, this type of deployment would only be applicable where the sharr solution was deployed in an AWS Organization, but it would greatly reduce the costs of running the solution (in my case about 90% of the costs would be saved by deploying in this manner).
I have implemented a version of the solution locally that creates shared keys.
Changes Made
- A `DEPLOY_TO_AWS_ORG` environment variable was added to the `SolutionDeployStack` which, if set via the `-o` switch in the `build-s3-dist.sh` script, will generate a version of the sharr solution that uses KMS keys shared to the Organization.
- The `MemberStack` was changed to take an optional `sharedKeyAccount` parameter along with a boolean property (`deployToOrg`) denoting whether the solution is to be deployed to an Org. If true, then the `MemberRemediationKey` construct just looks up the key from its alias ARN; if false, the key is created by the `MemberRemediationKey` construct. The key ARN, whether shared or not, still gets stored in an SSM parameter in each member account.
- A new `OrganizationSharedKeyStack` was created that takes an `OrganizationIdParam` parameter and creates a key (using the same key creation method as the `MemberRemediationKey` construct).
- The `SolutionDeployStack` was modified to create the `OrganizationSharedKeyStack` and add tagging (Solution tagging #202).
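The security-relevant detail of a single CMK shared across an Organization is the key policy: the grant to member accounts must be scoped with `aws:PrincipalOrgID`, otherwise a wildcard principal exposes the key to every AWS account. The following is an added illustration, not code from this issue or from the SHARR project; the account ID, Organization ID and the list of permitted `kms:` actions are constructed assumptions.

```python
from typing import Dict, List

def build_org_shared_key_policy(key_admin_account: str, org_id: str) -> Dict:
    """Key policy for one CMK used by every member account of an Organization.

    The owning account's root principal keeps full control.  Any other
    principal may use the key only if it belongs to org_id; without the
    aws:PrincipalOrgID condition the wildcard principal would grant access
    to arbitrary AWS accounts.  The action list is an assumption for this
    example.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowKeyAdministration",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{key_admin_account}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "AllowUseByOrganizationMembers",
                "Effect": "Allow",
                "Principal": {"AWS": "*"},
                "Action": ["kms:Encrypt", "kms:Decrypt",
                           "kms:GenerateDataKey*", "kms:DescribeKey"],
                "Resource": "*",
                "Condition": {"StringEquals": {"aws:PrincipalOrgID": org_id}},
            },
        ],
    }


def unscoped_wildcard_statements(policy: Dict) -> List[str]:
    """Sids of Allow statements with Principal "*" that lack an
    aws:PrincipalOrgID condition, i.e. that would open the key to any
    AWS account instead of only the Organization."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        aws = [aws] if isinstance(aws, str) else aws
        if "*" not in aws:
            continue
        cond_keys = {k.lower() for block in stmt.get("Condition", {}).values() for k in block}
        if "aws:principalorgid" not in cond_keys:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings
```

`unscoped_wildcard_statements` is the check to run over a deployed key policy (for example the output of `aws kms get-key-policy`) before treating the key as safely shared to the Organization.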