AWS CloudFormation Custom Resource to encrypt strings using AWS KMS.
At the moment of this writing, there's no way to create a AWS::SSM::Parameter with a "SecureString" type (doc). This is just a workaround that limitation, use it at your own risk.
Wishful thinking, having a CloudFormation intrinsic function for this (Fn::EncryptString).
- KeyId: KMS Key Id
- String: String to be encrypted using KMS
- EncryptedString: Base64 encoded CiphertextBlob
- You'll have to declare a custom resource per encrypted string
EncryptedServicePassword:
Type: Custom::StringEncryption
Properties:
ServiceToken: !GetAtt LambdaEncryptionHelper.Arn
KeyId: !Ref KMSHelperKey
String: !Ref ExampleParameter
ServicePasswordEncryptedSSMParameter:
Type: 'AWS::SSM::Parameter'
Properties:
Description: Service Password Encrypted SSM Parameter
Type: String
Value: !GetAtt EncryptedServicePassword.EncryptedString- Include the following resources from the supplied template(custom-resource-encrypt.yaml) in your CloudFormation template
- LambdaEncryptionHelper
- LambdaEncryptionHelperRole
- KMSHelperKey
- Declare a custom resource with the following properties:
- ServiceToken: !GetAtt LambdaEncryptionHelper.Arn
- KeyId: !Ref KMSHelperKey
- String: <whatever you want>