Add support for asymmetric keys

[jtcul]

Issue #, if available:

N/A

Description of changes:

• Adds support for asymmetric KMS keys
• Adds contract tests for asymmetric keys
• Refactored the update handler so that errors from updateKeyRotationStatus and updateKeyStatus are returned properly
• Improved the depth of the Create / Read handler unit tests
• Added a gitignore
• Increased the memory allocated to the lambda functions (Allows for the contract tests to work on MacOS)

New wording:

• "Specifies the type of CMK to create. The default value is SYMMETRIC_DEFAULT. This parameter is required only for asymmetric CMKs. You can't change the KeySpec value after the CMK is created."
• "You cannot set the EnableKeyRotation property to true on asymmetric keys."

Questions for CloudFormation Reviewers:

• Is there a way for us to specify our defaults such that the following update does not cause re-creation of the physical resource? Going from a template with only a key policy, to a template that explicitly specifies the default KeyUsage and KeySpec causes the resource to be re-created. This behavior is undesirable as the key should be the same, but it will no longer be able to decrypt data encrypted by the original key.

Original Template:

Resources:
  KeyResource:
    Type: AWS::KMS::Key
    Properties:
      KeyPolicy:
        Version: 2012-10-17
        Id: key-default
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Ref 'AWS::AccountId'
            Action: 'kms:*'
            Resource: '*'
Outputs:
  KeyId:
    Value: !Ref KeyResource

Updated Template:

Resources:
  KeyResource:
    Type: AWS::KMS::Key
    Properties:
      KeyUsage: ENCRYPT_DECRYPT
      KeySpec: SYMMETRIC_DEFAULT
      KeyPolicy:
        Version: 2012-10-17
        Id: key-default
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Ref 'AWS::AccountId'
            Action: 'kms:*'
            Resource: '*'
Outputs:
  KeyId:
    Value: !Ref KeyResource

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

[pezzullig]

Great! this looks so close 👍. Any idea on a release date?

[jtcul]

Great! this looks so close 👍. Any idea on a release date?

We don’t have a release date to announce at this time, but by following this repo, you’ll be notified if a new release contains support.