AWS::KMS::Grant

[carlnordenfelt]

1. Title:

New Resource: AWS::KMS::Grant

2. Scope of request:

New resource for KMS - Manage KMS Grants via CloudFormation

3. Expected behavior

Possible to manage KMS Grants directly through CloudFormation. This includes Create, Update & Revoke via the CloudFormation Create, Update & Delete actions.

4. Test cases

N/A

5. Helpful Links

https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html https://www.npmjs.com/package/lulo-plugin-kms-grant (CustomResource implementation)

6. Category:

Security, KMS

[lyoungblood]

This is painful. We also can't create the new asymmetric signing keys with CloudFormation. If AWS cloud doesn't care about full feature support security conscious customers will probably jump ship to GCP.

[vdanniel]

We need this!

[koen-serneels]

+2 on this. Currently a workaround for allowing it to be part of cfn would be to create a lambda calling the KMS API (https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/KMS.html#createGrant-property) but this feels overly complicated for something that should be a primary citizen in the cfn KMS namespace in the first place.

[sobil]

I too am looking for this feature in cfn.

Anyone tried this terraform alternative?: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_grant

[ArielPrevu3D]

As always, CDK users can use AwsCustomResource as a temporary workaround

[andreaswittig]

Cannot believe, that KMS Grants are still not supported by CloudFormation.

[banbone]

@sobil The terraform module works great, but I wish this was a feature in CFN. Having this would be a massive help.

[cloudwitch]

I'm currently staring at a 5 year old lambda custom resource in my cloudformation wondering if I will break things if this it is removed and we need to recreate the account from scratch.

Having it in real CFN would make it a whole lot clearer to me in 5 years when I do this whole song and dance again.