# KMS Key Basic
## Overview
This Terraform module provisions a basic AWS KMS (Key Management Service) key for centralized encryption needs.
It enables secure, reusable key management for S3, Lambda, EBS, and other AWS services.
## Key Features
- Creates a customer-managed KMS key
- Supports alias creation for easy reference
- Includes tagging for environment-level organization
- Enables encryption compliance across AWS workloads
๐ผ Use Casesโ
- Encrypting S3 buckets, EBS volumes, RDS snapshots, or Lambda environment variables
- Centralized encryption management for application secrets and data
- Compliance with data-at-rest encryption mandates (e.g., HIPAA, PCI-DSS)
- Replacing default AWS-managed keys with customer-managed ones
## Input Variables
| Name | Type | Description |
|---|---|---|
| region | string | AWS region to deploy the KMS key |
| alias | string | User-defined alias for the key (e.g., `alias/archiphire-key`) |
| environment | string | Tag to specify the deployment environment (e.g., dev, prod) |
## Outputs
| Name | Description |
|---|---|
| key_id | The unique identifier of the KMS key |
| key_arn | The Amazon Resource Name of the key |
| alias_name | The alias associated with the KMS key |
## Deployment Readiness
- Compatible with Terraform 1.0+
- Tested with AWS provider 5.x
- Requires IAM permissions for `kms:*` or the specific key actions used
## Example Usage

```hcl
module "kms_key_basic" {
  source      = "git::ssh://git@github.com/archiphire/aws-level-1-modules.git//security/kms-key-basic?ref=v1.0.0"
  region      = "us-east-1"
  alias       = "alias/archiphire-app-key"
  environment = "prod"
}
```

```shell
terraform init
terraform plan
terraform apply
```

or

```shell
tofu init
tofu plan
tofu apply
```
## Cleanup Options

Terraform Destroy (for test environments):

```shell
terraform destroy
```

or

```shell
tofu destroy
```

Manual Deletion (for production):

```shell
aws kms schedule-key-deletion --key-id "<key_id>" --pending-window-in-days 7
```

Use `aws kms list-keys` and `aws kms describe-key` to identify your KMS key. The pending window must be between 7 and 30 days; the key is unusable during that window, and the scheduled deletion can still be reverted with `aws kms cancel-key-deletion` until it expires.
## Notes
This is a Level 1 security module intended for baseline encryption use. To extend functionality, attach custom key policies or grant cross-account access.
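As an added illustration of the extension this note describes (example Terraform written for this page, not the module's source), the resources below create a customer-managed key with an explicit key policy that keeps administration with the account root, grants data-plane use to one application role, and grants cross-account use to a second account. The role name and the external account ID are placeholders.

```hcl
# Added example, not the module's own code. Placeholders: app_role_name and the
# external account ID 111122223333 must be replaced with real values.
data "aws_caller_identity" "current" {}

variable "app_role_name" {
  type    = string
  default = "app-runtime-role" # placeholder
}

resource "aws_kms_key" "this" {
  description             = "Application data-at-rest key"
  enable_key_rotation     = true # automatic yearly rotation of the key material
  deletion_window_in_days = 7    # same window as the manual cleanup command above

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Key administration stays with this account's root principal, so
        # IAM policies in the account can still manage the key.
        Sid       = "EnableRootAdministration"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
        Action    = "kms:*"
        Resource  = "*"
      },
      {
        # One application role gets data-plane operations only; no key management.
        Sid       = "AllowApplicationRoleUse"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${var.app_role_name}" }
        Action    = ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey"]
        Resource  = "*"
      },
      {
        # Cross-account use: the other account must additionally grant the same
        # kms:* actions in its own IAM policies for its principals to use the key.
        Sid       = "AllowCrossAccountUse"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::111122223333:root" } # placeholder account ID
        Action    = ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey"]
        Resource  = "*"
      }
    ]
  })

  tags = { environment = "prod" }
}

resource "aws_kms_alias" "this" {
  name          = "alias/archiphire-app-key"
  target_key_id = aws_kms_key.this.key_id
}
```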
## Deployment Package Notice
This module is part of the Level 1 AWS License Tier. To access the full deployment package and source code, subscribe to Archiphire.