# KMS Key Module
Deploys an AWS Key Management Service (KMS) customer managed key for encrypting application data, together with its key policy, aliases and grants.
## What You'll Build
- Customer managed KMS key with a custom key policy
- Automatic rotation of the key material
- Key aliases for human-readable references
- Optional replica keys for multi-region deployment
- Key usage recorded in CloudTrail (KMS API calls are logged by the account's trail)
## How to Use
```hcl
module "kms_key" {
  # The module lives in a subdirectory of the repository, so the source path
  # needs "//"; pin to a release tag with ?ref=<tag> for reproducible builds.
  source = "github.com/nnthanh101/terraform-aws//modules/kms"

  description             = "Encryption key for app data"
  deletion_window_in_days = 30   # grace period (7-30 days) before a scheduled deletion destroys the key
  enable_key_rotation     = true # rotate the key material automatically
  key_usage               = "ENCRYPT_DECRYPT"
  key_spec                = "SYMMETRIC_DEFAULT"

  # Default key policy: grants kms:* to the account root so that IAM policies
  # in this account can control access to the key.
  enable_default_policy = true

  aliases = ["alias/app-data", "alias/app-backups"]

  # Grants: revocable, per-principal permissions. Keep the operation list
  # minimal for each consumer. aws_iam_role.ebs and aws_iam_role.rds must be
  # declared elsewhere in the configuration.
  grants = {
    ebs = {
      grantee_principal = aws_iam_role.ebs.arn
      operations        = ["Encrypt", "Decrypt", "GenerateDataKey"]
    }
    rds = {
      grantee_principal = aws_iam_role.rds.arn
      operations        = ["Decrypt", "GenerateDataKey"]
    }
  }

  tags = {
    Environment = "prod"
    Purpose     = "data-encryption"
  }
}
```
## Key Variables
| Variable | Type | Purpose |
|---|---|---|
| description | string | Human-readable key description |
| deletion_window_in_days | number | Grace period (7-30 days) between scheduling deletion and the key being destroyed |
| enable_key_rotation | bool | Automatic rotation of the key material (yearly by default); the key ID, ARN and aliases do not change |
| key_usage | string | "ENCRYPT_DECRYPT", "SIGN_VERIFY" (asymmetric signing keys) or "GENERATE_VERIFY_MAC" (HMAC keys) |
| key_spec | string | "SYMMETRIC_DEFAULT", "RSA_2048", "SM2" (China regions only), etc.; cannot be changed after creation |
| enable_default_policy | bool | Use the AWS default key policy, which gives the account root principal kms:* so that IAM policies in the account can grant access to the key |
| aliases | list(string) | Human-readable key names (alias/...) |
| grants | map(object) | Revocable, per-principal permissions (typically for service roles); a grant persists until it is retired or revoked |
## Outputs
| Output | Use Case |
|---|---|
| key_id | Key ID for encrypt/decrypt API calls |
| key_arn | ARN for IAM policy references and for the kms_key_id argument of other resources |
| key_policy | Current key policy document (JSON); review it before applying |
| aliases | Alias ARNs for friendly references |
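The `key_policy` output (and the default policy that `enable_default_policy = true` installs) is the control that decides who can use the key, so it is worth checking before `terraform apply`. The following Python script is an added example, not code from the nnthanh101/terraform-aws module: it runs offline over a policy document and flags a missing account-root admin statement, an unconditioned `*` principal, `kms:*` handed to anything but root, and principals from other accounts. The account ID, role name and both sample policies are constructed for illustration.

```python
"""Offline sanity checks for a KMS key policy document.

Added example; not code from the nnthanh101/terraform-aws module. The
account ID, role name and both sample policies below are constructed
for illustration.
"""
import json
import re

ACCOUNT_ID = "123456789012"  # constructed sample account
ROOT_ARN = f"arn:aws:iam::{ACCOUNT_ID}:root"

# Constructed sample: the AWS default key policy (root gets kms:*) plus a
# least-privilege statement for an EBS service role in the same account.
GOOD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": ROOT_ARN}, "Action": "kms:*", "Resource": "*"},
        {"Sid": "AllowEbsRole", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:role/ebs"},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
         "Resource": "*"},
    ],
})

# Constructed sample of a policy that should never reach production:
# no root admin statement, and an unconditioned wildcard principal.
BAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AnyoneCanDecrypt", "Effect": "Allow", "Principal": "*",
         "Action": "kms:Decrypt", "Resource": "*"},
    ],
})

ARN_ACCOUNT = re.compile(r"^arn:aws:iam::(\d{12}):")


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principals(stmt):
    """Return every principal string in a statement ('*' for the wildcard)."""
    principal = stmt.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        # {"AWS": [...], "Service": [...]} -> flat list of strings
        return [p for values in principal.values() for p in _as_list(values)]
    return []


def check_key_policy(policy_json, account_id):
    """Return a list of findings (empty means nothing flagged).

    Only Allow statements are inspected:
      * the account root must hold kms:*, otherwise IAM policies cannot grant
        access to the key and the key can become unmanageable;
      * a '*' principal must carry a Condition, or any AWS account can use the key;
      * kms:* should not be given to anything but the account root;
      * principals from other accounts are reported for review.
    """
    findings = []
    root = f"arn:aws:iam::{account_id}:root"
    has_root_admin = False

    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action"))
        full_access = "kms:*" in actions or "*" in actions
        conditioned = bool(stmt.get("Condition"))

        for principal in principals(stmt):
            if principal == root and full_access:
                has_root_admin = True
            elif principal == "*" and not conditioned:
                findings.append(f"{sid}: Principal '*' without a Condition")
            elif principal != root and full_access:
                findings.append(f"{sid}: kms:* granted to non-root principal {principal}")
            match = ARN_ACCOUNT.match(principal)
            if match and match.group(1) != account_id:
                findings.append(f"{sid}: principal from another account {match.group(1)}")

    if not has_root_admin:
        findings.append("no statement grants kms:* to the account root")
    return findings


if __name__ == "__main__":
    for name, policy in (("GOOD_POLICY", GOOD_POLICY), ("BAD_POLICY", BAD_POLICY)):
        print(name, check_key_policy(policy, ACCOUNT_ID) or ["ok"])
```

Feed it the JSON from `terraform output -raw key_policy` (or the rendered plan) with your own account ID. A cross-account principal is only reported, not rejected: sharing a key with another account is legitimate when intended, but it should be a deliberate decision rather than a leftover statement.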
## Integration
- EBS: Encrypt volumes with `ebs_encryption_enabled = true` and the KMS key ARN
- RDS: Enable `storage_encrypted = true` and reference the KMS key via `kms_key_id`
- S3: Set default bucket encryption to SSE-KMS with the key ARN
- DynamoDB: Enable encryption at rest with the customer managed KMS key
- Secrets Manager: Encrypt secrets using the KMS key
- EFS: Encrypt the file system with the KMS key
## Source Reference
Module: terraform-aws/modules/kms