A CloudWatch Event Rule that triggers on AWS KMS Customer Master Key (CMK) rotation events. (When you enable annual rotation of a CMK's key material, AWS KMS creates new key material for the CMK each year and sends a corresponding event to CloudWatch Events).
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Resources:
  # Rule that matches KMS key-rotation events and forwards them to the SNS topic.
  EventRule:
    Type: 'AWS::Events::Rule'
    Properties:
      Name: detect-kms-cmk-rotation
      Description: >-
        A CloudWatch Event Rule that triggers on AWS KMS Customer Master Key
        (CMK) rotation events. (When you enable annual rotation of a CMK's key
        material, AWS KMS creates new key material for the CMK each year and
        sends a corresponding event to CloudWatch Events).
      State: ENABLED
      Targets:
        - Arn:
            Ref: SnsTopic
          Id: target-id1
      # Only events whose source and detail-type both match are delivered.
      EventPattern:
        detail-type:
          - KMS CMK Rotation
        source:
          - aws.kms
  # Notification topic with a single e-mail subscriber (replace the address).
  SnsTopic:
    Type: 'AWS::SNS::Topic'
    Properties:
      Subscription:
        - Endpoint: email@example.com
          Protocol: email
      TopicName: event-rule-action
  SnsTopicPolicy:
    Type: 'AWS::SNS::TopicPolicy'
    Properties:
      PolicyDocument:
        Statement:
          # Default topic policy: the '*' principal is restricted by the
          # AWS:SourceOwner condition to callers from this account.
          - Sid: __default_statement_ID
            Effect: Allow
            Principal:
              AWS: '*'
            Action:
              - 'SNS:GetTopicAttributes'
              - 'SNS:SetTopicAttributes'
              - 'SNS:AddPermission'
              - 'SNS:RemovePermission'
              - 'SNS:DeleteTopic'
              - 'SNS:Subscribe'
              - 'SNS:ListSubscriptionsByTopic'
              - 'SNS:Publish'
              - 'SNS:Receive'
            Resource:
              Ref: SnsTopic
            Condition:
              StringEquals:
                'AWS:SourceOwner':
                  Ref: 'AWS::AccountId'
          # Lets the CloudWatch Events service publish to the topic.
          - Sid: TrustCWEToPublishEventsToMyTopic
            Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: 'sns:Publish'
            Resource:
              Ref: SnsTopic
      Topics:
        - Ref: SnsTopic
Parameters: {}
Metadata: {}
Conditions: {}
```
Configuration Source: AWS Documentation
Additional Documentation:
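To see which events the rule's EventPattern actually lets through, the following added example (not part of the template or of any AWS code) implements the exact-value subset of CloudWatch Events / EventBridge pattern matching and runs it over constructed sample events. The event layout follows the shape KMS publishes, but the ids, account number and key ARN are made up, and the matcher itself is a simplified stand-in for the service's own evaluation.

```python
"""Added example: a minimal matcher for the exact-value subset of
CloudWatch Events / EventBridge patterns, applied to the rule's pattern."""

# The EventPattern from the template, expressed as a Python dict.
RULE_PATTERN = {
    "detail-type": ["KMS CMK Rotation"],
    "source": ["aws.kms"],
}


def matches(pattern, event):
    """Return True if `event` satisfies `pattern`.

    Only the exact-match subset of the service semantics is implemented:
    every key in the pattern must be present in the event and its value must
    be one of the listed alternatives; nested objects recurse. Keys absent
    from the pattern are unconstrained, as in the real service.
    """
    for key, allowed in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(allowed, dict):
            if not isinstance(value, dict) or not matches(allowed, value):
                return False
        elif value not in allowed:
            return False
    return True


# Constructed sample event in the shape KMS publishes for a key rotation
# (account id, key id and ARN are placeholders, not real resources).
ROTATION_EVENT = {
    "version": "0",
    "id": "evt-1",
    "detail-type": "KMS CMK Rotation",
    "source": "aws.kms",
    "account": "111122223333",
    "time": "2024-01-01T00:00:00Z",
    "region": "us-east-1",
    "resources": ["arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"],
    "detail": {"key-id": "EXAMPLE-KEY-ID"},
}

# A KMS event of another type must not fire the rule (the detail-type differs),
# and neither should a rotation-looking event from a non-KMS source.
API_CALL_EVENT = {**ROTATION_EVENT, "id": "evt-2",
                  "detail-type": "AWS API Call via CloudTrail"}
OTHER_SOURCE_EVENT = {**ROTATION_EVENT, "id": "evt-3", "source": "custom.app"}


def delivered_ids(events):
    """Return the ids of the events the rule would forward to the SNS topic."""
    return [e["id"] for e in events if matches(RULE_PATTERN, e)]


if __name__ == "__main__":
    samples = [ROTATION_EVENT, API_CALL_EVENT, OTHER_SOURCE_EVENT]
    for ev in samples:
        verdict = "MATCH" if matches(RULE_PATTERN, ev) else "no match"
        print(f"{ev['id']} ({ev['source']} / {ev['detail-type']}): {verdict}")
    print("delivered:", delivered_ids(samples))
```

Both pattern keys must match for delivery, so an event that merely mentions KMS in its detail-type, or that carries the right detail-type under a different source, is dropped before it reaches the topic; the real service applies the same AND-across-keys, OR-within-list semantics for these exact-value fields.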