Ensure only a single CMK is created in AWS's KMS

371 views Asked by At

The AWS SDK allows one to programmatically create a new CMK.

However, I'd like to check whether or not a given CMK has already been created, and if so, just use it instead of re-creating it.

As far as I can tell, both the description and the alias are not unique identifiers, and unlike S3, they don't have unique names, so I'm not sure what other properties in the code one could use to check if a given CMK exists.

Any ideas on how I could do this? are there CMK properties that I'm missing?

1

There are 1 answers

0
Viccari On BEST ANSWER

From your question, it's not clear to me whether you want to:

1) tell whether one (any) CMK has already been created; or
2) tell whether a (specific) CMK has already been created;
3) guarantee that clients can't create more than one key;

For 1), you can use a combination of the ListKeys and DescribeKey APIs.

Like you pointed yourself, though, there is nothing unique you can specify during the creation of a key to later check for existence before using. so 2) is a little bit trickier. What you can do, right after creating a CMK, is to use the CreateAlias API. KMS guarantees a one-to-one mapping between aliases and CMKs, so you can do that and then call the DescribeKey API. DescribeKey accepts an alias as parameter, so that should give you what you need. Just check whether it exists, if so, reuse it, if not, create it.

If you're trying to accomplish 3, my suggestion is for you to create a CMK using the AWS console and assign a policy to the IAM role or user you're assuming when calling the SDK APIs to not be able to create CMKs.