Secrets section, in the LambdaSharp Module, lists which KMS keys can be used to decrypt parameter values. The module IAM role will get the
mks:Decrypt permission to use these keys.
NOTE: it is strongly recommended to use the
Secrets module parameter instead of the
Secrets module section. The latter hard-codes the KMS keys that can be used by the module, which may be convenient for prototyping, but reduces the flexibility for deploying the module in different environments.
Secrets: - Secret-Alias-or-ARN
When KMS key is referenced by an alias, it is resolved on the account used when deploying the CloudFormation template.
Secrets: - alias/KeyAlias
When a KMS key is referenced using an ARN, it is used as is.
Secrets: - arn:aws:kms:us-east-1:123456789012:key/abcdef12-3456-7890-abcd-ef1234567890
AWS does not allow referencing the built-in KMS key for the AWS Parameter Store (i.e.