
Commit e3024fc

fix(s3): key rotation is not enabled while creating KMS encrypted S3 buckets (#32064)
### Issue # (if applicable) Closes #31982 ### Reason for this change KMS keys should be rotated by default, for security reasons ### Description of changes KMS keys created by s3.Bucket are now rotated ### Description of how you validated changes Updated existing unit tests and integ tests ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
1 parent f6ad9c9 commit e3024fc

26 files changed

+257
-61
lines changed

packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-encryption.js.snapshot/IntegTestDSSEBucketDefaultTestDeployAssert56801A2F.assets.json

+1-1

packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-encryption.js.snapshot/aws-cdk-s3-bucket-encryption.assets.json

+3-3

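--- a/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-encryption.js.snapshot/aws-cdk-s3-bucket-encryption.template.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-encryption.js.snapshot/aws-cdk-s3-bucket-encryption.template.json
@@ -13,8 +13,8 @@
 ]
 }
 },
-"UpdateReplacePolicy": "Retain",
-"DeletionPolicy": "Retain"
+"UpdateReplacePolicy": "Delete",
+"DeletionPolicy": "Delete"
 },
 "MySSES3Bucket6973690D": {
 "Type": "AWS::S3::Bucket",
@@ -30,8 +30,67 @@
 ]
 }
 },
-"UpdateReplacePolicy": "Retain",
-"DeletionPolicy": "Retain"
+"UpdateReplacePolicy": "Delete",
+"DeletionPolicy": "Delete"
+},
+"MyKMSBucketKey9CACDA9E": {
+"Type": "AWS::KMS::Key",
+"Properties": {
+"Description": "Created by aws-cdk-s3-bucket-encryption/MyKMSBucket",
+"EnableKeyRotation": true,
+"KeyPolicy": {
+"Statement": [
+{
+"Action": "kms:*",
+"Effect": "Allow",
+"Principal": {
+"AWS": {
+"Fn::Join": [
+"",
+[
+"arn:",
+{
+"Ref": "AWS::Partition"
+},
+":iam::",
+{
+"Ref": "AWS::AccountId"
+},
+":root"
+]
+]
+}
+},
+"Resource": "*"
+}
+],
+"Version": "2012-10-17"
+}
+},
+"UpdateReplacePolicy": "Delete",
+"DeletionPolicy": "Delete"
+},
+"MyKMSBucketDF8715AC": {
+"Type": "AWS::S3::Bucket",
+"Properties": {
+"BucketEncryption": {
+"ServerSideEncryptionConfiguration": [
+{
+"ServerSideEncryptionByDefault": {
+"KMSMasterKeyID": {
+"Fn::GetAtt": [
+"MyKMSBucketKey9CACDA9E",
+"Arn"
+]
+},
+"SSEAlgorithm": "aws:kms"
+}
+}
+]
+}
+},
+"UpdateReplacePolicy": "Delete",
+"DeletionPolicy": "Delete"
 }
 },
 "Parameters": {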

packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-encryption.js.snapshot/cdk.out

+1-1

packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-encryption.js.snapshot/integ.json

+1-1

packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-encryption.js.snapshot/manifest.json

+16-2

packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-encryption.js.snapshot/tree.json

+93-2

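--- a/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-encryption.ts
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-encryption.ts
@@ -8,13 +8,22 @@ const stack = new cdk.Stack(app, 'aws-cdk-s3-bucket-encryption');
 
 new s3.Bucket(stack, 'MyDSSEBucket', {
 encryption: s3.BucketEncryption.DSSE_MANAGED,
+removalPolicy: cdk.RemovalPolicy.DESTROY,
 });
 
 new s3.Bucket(stack, 'MySSES3Bucket', {
 encryption: s3.BucketEncryption.S3_MANAGED,
 bucketKeyEnabled: true,
+removalPolicy: cdk.RemovalPolicy.DESTROY,
 });
 
+const kmsBucket = new s3.Bucket(stack, 'MyKMSBucket', {
+encryption: s3.BucketEncryption.KMS,
+removalPolicy: cdk.RemovalPolicy.DESTROY,
+});
+
+kmsBucket.encryptionKey?.applyRemovalPolicy(cdk.RemovalPolicy.DESTROY);
+
 new integ.IntegTest(app, 'IntegTestDSSEBucket', {
 testCases: [stack],
 });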
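Review bot: The optional chain in `kmsBucket.encryptionKey?.applyRemovalPolicy(cdk.RemovalPolicy.DESTROY);` turns a missing key into a silent no-op, so if the KMS branch ever stopped creating a key this stack would still deploy and only the snapshot comparison would notice. Since the generated key is exactly what the new MyKMSBucket case exists to exercise, make it a hard check: `if (!kmsBucket.encryptionKey) throw new Error('MyKMSBucket should create an encryption key');` followed by `kmsBucket.encryptionKey.applyRemovalPolicy(cdk.RemovalPolicy.DESTROY);`. The rotation behaviour itself is asserted only indirectly, through `EnableKeyRotation: true` in the regenerated template snapshot; a one-line comment above the bucket, `// the key created here is expected to have rotation enabled (see #31982)`, would tell the next reader what that snapshot guards. The library change that sets rotation on the key is not among the file sections shown here.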

packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-server-access-logs-sse-kms.js.snapshot/ServerAccessLogsSseKmsTestDefaultTestDeployAssertB937C102.assets.json

+1-1

packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-server-access-logs-sse-kms.js.snapshot/aws-cdk-s3-server-access-logs-sse-kms.assets.json

+3-3

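--- a/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-server-access-logs-sse-kms.js.snapshot/aws-cdk-s3-server-access-logs-sse-kms.template.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-server-access-logs-sse-kms.js.snapshot/aws-cdk-s3-server-access-logs-sse-kms.template.json
@@ -4,6 +4,7 @@
 "Type": "AWS::KMS::Key",
 "Properties": {
 "Description": "Created by aws-cdk-s3-server-access-logs-sse-kms/ServerAccessLogsBucket",
+"EnableKeyRotation": true,
 "KeyPolicy": {
 "Statement": [
 {
@@ -46,8 +47,8 @@
 "Version": "2012-10-17"
 }
 },
-"UpdateReplacePolicy": "Retain",
-"DeletionPolicy": "Retain"
+"UpdateReplacePolicy": "Delete",
+"DeletionPolicy": "Delete"
 },
 "ServerAccessLogsBucket05F29982": {
 "Type": "AWS::S3::Bucket",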

packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-server-access-logs-sse-kms.js.snapshot/cdk.out

+1-1

packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-server-access-logs-sse-kms.js.snapshot/integ.json

+1-1
