Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

(app-staging-synthesizer-alpha): Allow using S3 Managed KMS Key for Bucket #28815

Closed
2 tasks done
blimmer opened this issue Jan 22, 2024 · 3 comments · Fixed by #28903
Closed
2 tasks done

(app-staging-synthesizer-alpha): Allow using S3 Managed KMS Key for Bucket #28815

blimmer opened this issue Jan 22, 2024 · 3 comments · Fixed by #28903
Labels
@aws-cdk/app-staging-synthesizer-alpha Related to the @aws-cdk/app-staging-synthesizer-alpha package effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2

Comments

@blimmer
Copy link
Contributor

blimmer commented Jan 22, 2024

Describe the feature

Currently, the AppStagingSythesizer always creates a KMS key to encrypt the staging bucket:

const key = this.createBucketKey();
// Create the bucket once the dependencies have been created
const bucket = new s3.Bucket(this, bucketId, {
bucketName: stagingBucketName,
...(this.autoDeleteStagingAssets ? {
removalPolicy: RemovalPolicy.DESTROY,
autoDeleteObjects: true,
} : {
removalPolicy: RemovalPolicy.RETAIN,
}),
encryption: s3.BucketEncryption.KMS,
encryptionKey: key,
// Many AWS account safety checkers will complain when buckets aren't versioned
versioned: true,
// Many AWS account safety checkers will complain when SSL isn't enforced
enforceSSL: true,
});

It would be nice if we could opt into using the SSE-S3 keys instead.

Use Case

I'd like to start making more frequent use of the AppStagingSynthesizer. However, by forcing the use of a custom KMS key, each app using this synthesizer incurs a $1/month fee for the key.

Proposed Solution

The DefaultStackSynthesizer does not specify an encryption key and, thus, uses the SSE-S3 managed key by default. It feels like AppStagingSynthesizer should do the same thing by default. IMO, the custom KMS key feels like it should be an opt-in behavior for those who want it.

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.122.0

Environment details (OS name and version, etc.)

MacOS

@blimmer blimmer added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Jan 22, 2024
@github-actions github-actions bot added the @aws-cdk/app-staging-synthesizer-alpha Related to the @aws-cdk/app-staging-synthesizer-alpha package label Jan 22, 2024
@moltar
Copy link
Contributor

moltar commented Jan 22, 2024

Just discovered the same foot-gun after looking at the AWS bill. It also appears that AppStagingSythesizer orphans the keys even after the staging stack and all app stacks are entirely deleted. I've discovered > 20 keys after just a few days of iteration on a solution.

@blimmer
Copy link
Contributor Author

blimmer commented Jan 22, 2024

Oh wow, yeah, definitely would want to put a DESTROY retention policy at the very least.

@pahud pahud added p2 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Jan 24, 2024
msambol added a commit to msambol/aws-cdk that referenced this issue Jan 29, 2024
kaizencc added a commit to msambol/aws-cdk that referenced this issue Jan 30, 2024
kaizencc added a commit to msambol/aws-cdk that referenced this issue Jan 30, 2024
@mergify mergify bot closed this as completed in #28903 Jan 30, 2024
mergify bot pushed a commit that referenced this issue Jan 30, 2024
…et (#28903)

Closes #28815.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Copy link

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

SankyRed pushed a commit that referenced this issue Feb 8, 2024
…et (#28903)

Closes #28815.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
mergify bot pushed a commit that referenced this issue Feb 13, 2024
…cryption` and note that we intend to default to `S3_MANAGED` in the future (#28978)

### Issue # (if applicable)

Relates to #28815

### Reason for this change

The App Staging Synthesizer is great - I've moved to using it for most of my stacks. However, the current default uses a Customer-Managed KMS key, which costs $1/month.

The default synthesizer bucket uses SSE-S3 encryption by default. This is nice because users do not incur additional fees for a KMS key.

In my opinion, SSE-S3 is good enough for most people. If folks need additional security, they should opt-in to SSE-KMS, which they can do via the `stagingBucketEncryption` property @msambol introduced with #28903.

### Description of changes

With guidance from @kaizencc [below](#28978 (comment)), this PR makes `stagingBucketEncryption` a required property, with a user-facing note that we intend to default to `S3_MANAGED` as the module is stablized.

### Description of how you validated changes

Updated unit tests.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)


BREAKING CHANGE: `stagingBucketEncryption` property is now required. For existing apps, specify `BucketEncryption.KMS` to retain existing behavior. For new apps, choose the bucket encryption that makes most sense for your use case. `BucketEncryption.S3_MANAGED` is available and is intended to be the default when this module is stabilized.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
GavinZZ pushed a commit that referenced this issue Feb 22, 2024
…cryption` and note that we intend to default to `S3_MANAGED` in the future (#28978)

### Issue # (if applicable)

Relates to #28815

### Reason for this change

The App Staging Synthesizer is great - I've moved to using it for most of my stacks. However, the current default uses a Customer-Managed KMS key, which costs $1/month.

The default synthesizer bucket uses SSE-S3 encryption by default. This is nice because users do not incur additional fees for a KMS key.

In my opinion, SSE-S3 is good enough for most people. If folks need additional security, they should opt-in to SSE-KMS, which they can do via the `stagingBucketEncryption` property @msambol introduced with #28903.

### Description of changes

With guidance from @kaizencc [below](#28978 (comment)), this PR makes `stagingBucketEncryption` a required property, with a user-facing note that we intend to default to `S3_MANAGED` as the module is stablized.

### Description of how you validated changes

Updated unit tests.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)


BREAKING CHANGE: `stagingBucketEncryption` property is now required. For existing apps, specify `BucketEncryption.KMS` to retain existing behavior. For new apps, choose the bucket encryption that makes most sense for your use case. `BucketEncryption.S3_MANAGED` is available and is intended to be the default when this module is stabilized.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
@aws-cdk/app-staging-synthesizer-alpha Related to the @aws-cdk/app-staging-synthesizer-alpha package effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants