fix(sns-subscriptions): SQS queue encrypted by AWS managed KMS key is allowed to be specified as subscription and dead-letter queue #26110
Conversation
… allowed to be specified as subscription and dead-letter queue.
|
|
github-actions
bot
added
bug
There was a problem hiding this comment.
The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.
A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.
|
Exemption Request because this change includes only additional validations. Please let me know if adding integration test is needed. |
aws-cdk-automation
added
pr-linter/exemption-requested
| @@ -38,6 +38,18 @@ export class SqsSubscription implements sns.ITopicSubscription { | |||
| } | |||
| const snsServicePrincipal = new iam.ServicePrincipal('sns.amazonaws.com'); | |||
|
|
|||
| // if the queue is encrypted by AWS managed KMS key (alias/aws/sqs), | |||
| // throw error message | |||
| if ((this.queue.node.defaultChild as sqs.CfnQueue).kmsMasterKeyId == 'alias/aws/sqs') { | |||
There was a problem hiding this comment.
We also need to handle the case where the queue is imported IQueue in which
case there will not be a default child.
I think we may want to add a new attribute to the IQueue, something like
encryptionType that holds the type of encryption.
There was a problem hiding this comment.
Hi @corymhall, thank you for your review! I understand your concern.
If users import the queue via fromQueueArn method, CDK cannot determine whether the queue is encrypted by AWS managed KMS key or not.
aws-cdk/packages/aws-cdk-lib/aws-sqs/lib/queue.ts
Lines 268 to 287 in f8a94d8
So in my understanding, we can't validate it completely in that case. I think one possible solution is skipping the validation if encryptionMasterKey is undefined to prevent error due to missing default child. Does it make sense?
There was a problem hiding this comment.
I believe users can provide the key in fromQueueAttributes so if the encryptionType is undefined then we don't do the validation.
There was a problem hiding this comment.
Please let me clarify. In you assumption, what type of value encryptionType has? Is the same value as QueueEncryption enum?
https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.QueueEncryption.html
|
|
||
| // if the dead-letter queue is encrypted by AWS managed KMS key (alias/aws/sqs), | ||
| // throw error message | ||
| if (this.props.deadLetterQueue && (this.props.deadLetterQueue.node.defaultChild as sqs.CfnQueue).kmsMasterKeyId == 'alias/aws/sqs') { |
corymhall
removed
the
pr/needs-community-review
|
@tam0ri Are you still able to address the outstanding comments? |
|
@mrgrain |
Yes of course! Take as much time you need. If the automation closes this PR, just open a new one and feel free to tag me in it. 😃 |
|
This PR has been in the CHANGES REQUESTED state for 3 weeks, and looks abandoned. To keep this PR from being closed, please continue work on it. If not, it will automatically be closed in a week. |
|
@corymhall Sorry for delay, I made some changes per your suggestion. Could you review it again? |
corymhall
added
the
pr-linter/exempt-integ-test
aws-cdk-automation
dismissed
their stale review
✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
… allowed to be specified as subscription and dead-letter queue (aws#26110) To send message to SQS queues encrypted by KMS from SNS, we need to grant SNS service-principal access to the key by key policy. From this reason, we need to use customer managed key because we can't edit key policy for AWS managed key. However, CDK makes it easy to create such a non-functional subscription. To prevent CDK from making such a subscription, I added the validation which throw an error when SQS queue encrypted by AWS managed KMS key is specified as subscription or dead-letter queue. Closes aws#19796 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
To send message to SQS queues encrypted by KMS from SNS, we need to grant SNS service-principal access to the key by key policy. From this reason, we need to use customer managed key because we can't edit key policy for AWS managed key. However, CDK makes it easy to create such a non-functional subscription.
To prevent CDK from making such a subscription, I added the validation which throw an error when SQS queue encrypted by AWS managed KMS key is specified as subscription or dead-letter queue.
Closes #19796
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license