
feat!(app-staging-synthesizer-alpha): use S3-Managed encryption by default
blimmer committed Feb 10, 2024
1 parent 0a84161 commit 2e504da
Showing 20 changed files with 331 additions and 358 deletions.
6 changes: 3 additions & 3 deletions packages/@aws-cdk/app-staging-synthesizer-alpha/README.md
Expand Up @@ -267,16 +267,16 @@ const app = new App({

### Staging Bucket Encryption

By default, the staging resources will be stored in an S3 Bucket with KMS encryption. To use
SSE-S3, set `stagingBucketEncryption` to `BucketEncryption.S3_MANAGED`.
By default, the staging resources will be stored in an S3 Bucket with S3 Managed encryption. To use
SSE-KMS, set `stagingBucketEncryption` to `BucketEncryption.KMS`.

```ts
import { BucketEncryption } from 'aws-cdk-lib/aws-s3';

const app = new App({
defaultStackSynthesizer: AppStagingSynthesizer.defaultResources({
appId: 'my-app-id',
stagingBucketEncryption: BucketEncryption.S3_MANAGED,
stagingBucketEncryption: BucketEncryption.KMS,
}),
});
```
Expand Up @@ -64,7 +64,7 @@ export interface DefaultStagingStackOptions {
/**
* Encryption type for staging bucket
*
* @default - s3.BucketEncryption.KMS
* @default - s3.BucketEncryption.S3_MANAGED
*/
readonly stagingBucketEncryption?: s3.BucketEncryption;

Expand Down Expand Up @@ -226,7 +226,7 @@ export class DefaultStagingStack extends Stack implements IStagingResources {

private readonly appId: string;
private readonly stagingBucketName?: string;
private stagingBucketEncryption?: s3.BucketEncryption;
private stagingBucketEncryption: s3.BucketEncryption;

/**
* File publish role ARN in asset manifest format
Expand Down Expand Up @@ -267,7 +267,7 @@ export class DefaultStagingStack extends Stack implements IStagingResources {

this.deployRoleArn = props.deployRoleArn;
this.stagingBucketName = props.stagingBucketName;
this.stagingBucketEncryption = props.stagingBucketEncryption;
this.stagingBucketEncryption = props.stagingBucketEncryption ?? s3.BucketEncryption.S3_MANAGED;
const specializer = new StringSpecializer(this, props.qualifier);

this.providedFileRole = props.fileAssetPublishingRole?._specialize(specializer);
Expand Down Expand Up @@ -368,15 +368,6 @@ export class DefaultStagingStack extends Stack implements IStagingResources {

this.ensureFileRole();

let key = undefined;
if (this.stagingBucketEncryption === s3.BucketEncryption.KMS || this.stagingBucketEncryption === undefined) {
if (this.stagingBucketEncryption === undefined) {
// default is KMS as an AWS best practice, and for backwards compatibility
this.stagingBucketEncryption = s3.BucketEncryption.KMS;
}
key = this.createBucketKey();
}

// Create the bucket once the dependencies have been created
const bucket = new s3.Bucket(this, bucketId, {
bucketName: stagingBucketName,
Expand All @@ -387,7 +378,7 @@ export class DefaultStagingStack extends Stack implements IStagingResources {
removalPolicy: RemovalPolicy.RETAIN,
}),
encryption: this.stagingBucketEncryption,
encryptionKey: key,
encryptionKey: this.stagingBucketEncryption === s3.BucketEncryption.KMS ? this.createBucketKey() : undefined,

// Many AWS account safety checkers will complain when buckets aren't versioned
versioned: true,
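Review bot: Switching the default to `S3_MANAGED` at line 62 changes the encryption of an already-deployed staging bucket without touching the objects in it: as far as I can tell S3 default-encryption settings apply only to new writes, so assets uploaded under the previous KMS default stay encrypted with the old key, which the stack retains (the snapshot keeps `DeletionPolicy: Retain` on the key) while the `kms:Decrypt`/`kms:GenerateDataKey*` statement scoped to that key's ARN is dropped from the role policy. That migration consequence belongs on the `stagingBucketEncryption` doc comment in the first hunk of this file, e.g. `Changing this on a deployed stack affects only newly published assets; objects written under KMS remain readable only with the retained key, whose role grants are removed from the stack.` The ternary embedded in the bucket literal at line 87 would also read better as the former local, `const encryptionKey = this.stagingBucketEncryption === s3.BucketEncryption.KMS ? this.createBucketKey() : undefined;`, passed as `encryptionKey,`. The enclosing method starts before this hunk and its bucket literal continues past it.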
Expand Up @@ -277,26 +277,26 @@ describe(AppStagingSynthesizer, () => {
Status: 'Enabled',
}]),
},
// When stagingBucketEncryption is not specified, it should be KMS for backwards compatibility
// When stagingBucketEncryption is not specified, it should be S3_MANAGED
BucketEncryption: {
ServerSideEncryptionConfiguration: [
{
ServerSideEncryptionByDefault: {
SSEAlgorithm: 'aws:kms',
SSEAlgorithm: 'AES256',
},
},
],
},
});
});

test('staging bucket with SSE-S3 encryption', () => {
test('staging bucket with SSE-KMS encryption', () => {
// GIVEN
app = new App({
defaultStackSynthesizer: AppStagingSynthesizer.defaultResources({
appId: APP_ID,
deployTimeFileAssetLifetime: Duration.days(1),
stagingBucketEncryption: BucketEncryption.S3_MANAGED,
stagingBucketEncryption: BucketEncryption.KMS,
}),
});
stack = new Stack(app, 'Stack', {
Expand All @@ -318,7 +318,7 @@ describe(AppStagingSynthesizer, () => {
ServerSideEncryptionConfiguration: [
{
ServerSideEncryptionByDefault: {
SSEAlgorithm: 'AES256',
SSEAlgorithm: 'aws:kms',
},
},
],
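Review bot: The default-encryption assertion at line 104 only checks `SSEAlgorithm: 'AES256'`; nothing in this test verifies that no KMS key or alias is synthesized any more when `stagingBucketEncryption` is omitted, which is the observable half of the new default and the part that affects IAM grants. Adding `Template.fromStack(stack).resourceCountIs('AWS::KMS::Key', 0);` beside the bucket assertion would pin that, assuming the `Template` helper from `aws-cdk-lib/assertions` is what the surrounding assertion already uses (that call starts outside the hunk). The same absence check would be worth its mirror in the SSE-KMS test at line 113, asserting a count of 1. The `describe` block enclosing both tests starts before this hunk.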
Expand Up @@ -85,22 +85,6 @@
]
}
]
},
{
"Action": [
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:ReEncrypt*"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"BucketKey7092080A",
"Arn"
]
}
}
],
"Version": "2012-10-17"
Expand All @@ -113,105 +97,14 @@
]
}
},
"BucketKey7092080A": {
"Type": "AWS::KMS::Key",
"Properties": {
"KeyPolicy": {
"Statement": [
{
"Action": "kms:*",
"Effect": "Allow",
"Principal": {
"AWS": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::",
{
"Ref": "AWS::AccountId"
},
":root"
]
]
}
},
"Resource": "*"
},
{
"Action": [
"kms:CancelKeyDeletion",
"kms:Create*",
"kms:Delete*",
"kms:Describe*",
"kms:Disable*",
"kms:Enable*",
"kms:Get*",
"kms:List*",
"kms:Put*",
"kms:Revoke*",
"kms:ScheduleKeyDeletion",
"kms:TagResource",
"kms:UntagResource",
"kms:Update*"
],
"Effect": "Allow",
"Principal": {
"AWS": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::",
{
"Ref": "AWS::AccountId"
},
":root"
]
]
}
},
"Resource": "*"
}
],
"Version": "2012-10-17"
}
},
"UpdateReplacePolicy": "Retain",
"DeletionPolicy": "Retain"
},
"BucketKeyAlias69A0886F": {
"Type": "AWS::KMS::Alias",
"Properties": {
"AliasName": "alias/cdk-default-resourcesmax-staging",
"TargetKeyId": {
"Fn::GetAtt": [
"BucketKey7092080A",
"Arn"
]
}
}
},
"CdkStagingBucket1636058C": {
"Type": "AWS::S3::Bucket",
"Properties": {
"BucketEncryption": {
"ServerSideEncryptionConfiguration": [
{
"ServerSideEncryptionByDefault": {
"KMSMasterKeyID": {
"Fn::GetAtt": [
"BucketKey7092080A",
"Arn"
]
},
"SSEAlgorithm": "aws:kms"
"SSEAlgorithm": "AES256"
}
}
]
