feat(kms): @aws-cdk/kms:applyImportedAliasPermissionsToPrincipal

Author: Farid Nouri Neshat

packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.alias-from-alias-name.ts

@@ -2,8 +2,11 @@ import { App, Stack } from 'aws-cdk-lib';
 import { Alias } from 'aws-cdk-lib/aws-kms';
 import { IntegTest } from '@aws-cdk/integ-tests-alpha';
 import { AccountRootPrincipal, Role } from 'aws-cdk-lib/aws-iam';
+import * as cxapi from 'aws-cdk-lib/cx-api';
 
-const app = new App();
+const app = new App({
+  context: { [cxapi.KMS_APPLY_IMPORTED_ALIAS_PERMISSIONS_TO_PRINCIPAL]: true },
+});
 const stack = new Stack(app, 'aws-cdk-kms');
 const alias = Alias.fromAliasName(stack, 'alias', 'alias/MyKey');
 

packages/aws-cdk-lib/aws-kms/lib/alias.ts

@@ -6,7 +6,7 @@ import * as perms from './private/perms';
 import { FeatureFlags, RemovalPolicy, Resource, Stack, Token, Tokenization, ValidationError } from '../../core';
 import { addConstructMetadata } from '../../core/lib/metadata-resource';
 import { propertyInjectable } from '../../core/lib/prop-injectable';
-import { KMS_ALIAS_NAME_REF } from '../../cx-api';
+import { KMS_ALIAS_NAME_REF, KMS_APPLY_IMPORTED_ALIAS_PERMISSIONS_TO_PRINCIPAL } from '../../cx-api';
 
 const REQUIRED_ALIAS_PREFIX = 'alias/';
 const DISALLOWED_PREFIX = REQUIRED_ALIAS_PREFIX + 'aws/';
@@ -206,6 +206,9 @@ export class Alias extends AliasBase {
       }
 
       public grant(grantee: iam.IGrantable, ...actions: string[]): iam.Grant {
+        if (!FeatureFlags.of(this).isEnabled(KMS_APPLY_IMPORTED_ALIAS_PERMISSIONS_TO_PRINCIPAL)) {
+          return iam.Grant.drop(grantee, '');
+        }
         return iam.Grant.addToPrincipal({
           grantee,
           actions,

packages/aws-cdk-lib/aws-kms/test/alias.test.ts

@@ -3,7 +3,7 @@ import { Template } from '../../assertions';
 import * as iam from '../../aws-iam';
 import { ArnPrincipal, PolicyStatement } from '../../aws-iam';
 import { App, Arn, Aws, CfnOutput, Stack } from '../../core';
-import { KMS_ALIAS_NAME_REF } from '../../cx-api';
+import { KMS_ALIAS_NAME_REF, KMS_APPLY_IMPORTED_ALIAS_PERMISSIONS_TO_PRINCIPAL } from '../../cx-api';
 import { Alias } from '../lib/alias';
 import { IKey, Key } from '../lib/key';
 
@@ -215,6 +215,7 @@ test('imported alias by name - will throw an error when accessing the key', () =
 
 test('imported alias by name - grantDecrypt applies kms:ResourceAliases condition', () => {
   const stack = new Stack();
+  stack.node.setContext(KMS_APPLY_IMPORTED_ALIAS_PERMISSIONS_TO_PRINCIPAL, true);
   const aliasName = 'alias/myAlias';
   const myAlias = Alias.fromAliasName(stack, 'MyAlias', aliasName);
   const user = new iam.User(stack, 'User');
@@ -252,6 +253,7 @@ test('imported alias by name - grantDecrypt applies kms:ResourceAliases conditio
 
 test('imported alias by name - grantEncrypt applies kms:ResourceAliases condition', () => {
   const stack = new Stack();
+  stack.node.setContext(KMS_APPLY_IMPORTED_ALIAS_PERMISSIONS_TO_PRINCIPAL, true);
   const aliasName = 'alias/myAlias';
   const myAlias = Alias.fromAliasName(stack, 'MyAlias', aliasName);
   const user = new iam.User(stack, 'User');
@@ -289,6 +291,7 @@ test('imported alias by name - grantEncrypt applies kms:ResourceAliases conditio
 
 test('imported alias by name - grantEncryptDecrypt applies kms:ResourceAliases condition', () => {
   const stack = new Stack();
+  stack.node.setContext(KMS_APPLY_IMPORTED_ALIAS_PERMISSIONS_TO_PRINCIPAL, true);
   const aliasName = 'alias/myAlias';
   const myAlias = Alias.fromAliasName(stack, 'MyAlias', aliasName);
   const user = new iam.User(stack, 'User');
@@ -326,6 +329,7 @@ test('imported alias by name - grantEncryptDecrypt applies kms:ResourceAliases c
 
 test('imported alias by name - grantSign applies kms:ResourceAliases condition', () => {
   const stack = new Stack();
+  stack.node.setContext(KMS_APPLY_IMPORTED_ALIAS_PERMISSIONS_TO_PRINCIPAL, true);
   const aliasName = 'alias/myAlias';
   const myAlias = Alias.fromAliasName(stack, 'MyAlias', aliasName);
   const user = new iam.User(stack, 'User');
@@ -363,6 +367,7 @@ test('imported alias by name - grantSign applies kms:ResourceAliases condition',
 
 test('imported alias by name - grantVerify applies kms:ResourceAliases condition', () => {
   const stack = new Stack();
+  stack.node.setContext(KMS_APPLY_IMPORTED_ALIAS_PERMISSIONS_TO_PRINCIPAL, true);
   const aliasName = 'alias/myAlias';
   const myAlias = Alias.fromAliasName(stack, 'MyAlias', aliasName);
   const user = new iam.User(stack, 'User');
@@ -400,6 +405,7 @@ test('imported alias by name - grantVerify applies kms:ResourceAliases condition
 
 test('imported alias by name - grantSignVerify applies kms:ResourceAliases condition', () => {
   const stack = new Stack();
+  stack.node.setContext(KMS_APPLY_IMPORTED_ALIAS_PERMISSIONS_TO_PRINCIPAL, true);
   const aliasName = 'alias/myAlias';
   const myAlias = Alias.fromAliasName(stack, 'MyAlias', aliasName);
   const user = new iam.User(stack, 'User');
@@ -437,6 +443,7 @@ test('imported alias by name - grantSignVerify applies kms:ResourceAliases condi
 
 test('imported alias by name - grantGenerateMac applies kms:ResourceAliases condition', () => {
   const stack = new Stack();
+  stack.node.setContext(KMS_APPLY_IMPORTED_ALIAS_PERMISSIONS_TO_PRINCIPAL, true);
   const aliasName = 'alias/myAlias';
   const myAlias = Alias.fromAliasName(stack, 'MyAlias', aliasName);
   const user = new iam.User(stack, 'User');
@@ -474,6 +481,7 @@ test('imported alias by name - grantGenerateMac applies kms:ResourceAliases cond
 
 test('imported alias by name - grantVerifyMac applies kms:ResourceAliases condition', () => {
   const stack = new Stack();
+  stack.node.setContext(KMS_APPLY_IMPORTED_ALIAS_PERMISSIONS_TO_PRINCIPAL, true);
   const aliasName = 'alias/myAlias';
   const myAlias = Alias.fromAliasName(stack, 'MyAlias', aliasName);
   const user = new iam.User(stack, 'User');
@@ -511,6 +519,7 @@ test('imported alias by name - grantVerifyMac applies kms:ResourceAliases condit
 
 test('imported alias by name - grant method applies kms:ResourceAliases condition', () => {
   const stack = new Stack();
+  stack.node.setContext(KMS_APPLY_IMPORTED_ALIAS_PERMISSIONS_TO_PRINCIPAL, true);
   const aliasName = 'alias/myAlias';
   const myAlias = Alias.fromAliasName(stack, 'MyAlias', aliasName);
   const user = new iam.User(stack, 'User');
@@ -546,6 +555,22 @@ test('imported alias by name - grant method applies kms:ResourceAliases conditio
   });
 });
 
+test('imported alias by name - grant methods are no-op when feature flag disabled', () => {
+  const stack = new Stack();
+  stack.node.setContext(KMS_APPLY_IMPORTED_ALIAS_PERMISSIONS_TO_PRINCIPAL, false);
+  const aliasName = 'alias/myAlias';
+  const myAlias = Alias.fromAliasName(stack, 'MyAlias', aliasName);
+  const user = new iam.User(stack, 'User');
+
+  myAlias.grantDecrypt(user);
+  myAlias.grantEncrypt(user);
+  myAlias.grantSign(user);
+  myAlias.grant(user, 'kms:CreateGrant');
+
+  // should not create any IAM policy statements
+  Template.fromStack(stack).resourceCountIs('AWS::IAM::Policy', 0);
+});
+
 test('fails if alias policy is invalid', () => {
   const app = new App();
   const stack = new Stack(app, 'my-stack');

packages/aws-cdk-lib/cx-api/README.md

@@ -310,6 +310,20 @@ _cdk.json_
 }
 ```
 
+* `@aws-cdk/aws-kms:applyImportedAliasPermissionsToPrincipal`
+
+Enable grant methods on imported KMS Aliases to apply permissions scoped by the alias using the `kms:ResourceAliases` condition key. When this flag is disabled, grant* methods on `Alias.fromAliasName` remain no-ops to preserve existing behavior.
+
+_cdk.json_
+
+```json
+{
+  "context": {
+    "@aws-cdk/aws-kms:applyImportedAliasPermissionsToPrincipal": true
+  }
+}
+```
+
 * `@aws-cdk/aws-eks:nodegroupNameAttribute`
 
 When enabled, nodegroupName attribute of the provisioned EKS NodeGroup will not have the cluster name prefix.

packages/aws-cdk-lib/cx-api/lib/features.ts

@@ -91,6 +91,7 @@ export const EC2_RESTRICT_DEFAULT_SECURITY_GROUP = '@aws-cdk/aws-ec2:restrictDef
 export const APIGATEWAY_REQUEST_VALIDATOR_UNIQUE_ID = '@aws-cdk/aws-apigateway:requestValidatorUniqueId';
 export const INCLUDE_PREFIX_IN_UNIQUE_NAME_GENERATION = '@aws-cdk/core:includePrefixInUniqueNameGeneration';
 export const KMS_ALIAS_NAME_REF = '@aws-cdk/aws-kms:aliasNameRef';
+export const KMS_APPLY_IMPORTED_ALIAS_PERMISSIONS_TO_PRINCIPAL = '@aws-cdk/aws-kms:applyImportedAliasPermissionsToPrincipal';
 export const EFS_DENY_ANONYMOUS_ACCESS = '@aws-cdk/aws-efs:denyAnonymousAccess';
 export const EFS_MOUNTTARGET_ORDERINSENSITIVE_LOGICAL_ID = '@aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId';
 export const AUTOSCALING_GENERATE_LAUNCH_TEMPLATE = '@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig';
@@ -844,6 +845,19 @@ export const FLAGS: Record<string, FlagInfo> = {
     recommendedValue: true,
   },
 
+  //////////////////////////////////////////////////////////////////////
+  [KMS_APPLY_IMPORTED_ALIAS_PERMISSIONS_TO_PRINCIPAL]: {
+    type: FlagType.BugFix,
+    summary: 'Enable grant methods on Aliases imported by name to use kms:ResourceAliases condition',
+    detailsMd: `
+      This flag enables the grant methods (grant, grantDecrypt, grantEncrypt, etc.) on Aliases imported
+      by name to grant permissions based on the 'kms:ResourceAliases' condition rather than no-op grants.
+      When disabled, grant calls on imported aliases will be dropped (no-op) to maintain compatibility.
+    `,
+    introducedIn: { v2: 'V2NEXT' },
+    recommendedValue: true,
+  },
+
   //////////////////////////////////////////////////////////////////////
   [AUTOSCALING_GENERATE_LAUNCH_TEMPLATE]: {
     type: FlagType.BugFix,