Revert "fix(sns-subscriptions): SQS queue encrypted by AWS managed KM…

…S key is allowed to be specified as subscription and dead-letter queue (#26110)"

This reverts commit 0531492.

packages/aws-cdk-lib/aws-sns-subscriptions/lib/sqs.ts

@@ -38,18 +38,6 @@ export class SqsSubscription implements sns.ITopicSubscription {
     }
     const snsServicePrincipal = new iam.ServicePrincipal('sns.amazonaws.com');
 
-    // if the queue is encrypted by AWS managed KMS key (alias/aws/sqs),
-    // throw error message
-    if (this.queue.encryptionType === sqs.QueueEncryption.KMS_MANAGED) {
-      throw new Error('SQS queue encrypted by AWS managed KMS key cannot be used as SNS subscription');
-    }
-
-    // if the dead-letter queue is encrypted by AWS managed KMS key (alias/aws/sqs),
-    // throw error message
-    if (this.props.deadLetterQueue && this.props.deadLetterQueue.encryptionType === sqs.QueueEncryption.KMS_MANAGED) {
-      throw new Error('SQS queue encrypted by AWS managed KMS key cannot be used as dead-letter queue');
-    }
-
     // add a statement to the queue resource policy which allows this topic
     // to send messages to the queue.
     const queuePolicyDependable = this.queue.addToResourcePolicy(new iam.PolicyStatement({

packages/aws-cdk-lib/aws-sns-subscriptions/test/subs.test.ts

@@ -1193,46 +1193,6 @@ describe('Restrict sqs decryption feature flag', () => {
   });
 });
 
-test('throws an error when a queue is encrypted by AWS managed KMS kye for queue subscription', () => {
-  // WHEN
-  const queue = new sqs.Queue(stack, 'MyQueue', {
-    encryption: sqs.QueueEncryption.KMS_MANAGED,
-  });
-
-  // THEN
-  expect(() => topic.addSubscription(new subs.SqsSubscription(queue)))
-    .toThrowError(/SQS queue encrypted by AWS managed KMS key cannot be used as SNS subscription/);
-});
-
-test('throws an error when a dead-letter queue is encrypted by AWS managed KMS kye for queue subscription', () => {
-  // WHEN
-  const queue = new sqs.Queue(stack, 'MyQueue');
-  const dlq = new sqs.Queue(stack, 'MyDLQ', {
-    encryption: sqs.QueueEncryption.KMS_MANAGED,
-  });
-
-  // THEN
-  expect(() => topic.addSubscription(new subs.SqsSubscription(queue, {
-    deadLetterQueue: dlq,
-  })))
-    .toThrowError(/SQS queue encrypted by AWS managed KMS key cannot be used as dead-letter queue/);
-});
-
-test('importing SQS queue and specify this as subscription', () => {
-  // WHEN
-  const queue = sqs.Queue.fromQueueArn(stack, 'Queue', 'arn:aws:sqs:us-east-1:123456789012:queue1');
-  topic.addSubscription(new subs.SqsSubscription(queue));
-
-  // THEN
-  Template.fromStack(stack).hasResourceProperties('AWS::SNS::Subscription', {
-    'Endpoint': 'arn:aws:sqs:us-east-1:123456789012:queue1',
-    'Protocol': 'sqs',
-    'TopicArn': {
-      'Ref': 'MyTopic86869434',
-    },
-  });
-});
-
 test('lambda subscription', () => {
   const func = new lambda.Function(stack, 'MyFunc', {
     runtime: lambda.Runtime.NODEJS_14_X,

packages/aws-cdk-lib/aws-sqs/lib/queue-base.ts

@@ -36,11 +36,6 @@ export interface IQueue extends IResource {
    */
   readonly fifo: boolean;
 
-  /**
-   * Whether the contents of the queue are encrypted, and by what type of key.
-   */
-  readonly encryptionType?: QueueEncryption;
-
   /**
    * Adds a statement to the IAM resource policy associated with this queue.
    *
@@ -131,11 +126,6 @@ export abstract class QueueBase extends Resource implements IQueue {
    */
   public abstract readonly fifo: boolean;
 
-  /**
-   * Whether the contents of the queue are encrypted, and by what type of key.
-   */
-  public abstract readonly encryptionType?: QueueEncryption;
-
   /**
    * Controls automatic creation of policy objects.
    *
@@ -311,33 +301,3 @@ export interface QueueAttributes {
    */
   readonly fifo?: boolean;
 }
-
-/**
- * What kind of encryption to apply to this queue
- */
-export enum QueueEncryption {
-  /**
-   * Messages in the queue are not encrypted
-   */
-  UNENCRYPTED = 'NONE',
-
-  /**
-   * Server-side KMS encryption with a KMS key managed by SQS.
-   */
-  KMS_MANAGED = 'KMS_MANAGED',
-
-  /**
-   * Server-side encryption with a KMS key managed by the user.
-   *
-   * If `encryptionKey` is specified, this key will be used, otherwise, one will be defined.
-   */
-  KMS = 'KMS',
-
-  /**
-   * Server-side encryption key managed by SQS (SSE-SQS).
-   *
-   * To learn more about SSE-SQS on Amazon SQS, please visit the
-   * [Amazon SQS documentation](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-server-side-encryption.html).
-   */
-  SQS_MANAGED = 'SQS_MANAGED'
-}

packages/aws-cdk-lib/aws-sqs/lib/queue.ts

@@ -1,5 +1,5 @@
 import { Construct } from 'constructs';
-import { IQueue, QueueAttributes, QueueBase, QueueEncryption } from './queue-base';
+import { IQueue, QueueAttributes, QueueBase } from './queue-base';
 import { CfnQueue } from './sqs.generated';
 import { validateProps } from './validate-props';
 import * as iam from '../../aws-iam';
@@ -195,6 +195,36 @@ export interface DeadLetterQueue {
   readonly maxReceiveCount: number;
 }
 
+/**
+ * What kind of encryption to apply to this queue
+ */
+export enum QueueEncryption {
+  /**
+   * Messages in the queue are not encrypted
+   */
+  UNENCRYPTED = 'NONE',
+
+  /**
+   * Server-side KMS encryption with a KMS key managed by SQS.
+   */
+  KMS_MANAGED = 'KMS_MANAGED',
+
+  /**
+   * Server-side encryption with a KMS key managed by the user.
+   *
+   * If `encryptionKey` is specified, this key will be used, otherwise, one will be defined.
+   */
+  KMS = 'KMS',
+
+  /**
+   * Server-side encryption key managed by SQS (SSE-SQS).
+   *
+   * To learn more about SSE-SQS on Amazon SQS, please visit the
+   * [Amazon SQS documentation](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-server-side-encryption.html).
+   */
+  SQS_MANAGED = 'SQS_MANAGED'
+}
+
 /**
  * What kind of deduplication scope to apply
  */
@@ -256,9 +286,6 @@ export class Queue extends QueueBase {
         ? kms.Key.fromKeyArn(this, 'Key', attrs.keyArn)
         : undefined;
       public readonly fifo: boolean = this.determineFifo();
-      public readonly encryptionType = attrs.keyArn
-        ? QueueEncryption.KMS
-        : undefined;
 
       protected readonly autoCreatePolicy = false;
 
@@ -310,11 +337,6 @@ export class Queue extends QueueBase {
    */
   public readonly fifo: boolean;
 
-  /**
-   * Whether the contents of the queue are encrypted, and by what type of key.
-   */
-  public readonly encryptionType?: QueueEncryption;
-
   /**
    * If this queue is configured with a dead-letter queue, this is the dead-letter queue settings.
    */
@@ -362,7 +384,6 @@ export class Queue extends QueueBase {
     this.encryptionMasterKey = encryptionMasterKey;
     this.queueUrl = queue.ref;
     this.deadLetterQueue = props.deadLetterQueue;
-    this.encryptionType = props.encryption;
 
     function _determineEncryptionProps(this: Queue): { encryptionProps: EncryptionProps, encryptionMasterKey?: kms.IKey } {
       let encryption = props.encryption;

packages/aws-cdk-lib/aws-sqs/test/sqs.test.ts

@@ -182,15 +182,6 @@ describe('export and import', () => {
     expect(fifoQueue.fifo).toEqual(true);
   });
 
-  test('importing with keyArn and encryptionType is set correctly', () => {
-    const stack = new Stack();
-    const queue = sqs.Queue.fromQueueAttributes(stack, 'Queue', {
-      queueArn: 'arn:aws:sqs:us-east-1:123456789012:queue1',
-      keyArn: 'arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab',
-    });
-    expect(queue.encryptionType).toEqual(sqs.QueueEncryption.KMS);
-  });
-
   test('import queueArn from token, fifo and standard queues can be defined', () => {
     // GIVEN
     const stack = new Stack();
@@ -366,7 +357,7 @@ describe('queue encryption', () => {
   test('a kms key will be allocated if encryption = kms but a master key is not specified', () => {
     const stack = new Stack();
 
-    const queue = new sqs.Queue(stack, 'Queue', { encryption: sqs.QueueEncryption.KMS });
+    new sqs.Queue(stack, 'Queue', { encryption: sqs.QueueEncryption.KMS });
 
     Template.fromStack(stack).hasResourceProperties('AWS::KMS::Key', Match.anyValue());
     Template.fromStack(stack).hasResourceProperties('AWS::SQS::Queue', {
@@ -377,14 +368,12 @@ describe('queue encryption', () => {
         ],
       },
     });
-    expect(queue.encryptionType).toEqual(sqs.QueueEncryption.KMS);
   });
 
   test('it is possible to use a managed kms key', () => {
     const stack = new Stack();
 
-    const queue = new sqs.Queue(stack, 'Queue', { encryption: sqs.QueueEncryption.KMS_MANAGED });
-
+    new sqs.Queue(stack, 'Queue', { encryption: sqs.QueueEncryption.KMS_MANAGED });
     Template.fromStack(stack).templateMatches({
       'Resources': {
         'Queue4A7E3555': {
@@ -397,7 +386,6 @@ describe('queue encryption', () => {
         },
       },
     });
-    expect(queue.encryptionType).toEqual(sqs.QueueEncryption.KMS_MANAGED);
   });
 
   test('grant also affects key on encrypted queue', () => {
@@ -445,8 +433,7 @@ describe('queue encryption', () => {
   test('it is possible to use sqs managed server side encryption', () => {
     const stack = new Stack();
 
-    const queue = new sqs.Queue(stack, 'Queue', { encryption: sqs.QueueEncryption.SQS_MANAGED });
-
+    new sqs.Queue(stack, 'Queue', { encryption: sqs.QueueEncryption.SQS_MANAGED });
     Template.fromStack(stack).templateMatches({
       'Resources': {
         'Queue4A7E3555': {
@@ -459,13 +446,12 @@ describe('queue encryption', () => {
         },
       },
     });
-    expect(queue.encryptionType).toEqual(sqs.QueueEncryption.SQS_MANAGED);
   });
 
   test('it is possible to disable encryption (unencrypted)', () => {
     const stack = new Stack();
 
-    const queue = new sqs.Queue(stack, 'Queue', { encryption: sqs.QueueEncryption.UNENCRYPTED });
+    new sqs.Queue(stack, 'Queue', { encryption: sqs.QueueEncryption.UNENCRYPTED });
     Template.fromStack(stack).templateMatches({
       'Resources': {
         'Queue4A7E3555': {
@@ -478,7 +464,6 @@ describe('queue encryption', () => {
         },
       },
     });
-    expect(queue.encryptionType).toEqual(sqs.QueueEncryption.UNENCRYPTED);
   });
 
   test('encryptionMasterKey is not supported if encryption type SQS_MANAGED is used', () => {