Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

(aws-s3): Logging Bucket blocks KMS_MANAGED encryption #23513

Closed
biffgaut opened this issue Dec 30, 2022 · 6 comments · Fixed by #23514
Closed

(aws-s3): Logging Bucket blocks KMS_MANAGED encryption #23513

biffgaut opened this issue Dec 30, 2022 · 6 comments · Fixed by #23514
Assignees
Labels
@aws-cdk/aws-s3 Related to Amazon S3 bug This issue is a bug. effort/small Small work item – less than a day of effort p1

Comments

@biffgaut
Copy link
Contributor

Describe the bug

PR 23385 introduced a check to block launching S3 access log buckets with KMS encryption. S3 does not support access log buckets with KMS encryption, so previously these stacks would launch but fail to generate any logs. This PR would throw an Error when this occurred.

The PR included KMS_MANAGED in the list of blocked encryptions, but tests show that S3 buckets with KMS_MANAGED encryption can accepts logs. So the application threw an error for configurations that were valid.

KMS_MANAGED needs to be removed from the list of encryptions flagged by the code.

Expected Behavior

This code should not throw an error:

    const stack = new cdk.Stack();
    new s3.Bucket(stack, 'MyBucket', { encryption: s3.BucketEncryption.KMS_MANAGED, serverAccessLogsPrefix: 'test' });

Current Behavior

That code throws 'SSE-S3 is the only supported default bucket encryption for Server Access Logging target buckets'

Reproduction Steps

    // This code should not throw an error upon deployment
    new s3.Bucket(this, 'selfKmsManagedEnc', {
      bucketName: 'bgc-source-selflogging-kmsmanaged-encryption',
      removalPolicy: cdk.RemovalPolicy.DESTROY,
      autoDeleteObjects: true,
      serverAccessLogsPrefix: 'logs',
      encryption: BucketEncryption.KMS_MANAGED
    });

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.57.0

Framework Version

No response

Node.js Version

v14.21.1

OS

macOS Monterey 12.7.1

Language

Typescript

Language Version

No response

Other information

No response

@biffgaut biffgaut added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Dec 30, 2022
@github-actions github-actions bot added the @aws-cdk/aws-s3 Related to Amazon S3 label Dec 30, 2022
@peterwoodworth peterwoodworth added p1 effort/small Small work item – less than a day of effort and removed needs-triage This issue or PR still needs to be triaged. labels Dec 30, 2022
@ibliskavka
Copy link

@biffgaut, this came as a surprise to me too. We have been using access logging buckets with KMS encryption, but online docs state that it is not.

Source:

  • If default encryption is turned on for the target bucket, AES256 (SSE-S3) must be selected

  • If you use default encryption on the target bucket, then confirm that AES-256 (SSE-S3) is selected as the encryption key. Encryption using AWS-KMS (SSE-KMS) is not supported. For instructions on how to configure default encryption using the Amazon S3 console, see Turning on Amazon S3 default bucket encryption.

@biffgaut
Copy link
Contributor Author

biffgaut commented Jan 5, 2023

Pretty sure that if you look at your log buckets you'll find that the logs are not actually getting created (if your log bucket is indeed KMS encrypted). This was addressed in a recent release - the new error message didn't break any working code, it just alerted people that their code had not actually been working.

KMS_MANAGED encryption is a different beast - if you log to a bucket with KMS_MANAGED encryption the infrastructure created by the CDK Bucket construct will create the log files. But the encryption key is not available to your account and you will be unable to read those log files. So flagging an error for KMS_MANAGED log buckets is also appropriate, just for a different reason.

So the code snippet in Expected Behavior above should throw an error, so I'm going to close this issue.

@biffgaut biffgaut closed this as completed Jan 5, 2023
@github-actions
Copy link

github-actions bot commented Jan 5, 2023

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

mergify bot pushed a commit that referenced this issue Feb 10, 2023
----
closes #23513

### All Submissions:

* [ x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Construct Runtime Dependencies:

* [ ] This PR adds new construct runtime dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-construct-runtime-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@jeffgardnerdev
Copy link

@biffgaut I am getting this error after upgrading an existing app but can confirm that the configuration is working properly--access logs are being sent to the KMS encrypted log target bucket and I am able to download and view them.

My log target bucket has the encryptionKey and bucketKeyEnabled: true props passed in.

I'll note that logs were not getting delivered initially but it started working when I gave logging.s3.amazonaws.com the proper permissions in the KMS key's key policy.

I know that the documentation indicates that only SSE-S3 is supported, but it doesn't seem to be the case.

@zdf1230
Copy link
Contributor

zdf1230 commented Mar 24, 2023

I agreed with @jeffgardnerdev. I am using KMS encryption with logging.s3.amazonaws.com permission attached to the key of course. It works fine on my side - log is generating. So, I don't think we should have these checks which are breaking changes.

@zdf1230
Copy link
Contributor

zdf1230 commented Jun 12, 2023

I put a fix for this. #25350. It is available after v2.81.0.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
@aws-cdk/aws-s3 Related to Amazon S3 bug This issue is a bug. effort/small Small work item – less than a day of effort p1
Projects
None yet
Development

Successfully merging a pull request may close this issue.

6 participants