From c97230a1ed3af249f6f87e36e818e50e954a9d05 Mon Sep 17 00:00:00 2001
From: Rico Huijbers
Date: Fri, 28 Jan 2022 16:00:52 +0000
Subject: [PATCH] docs(dynamodb): add note around table encryption

Whether creating a Table with a custom KMS key succeeds depends on the permissions on the key. The default permissions are correct, but only if the appropriate feature flag is set. Without changing code yet, add the caveat on proper configuration to the documentation.
---
 packages/@aws-cdk/aws-dynamodb/lib/table.ts | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/packages/@aws-cdk/aws-dynamodb/lib/table.ts b/packages/@aws-cdk/aws-dynamodb/lib/table.ts
index 020ca091aa777..b109558752ab7 100644
--- a/packages/@aws-cdk/aws-dynamodb/lib/table.ts
+++ b/packages/@aws-cdk/aws-dynamodb/lib/table.ts
@@ -117,6 +117,12 @@ export enum TableEncryption {
 /**
 * Server-side KMS encryption with a customer master key managed by customer.
 * If `encryptionKey` is specified, this key will be used, otherwise, one will be defined.
+ *
+ * > **NOTE**: if `encryptionKey` is not specified and the `Table` construct creates
+ * > a KMS key for you, the key will be created with default permissions. If you are using
+ * > CDKv2, these permissions will be sufficient to enable the key for use with DynamoDB tables.
+ * > If you are using CDKv1, make sure the feature flag `@aws-cdk/aws-kms:defaultKeyPolicies`
+ * > is set to `true` in your `cdk.json`.
 */
 CUSTOMER_MANAGED = 'CUSTOMER_MANAGED',
 
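Review bot: The added note on `CUSTOMER_MANAGED` tells CDKv1 users to set `@aws-cdk/aws-kms:defaultKeyPolicies` but never says what happens when it is not set, so a reader cannot tell whether this is a hardening recommendation or a deployment requirement; the commit message states that creating the Table with the key does not succeed unless the key permissions are right, and the note should say so. A closing line such as `* > Without that flag, the generated key's default policy is not sufficient and creating the table with it will fail.` makes the consequence explicit (the exact failure mode is not visible in this diff, so phrase it as the commit message does). The phrase `enable the key for use with DynamoDB tables` is also vague about what is being enabled; `grant DynamoDB permission to use the key` is closer to the key-policy point the commit message makes. The same gap exists in the second hunk's note on `TableOptions.encryption`, which should be fixed identically so the two notes do not drift.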
@@ -198,6 +204,13 @@ export interface TableOptions extends SchemaOptions {
 *
 * This property cannot be set if `serverSideEncryption` is set.
 *
+ * > **NOTE**: if you set this to `CUSTOMER_MANAGED` and `encryptionKey` is not
+ * > specified, the key that the Tablet generates for you will be created with
+ * > default permissions. If you are using CDKv2, these permissions will be
+ * > sufficient to enable the key for use with DynamoDB tables. If you are
+ * > using CDKv1, make sure the feature flag
+ * > `@aws-cdk/aws-kms:defaultKeyPolicies` is set to `true` in your `cdk.json`.
+ *
 * @default - server-side encryption is enabled with an AWS owned customer master key
 */
 readonly encryption?: TableEncryption;
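Review bot: `the key that the Tablet generates for you` on the second added line misnames the construct; it should read `the key that the `Table` construct generates for you`, matching the wording of the parallel note added to `TableEncryption.CUSTOMER_MANAGED` in the first hunk. The two notes otherwise say the same thing with different line wrapping and slightly different phrasing, which invites them to diverge over time; either keep the text identical or have this one refer the reader to the enum member's documentation with a single sentence. The enclosing `TableOptions` interface starts and ends outside the hunk.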