fix(s3): KMS encryption works fine for server access logging target buckets #24789
Conversation
The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.
A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.
Exemption Request: Integration tests succeeded and this change won't change snapshot.
Thank you for your contribution. Please see my comments inline.
}).not.toThrowError(); | ||
}); | ||
|
||
test('logs to self, KMS encryption with key throws error', () => { | ||
test('logs to self, KMS encryption with key does nor throw error', () => { | ||
const stack = new cdk.Stack(); | ||
const key = new kms.Key(stack, 'TestKey'); | ||
expect(() => { | ||
new s3.Bucket(stack, 'MyBucket', { encryptionKey: key, encryption: s3.BucketEncryption.KMS, serverAccessLogsPrefix: 'test' }); | ||
}).toThrow(/SSE-S3 is the only supported default bucket encryption for Server Access Logging target buckets/); | ||
}).not.toThrowError(); | ||
}); | ||
|
||
test('logs to self, KMS key with no specific encryption specified throws error', () => { | ||
test('logs to self, KMS key with no specific encryption specified does not throw error', () => { | ||
const stack = new cdk.Stack(); | ||
const key = new kms.Key(stack, 'TestKey'); | ||
expect(() => { | ||
new s3.Bucket(stack, 'MyBucket', { encryptionKey: key, serverAccessLogsPrefix: 'test' }); | ||
}).toThrow(/SSE-S3 is the only supported default bucket encryption for Server Access Logging target buckets/); | ||
}).not.toThrowError(); |
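Review bot: the renamed test on the second line of this hunk reads 'KMS encryption with key does nor throw error'; 'nor' should be 'not'. More substantively, both tests here swap `.toThrow(/SSE-S3 is the only supported.../)` for `.not.toThrowError()`, which asserts nothing about what was synthesized; have each test check the template instead, e.g. that the `AWS::S3::Bucket` resource carries a `BucketEncryption` rule with `SSEAlgorithm: aws:kms` referencing `TestKey` and a `LoggingConfiguration` with `LogFilePrefix: test`, so a regression on either path is caught rather than only the absence of an exception.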
These should test against the expected template output, not just that it doesn't throw an error.
if (!props.serverAccessLogsBucket && props.encryption === BucketEncryption.KMS_MANAGED) { | ||
throw new Error('Default bucket encryption with KMS managed key is not supported for Server Access Logging target buckets'); |
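Review bot: the new condition `!props.serverAccessLogsBucket && props.encryption === BucketEncryption.KMS_MANAGED` never looks at `serverAccessLogsPrefix`, yet the PR description says it is meant to catch the logs-to-self case. Unless the enclosing block already runs only when access logging is configured, this throws for every KMS_MANAGED bucket that has no logging at all; add `props.serverAccessLogsPrefix` to the condition (or confirm the outer guard exists) and add a test for a KMS_MANAGED bucket with no logging that expects no error.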
If this is the case, we should have integ tests where encryption is set to BucketEncryption.KMS with an encryptionKey and without an encryptionKey set.
The case you talked about is checked under function parseEncryption.
// if encryption key is set, encryption must be set to KMS.
if (encryptionType !== BucketEncryption.KMS && props.encryptionKey) {
throw new Error(`encryptionKey is specified, so 'encryption' must be set to KMS (value: ${encryptionType})`);
}
The change I made here is meant to fail the build when the server access logs bucket is set to itself and the bucket encryption is set to KMS_MANAGED. In this case, though the resource can be deployed successfully, we cannot modify the encryption key owned by KMS. The key and the bucket need proper permissions to make the whole logging workflow work. So people won't be able to get access logs from the bucket, or the logs would be unreadable.
This change won't affect snapshot at all.
const stack = new cdk.Stack(); | ||
expect(() => { | ||
new s3.Bucket(stack, 'MyBucket', { encryption: s3.BucketEncryption.KMS, serverAccessLogsPrefix: 'test' }); | ||
}).toThrow(/SSE-S3 is the only supported default bucket encryption for Server Access Logging target buckets/); | ||
}).not.toThrowError(); |
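Review bot: with `encryption: s3.BucketEncryption.KMS` and no `encryptionKey`, the construct creates the key itself, so this is the one place it could also add the key policy statement for `logging.s3.amazonaws.com` that the PR description says is required; as written the test only proves the constructor no longer throws, and nothing shows whether that grant is emitted. Assert on the synthesized `AWS::KMS::Key` policy (either that the logging principal is present, or state that the user must add it) instead of stopping at `.not.toThrowError()`.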
These should test against the expected template output, not just that it doesn't throw an error.
The original logic would throw the error for a case where it should not. And none of these changes affect template output. They just mean to fail the build earlier to prevent some non-working situations.
My change just removes a failing check condition for a case that actually works.
As my change won't affect the generated template output, I don't think there is anything I can do there.
const stack = new cdk.Stack(); | ||
const key = new kms.Key(stack, 'TestKey'); | ||
expect(() => { | ||
new s3.Bucket(stack, 'MyBucket', { encryptionKey: key, encryption: s3.BucketEncryption.KMS, serverAccessLogsPrefix: 'test' }); | ||
}).toThrow(/SSE-S3 is the only supported default bucket encryption for Server Access Logging target buckets/); | ||
}).not.toThrowError(); |
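Review bot: this case passes a caller-owned `TestKey`, which the constructor should not modify on the user's behalf, so the behaviour the description depends on (a key policy granting `logging.s3.amazonaws.com`) lives entirely outside the construct and the user loses the warning the old throw gave them. The test should at least assert the bucket's `BucketEncryption` and `LoggingConfiguration` in the template, and the `serverAccessLogsPrefix`/`encryptionKey` documentation should spell out the key policy the user has to add.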
These should test against the expected template output, not just that it doesn't throw an error.
const stack = new cdk.Stack(); | ||
const logBucket = new s3.Bucket(stack, 'testLogBucket', { encryption: s3.BucketEncryption.KMS }); | ||
expect(() => { | ||
new s3.Bucket(stack, 'MyBucket', { serverAccessLogsBucket: logBucket }); | ||
}).toThrow(/SSE-S3 is the only supported default bucket encryption for Server Access Logging target buckets/); | ||
}).not.toThrowError(); |
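Review bot: `logBucket` here is a bucket in the same stack, so its encryption is known at synth time; the description's point that the target's encryption 'is not possible to know' applies to imported buckets, and no test covers that path. Add a case using `s3.Bucket.fromBucketName(...)` as `serverAccessLogsBucket` so the behaviour for an unknown-encryption target is pinned down, and replace `.not.toThrowError()` with an assertion that `MyBucket`'s `LoggingConfiguration.DestinationBucketName` references `testLogBucket`.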
These should test against the expected template output, not just that it doesn't throw an error.
const stack = new cdk.Stack(); | ||
const key = new kms.Key(stack, 'TestKey'); | ||
const logBucket = new s3.Bucket(stack, 'testLogBucket', { encryptionKey: key, encryption: s3.BucketEncryption.KMS }); | ||
expect(() => { | ||
new s3.Bucket(stack, 'MyBucket', { serverAccessLogsBucket: logBucket }); | ||
}).toThrow(/SSE-S3 is the only supported default bucket encryption for Server Access Logging target buckets/); | ||
}).not.toThrowError(); |
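Review bot: this test differs from the preceding one only in passing an explicit `encryptionKey`, and both stop at `.not.toThrowError()`; consider folding the KMS target variants into one `test.each` table over the target bucket props with a shared assertion on the synthesized template (`Template.fromStack(stack).hasResourceProperties('AWS::S3::Bucket', ...)`), so every variant checks the `LoggingConfiguration` rather than only the absence of an exception.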
These should test against the expected template output, not just that it doesn't throw an error.
const stack = new cdk.Stack(); | ||
const key = new kms.Key(stack, 'TestKey'); | ||
const logBucket = new s3.Bucket(stack, 'testLogBucket', { encryptionKey: key }); | ||
expect(() => { | ||
new s3.Bucket(stack, 'MyBucket', { serverAccessLogsBucket: logBucket }); | ||
}).toThrow(/SSE-S3 is the only supported default bucket encryption for Server Access Logging target buckets/); | ||
}).not.toThrowError(); |
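Review bot: `testLogBucket` is given `encryptionKey: key` with no `encryption`, so this test only passes if `parseEncryption` defaults the type to KMS when a key is supplied (the snippet quoted in the discussion throws otherwise); that dependency is left implicit. Assert that the target's `BucketEncryption` resolves to `SSEAlgorithm: aws:kms` in the template so the test documents the defaulting it relies on, and name the test accordingly ('key only, encryption defaulted').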
These should test against the expected template output, not just that it doesn't throw an error.
Removing request for exemption per my comments in my review.
Thanks for the comments. I replied to them. Please let me know if anything is unclear. As I commented, I still think I need the Exemption Request.
Clarification Request
This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.
The pull request linter fails with the following errors:
PRs must pass status checks before we can provide a meaningful review. If you would like to request an exemption from the status checks or clarification on feedback, please leave a comment on this PR containing
KMS encryption works fine for server access logging target buckets with proper permissions set up

There were 2 changes that wanted to solve the issue that buckets with SSE-KMS silently fail to receive logs: #23514 & #23385

The changes would let it fail early at build time when SSE-KMS is set for the server access logging bucket. But it actually works when the user uses SSE-KMS with a customized encryption key. You just need to add a KMS read/write policy for logging.s3.amazonaws.com to the key and add S3 PutObject permission for logging.s3.amazonaws.com. So this change removes the condition failing for the SSE-KMS with customized encryption key case.

However, it is not possible to know the encryption type of the server access logging bucket, so the only check that can be applied after this change is merged is failing in the logging-to-self case using BucketEncryption.KMS_MANAGED.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
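The two permissions the description says an SSE-KMS logging target needs, and the synth-time rule the thread argues over (SSE-S3 always fine, SSE-KMS with a customer managed key fine only if that key's policy admits the log delivery service, the AWS managed aws/s3 key rejected because its policy cannot be edited), written out as an added TypeScript example. This is not code from the aws-cdk PR or repository: it uses plain types rather than CDK constructs, the statement shapes (kms:GenerateDataKey* on the key, s3:PutObject scoped by aws:SourceArn and aws:SourceAccount on the bucket) are this example's reading of the AWS log-delivery grants and should be checked against current S3 documentation, and the bucket names, prefix and account id are constructed.

```typescript
// Added example, not code from the aws-cdk PR or repository. Models the logging-target
// rule discussed in the PR with plain types; bucket names, prefix and account id are
// constructed sample values. The action set granted to the log delivery service is an
// assumption of this example; verify it against current S3 server access logging docs.

type BucketEncryption = 'UNENCRYPTED' | 'S3_MANAGED' | 'KMS_MANAGED' | 'KMS';

const LOG_DELIVERY_PRINCIPAL = 'logging.s3.amazonaws.com';

interface PolicyStatement {
  Sid?: string;
  Effect: 'Allow' | 'Deny';
  Principal: '*' | { Service?: string | string[]; AWS?: string | string[] };
  Action: string | string[];
  Resource: string | string[];
  Condition?: Record<string, Record<string, string>>;
}

interface PolicyDocument {
  Version: string;
  Statement: PolicyStatement[];
}

interface LoggingTarget {
  bucketName: string;
  logPrefix: string;
  encryption: BucketEncryption;
  // Policy of the customer managed key; absent for KMS_MANAGED (aws/s3) or non-KMS targets.
  keyPolicy?: PolicyDocument;
}

// Key policy statement letting the S3 log delivery service generate data keys under the CMK.
function logDeliveryKeyStatement(): PolicyStatement {
  return {
    Sid: 'AllowS3ServerAccessLogging',
    Effect: 'Allow',
    Principal: { Service: LOG_DELIVERY_PRINCIPAL },
    Action: ['kms:GenerateDataKey*'],
    Resource: '*',
  };
}

// Bucket policy statement for log delivery, confined to one prefix and pinned to the
// source bucket and account so a bucket in another account cannot write into the target.
function logDeliveryBucketStatement(target: LoggingTarget, sourceBucket: string, sourceAccount: string): PolicyStatement {
  return {
    Sid: 'S3ServerAccessLogsPolicy',
    Effect: 'Allow',
    Principal: { Service: LOG_DELIVERY_PRINCIPAL },
    Action: ['s3:PutObject'],
    Resource: `arn:aws:s3:::${target.bucketName}/${target.logPrefix}*`,
    Condition: {
      ArnLike: { 'aws:SourceArn': `arn:aws:s3:::${sourceBucket}` },
      StringEquals: { 'aws:SourceAccount': sourceAccount },
    },
  };
}

function asList(v: string | string[] | undefined): string[] {
  return v === undefined ? [] : Array.isArray(v) ? v : [v];
}

// IAM-style action match: '*' is a wildcard and the comparison is case-insensitive.
function actionMatches(pattern: string, action: string): boolean {
  const escaped = pattern.split('*').map(p => p.replace(/[.+?^${}()|[\]\\]/g, '\\$&')).join('.*');
  return new RegExp(`^${escaped}$`, 'i').test(action);
}

// True when some Allow statement names the log delivery service and covers GenerateDataKey.
function keyPolicyAllowsLogDelivery(doc: PolicyDocument): boolean {
  return doc.Statement.some(s =>
    s.Effect === 'Allow' &&
    typeof s.Principal === 'object' &&
    asList(s.Principal.Service).includes(LOG_DELIVERY_PRINCIPAL) &&
    asList(s.Action).some(a => actionMatches(a, 'kms:GenerateDataKey')));
}

// The synth-time check the PR argues for, with the key policy inspection a CDK construct
// cannot perform on an imported key made explicit here.
function validateLoggingTarget(t: LoggingTarget): { ok: boolean; reason?: string } {
  if (t.encryption === 'KMS_MANAGED') {
    return { ok: false, reason: 'Default bucket encryption with KMS managed key is not supported for Server Access Logging target buckets' };
  }
  if (t.encryption === 'KMS') {
    if (!t.keyPolicy) {
      return { ok: false, reason: 'SSE-KMS target: key policy unavailable, cannot confirm log delivery grant' };
    }
    return keyPolicyAllowsLogDelivery(t.keyPolicy)
      ? { ok: true }
      : { ok: false, reason: `key policy does not grant kms:GenerateDataKey to ${LOG_DELIVERY_PRINCIPAL}` };
  }
  return { ok: true }; // UNENCRYPTED and S3_MANAGED (SSE-S3) need no key grant
}

// Constructed sample: a CMK whose policy carries the log delivery grant, used by a
// target bucket that receives access logs for the constructed source bucket 'app-data'.
const sampleKeyPolicy: PolicyDocument = {
  Version: '2012-10-17',
  Statement: [
    { Sid: 'KeyAdmin', Effect: 'Allow', Principal: { AWS: 'arn:aws:iam::123456789012:root' }, Action: 'kms:*', Resource: '*' },
    logDeliveryKeyStatement(),
  ],
};

const sampleTarget: LoggingTarget = {
  bucketName: 'app-access-logs',
  logPrefix: 'app-data/',
  encryption: 'KMS',
  keyPolicy: sampleKeyPolicy,
};

console.log(validateLoggingTarget(sampleTarget));
console.log(JSON.stringify(logDeliveryBucketStatement(sampleTarget, 'app-data', '123456789012'), null, 2));
```

The check is deliberately a function of the target's declared encryption plus an inspectable key policy, which is exactly what the PR says the CDK construct lacks for an imported target: without the key policy, the example refuses rather than silently accepting an SSE-KMS target, mirroring the failure mode (logs never arrive or are unreadable) the thread describes.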