fix(core): encrypting sns topic for static-ip-server

Creating a new CMK and encrypting the SNS topic used for creating ASG lifecycle hooks for StaticPrivateIpServer. * Added unit tests for all newly created and modified resources. * Deployed the ASG and verified that lifecycle hooks works.
aws · Jul 24, 2020 · a79b8f6 · a79b8f6
1 parent 677f6f6
commit a79b8f6
Show file tree

Hide file tree

Showing 2 changed files with 79 additions and 2 deletions.
diff --git a/packages/aws-rfdk/lib/core/lib/staticip-server.ts b/packages/aws-rfdk/lib/core/lib/staticip-server.ts
@@ -32,6 +32,7 @@ import {
   Role,
   ServicePrincipal,
 } from '@aws-cdk/aws-iam';
+import {Key} from '@aws-cdk/aws-kms';
 import {
   Code,
   Function as LambdaFunction,
@@ -51,6 +52,7 @@ import {
   Construct,
   Duration,
   Lazy,
+  RemovalPolicy,
   Stack,
   Tag,
 } from '@aws-cdk/core';
@@ -392,9 +394,21 @@ export class StaticPrivateIpServer extends Construct implements IConnectable, IG
         assumedBy: new ServicePrincipal('autoscaling.amazonaws.com'),
       });
 
+      const notificationTopicEncryptKeyUniqueId = 'SNSEncryptionKey' + this.removeHyphens('255e9e52-ad03-4ddf-8ff8-274bc10d63d1');
+      const notificationTopicEncryptKey = new Key(stack, notificationTopicEncryptKeyUniqueId, {
+        description: `This key is used to encrypt SNS messages for ${notificationTopicUniqueId}.`,
+        enableKeyRotation: true,
+        removalPolicy: RemovalPolicy.DESTROY,
+        trustAccountIdentities: true,
+      });
+
       notificationTopic = new Topic(stack, notificationTopicUniqueId, {
         displayName: `Created by AWS-RFDK StaticPrivateIpServer for instance-launch notifications for stack '${stack.stackName}'`,
+        masterKey: notificationTopicEncryptKey,
       });
+
+      notificationTopicEncryptKey.grant(notificationRole, 'kms:Decrypt', 'kms:GenerateDataKey');
+
       notificationTopic.addSubscription(new LambdaSubscription(lambdaHandler));
       notificationTopic.grantPublish(notificationRole);
     } else {

diff --git a/packages/aws-rfdk/lib/core/test/staticip-server.test.ts b/packages/aws-rfdk/lib/core/test/staticip-server.test.ts
@@ -8,6 +8,7 @@ import {
   countResources,
   countResourcesLike,
   expect as cdkExpect,
+  expect as expectCDK,
   haveResourceLike,
   objectLike,
   ResourcePart,
@@ -24,8 +25,7 @@ import {
   Duration,
   Stack,
 } from '@aws-cdk/core';
-
-import { StaticPrivateIpServer } from '../lib';
+import {StaticPrivateIpServer} from '../lib';
 
 describe('Test StaticIpServer', () => {
   let stack: Stack;
@@ -93,8 +93,45 @@ describe('Test StaticIpServer', () => {
       Description: 'Created by AWS-RFDK StaticPrivateIpServer to process instance launch lifecycle events in stack \'StackName\'. This lambda attaches an ENI to newly launched instances.',
     }));
 
+    expectCDK(stack).to(haveResourceLike('AWS::KMS::Key', {
+      UpdateReplacePolicy: 'Delete',
+      DeletionPolicy: 'Delete',
+    }, ResourcePart.CompleteDefinition));
+    expectCDK(stack).to(haveResourceLike('AWS::KMS::Key', {
+      KeyPolicy: {
+        Statement: [
+          {
+            Action: 'kms:*',
+            Effect: 'Allow',
+            Principal: {
+              AWS: {
+                'Fn::Join': [
+                  '',
+                  [
+                    'arn:',
+                    {
+                      Ref: 'AWS::Partition',
+                    },
+                    ':iam::',
+                    {
+                      Ref: 'AWS::AccountId',
+                    },
+                    ':root',
+                  ],
+                ],
+              },
+            },
+            Resource: '*',
+          },
+        ],
+      },
+      EnableKeyRotation: true,
+    }));
     cdkExpect(stack).to(haveResourceLike('AWS::SNS::Topic', {
       DisplayName: 'Created by AWS-RFDK StaticPrivateIpServer for instance-launch notifications for stack \'StackName\'',
+      KmsMasterKeyId: {
+        Ref: 'SNSEncryptionKey255e9e52ad034ddf8ff8274bc10d63d1EDF79FFE',
+      },
     }));
 
     cdkExpect(stack).to(haveResourceLike('AWS::SNS::Subscription', {
@@ -171,6 +208,32 @@ describe('Test StaticIpServer', () => {
         ],
       },
     }));
+    cdkExpect(stack).to(countResourcesLike('AWS::IAM::Policy', 1, {
+      PolicyDocument: {
+        Statement: [
+          {
+            Action: [
+              'kms:Decrypt',
+              'kms:GenerateDataKey',
+            ],
+            Effect: 'Allow',
+            Resource: {
+              'Fn::GetAtt': [
+                'SNSEncryptionKey255e9e52ad034ddf8ff8274bc10d63d1EDF79FFE',
+                'Arn',
+              ],
+            },
+          },
+          {
+            Action: 'sns:Publish',
+            Effect: 'Allow',
+            Resource: {
+              Ref: 'AttachEniNotificationTopicc8b1e9a6783c4954b191204dd5e3b9e0F5D22665',
+            },
+          },
+        ],
+      },
+    }));
   });
 
   test('creates singleton resources', () => {