fix: Add SNS encryption for FhirWorksAlarm #462
Conversation
@Zambonilli, as a best practice, SNS topics should be encrypted at rest with a KMS key. I wanted to confirm that you're ok with this change, and that this wouldn't break anything on your side.
AWS: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:root' | ||
Action: 'kms:*' | ||
Resource: '*' | ||
- Sid: 'Allow Cloudwatch to use this Key Policy' |
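Review bot: the key policy visible here carries only the account-root `kms:*` statement and a CloudWatch Sid; no statement for the `sns.amazonaws.com` service principal is in view, and without `kms:GenerateDataKey*` and `kms:Decrypt` for SNS the topic cannot encrypt published messages or decrypt them for delivery. Suggest adding a Sid for the SNS service principal scoped to exactly those two actions rather than `kms:*`, so the service gets least privilege while the root statement keeps key administration.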
We had to have the sns.amazonaws.com service principal with kms:GenerateDataKey* and kms:Decrypt permissions in this policy as well. IIRC, that was what allowed SNS to encrypt and decrypt when sending to the subscribers.
Ugh, thanks. I translated our Terraform definition for the SNS topic here incorrectly and forgot the KMS key. This matches what we have in Terraform, minus the comment about adding the sns.amazonaws.com service principal to the key's policy.
@Zambonilli thanks for double checking. Just to confirm, does this mean the PR as is matches what is currently in your Terraform definition?
This PR is close to matching our terraform. It's just missing the following Sid in the KMS key's inline policy:
Good catch. After further examining the JSON at this blog post, I see they include a Sid for SNS as well. I've updated the PR.
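As an added example (not the PR's own template), a CloudFormation fragment showing the key policy shape this thread converges on: the account-root administration statement plus service-principal statements for sns.amazonaws.com and cloudwatch.amazonaws.com limited to kms:GenerateDataKey* and kms:Decrypt, wired to a KMS-encrypted topic. Resource logical names and the alias name are assumptions.

```yaml
Resources:
  # Customer-managed key that encrypts the alarm topic at rest (name assumed)
  FhirWorksAlarmKey:
    Type: AWS::KMS::Key
    Properties:
      Description: Encrypts FhirWorksAlarm SNS messages at rest
      EnableKeyRotation: true
      KeyPolicy:
        Version: '2012-10-17'
        Statement:
          # Key administration by the account: the standard root statement
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:root'
            Action: 'kms:*'
            Resource: '*'
          # SNS needs exactly these two actions to encrypt published messages
          # and decrypt them on delivery to subscribers (least privilege, not kms:*)
          - Sid: Allow SNS to use this key
            Effect: Allow
            Principal:
              Service: sns.amazonaws.com
            Action:
              - 'kms:GenerateDataKey*'
              - 'kms:Decrypt'
            Resource: '*'
          # CloudWatch alarms publishing to the encrypted topic need the same pair
          - Sid: Allow CloudWatch to use this key
            Effect: Allow
            Principal:
              Service: cloudwatch.amazonaws.com
            Action:
              - 'kms:GenerateDataKey*'
              - 'kms:Decrypt'
            Resource: '*'

  FhirWorksAlarmKeyAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: alias/fhir-works-alarm   # assumed alias name
      TargetKeyId: !Ref FhirWorksAlarmKey

  # The alarm topic, encrypted with the key above
  FhirWorksAlarmTopic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: FhirWorksAlarm
      KmsMasterKeyId: !Ref FhirWorksAlarmKey
```

After deployment, `aws sns get-topic-attributes --topic-arn <topic arn>` should list a `KmsMasterKeyId` attribute, and a test alarm transition should reach subscribers; a topic that is encrypted but whose key policy lacks the service-principal statements fails silently at publish time.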
Issue #, if available:
Description of changes:
Add SNS encryption for FhirWorksAlarm. As a best practice, Amazon recommends encrypting SNS topics.
References
https://aws.amazon.com/blogs/compute/encrypting-messages-published-to-amazon-sns-with-aws-kms/
https://stackoverflow.com/a/58849754
https://aws.amazon.com/premiumsupport/knowledge-center/cloudwatch-receive-sns-for-alarm-trigger/
Checklist:
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.