Skip to content

Commit

Permalink
fix(s3): buckets with SSE-KMS silently fail to receive logs (aws#23385)
Browse files Browse the repository at this point in the history
AWS S3 Server Access Logging does not support logging to buckets that
use SSE-KMS, only to buckets without default encryption or to buckets
that use SSE-S3. At least in some cases, this misconfiguration can be
caught within the CDK (when logging to the same bucket or when the
target bucket is using a KMS CMK).

This will still fail to catch scenarios where the target bucket is using
SSE-KMS using a KMS-managed key because the `encryptionKey` property is
not set on the Bucket in that scenario.

This may be a breaking change for some users; what is currently a mostly
silent misconfiguration will become an error when synthesizing.

----

### All Submissions:

* [X] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Construct Runtime Dependencies:

* [ ] This PR adds new construct runtime dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-construct-runtime-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
  • Loading branch information
laurelmay authored and Brennan Ho committed Jan 20, 2023
1 parent 67fdf75 commit 779d861
Show file tree
Hide file tree
Showing 2 changed files with 33 additions and 0 deletions.
11 changes: 11 additions & 0 deletions packages/@aws-cdk/aws-s3/lib/bucket.ts
Original file line number Diff line number Diff line change
Expand Up @@ -2044,6 +2044,17 @@ export class Bucket extends BucketBase {
if (!props.serverAccessLogsBucket && !props.serverAccessLogsPrefix) {
return undefined;
}
if (
// The current bucket is being used and is configured for default SSE-KMS
!props.serverAccessLogsBucket && (
props.encryptionKey ||
props.encryption === BucketEncryption.KMS ||
props.encryption === BucketEncryption.KMS_MANAGED) ||
// Another bucket is being used that is configured for default SSE-KMS
props.serverAccessLogsBucket?.encryptionKey
) {
throw new Error('SSE-S3 is the only supported default bucket encryption for Server Access Logging target buckets');
}

return {
destinationBucketName: props.serverAccessLogsBucket?.bucketName,
Expand Down
22 changes: 22 additions & 0 deletions packages/@aws-cdk/aws-s3/test/bucket.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -337,6 +337,28 @@ describe('bucket', () => {

});

test('throws error if using KMS-Managed key and server access logging to self', () => {
const stack = new cdk.Stack();
expect(() => {
new s3.Bucket(stack, 'MyBucket', { encryption: s3.BucketEncryption.KMS_MANAGED, serverAccessLogsPrefix: 'test' });
}).toThrow('SSE-S3 is the only supported default bucket encryption for Server Access Logging target buckets');
});
test('throws error if using KMS CMK and server access logging to self', () => {
const stack = new cdk.Stack();
const key = new kms.Key(stack, 'TestKey');
expect(() => {
new s3.Bucket(stack, 'MyBucket', { encryptionKey: key, serverAccessLogsPrefix: 'test' });
}).toThrow('SSE-S3 is the only supported default bucket encryption for Server Access Logging target buckets');
});
test('throws error if enabling server access logging to bucket with SSE-KMS', () => {
const stack = new cdk.Stack();
const key = new kms.Key(stack, 'TestKey');
const targetBucket = new s3.Bucket(stack, 'TargetBucket', { encryptionKey: key } );
expect(() => {
new s3.Bucket(stack, 'MyBucket', { serverAccessLogsBucket: targetBucket });
}).toThrow('SSE-S3 is the only supported default bucket encryption for Server Access Logging target buckets');
});

test('bucket with versioning turned on', () => {
const stack = new cdk.Stack();
new s3.Bucket(stack, 'MyBucket', {
Expand Down

0 comments on commit 779d861

Please sign in to comment.