From 72fefbea1508e9529fac27f2e3133704fea3a0b8 Mon Sep 17 00:00:00 2001 
From: Ben Limmer Date: Sat, 3 Feb 2024 17:21:54 -0700 Subject: [PATCH] feat!(app-staging-synthesizer-alpha): use S3-Managed encryption by default --- .../app-staging-synthesizer-alpha/README.md | 6 +- .../lib/default-staging-stack.ts | 17 +- .../test/app-staging-synthesizer.test.ts | 10 +- ...-resourcesmax-ACCOUNT-REGION.template.json | 109 +-------- .../cdk.out | 2 +- .../integ.json | 2 +- ...efaultTestDeployAssert44C8D370.assets.json | 2 +- .../manifest.json | 40 +-- .../synthesize-default-resources.assets.json | 2 +- .../tree.json | 145 +---------- ...-resourcesmax-ACCOUNT-REGION.template.json | 109 ++++++++- .../cdk.out | 0 .../integ.json | 0 ...efaultTestDeployAssert44C8D370.assets.json | 0 ...aultTestDeployAssert44C8D370.template.json | 0 .../manifest.json | 12 + .../synthesize-default-encryption.assets.json | 0 ...ynthesize-default-encryption.template.json | 0 .../tree.json | 227 ++++++++++++++---- ...ption.ts => integ.synth-kms-encryption.ts} | 6 +- 20 files changed, 331 insertions(+), 358 deletions(-) rename packages/@aws-cdk/app-staging-synthesizer-alpha/test/{integ.synth-default-encryption.js.snapshot => integ.synth-kms-encryption.js.snapshot}/StagingStack-default-resourcesmax-ACCOUNT-REGION.template.json (84%) rename packages/@aws-cdk/app-staging-synthesizer-alpha/test/{integ.synth-default-encryption.js.snapshot => integ.synth-kms-encryption.js.snapshot}/cdk.out (100%) rename packages/@aws-cdk/app-staging-synthesizer-alpha/test/{integ.synth-default-encryption.js.snapshot => integ.synth-kms-encryption.js.snapshot}/integ.json (100%) rename packages/@aws-cdk/app-staging-synthesizer-alpha/test/{integ.synth-default-encryption.js.snapshot => integ.synth-kms-encryption.js.snapshot}/integtestsDefaultTestDeployAssert44C8D370.assets.json (100%) rename packages/@aws-cdk/app-staging-synthesizer-alpha/test/{integ.synth-default-encryption.js.snapshot => integ.synth-kms-encryption.js.snapshot}/integtestsDefaultTestDeployAssert44C8D370.template.json (100%) rename 
packages/@aws-cdk/app-staging-synthesizer-alpha/test/{integ.synth-default-encryption.js.snapshot => integ.synth-kms-encryption.js.snapshot}/manifest.json (94%) rename packages/@aws-cdk/app-staging-synthesizer-alpha/test/{integ.synth-default-encryption.js.snapshot => integ.synth-kms-encryption.js.snapshot}/synthesize-default-encryption.assets.json (100%) rename packages/@aws-cdk/app-staging-synthesizer-alpha/test/{integ.synth-default-encryption.js.snapshot => integ.synth-kms-encryption.js.snapshot}/synthesize-default-encryption.template.json (100%) rename packages/@aws-cdk/app-staging-synthesizer-alpha/test/{integ.synth-default-encryption.js.snapshot => integ.synth-kms-encryption.js.snapshot}/tree.json (70%) rename packages/@aws-cdk/app-staging-synthesizer-alpha/test/{integ.synth-default-encryption.ts => integ.synth-kms-encryption.ts} (78%) diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/README.md b/packages/@aws-cdk/app-staging-synthesizer-alpha/README.md index 8664303213f26..20ee1d39c2e34 100644 --- a/packages/@aws-cdk/app-staging-synthesizer-alpha/README.md +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/README.md @@ -267,8 +267,8 @@ const app = new App({ ### Staging Bucket Encryption -By default, the staging resources will be stored in an S3 Bucket with KMS encryption. To use -SSE-S3, set `stagingBucketEncryption` to `BucketEncryption.S3_MANAGED`. +By default, the staging resources will be stored in an S3 Bucket with S3 Managed encryption. To use +SSE-KMS, set `stagingBucketEncryption` to `BucketEncryption.KMS`. ```ts import { BucketEncryption } from 'aws-cdk-lib/aws-s3'; @@ -276,7 +276,7 @@ import { BucketEncryption } from 'aws-cdk-lib/aws-s3'; const app = new App({ defaultStackSynthesizer: AppStagingSynthesizer.defaultResources({ appId: 'my-app-id', - stagingBucketEncryption: BucketEncryption.S3_MANAGED, + stagingBucketEncryption: BucketEncryption.KMS, }), }); ``` 
diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/lib/default-staging-stack.ts b/packages/@aws-cdk/app-staging-synthesizer-alpha/lib/default-staging-stack.ts index 70d5cfd65fbe3..62120c3bf5c1d 100644 --- a/packages/@aws-cdk/app-staging-synthesizer-alpha/lib/default-staging-stack.ts +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/lib/default-staging-stack.ts @@ -64,7 +64,7 @@ export interface DefaultStagingStackOptions { /** * Encryption type for staging bucket * - * @default - s3.BucketEncryption.KMS + * @default - s3.BucketEncryption.S3_MANAGED */ readonly stagingBucketEncryption?: s3.BucketEncryption; @@ -226,7 +226,7 @@ export class DefaultStagingStack extends Stack implements IStagingResources { private readonly appId: string; private readonly stagingBucketName?: string; - private stagingBucketEncryption?: s3.BucketEncryption; + private stagingBucketEncryption: s3.BucketEncryption; /** * File publish role ARN in asset manifest format @@ -267,7 +267,7 @@ export class DefaultStagingStack extends Stack implements IStagingResources { this.deployRoleArn = props.deployRoleArn; this.stagingBucketName = props.stagingBucketName; - this.stagingBucketEncryption = props.stagingBucketEncryption; + this.stagingBucketEncryption = props.stagingBucketEncryption ?? s3.BucketEncryption.S3_MANAGED; const specializer = new StringSpecializer(this, props.qualifier); this.providedFileRole = props.fileAssetPublishingRole?._specialize(specializer); 
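Review bot: The new `@default - s3.BucketEncryption.S3_MANAGED` line in the first hunk documents the new value but not what the flip does to a staging stack that is already deployed, which is the part a `feat!` consumer needs. The snapshot changes in this same commit show the `AWS::KMS::Key` and its alias leaving the template (manifest.json marks `BucketKey7092080A` with `!!DESTRUCTIVE_CHANGES: WILL_DESTROY`) and a `kms:Decrypt`/`kms:GenerateDataKey*` statement dropping from a role policy, presumably the file-publishing role's. The key is retained (`DeletionPolicy: Retain`) but orphaned from the stack, and assets already uploaded under it stay encrypted with it, so a role that has lost that grant can no longer read them. Suggest extending the docblock with a line such as ` * Changing this on an already-deployed staging stack removes the stack-managed KMS key and the file role's KMS permissions; assets uploaded earlier remain encrypted under the old key.` and calling the same out in the README. The constructor hunk that applies the `??` default is on this same line, and neither hunk's enclosing declaration is fully visible here.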
@@ -368,15 +368,6 @@ export class DefaultStagingStack extends Stack implements IStagingResources { this.ensureFileRole(); - let key = undefined; - if (this.stagingBucketEncryption === s3.BucketEncryption.KMS || this.stagingBucketEncryption === undefined) { - if (this.stagingBucketEncryption === undefined) { - // default is KMS as an AWS best practice, and for backwards compatibility - this.stagingBucketEncryption = s3.BucketEncryption.KMS; - } - key = this.createBucketKey(); - } - // Create the bucket once the dependencies have been created const bucket = new s3.Bucket(this, bucketId, { bucketName: stagingBucketName, @@ -387,7 +378,7 @@ export class DefaultStagingStack extends Stack implements IStagingResources { removalPolicy: RemovalPolicy.RETAIN, }), encryption: this.stagingBucketEncryption, - encryptionKey: key, + encryptionKey: this.stagingBucketEncryption === s3.BucketEncryption.KMS ? this.createBucketKey() : undefined, // Many AWS account safety checkers will complain when buckets aren't versioned versioned: true, diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/app-staging-synthesizer.test.ts b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/app-staging-synthesizer.test.ts index 9b0b502a967b1..c15f3faff972e 100644 --- a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/app-staging-synthesizer.test.ts +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/app-staging-synthesizer.test.ts @@ -277,12 +277,12 @@ describe(AppStagingSynthesizer, () => { Status: 'Enabled', }]), }, - // When stagingBucketEncryption is not specified, it should be KMS for backwards compatibility + // When stagingBucketEncryption is not specified, it should be S3_MANAGED BucketEncryption: { ServerSideEncryptionConfiguration: [ { ServerSideEncryptionByDefault: { - SSEAlgorithm: 'aws:kms', + SSEAlgorithm: 'AES256', }, }, ], 
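Review bot: The second hunk here now calls `this.createBucketKey()` inside a ternary in the `new s3.Bucket(...)` props literal, which hides a construct-creating side effect in an expression and drops the rationale comment the removed block carried. Keep the decision as a named statement before the bucket, `const encryptionKey = this.stagingBucketEncryption === s3.BucketEncryption.KMS ? this.createBucketKey() : undefined;` with a short comment that only `KMS` needs a stack-owned key (`KMS_MANAGED` uses the AWS-managed key), and pass `encryptionKey,` in the props. This keeps the key's logical id and the template output unchanged while making the branch visible to the reader. The enclosing method starts before the first hunk and ends after the second.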
@@ -290,13 +290,13 @@ describe(AppStagingSynthesizer, () => { }); }); - test('staging bucket with SSE-S3 encryption', () => { + test('staging bucket with SSE-KMS encryption', () => { // GIVEN app = new App({ defaultStackSynthesizer: AppStagingSynthesizer.defaultResources({ appId: APP_ID, deployTimeFileAssetLifetime: Duration.days(1), - stagingBucketEncryption: BucketEncryption.S3_MANAGED, + stagingBucketEncryption: BucketEncryption.KMS, }), }); stack = new Stack(app, 'Stack', { @@ -318,7 +318,7 @@ describe(AppStagingSynthesizer, () => { ServerSideEncryptionConfiguration: [ { ServerSideEncryptionByDefault: { - SSEAlgorithm: 'AES256', + SSEAlgorithm: 'aws:kms', }, }, ], diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/StagingStack-default-resourcesmax-ACCOUNT-REGION.template.json b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/StagingStack-default-resourcesmax-ACCOUNT-REGION.template.json index 4e2a7ddfdf99c..952f7fb10adcb 100644 --- a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/StagingStack-default-resourcesmax-ACCOUNT-REGION.template.json +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/StagingStack-default-resourcesmax-ACCOUNT-REGION.template.json @@ -85,22 +85,6 @@ ] } ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "BucketKey7092080A", - "Arn" - ] - } } ], "Version": "2012-10-17" 
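Review bot: The renamed `staging bucket with SSE-KMS encryption` test still asserts only `SSEAlgorithm: 'aws:kms'`, so a regression that creates a KMS key even for the S3_MANAGED default, or omits it for KMS, would pass both tests. Add a resource-count assertion to each, e.g. `resourceCountIs('AWS::KMS::Key', 1)` in the KMS test and `resourceCountIs('AWS::KMS::Key', 0)` in the default-encryption test above it, against the staging stack's template using whichever handle these tests already build (not visible in the hunk). The `describe` block continues outside the hunk.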
@@ -113,91 +97,6 @@ ] } }, - "BucketKey7092080A": { - "Type": "AWS::KMS::Key", - "Properties": { - "KeyPolicy": { - "Statement": [ - { - "Action": "kms:*", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - }, - "Resource": "*" - }, - { - "Action": [ - "kms:CancelKeyDeletion", - "kms:Create*", - "kms:Delete*", - "kms:Describe*", - "kms:Disable*", - "kms:Enable*", - "kms:Get*", - "kms:List*", - "kms:Put*", - "kms:Revoke*", - "kms:ScheduleKeyDeletion", - "kms:TagResource", - "kms:UntagResource", - "kms:Update*" - ], - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - }, - "Resource": "*" - } - ], - "Version": "2012-10-17" - } - }, - "UpdateReplacePolicy": "Retain", - "DeletionPolicy": "Retain" - }, - "BucketKeyAlias69A0886F": { - "Type": "AWS::KMS::Alias", - "Properties": { - "AliasName": "alias/cdk-default-resourcesmax-staging", - "TargetKeyId": { - "Fn::GetAtt": [ - "BucketKey7092080A", - "Arn" - ] - } - } - }, "CdkStagingBucket1636058C": { "Type": "AWS::S3::Bucket", "Properties": { @@ -205,13 +104,7 @@ "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { - "KMSMasterKeyID": { - "Fn::GetAtt": [ - "BucketKey7092080A", - "Arn" - ] - }, - "SSEAlgorithm": "aws:kms" + "SSEAlgorithm": "AES256" } } ] diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/cdk.out b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/cdk.out index c5cb2e5de6344..1f0068d32659a 100644 --- a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/cdk.out +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/cdk.out 
@@ -1 +1 @@ -{"version":"35.0.0"} \ No newline at end of file +{"version":"36.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/integ.json b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/integ.json index 4000c99e6da28..a6814ac222f55 100644 --- a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/integ.json +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/integ.json @@ -1,5 +1,5 @@ { - "version": "35.0.0", + "version": "36.0.0", "testCases": { "integ-tests/DefaultTest": { "stacks": [ diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/integtestsDefaultTestDeployAssert44C8D370.assets.json b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/integtestsDefaultTestDeployAssert44C8D370.assets.json index 5c520eaba3f94..50121024f8d99 100644 --- a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/integtestsDefaultTestDeployAssert44C8D370.assets.json +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/integtestsDefaultTestDeployAssert44C8D370.assets.json @@ -1,5 +1,5 @@ { - "version": "35.0.0", + "version": "36.0.0", "files": { "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { "source": { diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/manifest.json b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/manifest.json index 04aceb69e51d6..656a674bb8c37 100644 --- a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/manifest.json 
+++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/manifest.json @@ -1,5 +1,5 @@ { - "version": "35.0.0", + "version": "36.0.0", "artifacts": { "synthesize-default-resources.assets": { "type": "cdk:asset-manifest", @@ -95,18 +95,6 @@ "data": "CdkFileRoleDefaultPolicy621C7E5B" } ], - "/StagingStack-default-resourcesmax-ACCOUNT-REGION/BucketKey/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "BucketKey7092080A" - } - ], - "/StagingStack-default-resourcesmax-ACCOUNT-REGION/BucketKey/Alias/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "BucketKeyAlias69A0886F" - } - ], "/StagingStack-default-resourcesmax-ACCOUNT-REGION/CdkStagingBucket/Resource": [ { "type": "aws:cdk:logicalId", @@ -161,37 +149,19 @@ "data": "defaultresourcesmaxecrasset2904B88A7" } ], - "defaultresourcesmaxecrasset1AutoDeleteImagesCustomResource0FD7F0F5": [ - { - "type": "aws:cdk:logicalId", - "data": "defaultresourcesmaxecrasset1AutoDeleteImagesCustomResource0FD7F0F5", - "trace": [ - "!!DESTRUCTIVE_CHANGES: WILL_DESTROY" - ] - } - ], - "CustomECRAutoDeleteImagesCustomResourceProviderRole665F2773": [ - { - "type": "aws:cdk:logicalId", - "data": "CustomECRAutoDeleteImagesCustomResourceProviderRole665F2773", - "trace": [ - "!!DESTRUCTIVE_CHANGES: WILL_DESTROY" - ] - } - ], - "CustomECRAutoDeleteImagesCustomResourceProviderHandler8D89C030": [ + "BucketKey7092080A": [ { "type": "aws:cdk:logicalId", - "data": "CustomECRAutoDeleteImagesCustomResourceProviderHandler8D89C030", + "data": "BucketKey7092080A", "trace": [ "!!DESTRUCTIVE_CHANGES: WILL_DESTROY" ] } ], - "defaultresourcesmaxecrasset2AutoDeleteImagesCustomResource708714C1": [ + "BucketKeyAlias69A0886F": [ { "type": "aws:cdk:logicalId", - "data": "defaultresourcesmaxecrasset2AutoDeleteImagesCustomResource708714C1", + "data": "BucketKeyAlias69A0886F", "trace": [ "!!DESTRUCTIVE_CHANGES: WILL_DESTROY" ] 
diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/synthesize-default-resources.assets.json b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/synthesize-default-resources.assets.json index 07e6912263a9c..9d7431524f2cc 100644 --- a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/synthesize-default-resources.assets.json +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/synthesize-default-resources.assets.json @@ -1,5 +1,5 @@ { - "version": "35.0.0", + "version": "36.0.0", "files": { "68539effc3f7ad46fff9765606c2a01b7f7965833643ab37e62799f19a37f650": { "source": { diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/tree.json b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/tree.json index 4aee681c070e0..d16285819999c 100644 --- a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/tree.json +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/tree.json @@ -493,22 +493,6 @@ ] } ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "BucketKey7092080A", - "Arn" - ] - } } ], "Version": "2012-10-17" 
@@ -538,125 +522,6 @@ "version": "0.0.0" } }, - "BucketKey": { - "id": "BucketKey", - "path": "StagingStack-default-resourcesmax-ACCOUNT-REGION/BucketKey", - "children": { - "Resource": { - "id": "Resource", - "path": "StagingStack-default-resourcesmax-ACCOUNT-REGION/BucketKey/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::KMS::Key", - "aws:cdk:cloudformation:props": { - "keyPolicy": { - "Statement": [ - { - "Action": "kms:*", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - }, - "Resource": "*" - }, - { - "Action": [ - "kms:CancelKeyDeletion", - "kms:Create*", - "kms:Delete*", - "kms:Describe*", - "kms:Disable*", - "kms:Enable*", - "kms:Get*", - "kms:List*", - "kms:Put*", - "kms:Revoke*", - "kms:ScheduleKeyDeletion", - "kms:TagResource", - "kms:UntagResource", - "kms:Update*" - ], - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - }, - "Resource": "*" - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_kms.CfnKey", - "version": "0.0.0" - } - }, - "Alias": { - "id": "Alias", - "path": "StagingStack-default-resourcesmax-ACCOUNT-REGION/BucketKey/Alias", - "children": { - "Resource": { - "id": "Resource", - "path": "StagingStack-default-resourcesmax-ACCOUNT-REGION/BucketKey/Alias/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::KMS::Alias", - "aws:cdk:cloudformation:props": { - "aliasName": "alias/cdk-default-resourcesmax-staging", - "targetKeyId": { - "Fn::GetAtt": [ - "BucketKey7092080A", - "Arn" - ] - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_kms.CfnAlias", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_kms.Alias", - "version": "0.0.0" - } - } - }, - 
"constructInfo": { - "fqn": "aws-cdk-lib.aws_kms.Key", - "version": "0.0.0" - } - }, "CdkStagingBucket": { "id": "CdkStagingBucket", "path": "StagingStack-default-resourcesmax-ACCOUNT-REGION/CdkStagingBucket", @@ -671,13 +536,7 @@ "serverSideEncryptionConfiguration": [ { "serverSideEncryptionByDefault": { - "sseAlgorithm": "aws:kms", - "kmsMasterKeyId": { - "Fn::GetAtt": [ - "BucketKey7092080A", - "Arn" - ] - } + "sseAlgorithm": "AES256" } } ] @@ -933,7 +792,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.CustomResourceProvider", + "fqn": "aws-cdk-lib.CustomResourceProviderBase", "version": "0.0.0" } }, diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/StagingStack-default-resourcesmax-ACCOUNT-REGION.template.json b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.js.snapshot/StagingStack-default-resourcesmax-ACCOUNT-REGION.template.json similarity index 84% rename from packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/StagingStack-default-resourcesmax-ACCOUNT-REGION.template.json rename to packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.js.snapshot/StagingStack-default-resourcesmax-ACCOUNT-REGION.template.json index 94b5eb207a2e0..c8510eb0b2281 100644 --- a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/StagingStack-default-resourcesmax-ACCOUNT-REGION.template.json +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.js.snapshot/StagingStack-default-resourcesmax-ACCOUNT-REGION.template.json @@ -85,6 +85,22 @@ ] } ] + }, + { + "Action": [ + "kms:Decrypt", + "kms:DescribeKey", + "kms:Encrypt", + "kms:GenerateDataKey*", + "kms:ReEncrypt*" + ], + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "BucketKey7092080A", + "Arn" + ] + } } ], "Version": "2012-10-17" 
@@ -97,6 +113,91 @@ ] } }, + "BucketKey7092080A": { + "Type": "AWS::KMS::Key", + "Properties": { + "KeyPolicy": { + "Statement": [ + { + "Action": "kms:*", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + }, + "Resource": "*" + }, + { + "Action": [ + "kms:CancelKeyDeletion", + "kms:Create*", + "kms:Delete*", + "kms:Describe*", + "kms:Disable*", + "kms:Enable*", + "kms:Get*", + "kms:List*", + "kms:Put*", + "kms:Revoke*", + "kms:ScheduleKeyDeletion", + "kms:TagResource", + "kms:UntagResource", + "kms:Update*" + ], + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + }, + "Resource": "*" + } + ], + "Version": "2012-10-17" + } + }, + "UpdateReplacePolicy": "Retain", + "DeletionPolicy": "Retain" + }, + "BucketKeyAlias69A0886F": { + "Type": "AWS::KMS::Alias", + "Properties": { + "AliasName": "alias/cdk-default-resourcesmax-staging", + "TargetKeyId": { + "Fn::GetAtt": [ + "BucketKey7092080A", + "Arn" + ] + } + } + }, "CdkStagingBucket1636058C": { "Type": "AWS::S3::Bucket", "Properties": { @@ -104,7 +205,13 @@ "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { - "SSEAlgorithm": "AES256" + "KMSMasterKeyID": { + "Fn::GetAtt": [ + "BucketKey7092080A", + "Arn" + ] + }, + "SSEAlgorithm": "aws:kms" } } ] diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/cdk.out b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.js.snapshot/cdk.out similarity index 100% rename from packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/cdk.out rename to packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.js.snapshot/cdk.out 
diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/integ.json b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.js.snapshot/integ.json similarity index 100% rename from packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/integ.json rename to packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.js.snapshot/integ.json diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/integtestsDefaultTestDeployAssert44C8D370.assets.json b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.js.snapshot/integtestsDefaultTestDeployAssert44C8D370.assets.json similarity index 100% rename from packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/integtestsDefaultTestDeployAssert44C8D370.assets.json rename to packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.js.snapshot/integtestsDefaultTestDeployAssert44C8D370.assets.json diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/integtestsDefaultTestDeployAssert44C8D370.template.json b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.js.snapshot/integtestsDefaultTestDeployAssert44C8D370.template.json similarity index 100% rename from packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/integtestsDefaultTestDeployAssert44C8D370.template.json rename to packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.js.snapshot/integtestsDefaultTestDeployAssert44C8D370.template.json 
diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/manifest.json b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.js.snapshot/manifest.json similarity index 94% rename from packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/manifest.json rename to packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.js.snapshot/manifest.json index 675984ebcad5b..62df22203480a 100644 --- a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/manifest.json +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.js.snapshot/manifest.json @@ -57,6 +57,18 @@ "data": "CdkFileRoleDefaultPolicy621C7E5B" } ], + "/StagingStack-default-resourcesmax-ACCOUNT-REGION/BucketKey/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "BucketKey7092080A" + } + ], + "/StagingStack-default-resourcesmax-ACCOUNT-REGION/BucketKey/Alias/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "BucketKeyAlias69A0886F" + } + ], "/StagingStack-default-resourcesmax-ACCOUNT-REGION/CdkStagingBucket/Resource": [ { "type": "aws:cdk:logicalId", diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/synthesize-default-encryption.assets.json b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.js.snapshot/synthesize-default-encryption.assets.json similarity index 100% rename from packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/synthesize-default-encryption.assets.json rename to packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.js.snapshot/synthesize-default-encryption.assets.json 
diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/synthesize-default-encryption.template.json b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.js.snapshot/synthesize-default-encryption.template.json similarity index 100% rename from packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/synthesize-default-encryption.template.json rename to packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.js.snapshot/synthesize-default-encryption.template.json diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/tree.json b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.js.snapshot/tree.json similarity index 70% rename from packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/tree.json rename to packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.js.snapshot/tree.json index 871e7830afede..4c45484e156df 100644 --- a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/tree.json +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.js.snapshot/tree.json @@ -12,14 +12,14 @@ "id": "UsingAppStagingSynthesizer--synthesize-default-encryption", "path": "synthesize-default-encryption/UsingAppStagingSynthesizer--synthesize-default-encryption", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "@aws-cdk/app-staging-synthesizer-alpha.UsingAppStagingSynthesizer", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" } }, "StagingStack-default-resourcesmax-ACCOUNT-REGION": { 
@@ -34,8 +34,8 @@ "id": "ImportCdkFileRole", "path": "StagingStack-default-resourcesmax-ACCOUNT-REGION/CdkFileRole/ImportCdkFileRole", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" } }, "Resource": { @@ -85,8 +85,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_iam.CfnRole", + "version": "0.0.0" } }, "DefaultPolicy": { @@ -137,6 +137,22 @@ ] } ] + }, + { + "Action": [ + "kms:Decrypt", + "kms:DescribeKey", + "kms:Encrypt", + "kms:GenerateDataKey*", + "kms:ReEncrypt*" + ], + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "BucketKey7092080A", + "Arn" + ] + } } ], "Version": "2012-10-17" 
@@ -150,20 +166,139 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_iam.Policy", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_iam.Role", + "version": "0.0.0" + } + }, + "BucketKey": { + "id": "BucketKey", + "path": "StagingStack-default-resourcesmax-ACCOUNT-REGION/BucketKey", + "children": { + "Resource": { + "id": "Resource", + "path": "StagingStack-default-resourcesmax-ACCOUNT-REGION/BucketKey/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::KMS::Key", + "aws:cdk:cloudformation:props": { + "keyPolicy": { + "Statement": [ + { + "Action": "kms:*", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + }, + "Resource": "*" + }, + { + "Action": [ + "kms:CancelKeyDeletion", + "kms:Create*", + "kms:Delete*", + "kms:Describe*", + "kms:Disable*", + "kms:Enable*", + "kms:Get*", + "kms:List*", + "kms:Put*", + "kms:Revoke*", + "kms:ScheduleKeyDeletion", + "kms:TagResource", + "kms:UntagResource", + "kms:Update*" + ], + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + }, + "Resource": "*" + } + ], + "Version": "2012-10-17" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_kms.CfnKey", + "version": "0.0.0" + } + }, + "Alias": { + "id": "Alias", + "path": "StagingStack-default-resourcesmax-ACCOUNT-REGION/BucketKey/Alias", + "children": { + "Resource": { + "id": "Resource", + "path": "StagingStack-default-resourcesmax-ACCOUNT-REGION/BucketKey/Alias/Resource", + "attributes": { + 
"aws:cdk:cloudformation:type": "AWS::KMS::Alias", + "aws:cdk:cloudformation:props": { + "aliasName": "alias/cdk-default-resourcesmax-staging", + "targetKeyId": { + "Fn::GetAtt": [ + "BucketKey7092080A", + "Arn" + ] + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_kms.CfnAlias", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_kms.Alias", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_kms.Key", + "version": "0.0.0" } }, "CdkStagingBucket": { @@ -180,7 +315,13 @@ "serverSideEncryptionConfiguration": [ { "serverSideEncryptionByDefault": { - "sseAlgorithm": "AES256" + "sseAlgorithm": "aws:kms", + "kmsMasterKeyId": { + "Fn::GetAtt": [ + "BucketKey7092080A", + "Arn" + ] + } } } ] @@ -221,8 +362,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_s3.CfnBucket", + "version": "0.0.0" } }, "Policy": { @@ -374,14 +515,14 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_s3.CfnBucketPolicy", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_s3.BucketPolicy", + "version": "0.0.0" } }, "AutoDeleteObjectsCustomResource": { @@ -392,20 +533,20 @@ "id": "Default", "path": "StagingStack-default-resourcesmax-ACCOUNT-REGION/CdkStagingBucket/AutoDeleteObjectsCustomResource/Default", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.CfnResource", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.CustomResource", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_s3.Bucket", + "version": "0.0.0" } }, "Custom::S3AutoDeleteObjectsCustomResourceProvider": { 
@@ -416,28 +557,28 @@ "id": "Role", "path": "StagingStack-default-resourcesmax-ACCOUNT-REGION/Custom::S3AutoDeleteObjectsCustomResourceProvider/Role", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.CfnResource", + "version": "0.0.0" } }, "Handler": { "id": "Handler", "path": "StagingStack-default-resourcesmax-ACCOUNT-REGION/Custom::S3AutoDeleteObjectsCustomResourceProvider/Handler", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.CfnResource", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.CustomResourceProviderBase", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "@aws-cdk/app-staging-synthesizer-alpha.DefaultStagingStack", + "version": "0.0.0" } }, "integ-tests": { @@ -464,22 +605,22 @@ "id": "BootstrapVersion", "path": "integ-tests/DefaultTest/DeployAssert/BootstrapVersion", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" } }, "CheckBootstrapVersion": { "id": "CheckBootstrapVersion", "path": "integ-tests/DefaultTest/DeployAssert/CheckBootstrapVersion", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" } } }, @@ -504,8 +645,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.App", + "version": "0.0.0" } } } \ No newline at end of file 
diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.ts b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.ts similarity index 78% rename from packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.ts rename to packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.ts index b094351f94938..f73aae359ac95 100644 --- a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.ts +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.ts @@ -10,10 +10,10 @@ const app = new App({ }, }); -const stackDefaultEncryption = new Stack(app, 'synthesize-default-encryption', { +const stackKmsEncryption = new Stack(app, 'synthesize-default-encryption', { synthesizer: AppStagingSynthesizer.defaultResources({ appId: APP_ID_MAX, // this has implications on the overall template size - stagingBucketEncryption: BucketEncryption.S3_MANAGED, + stagingBucketEncryption: BucketEncryption.KMS, }), }); @@ -23,7 +23,7 @@ if (!defaultStagingStack) { } new integ.IntegTest(app, 'integ-tests', { - testCases: [defaultStagingStack, stackDefaultEncryption], + testCases: [defaultStagingStack, stackKmsEncryption], }); app.synth();
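Review bot: The file is renamed to `integ.synth-kms-encryption.ts` and the variable to `stackKmsEncryption`, but the stack id on the same line stays `'synthesize-default-encryption'`, so the artifacts in the new `integ.synth-kms-encryption.js.snapshot` directory (`synthesize-default-encryption.assets.json`, the `synthesize-default-encryption/...` tree paths) still carry the old name. Either rename the id to `'synthesize-kms-encryption'` and regenerate the snapshot, noting that this replaces the stack in any account where the integ test was deployed, or keep the id and add a comment such as `// stack id intentionally unchanged so the deployed integ stack is not replaced`. The test-case list change in the second hunk is consistent with the rename.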