fix(sns): for SSE topics, add KMS permissions in grantPublish #32794
Conversation
github-actions
bot
added
beginning-contributor
There was a problem hiding this comment.
The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.
A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.
github-actions
bot
added
bug
lightningboltemoji
force-pushed
the
sns-kms
branch
4 times, most recently
from
a45469a to
24f6412
Compare
aws-cdk-automation
dismissed
their stale review
✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.
aws-cdk-automation
added
the
pr/needs-community-review
| grantee, | ||
| actions: ['sns:Publish'], | ||
| resourceArns: [this.topicArn], | ||
| resource: this, | ||
| }); | ||
| if (this.masterKey) { | ||
| this.masterKey.grantEncryptDecrypt(grantee); |
There was a problem hiding this comment.
| this.masterKey.grantEncryptDecrypt(grantee); | |
| this.masterKey.grant(grantee, 'kms:Decrypt', 'kms:GenerateDataKey*') |
We should be fine without kms:Encrypt and kms:ReEncrypt.
There was a problem hiding this comment.
Sounds good, thanks!
| importedTopic2.grantPublish(publishRole); | ||
|
|
||
| // Can import encrypted topic by attributes | ||
| const topic3 = new Topic(this, 'MyTopic3', { |
There was a problem hiding this comment.
Couldn't we import topic2 instead?
There was a problem hiding this comment.
Sorry, not sure I understand the suggestion, do you mean topic? I can try to provide some of my thinking here:
- The existing test is showing a non-functional example.
importedTopicisn't aware there's a KMS key sograntPublishdoesn't work. - I unencrypted
topic2, so that importing withfromTopicArnand callinggrantPublishdoes work. - That left me wanting to import an encrypted topic, so I created
topic3and usedfromTopicAttributes, testing the same basic flow.
topic is encrypted and could be used for importing... it's just created up higher, and it felt like we'd moved on from it flow-wise.
I'm not totally sure what the norm is here, so your guidance is appreciated!
There was a problem hiding this comment.
Thanks for clarifying 👍 Your implementation makes sense as is
| @@ -25,6 +26,13 @@ export interface ITopic extends IResource, notifications.INotificationRuleTarget | |||
| */ | |||
| readonly topicName: string; | |||
|
|
|||
| /** | |||
| * A KMS Key, either managed by this CDK app, or imported. | |||
| * | |||
There was a problem hiding this comment.
| * | |
| * | |
| * This property applies only to server-side encryption. | |
| * | |
| * @see https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html |
lightningboltemoji
force-pushed
the
sns-kms
branch
from
24f6412 to
e0ee009
Compare
lightningboltemoji
force-pushed
the
sns-kms
branch
from
e0ee009 to
469a884
Compare
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
aws-cdk-automation
removed
the
pr/needs-community-review
| importedTopic2.grantPublish(publishRole); | ||
|
|
||
| // Can import encrypted topic by attributes | ||
| const topic3 = new Topic(this, 'MyTopic3', { |
There was a problem hiding this comment.
Thanks for clarifying 👍 Your implementation makes sense as is
aws-cdk-automation
added
the
pr/needs-maintainer-review
moelasmar
added
the
needs-security-review
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #32794 +/- ##
=======================================
Coverage 81.38% 81.38%
=======================================
Files 222 222
Lines 13695 13695
Branches 2412 2412
=======================================
Hits 11145 11145
Misses 2271 2271
Partials 279 279
Flags with carried forward coverage won't be shown. Click here to find out more.
|
Issue # (if applicable)
Fixes #18387, #31012, #24848
Pre-requisite for #16271, #29511
Reason for this change
For SNS topics with SSE enabled, the grants added by
grantPublishare insufficient, since they don't include any KMS actions.The SNS docs discuss what's required to publish to an encrypted topic here (
sns:Publish,kms:Decrypt,kms:GenerateKeyData*).Description of changes
I used the SQS queue implementation as a reference, since it's configured similarly, etc.
Topic#grantPublishgrantkms:Decrypt+kms:GenerateKeyData*grantEncryptDecrypt(but I have no preference -- just let me know what's best)masterKeyas a property ofITopicso callers can access it after creationDescribe any new or updated permissions being added
(Discussed above)
Description of how you validated changes
yarn integ test/aws-sns/test/integ.sns.js --update-on-failedChecklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license