CDK: EventBridge Rule with an SqsQueue, KMS_MANAGED encryption target doesn't error
cmorikuni-aon opened this issue
Describe the bug
Setting up EventBridge with a rule to a KMS_MANAGED SQS queue is invalid according to: https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-key-management.html#sqs-what-permissions-for-sse
CDK synth should error out and force the developer to configure SQS using a customer master key
Expected Behavior
For CDK synth to error out
Current Behavior
Allows the configuration to synth and be pushed. No warning or logs are provided that make users aware of this behavior except the documentation.
Reproduction Steps
- An SQS queue cannot use KMS_MANAGED encryption when using AWS services as an event source.
- `aws_events_targets` calls `grantSendMessages` on the Queue expecting this to grant all of the required permissions. (https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-events-targets/lib/sqs.ts#L72)
- `grantSendMessages` only configures `grantEncryptDecrypt` if the queue has a CMK and an `encryptionMasterKey` property. (https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-sqs/lib/queue-base.ts#L228) (The key policy for a KMS managed key cannot be configured and does not include this permission.)
- In the case of a KMS_MANAGED queue, `encryptionMasterKey` is unset. (https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-sqs/lib/queue.ts#L482)

[An SQS queue cannot use KMS_MANAGED encryption when using AWS services as an event source.](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-key-management.html#sqs-what-permissions-for-sse)
Possible Solution
No response
Additional Information/Context
No response
CDK CLI Version
2.135
Framework Version
No response
Node.js Version
v16.17.1
OS
Macos 14.5
Language
Python
Language Version
No response
Other information
No response
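A post-synth check for the gap described in this issue, added here as an example and not part of CDK or the reporter's code: it scans a CloudFormation template of the shape `cdk synth` emits, where `QueueEncryption.KMS_MANAGED` becomes `KmsMasterKeyId: alias/aws/sqs`, and reports every `AWS::Events::Rule` target that points at such a queue. The template below is constructed sample data and its logical ids are invented; pass a real `cdk.out/*.template.json` path as the first argument to scan your own stack.

```python
import json
import sys

# Constructed CloudFormation fragment mimicking `cdk synth` output (sample data, not real
# infrastructure): one queue with QueueEncryption.KMS_MANAGED, which CDK renders as the
# AWS-managed key alias "alias/aws/sqs", and one queue with a customer-managed key.
SAMPLE_TEMPLATE = {
    "Resources": {
        "ManagedQueue": {"Type": "AWS::SQS::Queue",
                         "Properties": {"KmsMasterKeyId": "alias/aws/sqs"}},
        "CmkQueue": {"Type": "AWS::SQS::Queue",
                     "Properties": {"KmsMasterKeyId": {"Ref": "Key961B73FD"}}},
        "Key961B73FD": {"Type": "AWS::KMS::Key", "Properties": {}},
        "Rule4C995B7F": {"Type": "AWS::Events::Rule", "Properties": {
            "ScheduleExpression": "rate(5 minutes)", "State": "ENABLED",
            "Targets": [
                {"Arn": {"Fn::GetAtt": ["ManagedQueue", "Arn"]}, "Id": "Target0"},
                {"Arn": {"Fn::GetAtt": ["CmkQueue", "Arn"]}, "Id": "Target1"},
            ]}},
    }
}

def _target_logical_id(arn):
    """Resolve a target Arn to a logical resource id when it is an intrinsic reference."""
    if isinstance(arn, dict):
        if "Fn::GetAtt" in arn:
            return arn["Fn::GetAtt"][0]
        if "Ref" in arn:
            return arn["Ref"]
    return None  # literal ARN string: points outside this template, not checked here

def find_kms_managed_sqs_targets(template):
    """Return (rule_id, target_id, queue_id) for every EventBridge rule target whose
    queue is encrypted with an AWS-managed KMS key (alias/aws/...), whose key policy
    cannot be edited to let events.amazonaws.com encrypt messages."""
    resources = template.get("Resources", {})
    findings = []
    for rule_id, rule in resources.items():
        if rule.get("Type") != "AWS::Events::Rule":
            continue
        for target in rule.get("Properties", {}).get("Targets", []):
            queue = resources.get(_target_logical_id(target.get("Arn")), {})
            if queue.get("Type") != "AWS::SQS::Queue":
                continue
            key_id = queue.get("Properties", {}).get("KmsMasterKeyId")
            if isinstance(key_id, str) and key_id.startswith("alias/aws/"):
                findings.append((rule_id, target.get("Id"), _target_logical_id(target["Arn"])))
    return findings

if __name__ == "__main__":
    template = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    for rule_id, target_id, queue_id in find_kms_managed_sqs_targets(template):
        print(f"{rule_id} target {target_id}: queue {queue_id} uses an AWS-managed KMS key; "
              "use a customer-managed key whose policy grants events.amazonaws.com")
```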
@cmorikuni-aon Good afternoon. Would it be possible for you to share minimal self contained code to help us quickly troubleshoot the issue?
Thanks,
Ashish
This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.
Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one.