aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code

Home Page:https://aws.amazon.com/cdk


CDK: EventBridge Rule with an SqsQueue, KMS_MANAGED encryption target doesn't error

cmorikuni-aon opened this issue · comments

Describe the bug

Setting up EventBridge with a rule to a KMS_MANAGED SQS queue is invalid according to: https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-key-management.html#sqs-what-permissions-for-sse

CDK synth should error out and force the developer to configure SQS using a customer master key

Expected Behavior

For CDK synth to error out

Current Behavior

Allows the configuration to synth and be pushed. No warning or logs are provided that make users aware of this behavior except the documentation.

Reproduction Steps

  1. An SQS queue cannot use KMS_MANAGED encryption when using AWS services as an event source.
  2. aws_events_targets calls grantSendMessages on the Queue expecting this to grant all of the required permissions. (https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-events-targets/lib/sqs.ts#L72)
  3. grantSendMessages only configures grantEncryptDecrypt if the queue has a CMK and an encryptionMasterKey property. (https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-sqs/lib/queue-base.ts#L228) (The key policy for a KMS managed key cannot be configured and does not include this permission.)
  4. In the case of a KMS_MANAGED queue, encryptionMasterKey is unset. https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-sqs/lib/queue.ts#L482
     "An SQS queue cannot use KMS_MANAGED encryption when using AWS services as an event source." (https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-key-management.html#sqs-what-permissions-for-sse)

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.135

Framework Version

No response

Node.js Version

v16.17.1

OS

Macos 14.5

Language

Python

Language Version

No response

Other information

No response
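The gap described in the reproduction steps can be caught after `cdk synth` by linting the emitted template. The following is an added example, not code from the aws-cdk project or from the reporter: a Python script that walks a CloudFormation template for AWS::Events::Rule targets that resolve (via Fn::GetAtt) to an AWS::SQS::Queue whose KmsMasterKeyId is alias/aws/sqs, the value CDK writes for QueueEncryption.KMS_MANAGED. The embedded template, its logical IDs and the script name check_sqs_targets.py are constructed for the example.

```python
"""Added example: lint a synthesized CloudFormation template for EventBridge
rules whose SQS target is encrypted with the AWS-managed SQS key.

CDK emits KmsMasterKeyId "alias/aws/sqs" for QueueEncryption.KMS_MANAGED; the
policy of that key cannot be edited to admit events.amazonaws.com, so the rule
synthesizes cleanly but delivery fails at runtime. Run this over
cdk.out/*.template.json after `cdk synth`. The template below is constructed.
"""
import json
import sys
from typing import Any, Dict, List, Optional

# Value CDK writes for QueueEncryption.KMS_MANAGED (AWS-managed key, fixed policy).
AWS_MANAGED_SQS_KEY = "alias/aws/sqs"


def sqs_target_logical_id(arn: Any) -> Optional[str]:
    """Return the queue's logical ID when a target Arn is Fn::GetAtt [Queue, Arn].

    CDK wires an SqsQueue target this way. A literal ARN string (a queue
    defined outside this template) cannot be inspected here and yields None.
    """
    if isinstance(arn, dict) and "Fn::GetAtt" in arn:
        att = arn["Fn::GetAtt"]
        if isinstance(att, list) and len(att) == 2 and att[1] == "Arn":
            return att[0]
        if isinstance(att, str) and att.endswith(".Arn"):  # short form "Queue.Arn"
            return att[: -len(".Arn")]
    return None


def find_kms_managed_sqs_targets(template: Dict[str, Any]) -> List[Dict[str, Any]]:
    """One finding per AWS::Events::Rule target pointing at an AWS::SQS::Queue
    whose KmsMasterKeyId is the AWS-managed SQS key. Queues using SSE-SQS
    (SqsManagedSseEnabled) or a customer-managed key (Ref/ARN of an
    AWS::KMS::Key) are not reported.
    """
    resources = template.get("Resources", {})
    findings = []
    for rule_id, rule in resources.items():
        if rule.get("Type") != "AWS::Events::Rule":
            continue
        for target in rule.get("Properties", {}).get("Targets", []):
            queue_id = sqs_target_logical_id(target.get("Arn"))
            if queue_id is None:
                continue
            queue = resources.get(queue_id, {})
            if queue.get("Type") != "AWS::SQS::Queue":
                continue
            key_id = queue.get("Properties", {}).get("KmsMasterKeyId")
            if key_id == AWS_MANAGED_SQS_KEY:
                findings.append({"rule": rule_id, "target": target.get("Id"),
                                 "queue": queue_id, "kms_master_key_id": key_id})
    return findings


def _rule(queue_id: str) -> Dict[str, Any]:
    """Constructed AWS::Events::Rule targeting the given queue, as CDK emits it."""
    return {"Type": "AWS::Events::Rule", "Properties": {
        "ScheduleExpression": "rate(5 minutes)",
        "Targets": [{"Arn": {"Fn::GetAtt": [queue_id, "Arn"]}, "Id": "Target0"}]}}


# Constructed template: the three encryption choices, each behind its own rule.
# Only the KMS_MANAGED queue should be reported.
SAMPLE_TEMPLATE: Dict[str, Any] = {"Resources": {
    # Queue(encryption=QueueEncryption.KMS_MANAGED)
    "ManagedKeyQueue": {"Type": "AWS::SQS::Queue",
                        "Properties": {"KmsMasterKeyId": "alias/aws/sqs"}},
    "CustomerKey": {"Type": "AWS::KMS::Key", "Properties": {
        "KeyPolicy": {"Version": "2012-10-17", "Statement": []}}},
    # Queue(encryption=QueueEncryption.KMS, encryption_master_key=key)
    "CmkQueue": {"Type": "AWS::SQS::Queue",
                 "Properties": {"KmsMasterKeyId": {"Ref": "CustomerKey"}}},
    # Queue(encryption=QueueEncryption.SQS_MANAGED)
    "SseSqsQueue": {"Type": "AWS::SQS::Queue",
                    "Properties": {"SqsManagedSseEnabled": True}},
    "ManagedKeyRule": _rule("ManagedKeyQueue"),
    "CmkRule": _rule("CmkQueue"),
    "SseSqsRule": _rule("SseSqsQueue"),
}}


if __name__ == "__main__":
    # Usage: python check_sqs_targets.py [cdk.out/MyStack.template.json ...]
    paths = sys.argv[1:]
    templates = []
    for p in paths:
        with open(p) as fh:
            templates.append(json.load(fh))
    if not templates:
        templates = [SAMPLE_TEMPLATE]
    problems = [f for t in templates for f in find_kms_managed_sqs_targets(t)]
    for f in problems:
        print(f"{f['rule']} -> {f['queue']}: target uses {f['kms_master_key_id']}; "
              "EventBridge cannot use the AWS-managed key, use SSE-SQS or a CMK")
    sys.exit(1 if problems else 0)
```

A queue with a customer-managed key passes this check on the assumption that its key policy admits events.amazonaws.com, which is what grantEncryptDecrypt arranges when encryptionMasterKey is set (step 3 of the reproduction above). The same walk could be written as a CDK Aspect over the construct tree, but the template check needs no CDK install and can run in CI against the cdk.out directory.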

@cmorikuni-aon Good afternoon. Would it be possible for you to share minimal, self-contained code to help us quickly troubleshoot the issue?

Thanks,
Ashish

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one.