
AWS SNS CDK: Allow referencing managed KMS keys #31012

Open
2 tasks
ll-michael opened this issue Aug 2, 2024 · 4 comments
Labels
@aws-cdk/aws-sns Related to Amazon Simple Notification Service effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. p2

Comments

@ll-michael

ll-michael commented Aug 2, 2024

Describe the feature

The CDK does not support referencing AWS managed KMS keys associated with SNS topics that have EnforceSSL set to true. This diverges from CDK behavior with S3, which allows referencing encryption keys that are associated with buckets with KMS encryption enabled.

Use Case

I would like to reference AWS managed SNS keys associated with SNS topics in the CDK. This allows other CDK resources, such as IAM policies, to reference the KMS key.

Proposed Solution

Add a property to CDK SNS topics to return the AWS managed KMS key.

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.150.0

Environment details (OS name and version, etc.)

NA

@ll-michael ll-michael added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Aug 2, 2024
@github-actions github-actions bot added the @aws-cdk/aws-sns Related to Amazon Simple Notification Service label Aug 2, 2024
@ashishdhingra ashishdhingra self-assigned this Aug 5, 2024
@ashishdhingra ashishdhingra added p2 investigating This issue is being investigated and/or work is in progress to resolve the issue. and removed needs-triage This issue or PR still needs to be triaged. labels Aug 5, 2024
@ashishdhingra
Contributor

@ll-michael Good morning. Thanks for opening the issue. If you refer to the construct props for Topic, it does support the masterKey property, which maps to the AWS::SNS::Topic KmsMasterKeyId property. Please check if this is the property you are looking for.

Thanks,
Ashish

@ashishdhingra ashishdhingra added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed investigating This issue is being investigated and/or work is in progress to resolve the issue. labels Aug 5, 2024
@ll-michael
Author

Hello Anish,

While the S3 and SNS CDK both support passing iam keys to construct an item, the SNS CDK does not support referencing an encryption/master key as part of its properties after creation.

This behavior diverges from the S3 CDK, which supports referencing an S3 encryption key property.

Is there an SNS CDK property that allows referencing iam keys after creation?

Best,
Michael

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Aug 5, 2024
@ashishdhingra
Contributor

ashishdhingra commented Aug 6, 2024

The feature should perhaps expose a public readonly property named masterKey in Topic class.

Normally the L2 construct public properties are exposed based on the underlying return values specified in CloudFormation resource specification.

  • For AWS::SNS::Topic, KmsMasterKeyId is not one of the return values.
  • However, AWS::S3::Bucket also doesn't document encryptionKey as one of its return values. This is possibly because it is more opinionated.

This feature needs to be discussed with the team.

@ll-michael Could you please elaborate on your case for needing such a property, when the value for masterKey would have been defined in the constructor properties from some configuration and is already accessible?

@ashishdhingra ashishdhingra added the effort/small Small work item – less than a day of effort label Aug 6, 2024
@ashishdhingra ashishdhingra removed their assignment Aug 6, 2024
@ll-michael
Author

The AWS CDK is an approximate superset of CloudFormation. While I am not familiar with the inner workings of the AWS CDK, I imagine it makes API calls to determine information, such as encryption keys, not included in the CloudFormation response.

Got it. The feature should perhaps expose a public readonly property named masterKey in Topic class.

Yes, including a master key property in the CDK SNS construct is recommended.
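The thread turns on two facts: the Topic construct's masterKey prop becomes the KmsMasterKeyId property of AWS::SNS::Topic in the synthesized template, and the construct does not hand the key back afterwards, so anyone who wants to check what a stack actually deploys has to look at the template. The following is an added example, not code from this issue or from the aws-cdk project: a plain TypeScript audit of a synthesized CloudFormation template (the JSON that cdk synth writes) that reports, per SNS topic, whether KmsMasterKeyId is set, whether it points at the AWS managed key (the literal alias/aws/sns, whose key policy cannot be edited, so other AWS services cannot publish to the topic and cross-account access cannot be granted), and whether a TopicPolicy denies publishing over plain HTTP (the statement the enforceSSL prop produces). The template, resource names and the helper functions are all constructed for this example.

```typescript
// Added example, not code from the aws-cdk project or from this issue.
// Audits a synthesized CloudFormation template for SNS topic encryption and
// TLS-enforcement settings. All resource names below are constructed.

interface CfnResource { Type: string; Properties?: { [key: string]: any } }
interface CfnTemplate { Resources: { [logicalId: string]: CfnResource } }

interface TopicFinding {
  logicalId: string;
  keyRef: string | null;    // "alias/aws/sns", "Ref:<id>", "GetAtt:<id>.<attr>", or null
  encrypted: boolean;       // KmsMasterKeyId is present
  awsManagedKey: boolean;   // AWS managed key: fixed policy, no cross-account or service publishers
  enforcesSsl: boolean;     // a TopicPolicy denies the topic when aws:SecureTransport is false
}

// Render the KmsMasterKeyId value (literal, Ref or Fn::GetAtt) as a short string.
function describeKeyRef(value: any): string | null {
  if (typeof value === "string") return value;
  if (value && typeof value === "object") {
    if (typeof value.Ref === "string") return "Ref:" + value.Ref;
    if (Array.isArray(value["Fn::GetAtt"])) return "GetAtt:" + value["Fn::GetAtt"].join(".");
  }
  return null;
}

// True when some AWS::SNS::TopicPolicy attached to the topic carries a Deny
// statement conditioned on aws:SecureTransport being false.
function topicHasSslDeny(template: CfnTemplate, topicId: string): boolean {
  const ids = Object.keys(template.Resources);
  for (let i = 0; i < ids.length; i++) {
    const res = template.Resources[ids[i]];
    if (res.Type !== "AWS::SNS::TopicPolicy" || !res.Properties) continue;
    const topics: any[] = res.Properties.Topics || [];
    if (!topics.some(t => t && t.Ref === topicId)) continue;
    const statements: any[] = (res.Properties.PolicyDocument || {}).Statement || [];
    for (let j = 0; j < statements.length; j++) {
      const s = statements[j];
      const secure = s.Condition && s.Condition.Bool && s.Condition.Bool["aws:SecureTransport"];
      if (s.Effect === "Deny" && String(secure) === "false") return true;
    }
  }
  return false;
}

function auditSnsTopics(template: CfnTemplate): TopicFinding[] {
  const findings: TopicFinding[] = [];
  const ids = Object.keys(template.Resources);
  for (let i = 0; i < ids.length; i++) {
    const res = template.Resources[ids[i]];
    if (res.Type !== "AWS::SNS::Topic") continue;
    const keyRef = describeKeyRef(res.Properties ? res.Properties.KmsMasterKeyId : undefined);
    findings.push({
      logicalId: ids[i],
      keyRef: keyRef,
      encrypted: keyRef !== null,
      awsManagedKey: keyRef === "alias/aws/sns",
      enforcesSsl: topicHasSslDeny(template, ids[i]),
    });
  }
  return findings;
}

// Topics a reviewer should look at: unencrypted, on the AWS managed key, or not enforcing TLS.
function topicsNeedingAttention(template: CfnTemplate): string[] {
  return auditSnsTopics(template)
    .filter(f => !f.encrypted || f.awsManagedKey || !f.enforcesSsl)
    .map(f => f.logicalId);
}

// Constructed sample template: one topic on a customer managed key with an SSL
// deny policy, one on the AWS managed key, one unencrypted.
const sampleTemplate: CfnTemplate = {
  Resources: {
    OrdersKey: { Type: "AWS::KMS::Key", Properties: { EnableKeyRotation: true } },
    OrdersTopic: { Type: "AWS::SNS::Topic", Properties: { KmsMasterKeyId: { Ref: "OrdersKey" } } },
    OrdersTopicPolicy: {
      Type: "AWS::SNS::TopicPolicy",
      Properties: {
        Topics: [{ Ref: "OrdersTopic" }],
        PolicyDocument: {
          Version: "2012-10-17",
          Statement: [{
            Effect: "Deny", Principal: { AWS: "*" }, Action: "sns:Publish",
            Resource: { Ref: "OrdersTopic" },
            Condition: { Bool: { "aws:SecureTransport": "false" } },
          }],
        },
      },
    },
    AlertsTopic: { Type: "AWS::SNS::Topic", Properties: { KmsMasterKeyId: "alias/aws/sns" } },
    LegacyTopic: { Type: "AWS::SNS::Topic", Properties: { DisplayName: "legacy" } },
  },
};

console.log(JSON.stringify(auditSnsTopics(sampleTemplate), null, 2));
console.log("needs attention:", topicsNeedingAttention(sampleTemplate).join(", "));
```

Run it against the output of cdk synth instead of the constructed template to see what a stack really deploys; the check is deliberately independent of the CDK API, which is what makes it useful while the construct does not expose the key.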
