From 630110f4cd5bed3641c88b34acb578d72d50c897 Mon Sep 17 00:00:00 2001 From: Gavin Zhang Date: Fri, 1 Mar 2024 02:20:02 +0800 Subject: [PATCH 1/5] fix(kms): kms key grant methods misidentify region when enclosing stack is different region --- packages/aws-cdk-lib/aws-kms/lib/key.ts | 6 ++-- packages/aws-cdk-lib/aws-kms/test/key.test.ts | 36 +++++++++++++++++++ 2 files changed, 40 insertions(+), 2 deletions(-) diff --git a/packages/aws-cdk-lib/aws-kms/lib/key.ts b/packages/aws-cdk-lib/aws-kms/lib/key.ts index 1f2c13e0615c7..a941790ace21b 100644 --- a/packages/aws-cdk-lib/aws-kms/lib/key.ts +++ b/packages/aws-cdk-lib/aws-kms/lib/key.ts @@ -261,8 +261,9 @@ abstract class KeyBase extends Resource implements IKey { return false; } const bucketStack = Stack.of(this); + const region = this.env.region ?? bucketStack.region; const identityStack = Stack.of(grantee.grantPrincipal); - return bucketStack.region !== identityStack.region; + return region !== identityStack.region; } private isGranteeFromAnotherAccount(grantee: iam.IGrantable): boolean { @@ -270,8 +271,9 @@ abstract class KeyBase extends Resource implements IKey { return false; } const bucketStack = Stack.of(this); + const account = this.env.account ?? bucketStack.account; const identityStack = Stack.of(grantee.grantPrincipal); - return bucketStack.account !== identityStack.account; + return account !== identityStack.account; } } diff --git a/packages/aws-cdk-lib/aws-kms/test/key.test.ts b/packages/aws-cdk-lib/aws-kms/test/key.test.ts index 9c0ce901dd910..f46681ef3683d 100644 --- a/packages/aws-cdk-lib/aws-kms/test/key.test.ts +++ b/packages/aws-cdk-lib/aws-kms/test/key.test.ts 
@@ -81,6 +81,42 @@ describe('key policies', () => { }); }); + test('cross region key with iam role grant', () => { + const app = new cdk.App(); + const stack = new cdk.Stack(app, 'test-stack', { env: { account: '123456789012', region: 'us-west-2' } }); + const key = kms.Key.fromKeyArn( + stack, + 'Key', + 'arn:aws:kms:eu-north-1:123412341234:key/e3ab59e5-3dc3-4bc4-9c3f-c790231d2287', + ); + + const roleStack = new cdk.Stack(app, 'RoleStack', { + env: { account: '123412341234', region: 'eu-north-1' }, + }); + const role = new iam.Role(roleStack, 'Role', { + assumedBy: new iam.AccountPrincipal('123456789012'), + }); + key.grantEncryptDecrypt(role); + + Template.fromStack(roleStack).hasResourceProperties('AWS::IAM::Policy', { + PolicyDocument: { + Statement: [ + { + Action: [ + 'kms:Decrypt', + 'kms:Encrypt', + 'kms:GenerateDataKey*', + 'kms:ReEncrypt*', + ], + Effect: 'Allow', + Resource: 'arn:aws:kms:eu-north-1:123412341234:key/e3ab59e5-3dc3-4bc4-9c3f-c790231d2287', + }, + ], + Version: '2012-10-17', + }, + }); + }); + test('can append to the default key policy', () => { const stack = new cdk.Stack(); const statement = new iam.PolicyStatement({ resources: ['*'], actions: ['kms:Put*'] }); From 29edc2bdfe516a148e3962266b112209a5949229 Mon Sep 17 00:00:00 2001 From: Gavin Zhang Date: Fri, 1 Mar 2024 03:03:28 +0800 Subject: [PATCH 2/5] Update tests --- packages/aws-cdk-lib/aws-kms/lib/key.ts | 10 ++++++---- packages/aws-cdk-lib/aws-kms/test/key.test.ts | 10 ++-------- 2 files changed, 8 insertions(+), 12 deletions(-) diff --git a/packages/aws-cdk-lib/aws-kms/lib/key.ts b/packages/aws-cdk-lib/aws-kms/lib/key.ts index a941790ace21b..9e6d18656eed0 100644 --- a/packages/aws-cdk-lib/aws-kms/lib/key.ts +++ b/packages/aws-cdk-lib/aws-kms/lib/key.ts 
@@ -261,9 +261,10 @@ abstract class KeyBase extends Resource implements IKey { return false; } const bucketStack = Stack.of(this); - const region = this.env.region ?? bucketStack.region; const identityStack = Stack.of(grantee.grantPrincipal); - return region !== identityStack.region; + // if two compared stacks have the same region, this should return 'false' since it's from the + // same region; if two stacks have different region, then compare env.region + return bucketStack.region !== identityStack.region && this.env.region !== identityStack.region; } private isGranteeFromAnotherAccount(grantee: iam.IGrantable): boolean { @@ -271,9 +272,10 @@ abstract class KeyBase extends Resource implements IKey { return false; } const bucketStack = Stack.of(this); - const account = this.env.account ?? bucketStack.account; const identityStack = Stack.of(grantee.grantPrincipal); - return account !== identityStack.account; + // if two compared stacks have the same region, this should return 'false' since it's from the + // same region; if two stacks have different region, then compare env.account + return bucketStack.account !== identityStack.account && this.env.account !== identityStack.account; } } diff --git a/packages/aws-cdk-lib/aws-kms/test/key.test.ts b/packages/aws-cdk-lib/aws-kms/test/key.test.ts index f46681ef3683d..261ebf7e33e58 100644 --- a/packages/aws-cdk-lib/aws-kms/test/key.test.ts +++ b/packages/aws-cdk-lib/aws-kms/test/key.test.ts @@ -83,7 +83,7 @@ describe('key policies', () => { test('cross region key with iam role grant', () => { const app = new cdk.App(); - const stack = new cdk.Stack(app, 'test-stack', { env: { account: '123456789012', region: 'us-west-2' } }); + const stack = new cdk.Stack(app, 'test-stack', { env: { account: '123412341234', region: 'us-west-2' } }); const key = kms.Key.fromKeyArn( stack, 'Key', 
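Review bot: The comment added above the new return in `isGranteeFromAnotherAccount` (second hunk) is a copy of the region comment — it says "same region" and "compare env.region" while the line under it compares accounts; it should read `// if the two stacks share an account this is 'false'; otherwise also compare this key's own env.account`. Both comments also describe the rule as "same region, return false" but do not say what the `&&` actually buys: the grantee is now treated as cross-environment only when it disagrees with both the enclosing stack and the key's own env, so the `'*'` resource fallback can only become rarer than before, never more common — that is the security property of this change and deserves to be stated in the comment. The enclosing class `KeyBase` starts and ends outside the hunk.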
@@ -94,7 +94,7 @@ describe('key policies', () => { env: { account: '123412341234', region: 'eu-north-1' }, }); const role = new iam.Role(roleStack, 'Role', { - assumedBy: new iam.AccountPrincipal('123456789012'), + assumedBy: new iam.AccountPrincipal('123412341234'), }); key.grantEncryptDecrypt(role); @@ -102,12 +102,6 @@ describe('key policies', () => { PolicyDocument: { Statement: [ { - Action: [ - 'kms:Decrypt', - 'kms:Encrypt', - 'kms:GenerateDataKey*', - 'kms:ReEncrypt*', - ], Effect: 'Allow', Resource: 'arn:aws:kms:eu-north-1:123412341234:key/e3ab59e5-3dc3-4bc4-9c3f-c790231d2287', }, From efa6690bdd994431c58d38e1fdbf2e46902caffe Mon Sep 17 00:00:00 2001 From: Gavin Zhang Date: Fri, 1 Mar 2024 03:11:30 +0800 Subject: [PATCH 3/5] update secret in test --- packages/aws-cdk-lib/aws-kms/test/key.test.ts | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/packages/aws-cdk-lib/aws-kms/test/key.test.ts b/packages/aws-cdk-lib/aws-kms/test/key.test.ts index 261ebf7e33e58..0bcf5d4b243dd 100644 --- a/packages/aws-cdk-lib/aws-kms/test/key.test.ts +++ b/packages/aws-cdk-lib/aws-kms/test/key.test.ts 
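Review bot: Dropping the `Action` list from the assertion in the second hunk leaves the test checking only `Effect` and `Resource`, so a regression that widened the grant to `kms:*` on the key would still pass; since the fix is about least privilege the action set should stay pinned. If the list was removed to avoid an ordering mismatch, `Action: Match.arrayWith(['kms:Decrypt', 'kms:Encrypt', 'kms:ReEncrypt*', 'kms:GenerateDataKey*'])` keeps the check without depending on order (`Match` is already imported in this file). The surrounding `test(...)` callback starts outside the hunk.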
@@ -83,18 +83,18 @@ describe('key policies', () => { test('cross region key with iam role grant', () => { const app = new cdk.App(); - const stack = new cdk.Stack(app, 'test-stack', { env: { account: '123412341234', region: 'us-west-2' } }); + const stack = new cdk.Stack(app, 'test-stack', { env: { account: '000000000000', region: 'us-west-2' } }); const key = kms.Key.fromKeyArn( stack, 'Key', - 'arn:aws:kms:eu-north-1:123412341234:key/e3ab59e5-3dc3-4bc4-9c3f-c790231d2287', + 'arn:aws:kms:eu-north-1:000000000000:key/e3ab59e5-3dc3-4bc4-9c3f-c790231d2287', ); const roleStack = new cdk.Stack(app, 'RoleStack', { - env: { account: '123412341234', region: 'eu-north-1' }, + env: { account: '000000000000', region: 'eu-north-1' }, }); const role = new iam.Role(roleStack, 'Role', { - assumedBy: new iam.AccountPrincipal('123412341234'), + assumedBy: new iam.AccountPrincipal('000000000000'), }); key.grantEncryptDecrypt(role); @@ -103,7 +103,7 @@ describe('key policies', () => { Statement: [ { Effect: 'Allow', - Resource: 'arn:aws:kms:eu-north-1:123412341234:key/e3ab59e5-3dc3-4bc4-9c3f-c790231d2287', + Resource: 'arn:aws:kms:eu-north-1:000000000000:key/e3ab59e5-3dc3-4bc4-9c3f-c790231d2287', }, ], Version: '2012-10-17', From 9c79ad70126c76c0d231fa06fd5f5eef429f1dd1 Mon Sep 17 00:00:00 2001 From: Gavin Zhang Date: Thu, 14 Mar 2024 14:59:31 -0400 Subject: [PATCH 4/5] Add feature flags --- packages/aws-cdk-lib/aws-kms/lib/key.ts | 20 +++++++---- packages/aws-cdk-lib/aws-kms/test/key.test.ts | 33 ++++++++++++++++++- packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md | 18 +++++++++- packages/aws-cdk-lib/cx-api/README.md | 17 ++++++++++ packages/aws-cdk-lib/cx-api/lib/features.ts | 13 ++++++++ 5 files changed, 93 insertions(+), 8 deletions(-) diff --git a/packages/aws-cdk-lib/aws-kms/lib/key.ts b/packages/aws-cdk-lib/aws-kms/lib/key.ts index 9e6d18656eed0..f29950b6dc763 100644 --- a/packages/aws-cdk-lib/aws-kms/lib/key.ts +++ b/packages/aws-cdk-lib/aws-kms/lib/key.ts 
@@ -262,9 +262,13 @@ abstract class KeyBase extends Resource implements IKey { } const bucketStack = Stack.of(this); const identityStack = Stack.of(grantee.grantPrincipal); - // if two compared stacks have the same region, this should return 'false' since it's from the - // same region; if two stacks have different region, then compare env.region - return bucketStack.region !== identityStack.region && this.env.region !== identityStack.region; + + if (FeatureFlags.of(this).isEnabled(cxapi.KMS_CROSS_ACCOUNT_REGION_KMS_KEY_POLICY)) { + // if two compared stacks have the same region, this should return 'false' since it's from the + // same region; if two stacks have different region, then compare env.region + return bucketStack.region !== identityStack.region && this.env.region !== identityStack.region; + } + return bucketStack.region !== identityStack.region; } private isGranteeFromAnotherAccount(grantee: iam.IGrantable): boolean { @@ -273,9 +277,13 @@ abstract class KeyBase extends Resource implements IKey { } const bucketStack = Stack.of(this); const identityStack = Stack.of(grantee.grantPrincipal); - // if two compared stacks have the same region, this should return 'false' since it's from the - // same region; if two stacks have different region, then compare env.account - return bucketStack.account !== identityStack.account && this.env.account !== identityStack.account; + + if (FeatureFlags.of(this).isEnabled(cxapi.KMS_CROSS_ACCOUNT_REGION_KMS_KEY_POLICY)) { + // if two compared stacks have the same region, this should return 'false' since it's from the + // same region; if two stacks have different region, then compare env.account + return bucketStack.account !== identityStack.account && this.env.account !== identityStack.account; + } + return bucketStack.account !== identityStack.account; } } diff --git a/packages/aws-cdk-lib/aws-kms/test/key.test.ts b/packages/aws-cdk-lib/aws-kms/test/key.test.ts index 0bcf5d4b243dd..29a9540a90106 100644 
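Review bot: The flag-gated condition `bucketStack.region !== identityStack.region && this.env.region !== identityStack.region` short-circuits to false whenever the two stacks share a region, so `this.env.region` is never consulted in that case — a key imported with an ARN from a third region into that shared region is still classified as same-region. That matches the pre-flag branch below it, and because such a key has a literal ARN the tighter `Resource` is the safer outcome, but the comment should state the intended rule rather than the mechanics: `// cross-region only when the grantee's stack region matches neither the enclosing stack nor this key's own env; the '*' fallback can only narrow, never widen`. If `Token.isUnresolved(this.keyArn)` is usable here (the core import list is not visible in the hunk), testing that directly would express the real question — whether a concrete ARN exists to scope to — better than two region comparisons. The enclosing class continues outside the hunk.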
--- a/packages/aws-cdk-lib/aws-kms/test/key.test.ts +++ b/packages/aws-cdk-lib/aws-kms/test/key.test.ts @@ -2,6 +2,7 @@ import { describeDeprecated } from '@aws-cdk/cdk-build-tools'; import { Match, Template } from '../../assertions'; import * as iam from '../../aws-iam'; import * as cdk from '../../core'; +import * as cxapi from '../../cx-api'; import * as kms from '../lib'; import { KeySpec, KeyUsage } from '../lib'; @@ -82,7 +83,7 @@ describe('key policies', () => { }); test('cross region key with iam role grant', () => { - const app = new cdk.App(); + const app = new cdk.App({ context: { [cxapi.KMS_CROSS_ACCOUNT_REGION_KMS_KEY_POLICY]: true } }); const stack = new cdk.Stack(app, 'test-stack', { env: { account: '000000000000', region: 'us-west-2' } }); const key = kms.Key.fromKeyArn( stack, @@ -111,6 +112,36 @@ describe('key policies', () => { }); }); + test('cross region key with iam role grant when feature flag is disabled', () => { + const app = new cdk.App({ context: { [cxapi.KMS_CROSS_ACCOUNT_REGION_KMS_KEY_POLICY]: false } }); + const stack = new cdk.Stack(app, 'test-stack', { env: { account: '000000000000', region: 'us-west-2' } }); + const key = kms.Key.fromKeyArn( + stack, + 'Key', + 'arn:aws:kms:eu-north-1:000000000000:key/e3ab59e5-3dc3-4bc4-9c3f-c790231d2287', + ); + + const roleStack = new cdk.Stack(app, 'RoleStack', { + env: { account: '000000000000', region: 'eu-north-1' }, + }); + const role = new iam.Role(roleStack, 'Role', { + assumedBy: new iam.AccountPrincipal('000000000000'), + }); + key.grantEncryptDecrypt(role); + + Template.fromStack(roleStack).hasResourceProperties('AWS::IAM::Policy', { + PolicyDocument: { + Statement: [ + { + Effect: 'Allow', + Resource: '*', + }, + ], + Version: '2012-10-17', + }, + }); + }); + test('can append to the default key policy', () => { const stack = new cdk.Stack(); const statement = new iam.PolicyStatement({ resources: ['*'], actions: ['kms:Put*'] }); 
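Review bot: Both tests in this file put the key ARN, both stacks and the role in account `000000000000`, so the new `&&` branch in `isGranteeFromAnotherAccount` is never exercised with differing accounts, and nothing checks the case where the key ARN's region matches neither stack, which is where the flag should still fall back to `Resource: '*'`. Add one case per branch: a key ARN in account `111111111111` granted to a role in `000000000000`, asserting whichever `Resource` is intended, and a key ARN in a third region with the stacks in `us-west-2` and `eu-north-1`, asserting `'*'`. The flag-disabled test pinning `Resource: '*'` is a good regression guard for the legacy behaviour.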
diff --git a/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md b/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md index 86bb8373fa803..c18b23cdc2f42 100644 --- a/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md +++ b/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md @@ -66,6 +66,7 @@ Flags come in three types: | [@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction](#aws-cdkaws-cloudwatch-actionschangelambdapermissionlogicalidforlambdaaction) | When enabled, the logical ID of a Lambda permission for a Lambda action includes an alarm ID. | 2.124.0 | (fix) | | [@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse](#aws-cdkaws-codepipelinecrossaccountkeysdefaultvaluetofalse) | Enables Pipeline to set the default value for crossAccountKeys to false. | 2.127.0 | (default) | | [@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2](#aws-cdkaws-codepipelinedefaultpipelinetypetov2) | Enables Pipeline to set the default pipeline type to V2. | V2NEXT | (default) | +| [@aws-cdk/aws-kms:crossAccountRegionKmsKeyPolicy](#aws-cdkaws-kmscrossaccountregionkmskeypolicy) | When enabled, KMS key grant should create policy with only one resource. | V2NEXT | (fix) | @@ -122,7 +123,8 @@ The following json shows the current recommended set of flags, as `cdk init` wou "@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource": true, "@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction": true, "@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse": true, - "@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2": true + "@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2": true, + "@aws-cdk/aws-kms:crossAccountRegionKmsKeyPolicy": true } } ``` 
@@ -1249,4 +1251,18 @@ construct, the construct automatically defaults the value of this property to `P **Compatibility with old behavior:** Pass `pipelineType: PipelineType.V1` to `Pipeline` construct to restore the previous behavior. +### @aws-cdk/aws-kms:crossAccountRegionKmsKeyPolicy + +*When enabled, KMS key grant should create policy with only one resource.* (fix) + +When this feature flag is enabled and calling KMS key grant method, the created IAM policy should correctly resolve to this +granting KMS key instead of a * resource property. + + +| Since | Default | Recommended | +| ----- | ----- | ----- | +| (not in v1) | | | +| V2NEXT | `false` | `true` | + + diff --git a/packages/aws-cdk-lib/cx-api/README.md b/packages/aws-cdk-lib/cx-api/README.md index 394a47009b24d..c1aa5bc6c360b 100644 --- a/packages/aws-cdk-lib/cx-api/README.md +++ b/packages/aws-cdk-lib/cx-api/README.md @@ -292,3 +292,20 @@ _cdk.json_ } } ``` + +* `@aws-cdk/aws-kms:crossAccountRegionKmsKeyPolicy` + +Enables KMS key grant to correctly set 'Resoruce' property of IAM policy to the key itself. + +When this feature flag is enabled and calling KMS key grant method, the created IAM policy should correctly resolve to this +granting KMS key instead of a * resource property. + +_cdk.json_ + +```json +{ + "context": { + "@aws-cdk/aws-kms:crossAccountRegionKmsKeyPolicy": true + } +} +``` diff --git a/packages/aws-cdk-lib/cx-api/lib/features.ts b/packages/aws-cdk-lib/cx-api/lib/features.ts index 28b15de29a57c..e22f65093d82d 100644 --- a/packages/aws-cdk-lib/cx-api/lib/features.ts +++ b/packages/aws-cdk-lib/cx-api/lib/features.ts 
@@ -100,6 +100,7 @@ export const CODECOMMIT_SOURCE_ACTION_DEFAULT_BRANCH_NAME = '@aws-cdk/aws-codepi export const LAMBDA_PERMISSION_LOGICAL_ID_FOR_LAMBDA_ACTION = '@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction'; export const CODEPIPELINE_CROSS_ACCOUNT_KEYS_DEFAULT_VALUE_TO_FALSE = '@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse'; export const CODEPIPELINE_DEFAULT_PIPELINE_TYPE_TO_V2 = '@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2'; +export const KMS_CROSS_ACCOUNT_REGION_KMS_KEY_POLICY = '@aws-cdk/aws-kms:crossAccountRegionKmsKeyPolicy'; export const FLAGS: Record = { ////////////////////////////////////////////////////////////////////// @@ -1021,6 +1022,18 @@ export const FLAGS: Record = { recommendedValue: true, compatibilityWithOldBehaviorMd: 'Pass `pipelineType: PipelineType.V1` to `Pipeline` construct to restore the previous behavior.', }, + + ////////////////////////////////////////////////////////////////////// + [KMS_CROSS_ACCOUNT_REGION_KMS_KEY_POLICY]: { + type: FlagType.BugFix, + summary: 'When enabled, KMS key grant should create policy with only one resource.', + detailsMd: ` + When this feature flag is enabled and calling KMS key grant method, the created IAM policy should correctly resolve to this + granting KMS key instead of a * resource property. + `, + introducedIn: { v2: 'V2NEXT' }, + recommendedValue: true, + }, }; const CURRENT_MV = 'v2'; From 0cb1ba98d0fdff1a0aee0ac84fc31e136e4ed042 Mon Sep 17 00:00:00 2001 From: Gavin Zhang Date: Thu, 14 Mar 2024 16:49:37 -0400 Subject: [PATCH 5/5] Update feature flag naming --- packages/aws-cdk-lib/aws-kms/lib/key.ts | 4 ++-- packages/aws-cdk-lib/aws-kms/test/key.test.ts | 4 ++-- packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md | 12 ++++++------ packages/aws-cdk-lib/cx-api/README.md | 10 +++++----- packages/aws-cdk-lib/cx-api/lib/features.ts | 10 +++++----- 5 files changed, 20 insertions(+), 20 deletions(-) 
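Review bot: The flag's `detailsMd` in the second hunk describes only the effect (the IAM policy resolving to the key instead of `*`) and not the condition that triggers it, so a user cannot tell from the registry whether enabling it will change their templates. State the trigger: a grant on a key whose `env` (for example from `Key.fromKeyArn`) is in a different region or account than the stack it is defined in, to a grantee whose stack matches the key's region and account; such grants previously got `Resource: '*'`. The neighbouring `CODEPIPELINE_DEFAULT_PIPELINE_TYPE_TO_V2` entry carries a `compatibilityWithOldBehaviorMd`; this one should too, e.g. `compatibilityWithOldBehaviorMd: 'Leave the flag unset to keep the previous \'*\' resource.'`.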
diff --git a/packages/aws-cdk-lib/aws-kms/lib/key.ts b/packages/aws-cdk-lib/aws-kms/lib/key.ts index f29950b6dc763..ba5d33c2988e9 100644 --- a/packages/aws-cdk-lib/aws-kms/lib/key.ts +++ b/packages/aws-cdk-lib/aws-kms/lib/key.ts @@ -263,7 +263,7 @@ abstract class KeyBase extends Resource implements IKey { const bucketStack = Stack.of(this); const identityStack = Stack.of(grantee.grantPrincipal); - if (FeatureFlags.of(this).isEnabled(cxapi.KMS_CROSS_ACCOUNT_REGION_KMS_KEY_POLICY)) { + if (FeatureFlags.of(this).isEnabled(cxapi.KMS_REDUCE_CROSS_ACCOUNT_REGION_POLICY_SCOPE)) { // if two compared stacks have the same region, this should return 'false' since it's from the // same region; if two stacks have different region, then compare env.region return bucketStack.region !== identityStack.region && this.env.region !== identityStack.region; @@ -278,7 +278,7 @@ abstract class KeyBase extends Resource implements IKey { const bucketStack = Stack.of(this); const identityStack = Stack.of(grantee.grantPrincipal); - if (FeatureFlags.of(this).isEnabled(cxapi.KMS_CROSS_ACCOUNT_REGION_KMS_KEY_POLICY)) { + if (FeatureFlags.of(this).isEnabled(cxapi.KMS_REDUCE_CROSS_ACCOUNT_REGION_POLICY_SCOPE)) { // if two compared stacks have the same region, this should return 'false' since it's from the // same region; if two stacks have different region, then compare env.account return bucketStack.account !== identityStack.account && this.env.account !== identityStack.account; diff --git a/packages/aws-cdk-lib/aws-kms/test/key.test.ts b/packages/aws-cdk-lib/aws-kms/test/key.test.ts index 29a9540a90106..3493c31dff3ac 100644 --- a/packages/aws-cdk-lib/aws-kms/test/key.test.ts +++ b/packages/aws-cdk-lib/aws-kms/test/key.test.ts 
@@ -83,7 +83,7 @@ describe('key policies', () => { }); test('cross region key with iam role grant', () => { - const app = new cdk.App({ context: { [cxapi.KMS_CROSS_ACCOUNT_REGION_KMS_KEY_POLICY]: true } }); + const app = new cdk.App({ context: { [cxapi.KMS_REDUCE_CROSS_ACCOUNT_REGION_POLICY_SCOPE]: true } }); const stack = new cdk.Stack(app, 'test-stack', { env: { account: '000000000000', region: 'us-west-2' } }); const key = kms.Key.fromKeyArn( stack, @@ -113,7 +113,7 @@ describe('key policies', () => { }); test('cross region key with iam role grant when feature flag is disabled', () => { - const app = new cdk.App({ context: { [cxapi.KMS_CROSS_ACCOUNT_REGION_KMS_KEY_POLICY]: false } }); + const app = new cdk.App({ context: { [cxapi.KMS_REDUCE_CROSS_ACCOUNT_REGION_POLICY_SCOPE]: false } }); const stack = new cdk.Stack(app, 'test-stack', { env: { account: '000000000000', region: 'us-west-2' } }); const key = kms.Key.fromKeyArn( stack, diff --git a/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md b/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md index c18b23cdc2f42..d73e3b1657e52 100644 --- a/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md +++ b/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md 
@@ -66,7 +66,7 @@ Flags come in three types: | [@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction](#aws-cdkaws-cloudwatch-actionschangelambdapermissionlogicalidforlambdaaction) | When enabled, the logical ID of a Lambda permission for a Lambda action includes an alarm ID. | 2.124.0 | (fix) | | [@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse](#aws-cdkaws-codepipelinecrossaccountkeysdefaultvaluetofalse) | Enables Pipeline to set the default value for crossAccountKeys to false. | 2.127.0 | (default) | | [@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2](#aws-cdkaws-codepipelinedefaultpipelinetypetov2) | Enables Pipeline to set the default pipeline type to V2. | V2NEXT | (default) | -| [@aws-cdk/aws-kms:crossAccountRegionKmsKeyPolicy](#aws-cdkaws-kmscrossaccountregionkmskeypolicy) | When enabled, KMS key grant should create policy with only one resource. | V2NEXT | (fix) | +| [@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope](#aws-cdkaws-kmsreducecrossaccountregionpolicyscope) | When enabled, IAM Policy created from KMS key grant will reduce the resource scope to this key only. | V2NEXT | (fix) | @@ -124,7 +124,7 @@ The following json shows the current recommended set of flags, as `cdk init` wou "@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction": true, "@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse": true, "@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2": true, - "@aws-cdk/aws-kms:crossAccountRegionKmsKeyPolicy": true + "@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope": true } } ``` 
@@ -1251,12 +1251,12 @@ construct, the construct automatically defaults the value of this property to `P **Compatibility with old behavior:** Pass `pipelineType: PipelineType.V1` to `Pipeline` construct to restore the previous behavior. -### @aws-cdk/aws-kms:crossAccountRegionKmsKeyPolicy +### @aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope -*When enabled, KMS key grant should create policy with only one resource.* (fix) +*When enabled, IAM Policy created from KMS key grant will reduce the resource scope to this key only.* (fix) -When this feature flag is enabled and calling KMS key grant method, the created IAM policy should correctly resolve to this -granting KMS key instead of a * resource property. +When this feature flag is enabled and calling KMS key grant method, the created IAM policy will reduce the resource scope from +'*' to this specific granting KMS key. | Since | Default | Recommended | diff --git a/packages/aws-cdk-lib/cx-api/README.md b/packages/aws-cdk-lib/cx-api/README.md index c1aa5bc6c360b..cdbd86f3ae08e 100644 --- a/packages/aws-cdk-lib/cx-api/README.md +++ b/packages/aws-cdk-lib/cx-api/README.md @@ -293,19 +293,19 @@ _cdk.json_ } ``` -* `@aws-cdk/aws-kms:crossAccountRegionKmsKeyPolicy` +* `@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope` -Enables KMS key grant to correctly set 'Resoruce' property of IAM policy to the key itself. +Reduce resource scope of the IAM Policy created from KMS key grant to granting key only. -When this feature flag is enabled and calling KMS key grant method, the created IAM policy should correctly resolve to this -granting KMS key instead of a * resource property. +When this feature flag is enabled and calling KMS key grant method, the created IAM policy will reduce the resource scope from +'*' to this specific granting KMS key. _cdk.json_ ```json { "context": { - "@aws-cdk/aws-kms:crossAccountRegionKmsKeyPolicy": true + "@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope": true } } ``` 
diff --git a/packages/aws-cdk-lib/cx-api/lib/features.ts b/packages/aws-cdk-lib/cx-api/lib/features.ts index e22f65093d82d..7a241858c5f82 100644 --- a/packages/aws-cdk-lib/cx-api/lib/features.ts +++ b/packages/aws-cdk-lib/cx-api/lib/features.ts @@ -100,7 +100,7 @@ export const CODECOMMIT_SOURCE_ACTION_DEFAULT_BRANCH_NAME = '@aws-cdk/aws-codepi export const LAMBDA_PERMISSION_LOGICAL_ID_FOR_LAMBDA_ACTION = '@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction'; export const CODEPIPELINE_CROSS_ACCOUNT_KEYS_DEFAULT_VALUE_TO_FALSE = '@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse'; export const CODEPIPELINE_DEFAULT_PIPELINE_TYPE_TO_V2 = '@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2'; -export const KMS_CROSS_ACCOUNT_REGION_KMS_KEY_POLICY = '@aws-cdk/aws-kms:crossAccountRegionKmsKeyPolicy'; +export const KMS_REDUCE_CROSS_ACCOUNT_REGION_POLICY_SCOPE = '@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope'; export const FLAGS: Record = { ////////////////////////////////////////////////////////////////////// @@ -1024,12 +1024,12 @@ export const FLAGS: Record = { }, ////////////////////////////////////////////////////////////////////// - [KMS_CROSS_ACCOUNT_REGION_KMS_KEY_POLICY]: { + [KMS_REDUCE_CROSS_ACCOUNT_REGION_POLICY_SCOPE]: { type: FlagType.BugFix, - summary: 'When enabled, KMS key grant should create policy with only one resource.', + summary: 'When enabled, IAM Policy created from KMS key grant will reduce the resource scope to this key only.', detailsMd: ` - When this feature flag is enabled and calling KMS key grant method, the created IAM policy should correctly resolve to this - granting KMS key instead of a * resource property. + When this feature flag is enabled and calling KMS key grant method, the created IAM policy will reduce the resource scope from + '*' to this specific granting KMS key. `, introducedIn: { v2: 'V2NEXT' }, recommendedValue: true,