diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-events/test/integ.eventbus-customer-managed-key.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-events/test/integ.eventbus-customer-managed-key.js.snapshot/cdk.out new file mode 100644 index 0000000000000..1f0068d32659a --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-events/test/integ.eventbus-customer-managed-key.js.snapshot/cdk.out @@ -0,0 +1 @@ +{"version":"36.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-events/test/integ.eventbus-customer-managed-key.js.snapshot/eventbue-customer-managed-key.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-events/test/integ.eventbus-customer-managed-key.js.snapshot/eventbue-customer-managed-key.assets.json new file mode 100644 index 0000000000000..ea7093d4eef0c --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-events/test/integ.eventbus-customer-managed-key.js.snapshot/eventbue-customer-managed-key.assets.json @@ -0,0 +1,19 @@ +{ + "version": "36.0.0", + "files": { + "603e01b8a28b3701dc4a16dcc90ff1b0dd7de76f7c1e20e07b3458a72955b7b0": { + "source": { + "path": "eventbue-customer-managed-key.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "603e01b8a28b3701dc4a16dcc90ff1b0dd7de76f7c1e20e07b3458a72955b7b0.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-events/test/integ.eventbus-customer-managed-key.js.snapshot/eventbue-customer-managed-key.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-events/test/integ.eventbus-customer-managed-key.js.snapshot/eventbue-customer-managed-key.template.json new file mode 100644 index 0000000000000..ab122e99ffc58 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-events/test/integ.eventbus-customer-managed-key.js.snapshot/eventbue-customer-managed-key.template.json @@ -0,0 +1,144 @@ +{ + "Resources": { + "KmsKey46693ADD": { + "Type": "AWS::KMS::Key", + "Properties": { + "KeyPolicy": { + "Statement": [ + { + "Action": "kms:*", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + }, + "Resource": "*" + }, + { + "Action": [ + "kms:Decrypt", + "kms:DescribeKey", + "kms:GenerateDataKey" + ], + "Condition": { + "StringEquals": { + "aws:SourceAccount": { + "Ref": "AWS::AccountId" + }, + "aws:SourceArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":events:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":event-bus/eventbuecustomermanagedkeyBus178EB991" + ] + ] + }, + "kms:EncryptionContext:aws:events:event-bus:arn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":events:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":event-bus/eventbuecustomermanagedkeyBus178EB991" + ] + ] + } + } + }, + "Effect": "Allow", + "Principal": { + "Service": "events.amazonaws.com" + }, + "Resource": "*" + } + ], + "Version": "2012-10-17" + } + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "BusEA82B648": { + "Type": "AWS::Events::EventBus", + "Properties": { + "KmsKeyIdentifier": { + "Fn::GetAtt": [ + "KmsKey46693ADD", + "Arn" + ] + }, + "Name": "eventbuecustomermanagedkeyBus178EB991" + } + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-events/test/integ.eventbus-customer-managed-key.js.snapshot/eventbuecustomermanagedkeytestDefaultTestDeployAssertBCCA03C5.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-events/test/integ.eventbus-customer-managed-key.js.snapshot/eventbuecustomermanagedkeytestDefaultTestDeployAssertBCCA03C5.assets.json new file mode 100644 index 0000000000000..299d2f1c06fcd --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-events/test/integ.eventbus-customer-managed-key.js.snapshot/eventbuecustomermanagedkeytestDefaultTestDeployAssertBCCA03C5.assets.json @@ -0,0 +1,19 @@ +{ + "version": "36.0.0", + "files": { + "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { + "source": { + "path": "eventbuecustomermanagedkeytestDefaultTestDeployAssertBCCA03C5.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-events/test/integ.eventbus-customer-managed-key.js.snapshot/eventbuecustomermanagedkeytestDefaultTestDeployAssertBCCA03C5.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-events/test/integ.eventbus-customer-managed-key.js.snapshot/eventbuecustomermanagedkeytestDefaultTestDeployAssertBCCA03C5.template.json new file mode 100644 index 0000000000000..ad9d0fb73d1dd --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-events/test/integ.eventbus-customer-managed-key.js.snapshot/eventbuecustomermanagedkeytestDefaultTestDeployAssertBCCA03C5.template.json @@ -0,0 +1,36 @@ +{ + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-events/test/integ.eventbus-customer-managed-key.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-events/test/integ.eventbus-customer-managed-key.js.snapshot/integ.json new file mode 100644 index 0000000000000..18f50967ebf05 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-events/test/integ.eventbus-customer-managed-key.js.snapshot/integ.json @@ -0,0 +1,12 @@ +{ + "version": "36.0.0", + "testCases": { + "eventbue-customer-managed-key-test/DefaultTest": { + "stacks": [ + "eventbue-customer-managed-key" + ], + "assertionStack": "eventbue-customer-managed-key-test/DefaultTest/DeployAssert", + "assertionStackName": "eventbuecustomermanagedkeytestDefaultTestDeployAssertBCCA03C5" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-events/test/integ.eventbus-customer-managed-key.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-events/test/integ.eventbus-customer-managed-key.js.snapshot/manifest.json new file mode 100644 index 0000000000000..1bd01669db3a8 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-events/test/integ.eventbus-customer-managed-key.js.snapshot/manifest.json @@ -0,0 +1,119 @@ +{ + "version": "36.0.0", + "artifacts": { + "eventbue-customer-managed-key.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "eventbue-customer-managed-key.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "eventbue-customer-managed-key": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "eventbue-customer-managed-key.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/603e01b8a28b3701dc4a16dcc90ff1b0dd7de76f7c1e20e07b3458a72955b7b0.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "eventbue-customer-managed-key.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "eventbue-customer-managed-key.assets" + ], + "metadata": { + "/eventbue-customer-managed-key/KmsKey/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "KmsKey46693ADD" + } + ], + "/eventbue-customer-managed-key/Bus/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "BusEA82B648" + } + ], + "/eventbue-customer-managed-key/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/eventbue-customer-managed-key/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "eventbue-customer-managed-key" + }, + "eventbuecustomermanagedkeytestDefaultTestDeployAssertBCCA03C5.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "eventbuecustomermanagedkeytestDefaultTestDeployAssertBCCA03C5.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "eventbuecustomermanagedkeytestDefaultTestDeployAssertBCCA03C5": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "eventbuecustomermanagedkeytestDefaultTestDeployAssertBCCA03C5.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "eventbuecustomermanagedkeytestDefaultTestDeployAssertBCCA03C5.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "eventbuecustomermanagedkeytestDefaultTestDeployAssertBCCA03C5.assets" + ], + "metadata": { + "/eventbue-customer-managed-key-test/DefaultTest/DeployAssert/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/eventbue-customer-managed-key-test/DefaultTest/DeployAssert/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "eventbue-customer-managed-key-test/DefaultTest/DeployAssert" + }, + "Tree": { + "type": "cdk:tree", + "properties": { + "file": "tree.json" + } + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-events/test/integ.eventbus-customer-managed-key.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-events/test/integ.eventbus-customer-managed-key.js.snapshot/tree.json new file mode 100644 index 0000000000000..8425b89a1bbcb --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-events/test/integ.eventbus-customer-managed-key.js.snapshot/tree.json @@ -0,0 +1,241 @@ +{ + "version": "tree-0.1", + "tree": { + "id": "App", + "path": "", + "children": { + "eventbue-customer-managed-key": { + "id": "eventbue-customer-managed-key", + "path": "eventbue-customer-managed-key", + "children": { + "KmsKey": { + "id": "KmsKey", + "path": "eventbue-customer-managed-key/KmsKey", + "children": { + "Resource": { + "id": "Resource", + "path": "eventbue-customer-managed-key/KmsKey/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::KMS::Key", + "aws:cdk:cloudformation:props": { + "keyPolicy": { + "Statement": [ + { + "Action": "kms:*", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + }, + "Resource": "*" + }, + { + "Action": [ + "kms:Decrypt", + "kms:DescribeKey", + "kms:GenerateDataKey" + ], + "Condition": { + "StringEquals": { + "aws:SourceAccount": { + "Ref": "AWS::AccountId" + }, + "aws:SourceArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":events:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":event-bus/eventbuecustomermanagedkeyBus178EB991" + ] + ] + }, + "kms:EncryptionContext:aws:events:event-bus:arn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":events:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":event-bus/eventbuecustomermanagedkeyBus178EB991" + ] + ] + } + } + }, + "Effect": "Allow", + "Principal": { + "Service": "events.amazonaws.com" + }, + "Resource": "*" + } + ], + "Version": "2012-10-17" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_kms.CfnKey", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_kms.Key", + "version": "0.0.0" + } + }, + "Bus": { + "id": "Bus", + "path": "eventbue-customer-managed-key/Bus", + "children": { + "Resource": { + "id": "Resource", + "path": "eventbue-customer-managed-key/Bus/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Events::EventBus", + "aws:cdk:cloudformation:props": { + "kmsKeyIdentifier": { + "Fn::GetAtt": [ + "KmsKey46693ADD", + "Arn" + ] + }, + "name": "eventbuecustomermanagedkeyBus178EB991" + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_events.CfnEventBus", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_events.EventBus", + "version": "0.0.0" + } + }, + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "eventbue-customer-managed-key/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "eventbue-customer-managed-key/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" + } + }, + "eventbue-customer-managed-key-test": { + "id": "eventbue-customer-managed-key-test", + "path": "eventbue-customer-managed-key-test", + "children": { + "DefaultTest": { + "id": "DefaultTest", + "path": "eventbue-customer-managed-key-test/DefaultTest", + "children": { + "Default": { + "id": "Default", + "path": "eventbue-customer-managed-key-test/DefaultTest/Default", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "DeployAssert": { + "id": "DeployAssert", + "path": "eventbue-customer-managed-key-test/DefaultTest/DeployAssert", + "children": { + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "eventbue-customer-managed-key-test/DefaultTest/DeployAssert/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "eventbue-customer-managed-key-test/DefaultTest/DeployAssert/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTestCase", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTest", + "version": "0.0.0" + } + }, + "Tree": { + "id": "Tree", + "path": "Tree", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.App", + "version": "0.0.0" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-events/test/integ.eventbus-customer-managed-key.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-events/test/integ.eventbus-customer-managed-key.ts new file mode 100644 index 0000000000000..fc2e9883ec221 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-events/test/integ.eventbus-customer-managed-key.ts @@ -0,0 +1,17 @@ +import * as kms from 'aws-cdk-lib/aws-kms'; +import { App, RemovalPolicy, Stack } from 'aws-cdk-lib'; +import { IntegTest } from '@aws-cdk/integ-tests-alpha'; +import { EventBus } from 'aws-cdk-lib/aws-events'; + +const app = new App(); +const stack = new Stack(app, 'eventbue-customer-managed-key'); + +const kmsKey =new kms.Key(stack, 'KmsKey', { + removalPolicy: RemovalPolicy.DESTROY, +}); + +new EventBus(stack, 'Bus', { kmsKey }); + +new IntegTest(app, 'eventbue-customer-managed-key-test', { + testCases: [stack], +}); diff --git a/packages/aws-cdk-lib/aws-events/README.md b/packages/aws-cdk-lib/aws-events/README.md index 7dc3377590068..0a9c871d4fddb 100644 --- a/packages/aws-cdk-lib/aws-events/README.md +++ b/packages/aws-cdk-lib/aws-events/README.md @@ -236,3 +236,22 @@ const eventBus = events.EventBus.fromEventBusArn(this, 'ImportedEventBus', 'arn: // now you can just call methods on the eventbus eventBus.grantPutEventsTo(lambdaFunction); ``` + +## Use a customer managed key + +To use a customer managed key for events on the event bus, use the `kmsKey` attribute. + +```ts +import * as kms from 'aws-cdk-lib/aws-kms'; + +declare const kmsKey: kms.IKey; + +new events.EventBus(this, 'Bus', { + kmsKey, +}); +``` + +**Note**: Archives and schema discovery are not supported for event buses encrypted using a customer managed key. +To enable archives or schema discovery on an event bus, choose to use an AWS owned key. +For more information, see [KMS key options for event bus encryption](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-encryption-at-rest-key-options.html). + diff --git a/packages/aws-cdk-lib/aws-events/lib/event-bus.ts b/packages/aws-cdk-lib/aws-events/lib/event-bus.ts index 78f533c5a5536..6b164ceae7c84 100644 --- a/packages/aws-cdk-lib/aws-events/lib/event-bus.ts +++ b/packages/aws-cdk-lib/aws-events/lib/event-bus.ts @@ -2,6 +2,7 @@ import { Construct } from 'constructs'; import { Archive, BaseArchiveProps } from './archive'; import { CfnEventBus, CfnEventBusPolicy } from './events.generated'; import * as iam from '../../aws-iam'; +import * as kms from '../../aws-kms'; import { ArnFormat, IResource, Lazy, Names, Resource, Stack, Token } from '../../core'; /** @@ -78,6 +79,13 @@ export interface EventBusProps { * @default - no partner event source */ readonly eventSourceName?: string; + + /** + * The customer managed key that encrypt events on this event bus. + * + * @default - Use an AWS managed key + */ + readonly kmsKey?: kms.IKey; } /** @@ -320,6 +328,7 @@ export class EventBus extends EventBusBase { const eventBus = new CfnEventBus(this, 'Resource', { name: this.physicalName, eventSourceName, + kmsKeyIdentifier: props?.kmsKey?.keyArn, }); this.eventBusArn = this.getResourceArnAttribute(eventBus.attrArn, { @@ -328,6 +337,31 @@ export class EventBus extends EventBusBase { resourceName: eventBus.name, }); + // Allow EventBridge to use customer managed key + // See https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-encryption-event-bus-key-policy.html + if (props?.kmsKey) { + props?.kmsKey.addToResourcePolicy(new iam.PolicyStatement({ + resources: ['*'], + actions: ['kms:Decrypt', 'kms:GenerateDataKey', 'kms:DescribeKey'], + principals: [new iam.ServicePrincipal('events.amazonaws.com')], + conditions: { + StringEquals: { + 'aws:SourceAccount': this.stack.account, + 'aws:SourceArn': Stack.of(this).formatArn({ + service: 'events', + resource: 'event-bus', + resourceName: eventBusName, + }), + 'kms:EncryptionContext:aws:events:event-bus:arn': Stack.of(this).formatArn({ + service: 'events', + resource: 'event-bus', + resourceName: eventBusName, + }), + }, + }, + })); + } + this.eventBusName = this.getResourceNameAttribute(eventBus.ref); this.eventBusPolicy = eventBus.attrPolicy; this.eventSourceName = eventBus.eventSourceName; diff --git a/packages/aws-cdk-lib/aws-events/test/event-bus.test.ts b/packages/aws-cdk-lib/aws-events/test/event-bus.test.ts index da4a96a3763e3..7b2a034b64d58 100644 --- a/packages/aws-cdk-lib/aws-events/test/event-bus.test.ts +++ b/packages/aws-cdk-lib/aws-events/test/event-bus.test.ts @@ -2,6 +2,7 @@ import { testDeprecated } from '@aws-cdk/cdk-build-tools'; import { Template } from '../../assertions'; import * as iam from '../../aws-iam'; import { Effect } from '../../aws-iam'; +import * as kms from '../../aws-kms'; import { Aws, CfnResource, Stack, Arn, App, PhysicalName, CfnOutput } from '../../core'; import { EventBus } from '../lib'; @@ -625,4 +626,112 @@ describe('event bus', () => { actions: ['events:PutEvents'], }))).toThrow('Event Bus policy statements must have a sid'); }); + + test('Event Bus with a customer managed key', () => { + // GIVEN + const app = new App(); + const stack = new Stack(app, 'Stack'); + const key = new kms.Key(stack, 'Key'); + + // WHEN + const eventBus = new EventBus(stack, 'Bus', { + kmsKey: key, + }); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::Events::EventBus', { + KmsKeyIdentifier: stack.resolve(key.keyArn), + }); + + Template.fromStack(stack).hasResourceProperties('AWS::KMS::Key', { + KeyPolicy: { + Statement: [ + { + Action: 'kms:*', + Effect: 'Allow', + Principal: { + AWS: { + 'Fn::Join': [ + '', + [ + 'arn:', + { + Ref: 'AWS::Partition', + }, + ':iam::', + { + Ref: 'AWS::AccountId', + }, + ':root', + ], + ], + }, + }, + Resource: '*', + }, + { + Action: [ + 'kms:Decrypt', + 'kms:GenerateDataKey', + 'kms:DescribeKey', + ], + Condition: { + StringEquals: { + 'aws:SourceAccount': { + Ref: 'AWS::AccountId', + }, + 'aws:SourceArn': { + 'Fn::Join': [ + '', + [ + 'arn:', + { + Ref: 'AWS::Partition', + }, + ':events:', + { + Ref: 'AWS::Region', + }, + ':', + { + Ref: 'AWS::AccountId', + }, + ':event-bus/StackBusAA0A1E4B', + ], + ], + }, + 'kms:EncryptionContext:aws:events:event-bus:arn': { + 'Fn::Join': [ + '', + [ + 'arn:', + { + Ref: 'AWS::Partition', + }, + ':events:', + { + Ref: 'AWS::Region', + }, + ':', + { + Ref: 'AWS::AccountId', + }, + ':event-bus/StackBusAA0A1E4B', + ], + ], + }, + }, + }, + Effect: 'Allow', + Principal: { + Service: 'events.amazonaws.com', + }, + Resource: '*', + }, + ], + Version: '2012-10-17', + }, + }); + }); + });