
CDK: EventBridge Rule with an SqsQueue, KMS_MANAGED encryption target doesn't error #30549

Closed
cmorikuni-aon opened this issue Jun 13, 2024 · 3 comments
Labels
@aws-cdk/aws-events Related to CloudWatch Events bug This issue is a bug. closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. needs-reproduction This issue needs reproduction. response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.

Comments

@cmorikuni-aon

Describe the bug

Setting up EventBridge with a rule to a KMS_MANAGED SQS queue is invalid according to: https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-key-management.html#sqs-what-permissions-for-sse

CDK synth should error out and force the developer to configure SQS using a customer master key

Expected Behavior

For CDK synth to error out

Current Behavior

Allows the configuration to synth and be pushed. No warning or logs are provided that make users aware of this behavior except the documentation.

Reproduction Steps

  1. An SQS queue cannot use KMS_MANAGED encryption when using AWS services as an event source.
  2. aws_events_targets calls grantSendMessages on the Queue, expecting this to grant all of the required permissions. (https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-events-targets/lib/sqs.ts#L72)
  3. grantSendMessages only configures grantEncryptDecrypt if the queue has a CMK and an encryptionMasterKey property. (https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-sqs/lib/queue-base.ts#L228) (The key policy for a KMS managed key cannot be configured and does not include this permission.)
  4. In the case of a KMS_MANAGED queue, encryptionMasterKey is unset. (https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-sqs/lib/queue.ts#L482)

  [An SQS queue cannot use KMS_MANAGED encryption when using AWS services as an event source.](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-key-management.html#sqs-what-permissions-for-sse)

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.135

Framework Version

No response

Node.js Version

v16.17.1

OS

Macos 14.5

Language

Python

Language Version

No response

Other information

No response
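Since CDK synth does not catch this, a practitioner can add the check themselves against the synthesized template. The following is an added example, not code from the issue reporter or from the aws-cdk project: it scans a CloudFormation template dict (the shape `cdk synth` writes to `cdk.out/<Stack>.template.json`) and flags every `AWS::Events::Rule` whose SQS target is encrypted with the AWS-managed key `alias/aws/sqs` (what CDK's `QueueEncryption.KMS_MANAGED` produces), or with a CMK in the same template whose key policy does not allow `events.amazonaws.com` to call `kms:GenerateDataKey*` and `kms:Decrypt`. The function names and the sample template are constructed for this example; the CloudFormation property names (`KmsMasterKeyId`, `Targets`, `KeyPolicy`) are the real ones.

```python
"""Guardrail for the gap in this issue: flag EventBridge -> SQS targets whose
queue encryption EventBridge cannot use. Runs offline on a synthesized template."""
import fnmatch
import json
from typing import Any, Dict, List, Optional

AWS_MANAGED_SQS_KEY = "alias/aws/sqs"          # what QueueEncryption.KMS_MANAGED synthesizes
EVENTS_PRINCIPAL = "events.amazonaws.com"
REQUIRED_KMS_ACTIONS = ("kms:GenerateDataKey", "kms:Decrypt")  # per the SQS SSE docs


def _referenced_logical_id(value: Any) -> Optional[str]:
    """Logical id behind {"Ref": id} or {"Fn::GetAtt": [id, attr]}; None for literals."""
    if isinstance(value, dict):
        if "Ref" in value:
            return value["Ref"]
        if "Fn::GetAtt" in value:
            return value["Fn::GetAtt"][0]
    return None


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def key_policy_allows_events(key_resource: Dict[str, Any]) -> bool:
    """True if an AWS::KMS::Key's KeyPolicy has Allow statements that give the
    EventBridge service principal both required actions (wildcards such as
    kms:GenerateDataKey* or kms:* count, as IAM evaluates them)."""
    statements = key_resource.get("Properties", {}).get("KeyPolicy", {}).get("Statement", [])
    granted = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if principal != "*" and EVENTS_PRINCIPAL not in services:
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            for required in REQUIRED_KMS_ACTIONS:
                if fnmatch.fnmatchcase(required, pattern):
                    granted.add(required)
    return all(action in granted for action in REQUIRED_KMS_ACTIONS)


def find_unusable_sqs_targets(template: Dict[str, Any]) -> List[Dict[str, str]]:
    """Return one finding per (rule, SQS target queue) that EventBridge cannot deliver to."""
    resources = template.get("Resources", {})
    findings = []
    for rule_id, rule in resources.items():
        if rule.get("Type") != "AWS::Events::Rule":
            continue
        for target in rule.get("Properties", {}).get("Targets", []):
            queue_id = _referenced_logical_id(target.get("Arn"))
            queue = resources.get(queue_id) if queue_id else None
            if not queue or queue.get("Type") != "AWS::SQS::Queue":
                continue  # not an SQS target, or a queue imported by ARN that we cannot inspect
            key_id = queue.get("Properties", {}).get("KmsMasterKeyId")
            if key_id is None:
                continue  # SQS-managed SSE or no SSE: no KMS grant is involved
            if key_id == AWS_MANAGED_SQS_KEY:
                reason = "AWS-managed key alias/aws/sqs (KMS_MANAGED): its key policy cannot be edited to allow events.amazonaws.com"
            else:
                key_res = resources.get(_referenced_logical_id(key_id) or "")
                if key_res is None:
                    reason = "KMS key is not defined in this template; verify its key policy manually"
                elif key_res.get("Type") == "AWS::KMS::Key" and key_policy_allows_events(key_res):
                    continue  # CMK with a usable key policy: the configuration the docs require
                else:
                    reason = "CMK key policy does not allow events.amazonaws.com kms:GenerateDataKey*/kms:Decrypt"
            findings.append({"rule": rule_id, "queue": queue_id, "reason": reason})
    return findings


# Constructed sample shaped like cdk synth output: one good CMK queue, one KMS_MANAGED queue.
SAMPLE_TEMPLATE: Dict[str, Any] = {
    "Resources": {
        "OrdersKey": {"Type": "AWS::KMS::Key", "Properties": {"KeyPolicy": {"Statement": [
            {"Effect": "Allow", "Principal": {"Service": EVENTS_PRINCIPAL},
             "Action": ["kms:Decrypt", "kms:GenerateDataKey*"], "Resource": "*"}]}}},
        "GoodQueue": {"Type": "AWS::SQS::Queue",
                      "Properties": {"KmsMasterKeyId": {"Fn::GetAtt": ["OrdersKey", "Arn"]}}},
        "BadQueue": {"Type": "AWS::SQS::Queue", "Properties": {"KmsMasterKeyId": AWS_MANAGED_SQS_KEY}},
        "GoodRule": {"Type": "AWS::Events::Rule",
                     "Properties": {"Targets": [{"Id": "t1", "Arn": {"Fn::GetAtt": ["GoodQueue", "Arn"]}}]}},
        "BadRule": {"Type": "AWS::Events::Rule",
                    "Properties": {"Targets": [{"Id": "t1", "Arn": {"Fn::GetAtt": ["BadQueue", "Arn"]}}]}},
    }
}

if __name__ == "__main__":
    for finding in find_unusable_sqs_targets(SAMPLE_TEMPLATE):
        print(json.dumps(finding))
```

To run it against a real stack, replace `SAMPLE_TEMPLATE` with `json.load(open("cdk.out/MyStack.template.json"))` and fail the pipeline when the list is non-empty. Queues referenced by a literal ARN (imported with `Queue.from_queue_arn`) and keys outside the template are reported for manual review rather than silently passed, since the check cannot see their policies.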

@cmorikuni-aon cmorikuni-aon added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jun 13, 2024
@github-actions github-actions bot added the @aws-cdk/aws-events Related to CloudWatch Events label Jun 13, 2024
@ashishdhingra
Contributor

@cmorikuni-aon Good afternoon. Would it be possible for you to share minimal self contained code to help us quickly troubleshoot the issue?

Thanks,
Ashish

@ashishdhingra ashishdhingra added needs-reproduction This issue needs reproduction. and removed needs-triage This issue or PR still needs to be triaged. labels Jun 13, 2024
@khushail khushail added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Jul 1, 2024

github-actions bot commented Jul 2, 2024

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

@github-actions github-actions bot added closing-soon This issue will automatically close in 4 days unless further comments are made. closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. and removed closing-soon This issue will automatically close in 4 days unless further comments are made. labels Jul 2, 2024
@github-actions github-actions bot closed this as completed Jul 7, 2024
@aws-cdk-automation
Collaborator

Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one.

@aws aws locked as resolved and limited conversation to collaborators Jul 25, 2024