feat(schedule-alpha): support customer managed KMS keys (#27609)

Allows to specify a customer-managed KMS key for encryption. Example: ```ts declare const key: kms.Key; declare const fn: lambda.Function; const target = new targets.LambdaInvoke(fn, { input: ScheduleTargetInput.fromObject({ "payload": "useful", }), }); const schedule = new Schedule(this, 'Schedule', { schedule: ScheduleExpression.rate(Duration.minutes(10)), target, key, }); ``` Closes #27543. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws · Oct 20, 2023 · df24d22 · df24d22
1 parent a1ad28b
commit df24d22
Show file tree

Hide file tree

Showing 11 changed files with 359 additions and 11 deletions.
diff --git a/packages/@aws-cdk/aws-scheduler-alpha/README.md b/packages/@aws-cdk/aws-scheduler-alpha/README.md
@@ -201,7 +201,31 @@ Executing cross-account and cross-region targets are not supported yet.
 
 ### Specifying Encryption key
 
-TODO: Not yet implemented. See section in [L2 Event Bridge Scheduler RFC](https://github.com/aws/aws-cdk-rfcs/blob/master/text/0474-event-bridge-scheduler-l2.md)
+EventBridge Scheduler integrates with AWS Key Management Service (AWS KMS) to encrypt and decrypt your data using an AWS KMS key. 
+EventBridge Scheduler supports two types of KMS keys: AWS owned keys, and customer managed keys.
+
+By default, all events in Scheduler are encrypted with a key that AWS owns and manages. 
+If you wish you can also provide a customer managed key to encrypt and decrypt the payload that your schedule delivers to its target using the `key` property. 
+Target classes will automatically add AWS KMS Decrypt permission to your schedule's execution role permissions policy.
+
+```ts
+declare const key: kms.Key;
+declare const fn: lambda.Function;
+
+const target = new targets.LambdaInvoke(fn, {
+    input: ScheduleTargetInput.fromObject({
+        payload: 'useful',
+    }),
+});
+
+const schedule = new Schedule(this, 'Schedule', {
+    schedule: ScheduleExpression.rate(Duration.minutes(10)),
+    target,
+    key,
+});
+```
+
+> Visit [Data protection in Amazon EventBridge Scheduler](https://docs.aws.amazon.com/scheduler/latest/UserGuide/data-protection.html) for more details.
 
 ## Error-handling 
 

diff --git a/packages/@aws-cdk/aws-scheduler-alpha/lib/schedule.ts b/packages/@aws-cdk/aws-scheduler-alpha/lib/schedule.ts
@@ -1,5 +1,6 @@
 import { IResource, Resource } from 'aws-cdk-lib';
 import * as cloudwatch from 'aws-cdk-lib/aws-cloudwatch';
+import * as kms from 'aws-cdk-lib/aws-kms';
 import { CfnSchedule } from 'aws-cdk-lib/aws-scheduler';
 import { Construct } from 'constructs';
 import { IGroup } from './group';
@@ -22,6 +23,11 @@ export interface ISchedule extends IResource {
    * The arn of the schedule.
    */
   readonly scheduleArn: string;
+
+  /**
+   * The customer managed KMS key that EventBridge Scheduler will use to encrypt and decrypt your data.
+   */
+  readonly key?: kms.IKey;
 }
 
 /**
@@ -67,6 +73,13 @@ export interface ScheduleProps {
    * @default true
    */
   readonly enabled?: boolean;
+
+  /**
+   * The customer managed KMS key that EventBridge Scheduler will use to encrypt and decrypt your data.
+   *
+   * @default - All events in Scheduler are encrypted with a key that AWS owns and manages.
+   */
+  readonly key?: kms.IKey;
 }
 
 /**
@@ -179,6 +192,11 @@ export class Schedule extends Resource implements ISchedule {
    */
   public readonly scheduleName: string;
 
+  /**
+   * The customer managed KMS key that EventBridge Scheduler will use to encrypt and decrypt your data.
+   */
+  readonly key?: kms.IKey;
+
   constructor(scope: Construct, id: string, props: ScheduleProps) {
     super(scope, id, {
       physicalName: props.scheduleName,
@@ -188,13 +206,19 @@ export class Schedule extends Resource implements ISchedule {
 
     const targetConfig = props.target.bind(this);
 
+    this.key = props.key;
+    if (this.key) {
+      this.key.grantEncryptDecrypt(targetConfig.role);
+    }
+
     const resource = new CfnSchedule(this, 'Resource', {
       name: this.physicalName,
       flexibleTimeWindow: { mode: 'OFF' },
       scheduleExpression: props.schedule.expressionString,
       scheduleExpressionTimezone: props.schedule.timeZone?.timezoneName,
       groupName: this.group?.groupName,
       state: (props.enabled ?? true) ? 'ENABLED' : 'DISABLED',
+      kmsKeyArn: this.key?.keyArn,
       target: {
         arn: targetConfig.arn,
         roleArn: targetConfig.role.roleArn,

diff --git a/...ws-scheduler-alpha/test/integ.schedule.js.snapshot/aws-cdk-scheduler-schedule.assets.json b/...ws-scheduler-alpha/test/integ.schedule.js.snapshot/aws-cdk-scheduler-schedule.assets.json
diff --git a/...-scheduler-alpha/test/integ.schedule.js.snapshot/aws-cdk-scheduler-schedule.template.json b/...-scheduler-alpha/test/integ.schedule.js.snapshot/aws-cdk-scheduler-schedule.template.json
@@ -67,6 +67,37 @@
     }
    }
   },
+  "RoleDefaultPolicy5FFB7DAB": {
+   "Type": "AWS::IAM::Policy",
+   "Properties": {
+    "PolicyDocument": {
+     "Statement": [
+      {
+       "Action": [
+        "kms:Decrypt",
+        "kms:Encrypt",
+        "kms:GenerateDataKey*",
+        "kms:ReEncrypt*"
+       ],
+       "Effect": "Allow",
+       "Resource": {
+        "Fn::GetAtt": [
+         "ScheduleKey7E6B3A92",
+         "Arn"
+        ]
+       }
+      }
+     ],
+     "Version": "2012-10-17"
+    },
+    "PolicyName": "RoleDefaultPolicy5FFB7DAB",
+    "Roles": [
+     {
+      "Ref": "Role1ABCC5F0"
+     }
+    ]
+   }
+  },
   "DefaultSchedule597B0B2C": {
    "Type": "AWS::Scheduler::Schedule",
    "Properties": {
@@ -128,6 +159,72 @@
     "Statistic": "Sum",
     "Threshold": 1
    }
+  },
+  "ScheduleKey7E6B3A92": {
+   "Type": "AWS::KMS::Key",
+   "Properties": {
+    "KeyPolicy": {
+     "Statement": [
+      {
+       "Action": "kms:*",
+       "Effect": "Allow",
+       "Principal": {
+        "AWS": {
+         "Fn::Join": [
+          "",
+          [
+           "arn:",
+           {
+            "Ref": "AWS::Partition"
+           },
+           ":iam::",
+           {
+            "Ref": "AWS::AccountId"
+           },
+           ":root"
+          ]
+         ]
+        }
+       },
+       "Resource": "*"
+      }
+     ],
+     "Version": "2012-10-17"
+    }
+   },
+   "UpdateReplacePolicy": "Retain",
+   "DeletionPolicy": "Retain"
+  },
+  "CustomerKmsSchedule12B1FEFE": {
+   "Type": "AWS::Scheduler::Schedule",
+   "Properties": {
+    "FlexibleTimeWindow": {
+     "Mode": "OFF"
+    },
+    "KmsKeyArn": {
+     "Fn::GetAtt": [
+      "ScheduleKey7E6B3A92",
+      "Arn"
+     ]
+    },
+    "ScheduleExpression": "rate(12 hours)",
+    "ScheduleExpressionTimezone": "Etc/UTC",
+    "State": "ENABLED",
+    "Target": {
+     "Arn": {
+      "Fn::GetAtt": [
+       "Function76856677",
+       "Arn"
+      ]
+     },
+     "RoleArn": {
+      "Fn::GetAtt": [
+       "Role1ABCC5F0",
+       "Arn"
+      ]
+     }
+    }
+   }
   }
  },
  "Parameters": {

diff --git a/packages/@aws-cdk/aws-scheduler-alpha/test/integ.schedule.js.snapshot/cdk.out b/packages/@aws-cdk/aws-scheduler-alpha/test/integ.schedule.js.snapshot/cdk.out
diff --git a/packages/@aws-cdk/aws-scheduler-alpha/test/integ.schedule.js.snapshot/integ.json b/packages/@aws-cdk/aws-scheduler-alpha/test/integ.schedule.js.snapshot/integ.json
diff --git a/...t/integ.schedule.js.snapshot/integtestscheduleDefaultTestDeployAssert24CB3896.assets.json b/...t/integ.schedule.js.snapshot/integtestscheduleDefaultTestDeployAssert24CB3896.assets.json
diff --git a/packages/@aws-cdk/aws-scheduler-alpha/test/integ.schedule.js.snapshot/manifest.json b/packages/@aws-cdk/aws-scheduler-alpha/test/integ.schedule.js.snapshot/manifest.json