[aws-sns] SNS encryption should support KMS keys cross account #10055

Closed
relm923 opened this issue Aug 29, 2020 · 0 comments · Fixed by #10056
Labels
@aws-cdk/aws-sns Related to Amazon Simple Notification Service bug This issue is a bug. in-progress This issue is being actively worked on. needs-triage This issue or PR still needs to be triaged.


relm923 commented Aug 29, 2020

The current aws-sns module supports enabling encryption with KMS CMKs but only works when the key and the topic reside in the same account because CDK is using the KMS KeyId link instead of the KMS KeyArn.

Reproduction Steps

```ts
// Creating Stack in account 222222222222

const myKeyImported = kms.Key.fromKeyArn(this, 'MyImportedKey', 'arn:aws:kms:us-east-1:111111111111:key/1234abcd-12ab-34cd-56ef-1234567890ab');

const topic = new Topic(this, 'MyEncryptedTopic', { masterKey: myKeyImported });

// Resulting CF template has:
// KmsMasterKeyId: "1234abcd-12ab-34cd-56ef-1234567890ab"
```

What did you expect to happen?

The topic should be configured with the KMS keyArn so the account information is retained correctly.

What actually happened?

This topic will be unusable because SNS/KMS cannot locate the specified key in account 222222222222.

Environment

  • **CLI Version:** 1.61.1
  • **Framework Version:** 1.61.1
  • Node.js Version: 12.18.3
  • OS : MacOS
  • Language (Version): TypeScript (3.8.3)

Other

AWS Docs

Cross-account use: Yes. To perform this operation with a CMK in a different AWS account, specify the key ARN or alias ARN in the value of the KeyId parameter.


This is 🐛 Bug Report
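
A check for the failure described in this issue, as an added example that is not part of the original report or of the aws-cdk code base: it scans a synthesized CloudFormation template for `AWS::SNS::Topic` resources whose `KmsMasterKeyId` is the bare ID of a key owned by another account. The function name, the `Finding` shape and the sample templates are assumptions constructed for illustration.

```typescript
// Added example (not aws-cdk code): names and sample data are hypothetical.
interface Finding { logicalId: string; keyId: string; keyAccount: string; }

// arn:<partition>:kms:<region>:<account>:key/<key-id>
const KEY_ARN = /^arn:[^:]+:kms:[^:]*:(\d{12}):key\/(.+)$/;

function findCrossAccountKeyIdTopics(
  template: { Resources?: Record<string, any> },
  stackAccount: string,
  intendedKeyArns: string[], // ARNs the stack imported, e.g. via kms.Key.fromKeyArn
): Finding[] {
  // Map bare key ID -> owning account, for keys outside the stack's account.
  const foreign = new Map<string, string>();
  for (const arn of intendedKeyArns) {
    const m = KEY_ARN.exec(arn);
    if (m && m[1] !== stackAccount) foreign.set(m[2], m[1]);
  }
  const findings: Finding[] = [];
  for (const [logicalId, res] of Object.entries(template.Resources ?? {})) {
    if (res?.Type !== 'AWS::SNS::Topic') continue;
    const keyId = res.Properties?.KmsMasterKeyId;
    // Only literal strings are checked; intrinsics (Ref, Fn::GetAtt) resolve
    // at deploy time, and a full ARN already carries the account.
    if (typeof keyId !== 'string' || /^arn:/.test(keyId)) continue;
    const owner = foreign.get(keyId);
    if (owner) findings.push({ logicalId, keyId, keyAccount: owner });
  }
  return findings;
}

// Constructed samples: the template as reported, and with the key ARN the issue expects.
const KEY = 'arn:aws:kms:us-east-1:111111111111:key/1234abcd-12ab-34cd-56ef-1234567890ab';
const reported = { Resources: { MyEncryptedTopic: { Type: 'AWS::SNS::Topic',
  Properties: { KmsMasterKeyId: '1234abcd-12ab-34cd-56ef-1234567890ab' } } } };
const expected = { Resources: { MyEncryptedTopic: { Type: 'AWS::SNS::Topic',
  Properties: { KmsMasterKeyId: KEY } } } };

console.log(findCrossAccountKeyIdTopics(reported, '222222222222', [KEY]));
console.log(findCrossAccountKeyIdTopics(expected, '222222222222', [KEY]));
```

Run against the output of `cdk synth`, a non-empty result means the topic would be deployed pointing at a key ID that the stack's own account does not hold.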

@relm923 relm923 added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Aug 29, 2020
@github-actions github-actions bot added the @aws-cdk/aws-sns Related to Amazon Simple Notification Service label Aug 29, 2020
relm923 added a commit to relm923/aws-cdk that referenced this issue Aug 29, 2020
@SomayaB SomayaB added the in-progress This issue is being actively worked on. label Aug 31, 2020
@mergify mergify bot closed this as completed in #10056 Sep 2, 2020
mergify bot pushed a commit that referenced this issue Sep 2, 2020
fixes: #10055


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*