Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(sns-subscriptions): add SourceArn condition to CMK policy when subscribing SQS to SNS #20339

Open
2 tasks
HansFalkenberg-Visma opened this issue May 13, 2022 · 4 comments
Open
2 tasks

(sns-subscriptions): add SourceArn condition to CMK policy when subscribing SQS to SNS #20339

HansFalkenberg-Visma opened this issue May 13, 2022 · 4 comments
Labels
@aws-cdk/aws-sns-subscriptions effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. p2

Comments

@HansFalkenberg-Visma
Copy link

HansFalkenberg-Visma commented May 13, 2022
edited

Describe the feature

When topic.addSubscription is used with an SqsSubscription referencing a queue with SSE encryption enabled, the queue's CMK policy is extended to allow the SNS service principal for all accounts. This was implemented in #14960

The generated statement should include a condition to restrict usage to the specific topic, ie.

            "Condition": {
                "ArnEquals": {
                    "aws:SourceArn": "arn:aws:sns:REGION:ACCOUNT:TOPIC"
                }
            }

Use Case

To help prevent an AWS service from being used as a confused deputy in a policy where the principal is an AWS service principal, you can use the aws:SourceArn or aws:SourceAccount global condition keys.

https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html

This was apparently not possible before. While this is a security improvement, I do not believe it rates reporting as a security vulnerability, because

Proposed Solution

The implementation itself should be trivial because the necessary code is already in https://github.com/aws/aws-cdk/blob/v2-main/packages/%40aws-cdk/aws-sns-subscriptions/lib/sqs.ts for the queue's policy.

Simply add three lines to

    if (this.queue.encryptionMasterKey) {
      this.queue.encryptionMasterKey.addToResourcePolicy(new iam.PolicyStatement({
        resources: ['*'],
        actions: ['kms:Decrypt', 'kms:GenerateDataKey'],
        principals: [snsServicePrincipal],
      }));
    }

like so

    if (this.queue.encryptionMasterKey) {
      this.queue.encryptionMasterKey.addToResourcePolicy(new iam.PolicyStatement({
        resources: ['*'],
        actions: ['kms:Decrypt', 'kms:GenerateDataKey'],
        principals: [snsServicePrincipal],
        conditions: {
          ArnEquals: { 'aws:SourceArn': topic.topicArn },
        },
      }));
    }

I don't know that a workaround is currently possible. I tried adding the more restrictive policy (with the condition) to the CMK first, but CDK will always add the more permissive policy (without the condition) with no (easily available) interfaces for removing it again.

Other Information

This would not be a breaking change to the CDK API, but the generated policy would be more restrictive. Solutions that have -- erroneously, I would say -- depended on the too permissive policy for use by SNS topics not managed by the same CDK application/stack might have issues. They have the simple fix of explicitly adding back the permissive policy statement to the CMK.

The following is the exact statement that was generated before the proposed change. After the change it would be replaced by a more restrictive statement, one per topic (with each topic's ARN as a condition). This can of course be used as is, but it might be just as easy to add statements with ARN conditions for the other topics too:

        {
            "Effect": "Allow",
            "Principal": {
                "Service": "sns.amazonaws.com"
            },
            "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey"
            ],
            "Resource": "*"
        }

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

v2.24.1

Environment details (OS name and version, etc.)

n/a
@HansFalkenberg-Visma HansFalkenberg-Visma added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels May 13, 2022
Closed
@kaizencc kaizencc changed the title aws-sns-subscriptions: add SourceArn condition to CMK policy when subscribing SQS to SNS (sns-subscriptions): add SourceArn condition to CMK policy when subscribing SQS to SNS May 16, 2022
@kaizencc kaizencc added p2 effort/small Small work item – less than a day of effort and removed needs-triage This issue or PR still needs to be triaged. labels May 24, 2022
@kaizencc kaizencc removed their assignment May 24, 2022
@daschaa daschaa mentioned this issue May 27, 2022
Merged
4 tasks
mergify bot pushed a commit that referenced this issue Jul 8, 2022
@daschaa
fix(sns-subscriptions): restrict encryption of queue to only the resp…
4e0c80f 
…ective sns topic (under feature flag) (#20521)

Implements #20339 

The change adds a conditional that only the corresponding SNS Topic can decrypt the SQS queue with the KMS-Key if one was given.

----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)?
	* [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
daschaa added a commit to daschaa/aws-cdk that referenced this issue Jul 9, 2022
@daschaa
fix(sns-subscriptions): restrict encryption of queue to only the resp…
f7f9ff2 
…ective sns topic (under feature flag) (aws#20521)

Implements aws#20339 

The change adds a conditional that only the corresponding SNS Topic can decrypt the SQS queue with the KMS-Key if one was given.

----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)?
	* [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@daschaa
Copy link
Contributor

daschaa commented Jul 15, 2022

With #20521 now implemented, can this be closed?

@tanyalava
Copy link

Just like snsServicePrincipal is used to access the service sns.amazonaws.com, is there a principal to access s3.amazonaws.com ?

@khushail
Copy link
Contributor

khushail commented Jun 6, 2024

@HansFalkenberg-Visma , since @daschaa has provided the Fix and PR is merged, could I close this issue ?

@khushail khushail added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Jun 6, 2024
@HansFalkenberg-Visma
Copy link
Author

Yes, with my cdk.json looking like this it now adds the expected condition to the key's policy:

{
  "app": "npx ts-node --prefer-ts-exts cdk/bin/aws.ts",
  "context": {
    "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": true
  }
}

I assume the s in Descryption is a typo, but nothing to do about that now.

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Jun 7, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
@aws-cdk/aws-sns-subscriptions effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. p2
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@kaizencc @tanyalava @daschaa @HansFalkenberg-Visma @khushail