
s3: bucketKey should support SSE-S3 #30183

Closed
pahud opened this issue May 13, 2024 · 3 comments · Fixed by #30184 or rwlxxvii/containers#140 · May be fixed by NOUIY/aws-solutions-constructs#103, Opetushallitus/heratepalvelu#280 or NOUIY/aws-solutions-constructs#104
Labels
@aws-cdk/aws-s3 Related to Amazon S3 bug This issue is a bug. effort/medium Medium work item – several days of effort p2

Comments

@pahud
Contributor

pahud commented May 13, 2024

Describe the bug

bucketKeyEnabled is not allowed when the encryption is SSE-S3.

test('throws error if bucketKeyEnabled is set, but encryption is not KMS', () => {
  const stack = new cdk.Stack();
  expect(() => {
    new s3.Bucket(stack, 'MyBucket', { bucketKeyEnabled: true, encryption: s3.BucketEncryption.S3_MANAGED });
  }).toThrow("bucketKeyEnabled is specified, so 'encryption' must be set to KMS or DSSE (value: S3_MANAGED)");
  expect(() => {
    new s3.Bucket(stack, 'MyBucket3', { bucketKeyEnabled: true });
  }).toThrow("bucketKeyEnabled is specified, so 'encryption' must be set to KMS or DSSE (value: UNENCRYPTED)");
});

But there's no documentation of this restriction, and CloudFormation and the console actually allow you to specify that.

Workaround:

    // create an S3 bucket with SSE-S3, then force BucketKeyEnabled on the rendered
    // CloudFormation resource, bypassing the constructor's check
    const bucket = new s3.Bucket(this, 'Bucket', {
      encryption: s3.BucketEncryption.S3_MANAGED,
    });
    (bucket.node.defaultChild as s3.CfnBucket).addPropertyOverride(
      'BucketEncryption.ServerSideEncryptionConfiguration.0.BucketKeyEnabled',
      true,
    );

Expected Behavior

Allows BucketEncryption with SSE-S3.

Current Behavior

Not allowed.

Reproduction Steps

    const bucket = new s3.Bucket(this, 'Bucket', {
      encryption: s3.BucketEncryption.S3_MANAGED,
      bucketKeyEnabled: true,
    });

Possible Solution

Fix the logic here:

    // if bucketKeyEnabled is set, encryption must be set to KMS or DSSE.
    if (
      props.bucketKeyEnabled &&
      ![BucketEncryption.KMS, BucketEncryption.KMS_MANAGED, BucketEncryption.DSSE, BucketEncryption.DSSE_MANAGED].includes(encryptionType)
    ) {
      throw new Error(`bucketKeyEnabled is specified, so 'encryption' must be set to KMS or DSSE (value: ${encryptionType})`);
    }

Additional Information/Context

No response

CDK CLI Version

v2.141.0

Framework Version

No response

Node.js Version

all

OS

all

Language

TypeScript

Language Version

No response

Other information

No response
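The following is an added example, not code from this issue, the linked PR or the aws-cdk library. It models the constructor check quoted in "Possible Solution" beside the relaxed rule the issue asks for (SSE-S3 accepted, an unencrypted bucket still rejected), and renders the `BucketEncryption` shape of an `AWS::S3::Bucket` that the workaround's `addPropertyOverride` path (`BucketEncryption.ServerSideEncryptionConfiguration.0.BucketKeyEnabled`) edits. The `BucketEncryption` union, `validateBucketKeyStrict`, `validateBucketKeyRelaxed` and `toCfnBucketEncryption` are this example's own names; only the `SSEAlgorithm` values (`AES256`, `aws:kms`, `aws:kms:dsse`) are the ones CloudFormation documents.

```typescript
// Added example: stand-alone model of the bucketKeyEnabled check and of the
// CloudFormation BucketEncryption block it guards. Not CDK code; the CDK enum
// member names are mirrored as a string union so the file runs without aws-cdk-lib.
type BucketEncryption =
  | 'UNENCRYPTED' | 'S3_MANAGED' | 'KMS' | 'KMS_MANAGED' | 'DSSE' | 'DSSE_MANAGED';

interface BucketProps {
  encryption?: BucketEncryption;   // defaults to UNENCRYPTED, as in the issue's error text
  bucketKeyEnabled?: boolean;
}

// SSEAlgorithm values CloudFormation accepts in ServerSideEncryptionByDefault.
// (KMSMasterKeyID for customer-managed keys is left out of this model.)
const SSE_ALGORITHM: Record<Exclude<BucketEncryption, 'UNENCRYPTED'>, string> = {
  S3_MANAGED: 'AES256',
  KMS: 'aws:kms',
  KMS_MANAGED: 'aws:kms',
  DSSE: 'aws:kms:dsse',
  DSSE_MANAGED: 'aws:kms:dsse',
};

// Encryption types the v2.141.0 check (quoted in the issue) accepts with bucketKeyEnabled.
const KMS_LIKE: BucketEncryption[] = ['KMS', 'KMS_MANAGED', 'DSSE', 'DSSE_MANAGED'];

// Current behaviour: returns the message the constructor throws, or null when the props pass.
function validateBucketKeyStrict(props: BucketProps): string | null {
  const encryptionType = props.encryption ?? 'UNENCRYPTED';
  if (props.bucketKeyEnabled && !KMS_LIKE.includes(encryptionType)) {
    return `bucketKeyEnabled is specified, so 'encryption' must be set to KMS or DSSE (value: ${encryptionType})`;
  }
  return null;
}

// Requested behaviour: SSE-S3 is allowed, as CloudFormation and the console already
// permit; a bucket key without any server-side encryption is still an error.
function validateBucketKeyRelaxed(props: BucketProps): string | null {
  const encryptionType = props.encryption ?? 'UNENCRYPTED';
  if (props.bucketKeyEnabled && encryptionType === 'UNENCRYPTED') {
    return `bucketKeyEnabled is specified, so 'encryption' must be set to KMS, DSSE or S3_MANAGED (value: ${encryptionType})`;
  }
  return null;
}

// Renders the BucketEncryption property of an AWS::S3::Bucket under the relaxed rule.
// rules[0].BucketKeyEnabled is the field the workaround's override path points at.
function toCfnBucketEncryption(props: BucketProps) {
  const error = validateBucketKeyRelaxed(props);
  if (error) throw new Error(error);
  const encryption = props.encryption ?? 'UNENCRYPTED';
  if (encryption === 'UNENCRYPTED') return undefined;   // no BucketEncryption block at all
  const rule: Record<string, unknown> = {
    ServerSideEncryptionByDefault: { SSEAlgorithm: SSE_ALGORITHM[encryption] },
  };
  if (props.bucketKeyEnabled !== undefined) rule.BucketKeyEnabled = props.bucketKeyEnabled;
  return { ServerSideEncryptionConfiguration: [rule] };
}

// Side-by-side run of the reproduction props from the issue.
const repro: BucketProps = { encryption: 'S3_MANAGED', bucketKeyEnabled: true };
console.log('strict :', validateBucketKeyStrict(repro));
console.log('relaxed:', validateBucketKeyRelaxed(repro));
console.log(JSON.stringify(toCfnBucketEncryption(repro), null, 2));
```

Running it prints the v2.141.0 error for the strict check, `null` for the relaxed one, and a `BucketEncryption` block whose single rule carries `SSEAlgorithm: "AES256"` with `BucketKeyEnabled: true`, which is the same resource the `addPropertyOverride` workaround produces by hand.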

@pahud pahud added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. p2 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels May 13, 2024
@pahud
Contributor Author

pahud commented May 13, 2024

internal tracking - V1376578494

@pahud pahud added the @aws-cdk/aws-s3 Related to Amazon S3 label May 13, 2024
@mergify mergify bot closed this as completed in #30184 May 16, 2024
mergify bot pushed a commit that referenced this issue May 16, 2024
### Issue # (if applicable)

Closes #30183 

### Reason for this change



### Description of changes



### Description of how you validated changes



### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

atanaspam pushed a commit to atanaspam/aws-cdk that referenced this issue Jun 3, 2024
@aws-cdk-automation
Collaborator

Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one.

@aws aws locked as resolved and limited conversation to collaborators Jul 25, 2024