
deploymentBucket serverSideEncryption does not work with kms configuration #11749

Open
4 tasks done
adamyodinsky opened this issue Feb 14, 2023 · 6 comments

Comments

@adamyodinsky

Are you certain it's a bug?

  • Yes, it looks like a bug

Is the issue caused by a plugin?

  • It is not a plugin issue

Are you using the latest v3 release?

  • Yes, I'm using the latest v3 release

Is there an existing issue for this?

  • I have searched existing issues, it hasn't been reported yet

Issue description

I'm having an issue with using KMS for the deployment bucket as described in the documentation under "Deployment bucket".

provider:
  deploymentBucket:
    serverSideEncryption: "aws:kms"
    sseKMSKeyId: "alias/aws/s3" 

In the update stack file (cloudformation-template-update-stack.json) I'm getting "SSEAlgorithm": "AES256", not kms.

"Resources": {
    "ServerlessDeploymentBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketEncryption": {
          "ServerSideEncryptionConfiguration": [
            {
              "ServerSideEncryptionByDefault": {
                "SSEAlgorithm": "AES256"
              }
            }
            ...

Service configuration (serverless.yml) content

service: myserverless

frameworkVersion: '2 || 3'

variablesResolutionMode: '20210326'

plugins:
  - serverless-offline

package:
  patterns:
    - '!**'
    - 'src/**'
    - 'templates/**'
    - 'get_folder/**'

custom:
  aws_account: ${aws:accountId}


provider:
  deploymentBucket:
    serverSideEncryption: 'aws:kms'
    sseKMSKeyId: 'alias/aws/s3'
    blockPublicAccess: true
    tags:
      "test": "3"
  name: aws
  region: us-west-2
  runtime: python3.8
  lambdaHashingVersion: '20201221'
  stage: 'dev'
  httpApi:
    useProviderTags: true
  tags:
    "test": "3"
  iam:
    role:
      name: <role-arn-masked>
      permissionsBoundary: <policy-arn-masked>
      tags:
        "test": "3"

functions:
  getIndex:
    handler: src/render_template.handler
    environment:
      template_env: ${file(./get_folder/get_folder.js)}
    tags:
      "test": "3"

Command name and used flags

serverless package, serverless deploy

Command output

Running "serverless" from node_modules

Packaging cosv3sls-myserverless-adam-101 for stage dev (us-west-2)

✔ Service packaged (0s)

3 deprecations found: run 'serverless doctor' for more details

Environment information

Running "serverless" from node_modules
Framework Core: 3.27.0 (local) 3.20.0 (global)
Plugin: 6.2.3
SDK: 4.3.2
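As an added example (not code from this issue and not part of the Serverless Framework), a small post-package check that reads the generated cloudformation-template-update-stack.json and fails when ServerlessDeploymentBucket does not carry the requested aws:kms algorithm and key. The embedded template is constructed to mirror the AES256 output reported above; the property names used (BucketEncryption, ServerSideEncryptionConfiguration, ServerSideEncryptionByDefault, SSEAlgorithm, KMSMasterKeyID) are the standard AWS::S3::Bucket CloudFormation ones, and the file path in the usage comment is the one the issue names.

```python
import json
import sys

# Constructed sample, mirroring the BucketEncryption block the issue reports
# in .serverless/cloudformation-template-update-stack.json (AES256, no KMS key).
PACKAGED_TEMPLATE = {
    "Resources": {
        "ServerlessDeploymentBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "BucketEncryption": {
                    "ServerSideEncryptionConfiguration": [
                        {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}
                    ]
                }
            },
        }
    }
}


def expected_bucket_encryption(sse_algorithm, kms_key_id=None):
    """CloudFormation BucketEncryption property that the deploymentBucket
    serverSideEncryption / sseKMSKeyId settings would be expected to produce."""
    by_default = {"SSEAlgorithm": sse_algorithm}
    if sse_algorithm == "aws:kms" and kms_key_id:
        by_default["KMSMasterKeyID"] = kms_key_id
    return {"ServerSideEncryptionConfiguration": [{"ServerSideEncryptionByDefault": by_default}]}


def audit_deployment_bucket(template, sse_algorithm, kms_key_id=None,
                            logical_id="ServerlessDeploymentBucket"):
    """Compare the packaged bucket resource against the requested settings.
    Returns a list of findings; an empty list means the template is as expected."""
    bucket = template.get("Resources", {}).get(logical_id)
    if bucket is None:
        # Happens when deploymentBucket.name points at a pre-existing bucket:
        # the framework then emits no bucket resource of its own.
        return [f"{logical_id} not found in template"]
    rules = (bucket.get("Properties", {})
                   .get("BucketEncryption", {})
                   .get("ServerSideEncryptionConfiguration", []))
    if not rules:
        return [f"{logical_id}: no BucketEncryption configured"]
    actual = rules[0].get("ServerSideEncryptionByDefault", {})
    findings = []
    if actual.get("SSEAlgorithm") != sse_algorithm:
        findings.append(f"{logical_id}: SSEAlgorithm is {actual.get('SSEAlgorithm')!r}, "
                        f"expected {sse_algorithm!r}")
    if sse_algorithm == "aws:kms" and kms_key_id and actual.get("KMSMasterKeyID") != kms_key_id:
        findings.append(f"{logical_id}: KMSMasterKeyID is {actual.get('KMSMasterKeyID')!r}, "
                        f"expected {kms_key_id!r}")
    return findings


def audit_template_file(path, sse_algorithm, kms_key_id=None):
    """Load a packaged template from disk and audit it."""
    with open(path, encoding="utf-8") as fh:
        return audit_deployment_bucket(json.load(fh), sse_algorithm, kms_key_id)


if __name__ == "__main__":
    # Usage after `serverless package`:
    #   python audit_deployment_bucket.py .serverless/cloudformation-template-update-stack.json
    # With no argument the constructed sample above is audited instead.
    if len(sys.argv) > 1:
        findings = audit_template_file(sys.argv[1], "aws:kms", "alias/aws/s3")
    else:
        findings = audit_deployment_bucket(PACKAGED_TEMPLATE, "aws:kms", "alias/aws/s3")
    for finding in findings:
        print("FAIL:", finding)
    sys.exit(1 if findings else 0)
```

Running it against the sample prints two FAIL lines (wrong SSEAlgorithm, missing KMSMasterKeyID) and exits 1, which is the signal a CI job wants between `serverless package` and `serverless deploy`; a template whose bucket matches `expected_bucket_encryption("aws:kms", "alias/aws/s3")` produces no findings.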
@medikoo
Contributor

medikoo commented Feb 20, 2023

@adamyodinsky I think originally the intention behind aws:kms setting was only to lift signatureVersion to v4. See this discussion: https://github.com/serverless/serverless/pull/3804/files#r122407453

I'm not deeply familiar with this matter and whether something more should be done.

@carlos-delangel

Probably related to AWS adding default encryption on Jan 15th, 2023.
Adding a valid KMS Key ID as before won't work anymore.

@medikoo
Contributor

medikoo commented Mar 2, 2023

@carlos-delangel so you mean it worked before, and now stopped working because of changes on AWS side?

If that's the case we're definitely open to a PR that improves things.

@carlos-delangel

It used to work previously with deploymentBucket under provider set to:

serverSideEncryption: 'aws:kms'
kmsKeyID: 'alias'

I tried switching to sseKMSKeyId but it still did not work for me.
Ended up moving to use aws-cli for now.

@mandava-asha

I tried serverSideEncryption: aws:kms and kmsKeyID/sseKMSKeyId. It is not working. I think plugin and serverless versions are not compatible. It worked for me in the past.

@Vizz85

Vizz85 commented Oct 11, 2023

I'm having the same issue.
As a workaround I'm exporting the bucket name with the serverless-export-outputs plugin and calling aws s3api put-bucket-encryption in my gitlab ci. A lot of overhead; I hope for a fix for this in the future.
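The put-bucket-encryption workaround from the comment above, written out as an added example in Python (this is not Vizz85's CI script and not part of the Serverless Framework). It builds the request body in the shape the s3api expects, which differs from the CloudFormation property names shown earlier in the issue, runs the CLI, and then reads the setting back so the pipeline fails if the bucket still defaults to AES256. The bucket name is a constructed placeholder (in the comment's setup it would come from the stack outputs exported by serverless-export-outputs), the key alias is the one from the issue, and the s3api field names (Rules, ApplyServerSideEncryptionByDefault, BucketKeyEnabled) are the standard ones for put-bucket-encryption and get-bucket-encryption.

```python
import json
import subprocess

# Constructed values: the bucket name is a placeholder; the key alias is the
# one the issue uses. In CI the bucket name would be read from the exported
# stack outputs instead.
BUCKET = "example-deployment-bucket"
KMS_KEY_ID = "alias/aws/s3"


def s3api_encryption_config(kms_key_id, bucket_key_enabled=True):
    """Request body for `put-bucket-encryption`. The s3api field names
    (Rules / ApplyServerSideEncryptionByDefault) are not the CloudFormation
    ones (ServerSideEncryptionConfiguration / ServerSideEncryptionByDefault)."""
    return {
        "Rules": [
            {
                "ApplyServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "aws:kms",
                    "KMSMasterKeyID": kms_key_id,
                },
                # S3 Bucket Keys reduce the number of KMS requests per object.
                "BucketKeyEnabled": bucket_key_enabled,
            }
        ]
    }


def put_bucket_encryption_argv(bucket, kms_key_id, bucket_key_enabled=True):
    """argv for `aws s3api put-bucket-encryption`, JSON passed inline."""
    return [
        "aws", "s3api", "put-bucket-encryption",
        "--bucket", bucket,
        "--server-side-encryption-configuration",
        json.dumps(s3api_encryption_config(kms_key_id, bucket_key_enabled)),
    ]


def get_bucket_encryption_argv(bucket):
    """argv for `aws s3api get-bucket-encryption`, used to verify the change."""
    return ["aws", "s3api", "get-bucket-encryption", "--bucket", bucket]


def parse_bucket_encryption(get_output):
    """Extract (SSEAlgorithm, KMSMasterKeyID) from get-bucket-encryption JSON output."""
    cfg = json.loads(get_output)["ServerSideEncryptionConfiguration"]
    by_default = cfg["Rules"][0]["ApplyServerSideEncryptionByDefault"]
    return by_default.get("SSEAlgorithm"), by_default.get("KMSMasterKeyID")


def enforce_kms_encryption(bucket, kms_key_id, run=subprocess.run):
    """Apply the setting, read it back, and fail the pipeline unless the bucket
    now defaults to aws:kms. `run` is injectable so a test can stub the CLI."""
    run(put_bucket_encryption_argv(bucket, kms_key_id), check=True)
    result = run(get_bucket_encryption_argv(bucket), check=True,
                 capture_output=True, text=True)
    algorithm, key_id = parse_bucket_encryption(result.stdout)
    if algorithm != "aws:kms":
        raise RuntimeError(f"{bucket}: default encryption is {algorithm!r}, not aws:kms")
    return algorithm, key_id


if __name__ == "__main__":
    # Invokes the real AWS CLI; the caller needs s3:PutEncryptionConfiguration
    # and s3:GetEncryptionConfiguration on the bucket.
    print(enforce_kms_encryption(BUCKET, KMS_KEY_ID))
```

Run it as a step after `serverless deploy`, as the comment describes, so every deploy is followed by the same apply-and-verify pass; the read-back matters because a silently ignored setting is exactly what this issue is about.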


5 participants