KMS generates incomplete IAM resource policy #3458

Closed
@yandy-r

Description

  • I'm submitting a ...

    • 🪲 bug report
    • 🚀 feature request
    • 📚 construct library gap
    • ☎️ security issue or vulnerability => Please see policy
    • ❓ support request => Please see note at the top of this template.
  • What is the current behavior?
    If the current behavior is a 🪲bug🪲: Please provide the steps to reproduce

When creating a customer managed KMS key, the generated resource policy for the account principal is incomplete, at least when it comes to S3 buckets.

Create a KMS key and a bucket with KMS enabled:

// CDK v1 imports used by the snippet below (CDK CLI 1.2.0)
import * as cdk from '@aws-cdk/core';
import * as kms from '@aws-cdk/aws-kms';
import * as s3 from '@aws-cdk/aws-s3';

// Customer managed key with the default generated key policy
const kmsKey = new kms.Key(this, 'KeyName', {
  enableKeyRotation: true,
  enabled: true,
  removalPolicy: cdk.RemovalPolicy.DESTROY
});

// Bucket with SSE-KMS using the key above
new s3.Bucket(this, 'MyBucket', {
  encryption: s3.BucketEncryption.KMS,
  encryptionKey: kmsKey,
  removalPolicy: cdk.RemovalPolicy.DESTROY
});

With this default configuration, the generated key is missing an action needed to be able to write to S3 buckets (read seems not to be affected). With the CLI, SDK or console, no create (put or otherwise) on the bucket is allowed.

The error given through the AWS CLI is "An error occurred (AccessDenied) when calling the PutObject operation: Access Denied".

The fix, according to this AWS support article, is to add kms:GenerateDataKey to the actions statement.

  • What is the expected behavior (or behavior of feature suggested)?

Expected behaviour is that write operations to S3 buckets should work.

  • What is the work around if any?

The workaround is to add the following to the CDK code:

// requires: import * as iam from '@aws-cdk/aws-iam';
// Grant kms:GenerateDataKey to the account principal in the key policy
kmsKey.addToResourcePolicy(
  new iam.PolicyStatement({
    actions: ['kms:GenerateDataKey'],
    principals: [new iam.AccountPrincipal(cdk.Aws.ACCOUNT_ID)],
    resources: ['*']
  })
);

or this, which is more precise:

// Same grant, but scoped to the account root principal
kmsKey.addToResourcePolicy(
  new iam.PolicyStatement({
    actions: ['kms:GenerateDataKey'],
    principals: [new iam.AccountRootPrincipal()],
    resources: ['*']
  })
);

This completes the resource policy and write operations to S3 now work.

  • Please tell us about your environment:

    • CDK CLI Version: 1.2.0
    • Module Version: ?
    • OS: [all]
    • Language: [TypeScript]
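As an added example (not code from the issue or from the CDK project), the following TypeScript models the key policy situation the report describes: it checks whether the account root principal is granted kms:GenerateDataKey, the action S3 SSE-KMS writes need, and appends the issue's workaround statement when it is not. The account ID and the policy document are constructed samples, and Deny statements are not evaluated.

```typescript
// Added example (not the issue's or CDK's code); sample values below are constructed.
type Statement = {
  Effect: "Allow" | "Deny";
  Principal: { AWS: string | string[] };
  Action: string | string[];
  Resource: string | string[];
};
type KeyPolicy = { Version: string; Statement: Statement[] };
const ACCOUNT_ROOT = "arn:aws:iam::123456789012:root"; // constructed sample account

// Constructed sample resembling the incomplete default key policy in the issue:
// administrative actions for the account root, but no kms:GenerateDataKey.
const incompletePolicy: KeyPolicy = {
  Version: "2012-10-17",
  Statement: [{
    Effect: "Allow",
    Principal: { AWS: ACCOUNT_ROOT },
    Action: ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
             "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
             "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"],
    Resource: "*",
  }],
};
const asList = (v: string | string[]): string[] => (Array.isArray(v) ? v : [v]);

// IAM action patterns are case-insensitive and may contain '*' wildcards.
function actionMatches(pattern: string, action: string): boolean {
  const parts = pattern.toLowerCase().split("*")
    .map(p => p.replace(/[.+?^${}()|\[\]\\]/g, "\\$&"));
  return new RegExp("^" + parts.join(".*") + "$").test(action.toLowerCase());
}

// True when some Allow statement grants `action` to `principal`.
// (A matching Deny would still block it; Deny is not evaluated here.)
function grantsAction(policy: KeyPolicy, principal: string, action: string): boolean {
  return policy.Statement.some(s =>
    s.Effect === "Allow" &&
    asList(s.Principal.AWS).indexOf(principal) >= 0 &&
    asList(s.Action).some(p => actionMatches(p, action)));
}

// Returns the policy unchanged if it already grants kms:GenerateDataKey, otherwise
// a copy with the issue's workaround statement (account root, resource "*") appended.
function ensureGenerateDataKey(policy: KeyPolicy, principal: string): KeyPolicy {
  if (grantsAction(policy, principal, "kms:GenerateDataKey")) return policy;
  const fix: Statement = { Effect: "Allow", Principal: { AWS: principal },
                           Action: "kms:GenerateDataKey", Resource: "*" };
  return { ...policy, Statement: [...policy.Statement, fix] };
}
```

Running `ensureGenerateDataKey(incompletePolicy, ACCOUNT_ROOT)` yields a policy with a second statement equivalent to the `AccountRootPrincipal` workaround above; a key whose policy already grants `kms:*` is returned unchanged.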

Labels: @aws-cdk/aws-kms (Related to AWS Key Management), bug (This issue is a bug.)