
aws-s3: key rotation is not enabled while creating KMS encrypted S3 buckets #31982

Closed
1 task
animesh-bhadouria opened this issue Nov 1, 2024 · 3 comments · Fixed by #32064
Assignees
Labels
@aws-cdk/aws-kms (Related to AWS Key Management), bug (This issue is a bug.), effort/small (Small work item – less than a day of effort), p1

Comments

@animesh-bhadouria

Describe the bug

If an encryption key is not provided while creating the S3 bucket, then the S3 construct creates a key by default, but it does not enable key rotation. This could cause a security risk for downstream consumers.

S3 bucket creation where the key is created without key rotation enabled
https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-s3/lib/bucket.ts#L2160

Similar example with DynamoDB, where key rotation is enabled by default
https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-dynamodb/lib/table.ts#L1696

The change should be straightforward, since enableKeyRotation doesn’t require a replacement on update.

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

No response

Expected Behavior

S3 created KMS keys to have key rotation enabled

Current Behavior

S3 created KMS keys do not enable key rotation

Reproduction Steps

https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-s3/lib/bucket.ts#L2160

Possible Solution

https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-dynamodb/lib/table.ts#L1696

Additional Information/Context

No response

CDK CLI Version

Latest

Framework Version

No response

Node.js Version

18

OS

AL2

Language

Java

Language Version

No response

Other information

No response
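The gap described above (a KMS key synthesized without EnableKeyRotation) is easy to catch before deployment by scanning the synthesized template rather than trusting any one construct's defaults. The following is an added example, not code from the aws-cdk repository or from the issue author: a small audit over CloudFormation JSON that flags every AWS::KMS::Key whose rotation is missing or disabled, and separately reports keys that cannot rotate at all (KMS only auto-rotates symmetric encryption keys with KMS-generated material, so asymmetric, HMAC and imported-material keys need a manual rotation plan instead). The template fragments are constructed to mirror the shape `cdk synth` produces for a bucket with `encryption: KMS` and no `encryptionKey`; the logical IDs, description and resource names are made up.

```typescript
// Added example (not aws-cdk code): audit a synthesized CloudFormation template
// for KMS keys that will not rotate. Template fragments below are constructed
// to match the shape `cdk synth` emits; logical IDs and descriptions are made up.

type CfnResource = { Type: string; Properties?: Record<string, unknown> };
type CfnTemplate = { Resources: Record<string, CfnResource> };

type RotationFinding = {
  logicalId: string;
  // missing:     EnableKeyRotation absent; CloudFormation defaults it to false
  // disabled:    EnableKeyRotation explicitly false
  // unsupported: KMS cannot auto-rotate this key (non-symmetric KeySpec or
  //              imported material), so the property cannot even be set
  kind: 'missing' | 'disabled' | 'unsupported';
  detail: string;
};

function auditKmsKeyRotation(template: CfnTemplate): RotationFinding[] {
  const findings: RotationFinding[] = [];
  for (const logicalId of Object.keys(template.Resources)) {
    const res = template.Resources[logicalId];
    if (res.Type !== 'AWS::KMS::Key') continue;
    const props: Record<string, unknown> = res.Properties || {};
    // CloudFormation defaults: KeySpec SYMMETRIC_DEFAULT, Origin AWS_KMS.
    const specRaw = props.KeySpec;
    const originRaw = props.Origin;
    const keySpec = typeof specRaw === 'string' ? specRaw : 'SYMMETRIC_DEFAULT';
    const origin = typeof originRaw === 'string' ? originRaw : 'AWS_KMS';
    if (keySpec !== 'SYMMETRIC_DEFAULT' || origin !== 'AWS_KMS') {
      findings.push({ logicalId, kind: 'unsupported', detail: `KeySpec=${keySpec}, Origin=${origin}` });
    } else if (props.EnableKeyRotation === undefined) {
      findings.push({ logicalId, kind: 'missing', detail: 'EnableKeyRotation not set (defaults to false)' });
    } else if (props.EnableKeyRotation !== true) {
      findings.push({ logicalId, kind: 'disabled', detail: 'EnableKeyRotation is ' + JSON.stringify(props.EnableKeyRotation) });
    }
  }
  return findings;
}

// Constructed: a KMS-encrypted bucket plus the key the Bucket construct creates
// for it when `encryption: KMS` is set without an `encryptionKey`.
function bucketWithOwnKey(keyProps: Record<string, unknown>): CfnTemplate {
  return {
    Resources: {
      BucketKey: {
        Type: 'AWS::KMS::Key',
        Properties: { Description: 'Created by Stack/Bucket', ...keyProps },
      },
      Bucket: {
        Type: 'AWS::S3::Bucket',
        Properties: {
          BucketEncryption: {
            ServerSideEncryptionConfiguration: [{
              ServerSideEncryptionByDefault: {
                SSEAlgorithm: 'aws:kms',
                KMSMasterKeyID: { 'Fn::GetAtt': ['BucketKey', 'Arn'] },
              },
            }],
          },
        },
      },
    },
  };
}

// Key as the construct synthesized it before the fix: no EnableKeyRotation at all.
const DEFAULT_KEY_TEMPLATE = bucketWithOwnKey({});
// What the fix (or an explicit kms.Key with enableKeyRotation: true) produces.
const ROTATING_KEY_TEMPLATE = bucketWithOwnKey({ EnableKeyRotation: true });
// Rotation switched off on purpose: still a finding.
const DISABLED_KEY_TEMPLATE = bucketWithOwnKey({ EnableKeyRotation: false });
// Constructed asymmetric signing key elsewhere in a stack: rotation cannot be enabled.
const SIGNING_KEY_TEMPLATE: CfnTemplate = {
  Resources: {
    SigningKey: { Type: 'AWS::KMS::Key', Properties: { KeySpec: 'RSA_4096', KeyUsage: 'SIGN_VERIFY' } },
  },
};

// One line per finding; a CI step would fail on any 'missing' or 'disabled' entry.
function report(name: string, template: CfnTemplate): string[] {
  return auditKmsKeyRotation(template).map(f => `${name}: ${f.logicalId} ${f.kind} (${f.detail})`);
}

const SAMPLES: Record<string, CfnTemplate> = {
  DEFAULT_KEY_TEMPLATE, ROTATING_KEY_TEMPLATE, DISABLED_KEY_TEMPLATE, SIGNING_KEY_TEMPLATE,
};
for (const name of Object.keys(SAMPLES)) {
  const lines = report(name, SAMPLES[name]);
  console.log(lines.length ? lines.join('\n') : `${name}: ok`);
}
```

To use this on a real app, load `cdk.out/<Stack>.template.json` with `JSON.parse` and pass it to `auditKmsKeyRotation`. On a CDK version that does not yet contain the fix, the workaround on the construct side is to hand the bucket an explicit key, `new kms.Key(this, 'BucketKey', { enableKeyRotation: true })`, via the bucket's `encryptionKey` property, which the audit will then report as clean.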

@animesh-bhadouria animesh-bhadouria added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Nov 1, 2024
@github-actions github-actions bot added the @aws-cdk/aws-kms Related to AWS Key Management label Nov 1, 2024
@ashishdhingra ashishdhingra self-assigned this Nov 1, 2024
@ashishdhingra ashishdhingra added p2 investigating This issue is being investigated and/or work is in progress to resolve the issue. and removed needs-triage This issue or PR still needs to be triaged. labels Nov 1, 2024
@ashishdhingra
Contributor

Per the code here, if props.encryption is set but props.encryptionKey is not specified, then it attempts to create a new KMS Key without enableKeyRotation set to true. Agreed, enableKeyRotation should be enabled.

@ashishdhingra ashishdhingra added effort/small Small work item – less than a day of effort and removed investigating This issue is being investigated and/or work is in progress to resolve the issue. labels Nov 1, 2024
@ashishdhingra ashishdhingra removed their assignment Nov 1, 2024
@ashishdhingra ashishdhingra added p1 and removed p2 labels Nov 1, 2024
@xazhao xazhao self-assigned this Nov 5, 2024
@xazhao xazhao changed the title from "aws-cdk-lib/aws-s3: Enable key rotation while creating KMS encrypted S3 buckets" to "aws-s3: key rotation is not enabled while creating KMS encrypted S3 buckets" Nov 15, 2024
@mergify mergify bot closed this as completed in #32064 Nov 21, 2024
@mergify mergify bot closed this as completed in e3024fc Nov 21, 2024

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 21, 2024