aws-cloudformation / aws-cloudformation-resource-providers-kms

AWS Key Management Service (KMS) makes it easy for you to create and manage cryptographic keys and control their use across a wide range of AWS services and in your applications. AWS KMS is a secure and resilient service that uses hardware security modules that have been validated under FIPS 140-2, or are in the process of being validated, to protect your keys. AWS KMS is integrated with AWS CloudTrail to provide you with logs of all key usage to help meet your regulatory and compliance needs.
https://aws.amazon.com/kms/
Apache License 2.0

Update Soft Fail Logic when customer attempts to modify tags #39

Closed sruthisrip closed 2 years ago

sruthisrip commented 2 years ago

Description of changes: Update Soft Fail Logic when a customer attempts to modify tags. The handler returns a failure if keys are updated by a customer who does not have the permissions to update tags.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

jtcul commented 2 years ago

Whatever you do for the key resource you need to also do for replicakey. I might advise moving this change out of key's UpdateHandler and into the common KeyHandlerHelper.

We should NOT do this for ReplicaKey. It does not have soft failing for tag updates, because it has always required tagging permission, unlike Key. Key must continue to support soft failing for the sake of backwards compatibility.
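As an added illustration, not code from this repository, the soft-fail decision described in the PR description and in the ReplicaKey comment above can be written as one helper that both handlers could share. The KMS client, its access-denied error and the exact rule (a denial is swallowed only for Key, and only when the template did not actually change the tags) are assumptions here.

```java
import java.util.Map;
import java.util.Objects;

// Constructed stand-in for the access-denied error a KMS tagging call can raise.
class TagAccessDeniedException extends RuntimeException {
    TagAccessDeniedException(String message) { super(message); }
}

// Hypothetical seam for the tagging call; the real handler goes through the KMS client.
interface TagClient {
    void tagResource(String keyId, Map<String, String> tags);
}

public class TagUpdateSoftFail {
    enum Outcome { UPDATED, SOFT_FAILED, FAILED }

    /**
     * Apply the desired tags during an update.
     * If the call is denied, soft fail only when (a) the resource type allows it
     * (Key does, for backwards compatibility; ReplicaKey does not) and (b) the
     * template did not actually ask for a tag change. Otherwise report a failure.
     */
    static Outcome updateTags(TagClient client, String keyId,
                              Map<String, String> previousTags,
                              Map<String, String> desiredTags,
                              boolean softFailAllowed) {
        boolean tagsChanged = !Objects.equals(previousTags, desiredTags);
        try {
            client.tagResource(keyId, desiredTags);
            return Outcome.UPDATED;
        } catch (TagAccessDeniedException e) {
            if (softFailAllowed && !tagsChanged) {
                return Outcome.SOFT_FAILED; // legacy Key behaviour: ignore the denial
            }
            return Outcome.FAILED;          // caller asked to change tags but is not permitted
        }
    }

    public static void main(String[] args) {
        // Constructed client that always denies kms:TagResource.
        TagClient denied = (keyId, tags) -> { throw new TagAccessDeniedException("TagResource denied"); };
        Map<String, String> before = Map.of("env", "prod");
        Map<String, String> after = Map.of("env", "prod", "owner", "team-a");
        // Key: unchanged tags soft fail, changed tags fail.
        System.out.println(updateTags(denied, "example-key-id", before, before, true));
        System.out.println(updateTags(denied, "example-key-id", before, after, true));
        // ReplicaKey never soft fails, since it always required tagging permission.
        System.out.println(updateTags(denied, "example-key-id", before, before, false));
    }
}
```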