aws-cloudformation / cfn-lint

CloudFormation Linter
MIT No Attribution

E3012 for AWS::Glue::SecurityConfiguration with cfn-lint v1 #3368

Closed dansepp-gale closed 1 week ago

dansepp-gale commented 1 week ago

CloudFormation Lint Version

cfn-lint 1.3.2

What operating system are you using?

Windows

Describe the bug

The following CloudFormation resource of type AWS::Glue::SecurityConfiguration appears to match the CloudFormation specification for EncryptionConfiguration and S3Encryptions, and was passing cfn-lint checks prior to an upgrade to v1, but now fails:

Error: E3012 [{'KmsKeyArn': {'Fn::GetAtt': ['EncryptionKey', 'Arn']}, 'S3EncryptionMode': 'SSE-KMS'}] is not of type 'object'

Expected behavior

cfn-lint should pass with no errors or warnings.

Reproduction template

AWSTemplateFormatVersion: "2010-09-09"
Description: Sample Glue Security Configuration failing cfn-lint.

Resources:
  EncryptionKey:
    Type: AWS::KMS::Key
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
    Properties:
      Description: Glue CMK
      EnableKeyRotation: true
      KeyPolicy:
        Version: 2012-10-17
        Id: glue-key
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:root"
            Action: 'kms:*'
            Resource: '*'
          - Sid: Allow Glue use of key
            Effect: Allow
            Principal:
              Service: "glue.amazonaws.com"
            Action:
              - kms:Decrypt
              - kms:DescribeKey
              - kms:Encrypt
              - kms:GenerateDataKey*
              - kms:ReEncrypt*
            Resource: "*"
      KeySpec: SYMMETRIC_DEFAULT
      KeyUsage: ENCRYPT_DECRYPT
      PendingWindowInDays: 7

  JobSecurityConfiguration:
    Type: AWS::Glue::SecurityConfiguration
    Properties:
      EncryptionConfiguration:
        CloudWatchEncryption:
          CloudWatchEncryptionMode: SSE-KMS
          KmsKeyArn: !GetAtt EncryptionKey.Arn
        JobBookmarksEncryption:
          JobBookmarksEncryptionMode: CSE-KMS
          KmsKeyArn: !GetAtt EncryptionKey.Arn
        S3Encryptions:
          - KmsKeyArn: !GetAtt EncryptionKey.Arn
            S3EncryptionMode: 'SSE-KMS'
      Name: "demo-glue-security-config"
dishikang123 commented 1 week ago

I am running into the same error with a different resource. The sample template is straight from the CloudFormation reference documentation. The error started to appear after updating to v1.3.2.

E3012 'SFTP' is not of type 'object'

AWSTemplateFormatVersion: '2010-09-09'
Description: creates SFTP Server
Resources:
  MyTransferServer:
    Type: AWS::Transfer::Server
    Properties:
      EndpointDetails:
        AddressAllocationIds:
          - AddressAllocationId-1
          - AddressAllocationId-2
        SubnetIds:
          - SubnetId-1
          - SubnetId-2
        VpcId: VpcId
      EndpointType: VPC
      LoggingRole: Logging-Role-ARN
      Protocols:
        - SFTP
      SecurityPolicyName: Security-Policy-Name
      IdentityProviderDetails:
        InvocationRole: Invocation-Role-ARN
        Url: API_GATEWAY-Invocation-URL
      IdentityProviderType: API_GATEWAY
      Tags:
        - Key: KeyName
          Value: ValueName
sheridansmall commented 1 week ago

I'm seeing it too on AWS::Transfer::Server, as @dishikang123 saw, and on AWS::Transfer::User SshPublicKeys using !Ref.

kddejong commented 1 week ago

Looks like, in the switch to the schemas from the specs, the schemas are a little off.

"S3Encryptions": {
  "$ref": "#/definitions/S3Encryptions"
}
....
"S3Encryptions": {
  "additionalProperties": false,
  "type": "object"
}

We can patch the schema appropriately. PR incoming.
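To make the mismatch concrete, here is an added illustration (not cfn-lint's own validator, and not code from this issue): a minimal JSON Schema walker that follows `$ref` into `definitions` and checks `type`, `items` and `properties`, run over the `S3Encryptions` value from the template above. The "broken" definition is the one quoted in this thread; the "patched" array-of-`S3Encryption` shape and the rule that a single-key `Ref`/`Fn::*` mapping is skipped are assumptions made for the example.

```python
"""Constructed mini JSON Schema checker (illustration only, not cfn-lint's)."""

JSON_TYPES = {"object": dict, "array": list, "string": str, "boolean": bool}


def is_intrinsic(value):
    # Assumption: a single-key Ref / Fn::* mapping is resolved at deploy time, so skip it
    return isinstance(value, dict) and len(value) == 1 and (
        next(iter(value)) == "Ref" or next(iter(value)).startswith("Fn::"))


def validate(value, schema, root, path="/"):
    """Return a list of error strings; an empty list means the value is valid."""
    if "$ref" in schema:  # resolve "#/definitions/<Name>" against the root schema
        schema = root["definitions"][schema["$ref"].rsplit("/", 1)[-1]]
    if is_intrinsic(value):
        return []
    errors = []
    expected = schema.get("type")
    if expected and not isinstance(value, JSON_TYPES[expected]):
        return [f"E3012 {value!r} is not of type '{expected}' at {path}"]
    if expected == "array":
        for i, item in enumerate(value):
            errors += validate(item, schema.get("items", {}), root, f"{path}/{i}")
    if expected == "object":
        props = schema.get("properties", {})
        for key, sub in value.items():
            if key in props:
                errors += validate(sub, props[key], root, f"{path}/{key}")
            elif schema.get("additionalProperties") is False:
                errors.append(f"E3002 additional property '{key}' at {path}")
    return errors


# Constructed sample: the S3Encryptions value from the reproduction template.
S3_ENCRYPTIONS = [{"KmsKeyArn": {"Fn::GetAtt": ["EncryptionKey", "Arn"]},
                   "S3EncryptionMode": "SSE-KMS"}]

# The definition quoted in the thread: declared as an object, but the value is a list.
BROKEN = {"definitions": {"S3Encryptions": {"additionalProperties": False, "type": "object"}}}

# Assumed patched shape: an array whose items are S3Encryption objects.
PATCHED = {"definitions": {
    "S3Encryptions": {"type": "array", "items": {"$ref": "#/definitions/S3Encryption"}},
    "S3Encryption": {"type": "object", "additionalProperties": False,
                     "properties": {"KmsKeyArn": {"type": "string"},
                                    "S3EncryptionMode": {"type": "string"}}}}}


def check(root):
    """Validate the sample value against the S3Encryptions definition of a root schema."""
    return validate(S3_ENCRYPTIONS, {"$ref": "#/definitions/S3Encryptions"}, root, "/S3Encryptions")
```

Running `check(BROKEN)` reproduces the E3012 wording from the report, while `check(PATCHED)` returns no errors; the `Fn::GetAtt` value is accepted in both shapes because it is skipped as an intrinsic.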

kddejong commented 1 week ago

Looks like there are about 21 occurrences of this, which isn't great for JSON schema based validation. Going to see what I can do to get them patched. I can prioritize and release as needed, so if you have any other additional resources you are seeing this on, send them over.

{
  "additionalProperties": false,
  "type": "object"
}
dansepp-gale commented 1 week ago

Thanks @kddejong. I'm not seeing this occurring with any other CFN type in my repos.