Open cmorikuni-aon opened 2 weeks ago
Describe the bug
Setting up EventBridge with a rule to a KMS_MANAGED SQS queue is invalid according to: https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-key-management.html#sqs-what-permissions-for-sse
CDK synth should error out and force the developer to configure SQS using a customer master key.

Expected Behavior
For CDK synth to error out.

Current Behavior
Allows the configuration to synth and be pushed. No warnings or logs are provided that make users aware of this behavior, except the documentation.

Reproduction Steps
`aws_events_targets` calls `grantSendMessages` on the Queue, expecting this to grant all of the required permissions. (https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-events-targets/lib/sqs.ts#L72)
`grantSendMessages` only configures `grantEncryptDecrypt` if the queue has a CMK and an `encryptionMasterKey` property. (https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-sqs/lib/queue-base.ts#L228) (The key policy for a KMS managed key cannot be configured and does not include this permission.)
`encryptionMasterKey` is unset. (https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-sqs/lib/queue.ts#L482)
[An SQS queue cannot use KMS_MANAGED encryption when using AWS services as an event source.](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-key-management.html#sqs-what-permissions-for-sse)

Possible Solution
No response

Additional Information/Context
No response

CDK CLI Version
2.135

Framework Version
No response

Node.js Version
v16.17.1

OS
Macos 14.5

Language
Python

Language Version
No response

Other information
No response

@cmorikuni-aon Good afternoon. Would it be possible for you to share minimal self-contained code to help us quickly troubleshoot the issue?
Thanks, Ashish
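Since CDK itself emits no warning for this combination, a pre-deployment check over the synthesized CloudFormation template is one way to catch it before `cdk deploy`. The script below is an added example written for this issue; it is not code from the issue author or from aws-cdk. It assumes the template shape CDK produces: an `AWS::Events::Rule` whose target `Arn` is an `Fn::GetAtt` (or `Ref`) pointing at an `AWS::SQS::Queue`, and `KmsMasterKeyId: alias/aws/sqs` as the marker CDK writes for `QueueEncryption.KMS_MANAGED`. The sample template embedded in the script is constructed for the example and contains one offending queue and one queue with a customer-managed key.

```python
"""Lint a synthesized CloudFormation template for EventBridge rules that
target an SQS queue encrypted with the AWS-managed SQS key.

Such a queue has no editable key policy, so the events.amazonaws.com
principal can never be granted kms:GenerateDataKey on it and deliveries
fail. Added example for this issue; not part of aws-cdk."""
import json

# What CDK emits for QueueEncryption.KMS_MANAGED (assumption stated in lead-in).
AWS_MANAGED_SQS_KEY = "alias/aws/sqs"


def _referenced_logical_id(arn):
    """Return the logical id behind an intrinsic target Arn, or None for literals."""
    if isinstance(arn, dict):
        if "Fn::GetAtt" in arn:
            return arn["Fn::GetAtt"][0]
        if "Ref" in arn:
            return arn["Ref"]
    return None


def _uses_aws_managed_key(queue):
    key = queue.get("Properties", {}).get("KmsMasterKeyId")
    # The alias may appear bare or as a full ARN ending in ":alias/aws/sqs".
    return isinstance(key, str) and (
        key == AWS_MANAGED_SQS_KEY or key.endswith(":" + AWS_MANAGED_SQS_KEY)
    )


def find_kms_managed_event_targets(template):
    """Return (rule_id, queue_id) pairs where a rule targets a KMS_MANAGED queue."""
    resources = template.get("Resources", {})
    findings = []
    for rule_id, rule in resources.items():
        if rule.get("Type") != "AWS::Events::Rule":
            continue
        for target in rule.get("Properties", {}).get("Targets", []):
            queue_id = _referenced_logical_id(target.get("Arn"))
            queue = resources.get(queue_id)
            if queue and queue.get("Type") == "AWS::SQS::Queue" and _uses_aws_managed_key(queue):
                findings.append((rule_id, queue_id))
    return findings


# Constructed sample template mimicking two CDK-synthesized queues and rules.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "QueueKmsManaged": {
      "Type": "AWS::SQS::Queue",
      "Properties": {"KmsMasterKeyId": "alias/aws/sqs"}
    },
    "QueueKey": {"Type": "AWS::KMS::Key", "Properties": {}},
    "QueueCmk": {
      "Type": "AWS::SQS::Queue",
      "Properties": {"KmsMasterKeyId": {"Fn::GetAtt": ["QueueKey", "Arn"]}}
    },
    "RuleBad": {
      "Type": "AWS::Events::Rule",
      "Properties": {
        "Targets": [{"Arn": {"Fn::GetAtt": ["QueueKmsManaged", "Arn"]}, "Id": "Target0"}]
      }
    },
    "RuleOk": {
      "Type": "AWS::Events::Rule",
      "Properties": {
        "Targets": [{"Arn": {"Fn::GetAtt": ["QueueCmk", "Arn"]}, "Id": "Target0"}]
      }
    }
  }
}
""")


def main(template=SAMPLE_TEMPLATE):
    findings = find_kms_managed_event_targets(template)
    for rule_id, queue_id in findings:
        print(f"{rule_id}: targets {queue_id}, which uses {AWS_MANAGED_SQS_KEY}; "
              "EventBridge cannot be granted kms:GenerateDataKey on this key. "
              "Use a customer-managed key (encryption_master_key) instead.")
    return len(findings)


if __name__ == "__main__":
    raise SystemExit(1 if main() else 0)
```

Run it against `cdk.out/<Stack>.template.json` after `cdk synth` (for example by loading that file with `json.load` and passing it to `main`) and fail the pipeline on a non-zero exit; the fix on the CDK side is to create a `kms.Key` and pass it as `encryption_master_key`, which is what makes `grantSendMessages` add the `grantEncryptDecrypt` key-policy statement.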