Closed animesh-bhadouria closed 3 days ago
Per code here, if the props.encryption is set but props.encryptionKey is not specified, then it attempts to create a new KMS Key without enableKeyRotation set to true. Agreed enableKeyRotation should be enabled.
Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one.
Describe the bug
If an encryption key is not provided while creating the S3 bucket, then S3 construct creates a key by default but it does not enable key rotation. This could cause a security risk on downstream consumers.
S3 bucket creation where the key is created without key rotation enabled: https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-s3/lib/bucket.ts#L2160
Similar example with DynamoDB where key rotation is enabled by default: https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-dynamodb/lib/table.ts#L1696
Change should be straightforward since enableKeyRotation doesn’t require a replacement on update.
Regression Issue
Last Known Working CDK Version
No response
Expected Behavior
S3 created KMS keys to have key rotation enabled
Current Behavior
S3 created KMS keys do not enable key rotation
Reproduction Steps
https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-s3/lib/bucket.ts#L2160
Possible Solution
https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-dynamodb/lib/table.ts#L1696
Additional Information/Context
No response
CDK CLI Version
Latest
Framework Version
No response
Node.js Version
18
OS
AL2
Language
Java
Language Version
No response
Other information
No response
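The bug above only shows up after synthesis, as an AWS::KMS::Key resource with no EnableKeyRotation property. The following is an added example, not aws-cdk's own code, of a post-synth check a team could run over a synthesized template to catch buckets that encrypt with such a key. The template is constructed and simplified; the function names and the Fn::GetAtt reference shape are assumptions about CDK's output.

```typescript
// Added example (not part of aws-cdk): flag KMS keys synthesized without rotation
// and the S3 buckets whose default SSE-KMS key is one of them.
type CfnResource = { Type: string; Properties?: Record<string, unknown> };
type CfnTemplate = { Resources: Record<string, CfnResource> };
type SseRule = { ServerSideEncryptionByDefault?: { SSEAlgorithm?: string; KMSMasterKeyID?: unknown } };

/** Logical IDs of KMS keys whose EnableKeyRotation is not exactly true (absent counts as off). */
function keysWithoutRotation(template: CfnTemplate): string[] {
  return Object.entries(template.Resources)
    .filter(([, res]) => res.Type === 'AWS::KMS::Key')
    .filter(([, res]) => res.Properties?.EnableKeyRotation !== true)
    .map(([id]) => id);
}

/** Resolve a { "Fn::GetAtt": ["<LogicalId>", "Arn"] } reference to its logical ID, else undefined. */
function getAttLogicalId(ref: unknown): string | undefined {
  if (typeof ref !== 'object' || ref === null || !('Fn::GetAtt' in ref)) return undefined;
  const target = (ref as { 'Fn::GetAtt': unknown })['Fn::GetAtt'];
  return Array.isArray(target) && typeof target[0] === 'string' ? target[0] : undefined;
}

/** Logical IDs of S3 buckets whose SSE-KMS default key is an in-stack key without rotation. */
function bucketsUsingUnrotatedKeys(template: CfnTemplate): string[] {
  const unrotated = new Set(keysWithoutRotation(template));
  const hits: string[] = [];
  for (const [id, res] of Object.entries(template.Resources)) {
    if (res.Type !== 'AWS::S3::Bucket') continue;
    const enc = res.Properties?.BucketEncryption as { ServerSideEncryptionConfiguration?: SseRule[] } | undefined;
    for (const rule of enc?.ServerSideEncryptionConfiguration ?? []) {
      const keyId = getAttLogicalId(rule.ServerSideEncryptionByDefault?.KMSMasterKeyID);
      if (keyId !== undefined && unrotated.has(keyId)) hits.push(id);
    }
  }
  return hits;
}

// Constructed, simplified template (assumed shape of CDK output): ImplicitKey stands for the key
// Bucket creates when encryption is set but encryptionKey is not (no rotation property);
// ExplicitKey stands for a user-supplied kms.Key created with enableKeyRotation: true.
const sampleTemplate: CfnTemplate = {
  Resources: {
    ImplicitKey: { Type: 'AWS::KMS::Key', Properties: { Description: 'Created by Stack/Bucket' } },
    ExplicitKey: { Type: 'AWS::KMS::Key', Properties: { EnableKeyRotation: true } },
    Bucket: { Type: 'AWS::S3::Bucket', Properties: { BucketEncryption: { ServerSideEncryptionConfiguration: [
      { ServerSideEncryptionByDefault: { SSEAlgorithm: 'aws:kms', KMSMasterKeyID: { 'Fn::GetAtt': ['ImplicitKey', 'Arn'] } } },
    ] } } },
    SafeBucket: { Type: 'AWS::S3::Bucket', Properties: { BucketEncryption: { ServerSideEncryptionConfiguration: [
      { ServerSideEncryptionByDefault: { SSEAlgorithm: 'aws:kms', KMSMasterKeyID: { 'Fn::GetAtt': ['ExplicitKey', 'Arn'] } } },
    ] } } },
  },
};
```

Run it against the JSON in cdk.out after `cdk synth`; a non-empty result from bucketsUsingUnrotatedKeys is the condition this issue describes, and passing an explicit kms.Key with enableKeyRotation set is the workaround until the default changes.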