awslabs / landing-zone-accelerator-on-aws

Deploy a multi-account cloud foundation to support highly-regulated workloads and complex compliance requirements.
https://aws.amazon.com/solutions/implementations/landing-zone-accelerator-on-aws/
Apache License 2.0

Eventbridge unable to send events to SNS topics using SNS topic KMS key #407

Open caseytoomey opened 5 months ago

caseytoomey commented 5 months ago

Describe the bug We are unable to forward events from EventBridge rules to SNS topics encrypted with the accelerator central SNS key. Invocations for our event rules show this as failing.

This appears to be due to the condition of the key requiring "aws:SourceAccount" for cloudwatch and events, however this condition doesn't appear to be supported in KMS policy when EventBridge is sending to SNS. More info on the SNS developer guide https://docs.aws.amazon.com/sns/latest/dg/sns-key-management.html

"Adding the aws:SourceAccount and aws:SourceArn to a AWS KMS policy is not supported for EventBridge-to-encrypted topics."

To Reproduce Set up Event rule to forward events to an SNS topic encrypted with the key "accelerator/kms/snstopic/key". Trigger event rule to cause failure to invoke.

Expected behavior Topics encrypted with the LZA topics key are able to receive messages from EventBridge.

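The condition described in the report above is something a key-policy audit can catch before a rule is created. The following is an added example, not code from the landing-zone-accelerator-on-aws project: it parses a KMS key policy, flags Allow statements that grant `events.amazonaws.com` the key permissions SNS needs (`kms:GenerateDataKey*`, `kms:Decrypt`) but carry an `aws:SourceAccount` or `aws:SourceArn` condition, which the SNS developer guide says is not supported for EventBridge-to-encrypted-topics, and produces a corrected policy. The sample key policy, account ID and Sids are constructed for illustration and are not the accelerator's actual `accelerator/kms/snstopic/key` policy.

```python
"""Audit a KMS key policy for the EventBridge-to-encrypted-SNS-topic pitfall.

Added example, not code from landing-zone-accelerator-on-aws. The key policy
below is constructed for illustration; the account ID and Sids are made up.
"""
import copy
import json

EVENTBRIDGE_PRINCIPAL = "events.amazonaws.com"
# Per the SNS developer guide, these condition keys are not supported in a
# KMS key policy when EventBridge publishes to an encrypted topic.
UNSUPPORTED_KEYS = {"aws:SourceAccount", "aws:SourceArn"}
# Key permissions SNS needs on behalf of a publishing AWS service.
REQUIRED_ACTIONS = ["kms:GenerateDataKey*", "kms:Decrypt"]

# Constructed sample: a scoped statement shared by CloudWatch and EventBridge.
SAMPLE_KEY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow CloudWatch and EventBridge to use the key",
      "Effect": "Allow",
      "Principal": {"Service": ["cloudwatch.amazonaws.com", "events.amazonaws.com"]},
      "Action": ["kms:GenerateDataKey*", "kms:Decrypt"],
      "Resource": "*",
      "Condition": {"StringEquals": {"aws:SourceAccount": "111111111111"}}
    }
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _service_principals(statement):
    """Service principals named in a statement ("Principal": "*" has none)."""
    principal = statement.get("Principal", {})
    if not isinstance(principal, dict):
        return []
    return _as_list(principal.get("Service", []))


def _condition_keys(statement):
    """Flatten {"StringEquals": {"aws:SourceAccount": ...}} into its keys."""
    return {key for operand in statement.get("Condition", {}).values() for key in operand}


def _is_blocked(statement):
    return (
        statement.get("Effect") == "Allow"
        and EVENTBRIDGE_PRINCIPAL in _service_principals(statement)
        and bool(_condition_keys(statement) & UNSUPPORTED_KEYS)
    )


def find_blocked_eventbridge_statements(policy):
    """Return (Sid, [offending condition keys]) for each statement that grants
    EventBridge the key but under a condition KMS will not honour for it."""
    return [
        (st.get("Sid", f"statement[{i}]"), sorted(_condition_keys(st) & UNSUPPORTED_KEYS))
        for i, st in enumerate(policy["Statement"])
        if _is_blocked(st)
    ]


def fix_policy(policy):
    """Copy the policy, drop EventBridge from the scoped statements (the other
    services keep their aws:SourceAccount scoping) and add a separate,
    unconditioned statement for events.amazonaws.com."""
    fixed = copy.deepcopy(policy)
    kept = []
    for st in fixed["Statement"]:
        if _is_blocked(st):
            services = [s for s in _service_principals(st) if s != EVENTBRIDGE_PRINCIPAL]
            if services:
                st["Principal"]["Service"] = services
            else:
                st["Principal"].pop("Service", None)
            if not st["Principal"]:
                continue  # nothing left to grant to; drop the statement
        kept.append(st)
    kept.append({
        "Sid": "Allow EventBridge to publish to encrypted topics",
        "Effect": "Allow",
        "Principal": {"Service": EVENTBRIDGE_PRINCIPAL},
        "Action": list(REQUIRED_ACTIONS),
        "Resource": "*",
    })
    fixed["Statement"] = kept
    return fixed


if __name__ == "__main__":
    print(find_blocked_eventbridge_statements(SAMPLE_KEY_POLICY))
    print(json.dumps(fix_policy(SAMPLE_KEY_POLICY), indent=2))
```

The trade-off is visible in the output: the EventBridge statement has no account scoping at all, because KMS cannot evaluate it for this path. A key that is shared between EventBridge topics and other uses therefore becomes usable by EventBridge from any account, which is one argument for keeping the SNS topic key dedicated to that purpose.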

richardkeit commented 5 months ago

Hi @caseytoomey ,

What use-case do you have? Recently the team released ResourcePolicyEnforcementConfig where resource policies can be applied to resources. Using this method, the above required resource statement could be applied.

If you think AWS should make this the default behaviour, giving a use case can help with the acceptance and/or prioritization.

Good luck!

caseytoomey commented 5 months ago

Hi @richardkeit,

Thanks for your response. We are using SNS for alerting and notifications, with the source being EventBridge rules. We use this for application-level messages, and to prioritize and delegate various AWS events. For example, with GuardDuty we conditionally forward events to different SNS topics via EventBridge, depending on severity (via Event patterns). https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings_cloudwatch.html

Ideally the SNS KMS key deployed by LZA would support this by default, rather than having to remediate this via Config.

Cheers
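The severity-based routing described in the last comment relies on EventBridge event patterns with the `numeric` operator matched against `detail.severity` of a GuardDuty Finding event. The following is an added example, not code from the project or from either commenter: it defines three patterns for the GuardDuty severity bands (Low 1-3.9, Medium 4-6.9, High 7-8.9), each mapped to an SNS topic, and a minimal matcher implementing the subset of event-pattern semantics the patterns use (every key must match, arrays are alternatives, `numeric` takes op/bound pairs). The topic ARNs and the sample finding are constructed; a real deployment would put the patterns on EventBridge rules rather than evaluate them locally.

```python
"""Route GuardDuty findings to SNS topics by severity using EventBridge
event-pattern semantics. Added example; topic ARNs and the finding are
constructed for illustration and are not from the original thread."""
import operator

_NUMERIC_OPS = {"<": operator.lt, "<=": operator.le, "=": operator.eq,
                ">": operator.gt, ">=": operator.ge}

# Hypothetical per-severity topics (the kind of topics the thread is about).
ROUTES = [
    ("guardduty-high", {
        "source": ["aws.guardduty"],
        "detail-type": ["GuardDuty Finding"],
        "detail": {"severity": [{"numeric": [">=", 7]}]},
    }, "arn:aws:sns:us-east-1:111111111111:security-alerts-high"),
    ("guardduty-medium", {
        "source": ["aws.guardduty"],
        "detail-type": ["GuardDuty Finding"],
        "detail": {"severity": [{"numeric": [">=", 4, "<", 7]}]},
    }, "arn:aws:sns:us-east-1:111111111111:security-alerts-medium"),
    ("guardduty-low", {
        "source": ["aws.guardduty"],
        "detail-type": ["GuardDuty Finding"],
        "detail": {"severity": [{"numeric": ["<", 4]}]},
    }, "arn:aws:sns:us-east-1:111111111111:security-alerts-low"),
]


def _numeric_match(spec, value):
    """spec is a flat list of op/bound pairs, e.g. [">=", 4, "<", 7]."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return False
    return all(_NUMERIC_OPS[op](value, bound) for op, bound in zip(spec[0::2], spec[1::2]))


def _value_match(alternatives, value):
    """An array in a pattern is a list of alternatives; one must match."""
    for alt in alternatives:
        if isinstance(alt, dict):
            if "numeric" in alt and _numeric_match(alt["numeric"], value):
                return True
            if "prefix" in alt and isinstance(value, str) and value.startswith(alt["prefix"]):
                return True
        elif alt == value:
            return True
    return False


def matches(pattern, event):
    """True if every key in the pattern is present in the event and matches."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches(expected, event[key]):
                return False
        elif not _value_match(expected, event[key]):
            return False
    return True


def route_finding(event):
    """Topic ARNs whose rule pattern matches; EventBridge evaluates each rule
    independently, so the result is a list rather than a single target."""
    return [topic for _, pattern, topic in ROUTES if matches(pattern, event)]


# Constructed sample finding event (fields follow the GuardDuty event shape).
SAMPLE_FINDING = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {"severity": 8.0, "type": "UnauthorizedAccess:IAMUser/ConsoleLogin"},
}

if __name__ == "__main__":
    print(route_finding(SAMPLE_FINDING))
```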