serverless / serverless

⚡ Serverless Framework – Effortlessly build apps that auto-scale, incur zero costs when idle, and require minimal maintenance using AWS Lambda and other managed cloud services.
https://serverless.com
MIT License

deploymentBucket serverSideEncryption does not work with kms configuration #11749

Open adamyodinsky opened 1 year ago

adamyodinsky commented 1 year ago


Issue description

I'm having an issue with using KMS for the deployment bucket as described in the documentation under "Deployment bucket".

provider:
  deploymentBucket:
    serverSideEncryption: "aws:kms"
    sseKMSKeyId: "alias/aws/s3" 

The generated update stack file (cloudformation-template-update-stack.json) contains "SSEAlgorithm": "AES256", not kms.

"Resources": {
    "ServerlessDeploymentBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketEncryption": {
          "ServerSideEncryptionConfiguration": [
            {
              "ServerSideEncryptionByDefault": {
                "SSEAlgorithm": "AES256"
              }
            }
            ...

Service configuration (serverless.yml) content

service: myserverless

frameworkVersion: '2 || 3'

variablesResolutionMode: '20210326'

plugins:
  - serverless-offline

package:
  patterns:
    - '!**'
    - 'src/**'
    - 'templates/**'
    - 'get_folder/**'

custom:
  aws_account: ${aws:accountId}

provider:
  deploymentBucket:
    serverSideEncryption: 'aws:kms'
    sseKMSKeyId: 'alias/aws/s3'
    blockPublicAccess: true
    tags:
      "test": "3"
  name: aws
  region: us-west-2
  runtime: python3.8
  lambdaHashingVersion: '20201221'
  stage: 'dev'
  httpApi:
    useProviderTags: true
  tags:
    "test": "3"
  iam:
    role:
      name: <role-arn-masked>
      permissionsBoundary: <policy-arn-masked>
      tags:
        "test": "3"

functions:
  getIndex:
    handler: src/render_template.handler
    environment:
      template_env: ${file(./get_folder/get_folder.js)}
    tags:
      "test": "3"

Command name and used flags

serverless package, serverless deploy

Command output

Running "serverless" from node_modules

Packaging cosv3sls-myserverless-adam-101 for stage dev (us-west-2)

✔ Service packaged (0s)

3 deprecations found: run 'serverless doctor' for more details

Environment information

Running "serverless" from node_modules
Framework Core: 3.27.0 (local) 3.20.0 (global)
Plugin: 6.2.3
SDK: 4.3.2

medikoo commented 1 year ago

@adamyodinsky I think originally the intention behind aws:kms setting was only to lift signatureVersion to v4. See this discussion: https://github.com/serverless/serverless/pull/3804/files#r122407453

I'm not deeply familiar with this matter and whether something more should be done.

carlos-delangel commented 1 year ago

Probably related to AWS adding default encryption on Jan 15th, 2023. Adding a valid KMS Key ID as before won't work anymore.

medikoo commented 1 year ago

@carlos-delangel so you mean it worked before, and now stopped working because of changes on AWS side?

If that's the case we're definitely open to a PR that improves things.

carlos-delangel commented 1 year ago

It used to work previously with deploymentBucket under provider set to:

serverSideEncryption: 'aws:kms'
kmsKeyID: 'alias'

I tried switching to sseKMSKeyId but it still did not work for me. Ended up moving to use aws-cli for now.

mandava-asha commented 1 year ago

I tried serverSideEncryption: aws:kms and kmsKeyID/sseKMSKeyId. It is not working. I think plugin and serverless versions are not compatible. It worked for me in the past.

Vizz85 commented 1 year ago

I'm having the same issue. As a workaround I'm exporting the bucket name with the serverless-export-outputs plugin and calling aws s3api put-bucket-encryption in my gitlab ci. A lot of overhead; I hope for a fix for this in the future.
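An added example, not code from the Serverless project or from any commenter above: a small pre-deploy check that reads the packaged CloudFormation template and flags any S3 bucket whose default encryption is not SSE-KMS with the intended key (the mismatch reported in this issue), plus a helper that builds the encryption document for the `aws s3api put-bucket-encryption` workaround mentioned in the last comment. The template below is a constructed copy of the resource shown in the issue; the function names are assumptions.

```python
import json

# Constructed sample of the packaged template from this issue: serverless.yml
# asked for aws:kms, but the emitted bucket resource says AES256.
PACKAGED_TEMPLATE = json.loads("""
{
  "Resources": {
    "ServerlessDeploymentBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketEncryption": {
          "ServerSideEncryptionConfiguration": [
            {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}
          ]
        }
      }
    }
  }
}
""")


def find_non_kms_buckets(template, expected_key_id=None):
    """Return the logical IDs of AWS::S3::Bucket resources whose default
    encryption is not SSE-KMS, or whose KMSMasterKeyID differs from
    expected_key_id when one is given. An empty list means the template
    honours the serverless.yml intent; run this in CI after `serverless package`
    and fail the pipeline if it is non-empty."""
    offenders = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::S3::Bucket":
            continue
        rules = (res.get("Properties", {}).get("BucketEncryption", {})
                 .get("ServerSideEncryptionConfiguration", []))
        defaults = [r.get("ServerSideEncryptionByDefault", {}) for r in rules]
        ok = any(d.get("SSEAlgorithm") == "aws:kms"
                 and (expected_key_id is None or d.get("KMSMasterKeyID") == expected_key_id)
                 for d in defaults)
        if not ok:
            offenders.append(name)
    return offenders


def kms_encryption_config(key_id):
    """Build the JSON passed to `aws s3api put-bucket-encryption
    --server-side-encryption-configuration`, i.e. the post-deploy workaround."""
    return {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": key_id}}]}


if __name__ == "__main__":
    print("buckets not using SSE-KMS:", find_non_kms_buckets(PACKAGED_TEMPLATE, "alias/aws/s3"))
    print(json.dumps(kms_encryption_config("alias/aws/s3")))
```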