Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use wildcard in KMS key policy instead of referencing Distribution to avoid circular dependency #31227

Merged
merged 6 commits into from
Aug 28, 2024

Conversation

samson-keung
Copy link
Contributor

@samson-keung samson-keung commented Aug 27, 2024

Making the KMS key policy to use wildcard instead on the distribution id part instead of referencing the Distribution resource to get the exact distribution ID. This breaks the circular dependency in the template.

@samson-keung samson-keung requested a review from gracelu0 August 27, 2024 06:11
@github-actions github-actions bot added the p2 label Aug 27, 2024
@aws-cdk-automation aws-cdk-automation requested a review from a team August 27, 2024 06:11
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Aug 27, 2024
Copy link
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

@@ -84,15 +110,8 @@ export abstract class S3BucketOrigin extends cloudfront.OriginBase {
}

if (bucket.encryptionKey) {
let bucketName = bucket.bucketName;
if (Token.isUnresolved(bucket.bucketName)) {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removed this because turns out bucket.bucketName is always unresolved as it returns CFN reference to the bucket (i.e. !Ref bucket). It is set here.

}

if (!bucketName) {
throw new Error(`Cannot assemble static DomainName as bucket ${bucket.node.id} has no bucketName set.`);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see it's getting the bucket name using

${(bucket.node.defaultChild as CfnBucket).bucketName}

at Line 132. Do we still need to check Token.isUnresolved(bucket.bucketName)?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch! We do. Thank you.

I will cache the bucketName in the class and reuse it at Line 132.

I will change this PR to Draft as well since this approach is pending security discussion.

@samson-keung samson-keung marked this pull request as draft August 27, 2024 23:22
@@ -165,6 +166,221 @@ describe('S3BucketOrigin', () => {
});
});

describe('when using bucket with KMS Customer Managed key', () => {
it('should match expected template resource', () => {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One more unit test is needed to test escape hatch. PR to come

@samson-keung samson-keung changed the title Introduce assembleDomainName option in S3BucketOrigin.withOriginAccessControl Use wildcard in KMS key policy instead of referencing Distribution to avoid circular dependency Aug 28, 2024
@samson-keung samson-keung marked this pull request as ready for review August 28, 2024 19:20
},
},
},
);
Annotations.of(key.node.scope!).addWarningV2('@aws-cdk/aws-cloudfront-origins:wildcardKeyPolicy',
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Annotations.of(key.node.scope!).addWarningV2('@aws-cdk/aws-cloudfront-origins:wildcardKeyPolicy',
Annotations.of(key.node.scope!).addWarningV2('@aws-cdk/aws-cloudfront-origins:wildcardKeyPolicyForOac',

Comment on lines 87 to 91
Annotations.of(scope).addInfo(
`Granting OAC permissions to access KMS key for S3 bucket origin ${bucketName} may cause a circular dependency error when this stack deploys.\n` +
`Granting OAC permissions to access KMS key for S3 bucket origin ${bucket.node.id} may cause a circular dependency error when this stack deploys.\n` +
'The key policy references the distribution\'s id, the distribution references the bucket, and the bucket references the key.\n'+
'See the "Using OAC for a SSE-KMS encrypted S3 origin" section in the module README for more details.\n',
);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we still need this info message or can we combine it with the warning about wildcard? Since with the wildcard policy they most likely will not run into the circular dependency error.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested a warning message below which combines the two.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agree this message should not be needed anymore. I have removed it in the latest commit. Also updated the other warning to capture the info in your suggest warning message.

},
},
},
);
Annotations.of(key.node.scope!).addWarningV2('@aws-cdk/aws-cloudfront-origins:wildcardKeyPolicy',
'Using wildcard to match all Distribution IDs in Key policy condition.\n' +
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
'Using wildcard to match all Distribution IDs in Key policy condition.\n' +
`A wildcard is used to grant OAC permissions for the KMS key access to the S3 bucket origin ${bucket.node.id} to resolve a circular dependency between the key policy, distribution, and bucket.\n` +
'To follow best security practices and avoid unintended access, do not rely on this default.\n' +
'Instead, you scope down the policy condition to the specific distribution. Refer to the "Using OAC for a SSE-KMS encrypted S3 origin" section in the module README for guidance.'

Copy link
Contributor

@gracelu0 gracelu0 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thank you!

@aws-cdk-automation
Copy link
Collaborator

The pull request linter fails with the following errors:

❌ The title of this pull request does not follow the Conventional Commits format, see https://www.conventionalcommits.org/.

PRs must pass status checks before we can provide a meaningful review.

If you would like to request an exemption from the status checks or clarification on feedback, please leave a comment on this PR containing Exemption Request and/or Clarification Request.

@gracelu0 gracelu0 merged commit c8eaa3e into aws:gracelu0/s3-oac-l2 Aug 28, 2024
7 of 8 checks passed
Copy link

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 28, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
contribution/core This is a PR that came from AWS. p2
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants