Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(events-targets): kinesis Stream target with Customer-Managed KMS key causes EventBridge FailedInvocations #31836

Merged
merged 4 commits into from
Oct 23, 2024
Merged

fix(events-targets): kinesis Stream target with Customer-Managed KMS key causes EventBridge FailedInvocations #31836

merged 4 commits into from
Oct 23, 2024

Conversation

xazhao
Copy link
Contributor

@xazhao xazhao commented Oct 21, 2024
edited
Loading

Issue # (if applicable)

Closes #10996.

Reason for this change

When a Kinesis Stream is encrypted with a custom managed KMS key, CDK will generate a KMS key for the Kinesis Stream.

stream = new kinesis.Stream(stack, 'MyStream', {
  encryption: kinesis.StreamEncryption.KMS,
});

If it is used as a events target, CDK will provide permissions to the role of target so it can write to the kinesis stream:

{
     Action: ['kinesis:PutRecord', 'kinesis:PutRecords'],
     Effect: 'Allow',
     Resource: streamArn,
}

If the kinesis is not encrypted with the customer managed kms key, these permissions will be sufficient. However, since the kinesis is encrypted with the the customer managed kms key, the invocation will fail because events doesn't have the permissions to the KMS key.

Actually there's already grantWrite() method to grant sufficient permissions in this case. When a customer managed KMS key is used, it will generate extra policies for the key. We should use it.

aws-cdk/packages/aws-cdk-lib/aws-kinesis/lib/stream.ts

Line 355 in 366b492

public grantWrite(grantee: iam.IGrantable) {

Difference:

these permissions will be added to the event

{
     Action: ['kinesis:ListShards(new permission)', 'kinesis:PutRecord', 'kinesis:PutRecords'],
     Effect: 'Allow',
     Resource: streamArn,
}

these permissions will be added to the event if the target kinesis stream is using a customer managed KMS key

{
    Action: ['kms:Encrypt', 'kms:ReEncrypt*', 'kms:GenerateDataKey*'],
    Effect: 'Allow',
    Resource: streamKeyArn,
},

Description of changes

Use the existing grantWrite() method instead of manipulating IAM policies directly.

Description of how you validated changes

unit tests/integration tests

Checklist

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@github-actions github-actions bot added bug This issue is a bug. effort/small Small work item – less than a day of effort p1 labels Oct 21, 2024
@aws-cdk-automation aws-cdk-automation requested a review from a team October 21, 2024 18:42
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Oct 21, 2024
@xazhao xazhao added SECURITY pr/do-not-merge This PR should not be merged at this time. labels Oct 21, 2024
@xazhao xazhao marked this pull request as ready for review October 21, 2024 22:04
@aws-cdk-automation aws-cdk-automation added the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Oct 21, 2024
@QuantumNeuralCoder QuantumNeuralCoder added needs-security-review Related to feature or issues that needs security review and removed SECURITY labels Oct 21, 2024
@aws-cdk-automation aws-cdk-automation removed the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Oct 22, 2024
@xazhao xazhao removed the pr/do-not-merge This PR should not be merged at this time. label Oct 23, 2024
@mergify Mergify
Copy link
Contributor

mergify bot commented Oct 23, 2024

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify Mergify
Copy link
Contributor

mergify bot commented Oct 23, 2024

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: c85a454
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify mergify bot merged commit 58dfda0 into aws:main Oct 23, 2024
9 checks passed
@mergify Mergify
Copy link
Contributor

mergify bot commented Oct 23, 2024

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@github-actions GitHub Actions
Copy link

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 23, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@moelasmar moelasmar moelasmar approved these changes

@GavinZZ GavinZZ GavinZZ approved these changes

Assignees
No one assigned
Labels
bug This issue is a bug. contribution/core This is a PR that came from AWS. effort/small Small work item – less than a day of effort needs-security-review Related to feature or issues that needs security review p1
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[aws-events-targets] Kinesis Stream target with Customer-Managed KMS key causes EventBridge FailedInvocations
5 participants
@xazhao @aws-cdk-automation @GavinZZ @moelasmar @QuantumNeuralCoder