aws
diff --git a/‎packages/@aws-cdk/aws-cloudfront/lib/distribution.ts‎
Lines changed: 1 addition & 4 deletions b/‎packages/@aws-cdk/aws-cloudfront/lib/distribution.ts‎
Lines changed: 1 addition & 4 deletions
diff --git a/‎packages/@aws-cdk/aws-cloudfront/lib/web-distribution.ts‎
Lines changed: 1 addition & 4 deletions b/‎packages/@aws-cdk/aws-cloudfront/lib/web-distribution.ts‎
Lines changed: 1 addition & 4 deletions
diff --git a/‎packages/@aws-cdk/aws-cloudfront/test/integ.cloudfront-bucket-logging.expected.json‎
Lines changed: 0 additions & 58 deletions b/‎packages/@aws-cdk/aws-cloudfront/test/integ.cloudfront-bucket-logging.expected.json‎
Lines changed: 0 additions & 58 deletions
diff --git a/‎packages/@aws-cdk/aws-cloudfront/test/integ.distribution-extensive.expected.json‎
Lines changed: 0 additions & 58 deletions b/‎packages/@aws-cdk/aws-cloudfront/test/integ.distribution-extensive.expected.json‎
Lines changed: 0 additions & 58 deletions
diff --git a/‎packages/@aws-cdk/aws-ec2/README.md‎
Lines changed: 31 additions & 0 deletions b/‎packages/@aws-cdk/aws-ec2/README.md‎
Lines changed: 31 additions & 0 deletions
diff --git a/‎packages/@aws-cdk/aws-ec2/lib/private/ebs-util.ts‎
Lines changed: 21 additions & 2 deletions b/‎packages/@aws-cdk/aws-ec2/lib/private/ebs-util.ts‎
Lines changed: 21 additions & 2 deletions
diff --git a/‎packages/@aws-cdk/aws-ec2/lib/volume.ts‎
Lines changed: 12 additions & 1 deletion b/‎packages/@aws-cdk/aws-ec2/lib/volume.ts‎
Lines changed: 12 additions & 1 deletion
diff --git a/‎packages/@aws-cdk/aws-ec2/lib/vpc-flow-logs.ts‎
Lines changed: 0 additions & 1 deletion b/‎packages/@aws-cdk/aws-ec2/lib/vpc-flow-logs.ts‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎packages/@aws-cdk/aws-ec2/test/instance.test.ts‎
Lines changed: 28 additions & 0 deletions b/‎packages/@aws-cdk/aws-ec2/test/instance.test.ts‎
Lines changed: 28 additions & 0 deletions
diff --git a/‎packages/@aws-cdk/aws-ec2/test/integ.vpc-flow-logs.expected.json‎
Lines changed: 0 additions & 47 deletions b/‎packages/@aws-cdk/aws-ec2/test/integ.vpc-flow-logs.expected.json‎
Lines changed: 0 additions & 47 deletions
@@ -430,10 +430,7 @@ export class Distribution extends Resource implements IDistribution {
       throw new Error('Explicitly disabled logging but provided a logging bucket.');
     }
 
-    const bucket = props.logBucket ?? new s3.Bucket(this, 'LoggingBucket', {
-      encryption: s3.BucketEncryption.S3_MANAGED,
-      enforceSSL: true,
-    });
+    const bucket = props.logBucket ?? new s3.Bucket(this, 'LoggingBucket');
     return {
       bucket: bucket.bucketRegionalDomainName,
       includeCookies: props.logIncludesCookies,
 
@@ -954,10 +954,7 @@ export class CloudFrontWebDistribution extends cdk.Resource implements IDistribu
     }
 
     if (props.loggingConfig) {
-      this.loggingBucket = props.loggingConfig.bucket || new s3.Bucket(this, 'LoggingBucket', {
-        encryption: s3.BucketEncryption.S3_MANAGED,
-        enforceSSL: true,
-      });
+      this.loggingBucket = props.loggingConfig.bucket || new s3.Bucket(this, 'LoggingBucket');
       distributionConfig = {
         ...distributionConfig,
         logging: {
 
@@ -75,67 +75,9 @@
     },
     "AnAmazingWebsiteProbably2LoggingBucket222F7CE9": {
       "Type": "AWS::S3::Bucket",
-      "Properties": {
-        "BucketEncryption": {
-          "ServerSideEncryptionConfiguration": [
-            {
-              "ServerSideEncryptionByDefault": {
-                "SSEAlgorithm": "AES256"
-              }
-            }
-          ]
-        }
-      },
       "UpdateReplacePolicy": "Retain",
       "DeletionPolicy": "Retain"
     },
-    "AnAmazingWebsiteProbably2LoggingBucketPolicyE298B456": {
-      "Type": "AWS::S3::BucketPolicy",
-      "Properties": {
-        "Bucket": {
-          "Ref": "AnAmazingWebsiteProbably2LoggingBucket222F7CE9"
-        },
-        "PolicyDocument": {
-          "Statement": [
-            {
-              "Action": "s3:*",
-              "Condition": {
-                "Bool": {
-                  "aws:SecureTransport": "false"
-                }
-              },
-              "Effect": "Deny",
-              "Principal": {
-                "AWS": "*"
-              },
-              "Resource": [
-                {
-                  "Fn::GetAtt": [
-                    "AnAmazingWebsiteProbably2LoggingBucket222F7CE9",
-                    "Arn"
-                  ]
-                },
-                {
-                  "Fn::Join": [
-                    "",
-                    [
-                      {
-                        "Fn::GetAtt": [
-                          "AnAmazingWebsiteProbably2LoggingBucket222F7CE9",
-                          "Arn"
-                        ]
-                      },
-                      "/*"
-                    ]
-                  ]
-                }
-              ]
-            }
-          ],
-          "Version": "2012-10-17"
-        }
-      }
-    },
     "AnAmazingWebsiteProbably2CFDistribution7C1CCD12": {
       "Type": "AWS::CloudFront::Distribution",
       "Properties": {
 
@@ -2,67 +2,9 @@
   "Resources": {
     "MyDistLoggingBucket9B8976BC": {
       "Type": "AWS::S3::Bucket",
-      "Properties": {
-        "BucketEncryption": {
-          "ServerSideEncryptionConfiguration": [
-            {
-              "ServerSideEncryptionByDefault": {
-                "SSEAlgorithm": "AES256"
-              }
-            }
-          ]
-        }
-      },
       "UpdateReplacePolicy": "Retain",
       "DeletionPolicy": "Retain"
     },
-    "MyDistLoggingBucketPolicy847D8D11": {
-      "Type": "AWS::S3::BucketPolicy",
-      "Properties": {
-        "Bucket": {
-          "Ref": "MyDistLoggingBucket9B8976BC"
-        },
-        "PolicyDocument": {
-          "Statement": [
-            {
-              "Action": "s3:*",
-              "Condition": {
-                "Bool": {
-                  "aws:SecureTransport": "false"
-                }
-              },
-              "Effect": "Deny",
-              "Principal": {
-                "AWS": "*"
-              },
-              "Resource": [
-                {
-                  "Fn::GetAtt": [
-                    "MyDistLoggingBucket9B8976BC",
-                    "Arn"
-                  ]
-                },
-                {
-                  "Fn::Join": [
-                    "",
-                    [
-                      {
-                        "Fn::GetAtt": [
-                          "MyDistLoggingBucket9B8976BC",
-                          "Arn"
-                        ]
-                      },
-                      "/*"
-                    ]
-                  ]
-                }
-              ]
-            }
-          ],
-          "Version": "2012-10-17"
-        }
-      }
-    },
     "MyDistDB88FD9A": {
       "Type": "AWS::CloudFront::Distribution",
       "Properties": {
 
@@ -1051,6 +1051,37 @@ new ec2.Instance(this, 'Instance', {
 
 ```
 
+It is also possible to encrypt the block devices. In this example we will create an customer managed key encrypted EBS-backed root device:
+
+```ts
+import { Key } from '@aws-cdk/aws-kms';
+
+declare const vpc: ec2.Vpc;
+declare const instanceType: ec2.InstanceType;
+declare const machineImage: ec2.IMachineImage;
+
+const kmsKey = new Key(this, 'KmsKey')
+
+new ec2.Instance(this, 'Instance', {
+  vpc,
+  instanceType,
+  machineImage,
+
+  // ...
+
+  blockDevices: [
+    {
+      deviceName: '/dev/sda1',
+      volume: ec2.BlockDeviceVolume.ebs(50, {
+        encrypted: true,
+        kmsKey: kmsKey,
+      }),
+    },
+  ],
+});
+
+```
+
 ### Volumes
 
 Whereas a `BlockDeviceVolume` is an EBS volume that is created and destroyed as part of the creation and destruction of a specific instance. A `Volume` is for when you want an EBS volume separate from any particular instance. A `Volume` is an EBS block device that can be attached to, or detached from, any instance at any time. Some types of `Volume`s can also be attached to multiple instances at the same time to allow you to have shared storage between those instances.
 
@@ -24,8 +24,11 @@ function synthesizeBlockDeviceMappings<RT, NDT>(construct: Construct, blockDevic
   return blockDevices.map<RT>(({ deviceName, volume, mappingEnabled }): RT => {
     const { virtualName, ebsDevice: ebs } = volume;
 
+    let finalEbs: CfnLaunchTemplate.EbsProperty | CfnInstance.EbsProperty | undefined;
+
     if (ebs) {
-      const { iops, volumeType } = ebs;
+
+      const { iops, volumeType, kmsKey, ...rest } = ebs;
 
       if (!iops) {
         if (volumeType === EbsDeviceVolumeType.IO1) {
@@ -34,9 +37,25 @@ function synthesizeBlockDeviceMappings<RT, NDT>(construct: Construct, blockDevic
       } else if (volumeType !== EbsDeviceVolumeType.IO1) {
         Annotations.of(construct).addWarning('iops will be ignored without volumeType: EbsDeviceVolumeType.IO1');
       }
+
+      /**
+       * Because the Ebs properties of the L2 Constructs do not match the Ebs properties of the Cfn Constructs,
+       * we have to do some transformation and handle all destructed properties
+       */
+
+      finalEbs = {
+        ...rest,
+        iops,
+        volumeType,
+        kmsKeyId: kmsKey?.keyArn,
+      };
+
+    } else {
+      finalEbs = undefined;
     }
 
+
     const noDevice = mappingEnabled === false ? noDeviceValue : undefined;
-    return { deviceName, ebs, virtualName, noDevice } as any;
+    return { deviceName, ebs: finalEbs, virtualName, noDevice } as any;
   });
 }
@@ -89,6 +89,17 @@ export interface EbsDeviceOptions extends EbsDeviceOptionsBase {
    * @default false
    */
   readonly encrypted?: boolean;
+
+  /**
+   * The ARN of the AWS Key Management Service (AWS KMS) CMK used for encryption.
+   *
+   * You have to ensure that the KMS CMK has the correct permissions to be used by the service launching the ec2 instances.
+   *
+   * @see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#ebs-encryption-requirements
+   *
+   * @default - If encrypted is true, the default aws/ebs KMS key will be used.
+   */
+  readonly kmsKey?: IKey;
 }
 
 /**
@@ -108,7 +119,7 @@ export interface EbsDeviceSnapshotOptions extends EbsDeviceOptionsBase {
 /**
  * Properties of an EBS block device
  */
-export interface EbsDeviceProps extends EbsDeviceSnapshotOptions {
+export interface EbsDeviceProps extends EbsDeviceSnapshotOptions, EbsDeviceOptions {
   /**
    * The snapshot ID of the volume to use
    *
 
@@ -198,7 +198,6 @@ class S3Destination extends FlowLogDestination {
     if (this.props.s3Bucket === undefined) {
       s3Bucket = new s3.Bucket(scope, 'Bucket', {
         encryption: s3.BucketEncryption.UNENCRYPTED,
-        enforceSSL: true,
         removalPolicy: RemovalPolicy.RETAIN,
       });
     } else {
 
@@ -1,5 +1,6 @@
 import * as path from 'path';
 import { Match, Template } from '@aws-cdk/assertions';
+import { Key } from '@aws-cdk/aws-kms';
 import { Asset } from '@aws-cdk/aws-s3-assets';
 import { StringParameter } from '@aws-cdk/aws-ssm';
 import * as cxschema from '@aws-cdk/cloud-assembly-schema';
@@ -184,6 +185,7 @@ describe('instance', () => {
   describe('blockDeviceMappings', () => {
     test('can set blockDeviceMappings', () => {
       // WHEN
+      const kmsKey = new Key(stack, 'EbsKey');
       new Instance(stack, 'Instance', {
         vpc,
         machineImage: new AmazonLinuxImage(),
@@ -197,6 +199,16 @@ describe('instance', () => {
             volumeType: EbsDeviceVolumeType.IO1,
             iops: 5000,
           }),
+        }, {
+          deviceName: 'ebs-cmk',
+          mappingEnabled: true,
+          volume: BlockDeviceVolume.ebs(15, {
+            deleteOnTermination: true,
+            encrypted: true,
+            kmsKey: kmsKey,
+            volumeType: EbsDeviceVolumeType.IO1,
+            iops: 5000,
+          }),
         }, {
           deviceName: 'ebs-snapshot',
           mappingEnabled: false,
@@ -224,6 +236,22 @@ describe('instance', () => {
               VolumeType: 'io1',
             },
           },
+          {
+            DeviceName: 'ebs-cmk',
+            Ebs: {
+              DeleteOnTermination: true,
+              Encrypted: true,
+              KmsKeyId: {
+                'Fn::GetAtt': [
+                  'EbsKeyD3FEE551',
+                  'Arn',
+                ],
+              },
+              Iops: 5000,
+              VolumeSize: 15,
+              VolumeType: 'io1',
+            },
+          },
           {
             DeviceName: 'ebs-snapshot',
             Ebs: {
 
@@ -527,53 +527,6 @@
       "UpdateReplacePolicy": "Retain",
       "DeletionPolicy": "Retain"
     },
-    "VPCFlowLogsS3BucketPolicyB2C2A045": {
-      "Type": "AWS::S3::BucketPolicy",
-      "Properties": {
-        "Bucket": {
-          "Ref": "VPCFlowLogsS3BucketFB7DC2BE"
-        },
-        "PolicyDocument": {
-          "Statement": [
-            {
-              "Action": "s3:*",
-              "Condition": {
-                "Bool": {
-                  "aws:SecureTransport": "false"
-                }
-              },
-              "Effect": "Deny",
-              "Principal": {
-                "AWS": "*"
-              },
-              "Resource": [
-                {
-                  "Fn::GetAtt": [
-                    "VPCFlowLogsS3BucketFB7DC2BE",
-                    "Arn"
-                  ]
-                },
-                {
-                  "Fn::Join": [
-                    "",
-                    [
-                      {
-                        "Fn::GetAtt": [
-                          "VPCFlowLogsS3BucketFB7DC2BE",
-                          "Arn"
-                        ]
-                      },
-                      "/*"
-                    ]
-                  ]
-                }
-              ]
-            }
-          ],
-          "Version": "2012-10-17"
-        }
-      }
-    },
     "VPCFlowLogsS3FlowLogB5256CFF": {
       "Type": "AWS::EC2::FlowLog",
       "Properties": {