[cli] deploy cannot specify S3 SSE for asset upload

[CaseyBurnsSv]

Reproduction Steps

1. cdk bootstrap with legacy bootstrap, provide kms key id as param
2. have a SCP setup that denies s3:PutObject if s3:x-amz-server-side-encryption is missing
3. create a CDK app that provisions a lambda asset
4. execute cdk deploy
5. deploy fails and receive Access Denied error

What did you expect to happen?

i expect CDK deploy to explicitly use the kms key i specified in the bootstrap when uploading assets.

What actually happened?

cdk deploy does not provide SSE and the deploy fails with Access Denied.
It appears to be relying on the S3 default encryption instead of specifying the SSE options to the S3 put object request.

Environment

• CLI Version : 1.71.0
• Framework Version:
• Node.js Version: v12.16.1
• OS : Windows 10
• Language (Version): Python 3.8.5

Other

---

This is 🐛 Bug Report

[rix0rrr]

It appears to be relying on the S3 default encryption instead of specifying the SSE options to the S3 put object request.

That is correct, it does rely on default encryption. It seems convenient and logical to me to separate the upload action from the encryption action, which we can easily do in this way.

Can you tell me why you need it to work differently?

[CaseyBurnsSv]

It appears to be relying on the S3 default encryption instead of specifying the SSE options to the S3 put object request.

That is correct, it does rely on default encryption. It seems convenient and logical to me to separate the upload action from the encryption action, which we can easily do in this way.

Can you tell me why you need it to work differently?

I think it should be consistent with other AWS tooling like sam deploy and aws cloudformation deploy which allow the option of specifying the encryption config used by files uploaded to s3.

Without this option it may make CDK unusable in highly regulated financial services organizations like the one I work for.

[rix0rrr]

I probably just don't have enough domain knowledge here.

Can you explain to me why a default encryption setting on the bucket is not good enough to achieve your encryption at rest requirements?

[CaseyBurnsSv]

the issue is that we have organizational service control policies in place that Deny PutObject requests that do not explicitly specify the x-amz-server-side-encryption header. this is a security control that is commonly applied to enforce the use of encryption across an AWS Organization. relying on default s3 encryption does not specify the required headers.

we need the option of specifying the encryption method and key in the PutObject request sent by CDK.

for example the AWS CLI command aws cloudformation deploy allows us to specify this with the --kms-key-id parameter. and sam deploy provides the same parameter.