Describe the feature
The `kmsKeyArn` property of `FileAssetLocation` was marked as deprecated with the rollout of Bootstrap v4 because it was considered unnecessary with the new Key Policy, which allows the use of the key by any identity that has access to the staging S3 objects. However, this property is required when a custom synthesizer is needed to increase the level of security, since the Key Policy using `kms:ViaService` removes the additional protection given by KMS CMK keys.
Use Case
We have a security requirement to always use a KMS CMK to secure our buckets, to add additional layers of security in cases where permissions are inappropriately scoped within the account (e.g. `s3:*`). For this, we can't use the staging bucket created by the CDKToolkit stack because it uses by default an AWS KMS managed key with a Key Policy using `kms:ViaService`.
To solve this problem we created a custom synthesizer that returns a special `FileAssetLocation` when `addFileAsset(...)` is invoked, which contains a compliant Bucket and KMS CMK.
However, in CDK v2 `kmsKeyArn` was removed (because it was marked as deprecated in v1), breaking our use case because `Asset` instances can't receive the expected KMS ARN, causing access denied errors when an application attempts to use assets, like in `BucketDeployment` `Source.asset(...)`. The workaround is to manually add the missing KMS permissions to the roles used by the applications requiring these assets, but this is a bad experience for the developers.
Proposed Solution
Remove `kmsKeyArn` from `deprecated_apis.txt` and remove the `@deprecated` flag.
Other Information
No response
Acknowledgements
CDK version used
2.15.0
Environment details (OS name and version, etc.)
Amazon Linux 2
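The following is an added example, not code from the issue above or from aws-cdk. It models the two key policies the issue contrasts: a bootstrap-style policy whose `kms:ViaService` statement lets any same-account identity with S3 object access use the key, and a strict CMK policy that only works for principals named in the key policy or given `kms:Decrypt` on the key ARN in their own IAM policy (the manual workaround the issue describes). The `keyAllows` evaluator is a deliberately simplified model of IAM evaluation (only `Allow`/`Deny`, exact or `*` principals, trailing-`*` action matching, `StringEquals` on `kms:CallerAccount` and `kms:ViaService`, and root-statement delegation to the caller's identity policy). The bootstrap statement is paraphrased from memory of the CDKToolkit template rather than copied, and the account, role and key ARNs are constructed values.

```typescript
// Added example: a toy model of KMS key-policy evaluation, not aws-cdk code.
type Effect = 'Allow' | 'Deny';

interface Statement {
  Effect: Effect;
  Principal: { AWS: string | string[] };
  Action: string[];
  Resource: string;
  Condition?: { StringEquals?: Record<string, string> };
}

export interface KeyPolicy { Version: '2012-10-17'; Statement: Statement[]; }

// Request context as KMS would see it. identityPolicyActions stands in for the
// caller's IAM identity policy (e.g. ['s3:*']), which a real evaluation consults
// when the key policy delegates to the account root.
export interface KmsRequest {
  principalArn: string;
  action: string;
  callerAccount: string;
  viaService?: string;            // e.g. 's3.us-east-1.amazonaws.com' when S3 calls KMS for the caller
  identityPolicyActions: string[];
}

function rootAdmin(account: string): Statement {
  return { Effect: 'Allow', Principal: { AWS: `arn:aws:iam::${account}:root` }, Action: ['kms:*'], Resource: '*' };
}

// Assumption: paraphrase of the CDKToolkit bootstrap key policy. Any principal in the
// account may use the key, as long as the call arrives through S3 in that region.
export function viaServiceKeyPolicy(account: string, region: string): KeyPolicy {
  return {
    Version: '2012-10-17',
    Statement: [
      rootAdmin(account),
      {
        Effect: 'Allow',
        Principal: { AWS: '*' },
        Action: ['kms:Decrypt', 'kms:Encrypt', 'kms:ReEncrypt*', 'kms:GenerateDataKey*'],
        Resource: '*',
        Condition: { StringEquals: { 'kms:CallerAccount': account, 'kms:ViaService': `s3.${region}.amazonaws.com` } },
      },
    ],
  };
}

// Strict CMK policy: only explicitly listed consumer roles can decrypt; everyone else
// needs an identity policy that names the key (via the root statement).
export function strictCmkKeyPolicy(account: string, consumerRoleArns: string[]): KeyPolicy {
  return {
    Version: '2012-10-17',
    Statement: [
      rootAdmin(account),
      { Effect: 'Allow', Principal: { AWS: consumerRoleArns }, Action: ['kms:Decrypt', 'kms:DescribeKey'], Resource: '*' },
    ],
  };
}

// The manual workaround from the issue: the statement an asset-consuming role needs,
// which is only writable if the synthesizer can hand out the key ARN.
export function assetConsumerKmsStatement(kmsKeyArn: string) {
  return { Effect: 'Allow' as const, Action: ['kms:Decrypt', 'kms:DescribeKey'], Resource: kmsKeyArn };
}

function matchAction(pattern: string, action: string): boolean {
  return pattern.endsWith('*') ? action.startsWith(pattern.slice(0, -1)) : pattern === action;
}

function matchPrincipal(p: string | string[], arn: string): boolean {
  return (Array.isArray(p) ? p : [p]).some(x => x === '*' || x === arn);
}

function conditionsHold(stmt: Statement, req: KmsRequest): boolean {
  const ctx: Record<string, string | undefined> = { 'kms:CallerAccount': req.callerAccount, 'kms:ViaService': req.viaService };
  return Object.entries(stmt.Condition?.StringEquals ?? {}).every(([k, v]) => ctx[k] === v);
}

function statementApplies(s: Statement, req: KmsRequest): boolean {
  if (!s.Action.some(a => matchAction(a, req.action)) || !conditionsHold(s, req)) return false;
  if (matchPrincipal(s.Principal.AWS, req.principalArn)) return true;
  // Root-principal statement: delegates to the caller's own IAM policy (same account only).
  const rootArn = `arn:aws:iam::${req.callerAccount}:root`;
  return matchPrincipal(s.Principal.AWS, rootArn)
    && req.principalArn.startsWith(`arn:aws:iam::${req.callerAccount}:`)
    && req.identityPolicyActions.some(a => matchAction(a, req.action));
}

export function keyAllows(policy: KeyPolicy, req: KmsRequest): boolean {
  if (policy.Statement.some(s => s.Effect === 'Deny' && statementApplies(s, req))) return false;
  return policy.Statement.some(s => s.Effect === 'Allow' && statementApplies(s, req));
}

// Stand-alone demo with constructed identifiers.
const demoAccount = '111122223333';
const demoRole = `arn:aws:iam::${demoAccount}:role/AppDeployRole`;
const s3Only: KmsRequest = { principalArn: demoRole, action: 'kms:Decrypt', callerAccount: demoAccount,
  viaService: 's3.us-east-1.amazonaws.com', identityPolicyActions: ['s3:*'] };
console.log('bootstrap policy, role with only s3:*  ->', keyAllows(viaServiceKeyPolicy(demoAccount, 'us-east-1'), s3Only));
console.log('strict CMK policy, same role            ->', keyAllows(strictCmkKeyPolicy(demoAccount, []), s3Only));
```

The two console lines print `true` and `false`: under the bootstrap policy an over-broad `s3:*` grant is enough to read every asset, while under the strict CMK policy the same role is refused until it is either listed in the key policy or given `assetConsumerKmsStatement(kmsKeyArn)`, which is exactly the ARN the issue wants `FileAssetLocation` to carry.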