
(app-staging-synthesizer-alpha): Allow using S3 Managed KMS Key for Bucket #28815

@blimmer

Description


Describe the feature

Currently, the AppStagingSynthesizer always creates a KMS key to encrypt the staging bucket:

    const key = this.createBucketKey();
    // Create the bucket once the dependencies have been created
    const bucket = new s3.Bucket(this, bucketId, {
      bucketName: stagingBucketName,
      ...(this.autoDeleteStagingAssets ? {
        removalPolicy: RemovalPolicy.DESTROY,
        autoDeleteObjects: true,
      } : {
        removalPolicy: RemovalPolicy.RETAIN,
      }),
      encryption: s3.BucketEncryption.KMS,
      encryptionKey: key,
      // Many AWS account safety checkers will complain when buckets aren't versioned
      versioned: true,
      // Many AWS account safety checkers will complain when SSL isn't enforced
      enforceSSL: true,
    });

It would be nice if we could opt into using the SSE-S3 keys instead.

Use Case

I'd like to start making more frequent use of the AppStagingSynthesizer. However, by forcing the use of a custom KMS key, each app using this synthesizer incurs a $1/month fee for the key.

Proposed Solution

The DefaultStackSynthesizer does not specify an encryption key and, thus, uses the SSE-S3 managed key by default. It feels like AppStagingSynthesizer should do the same thing by default. IMO, the custom KMS key feels like it should be an opt-in behavior for those who want it.

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.122.0

Environment details (OS name and version, etc.)

MacOS
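Added example, not code from the issue author or from aws-cdk: a sketch of how the staging bucket props could be assembled so that the customer-managed KMS key is only created when a caller opts in, while versioning and SSL enforcement stay on in both modes. The `useCustomerManagedKey` flag, the `createKey` factory and the `BucketEncryption` / `StagingBucketProps` stand-ins are assumptions made so the snippet runs without `aws-cdk-lib`; the real enum and props types live in `aws-cdk-lib/aws-s3`.

```typescript
// Stand-in for s3.BucketEncryption (assumption; the real enum is in aws-cdk-lib/aws-s3).
enum BucketEncryption {
  S3_MANAGED = "S3_MANAGED", // SSE-S3: S3-managed keys, no per-key charge
  KMS = "KMS",               // SSE-KMS: customer-managed key, billed monthly
}

// Stand-in for the subset of s3.BucketProps this example touches (assumption).
interface StagingBucketProps {
  bucketName: string;
  encryption: BucketEncryption;
  encryptionKey?: { keyId: string }; // stand-in for kms.IKey
  versioned: boolean;
  enforceSSL: boolean;
  removalPolicy: "DESTROY" | "RETAIN";
  autoDeleteObjects?: boolean;
}

interface StagingBucketOptions {
  bucketName: string;
  // Hypothetical opt-in flag; not an existing AppStagingSynthesizer option.
  useCustomerManagedKey?: boolean;
  autoDeleteStagingAssets?: boolean;
}

// Builds the bucket props. `createKey` is invoked only when the caller opted
// into a customer-managed key, so the default path creates no KMS key at all.
function stagingBucketProps(
  opts: StagingBucketOptions,
  createKey: () => { keyId: string },
): StagingBucketProps {
  const lifecycle = opts.autoDeleteStagingAssets
    ? { removalPolicy: "DESTROY" as const, autoDeleteObjects: true }
    : { removalPolicy: "RETAIN" as const };

  const encryption = opts.useCustomerManagedKey
    ? { encryption: BucketEncryption.KMS, encryptionKey: createKey() }
    : { encryption: BucketEncryption.S3_MANAGED };

  return {
    bucketName: opts.bucketName,
    ...lifecycle,
    ...encryption,
    // Hardening that does not depend on the encryption choice.
    versioned: true,
    enforceSSL: true,
  };
}
```

The factory argument is the point of the shape: the key construct is a billable resource, so the code path that does not need it must never instantiate it, rather than creating it and leaving it unused.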

Labels

  • @aws-cdk/app-staging-synthesizer-alpha (Related to the @aws-cdk/app-staging-synthesizer-alpha package)
  • effort/medium (Medium work item – several days of effort)
  • feature-request (A feature should be added or improved.)
  • p2
