
s3: bucketKey should support SSE-S3 #30183

@pahud

Description


Describe the bug

bucketKeyEnabled is not allowed when the encryption is SSE-S3.

    test('throws error if bucketKeyEnabled is set, but encryption is not KMS', () => {
      const stack = new cdk.Stack();
      expect(() => {
        new s3.Bucket(stack, 'MyBucket', { bucketKeyEnabled: true, encryption: s3.BucketEncryption.S3_MANAGED });
      }).toThrow("bucketKeyEnabled is specified, so 'encryption' must be set to KMS or DSSE (value: S3_MANAGED)");
      expect(() => {
        new s3.Bucket(stack, 'MyBucket3', { bucketKeyEnabled: true });
      }).toThrow("bucketKeyEnabled is specified, so 'encryption' must be set to KMS or DSSE (value: UNENCRYPTED)");
    });

But there's no documentation about this restriction, and CloudFormation and the console actually allow you to specify that.


Workaround:

    // create an S3 bucket with SSE-S3 (S3-managed keys)
    const bucket = new s3.Bucket(this, 'Bucket', {
      encryption: s3.BucketEncryption.S3_MANAGED,
    });
    // bypass the L2 check by setting BucketKeyEnabled directly on the L1 CfnBucket
    (bucket.node.defaultChild as s3.CfnBucket).addPropertyOverride(
      'BucketEncryption.ServerSideEncryptionConfiguration.0.BucketKeyEnabled',
      true,
    );

Expected Behavior

Allows BucketEncryption with SSE-S3.

Current Behavior

Not allowed.

Reproduction Steps

    const bucket = new s3.Bucket(this, 'Bucket', {
      encryption: s3.BucketEncryption.S3_MANAGED,
      bucketKeyEnabled: true,
    });

Possible Solution

Fix the logic here:

    // if bucketKeyEnabled is set, encryption must be set to KMS or DSSE.
    if (
      props.bucketKeyEnabled &&
      ![BucketEncryption.KMS, BucketEncryption.KMS_MANAGED, BucketEncryption.DSSE, BucketEncryption.DSSE_MANAGED].includes(encryptionType)
    ) {
      throw new Error(`bucketKeyEnabled is specified, so 'encryption' must be set to KMS or DSSE (value: ${encryptionType})`);
    }

Additional Information/Context

No response

CDK CLI Version

v2.141.0

Framework Version

No response

Node.js Version

all

OS

all

Language

TypeScript

Language Version

No response

Other information

No response
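As an added example (not aws-cdk's own code), a stand-alone TypeScript model of the check above with S3_MANAGED added to the allowed list, together with the CloudFormation BucketEncryption property that the workaround's override path points at; bucketKeyEnabled on an unencrypted bucket is still rejected. The names kmsKeyArn, validateBucketKey and renderBucketEncryption are assumptions, not CDK API.

```typescript
// Added example, not aws-cdk source: models the proposed relaxation of the check.
enum BucketEncryption {
  UNENCRYPTED = 'UNENCRYPTED',
  S3_MANAGED = 'S3_MANAGED',
  KMS_MANAGED = 'KMS_MANAGED',
  KMS = 'KMS',
  DSSE_MANAGED = 'DSSE_MANAGED',
  DSSE = 'DSSE',
}

interface BucketProps {
  encryption?: BucketEncryption;
  bucketKeyEnabled?: boolean;
  kmsKeyArn?: string; // hypothetical stand-in for a customer-managed KMS key
}

// Shape of the CloudFormation AWS::S3::Bucket BucketEncryption property.
interface CfnBucketEncryption {
  ServerSideEncryptionConfiguration: Array<{
    ServerSideEncryptionByDefault: { SSEAlgorithm: string; KMSMasterKeyID?: string };
    BucketKeyEnabled?: boolean;
  }>;
}

// Assumed fix: S3_MANAGED joins the KMS/DSSE variants; UNENCRYPTED stays rejected.
const BUCKET_KEY_ALLOWED = new Set<BucketEncryption>([
  BucketEncryption.S3_MANAGED, BucketEncryption.KMS, BucketEncryption.KMS_MANAGED,
  BucketEncryption.DSSE, BucketEncryption.DSSE_MANAGED,
]);

function validateBucketKey(props: BucketProps): BucketEncryption {
  const encryptionType = props.encryption ?? BucketEncryption.UNENCRYPTED;
  if (props.bucketKeyEnabled && !BUCKET_KEY_ALLOWED.has(encryptionType)) {
    throw new Error(`bucketKeyEnabled is specified, so 'encryption' must be set to S3_MANAGED, KMS or DSSE (value: ${encryptionType})`);
  }
  return encryptionType;
}

// Renders the single encryption rule the workaround overrides at index 0.
function renderBucketEncryption(props: BucketProps): CfnBucketEncryption | undefined {
  const encryptionType = validateBucketKey(props);
  if (encryptionType === BucketEncryption.UNENCRYPTED) return undefined;
  const isDsse = encryptionType === BucketEncryption.DSSE || encryptionType === BucketEncryption.DSSE_MANAGED;
  const SSEAlgorithm = encryptionType === BucketEncryption.S3_MANAGED ? 'AES256' : isDsse ? 'aws:kms:dsse' : 'aws:kms';
  const rule: CfnBucketEncryption['ServerSideEncryptionConfiguration'][number] = {
    ServerSideEncryptionByDefault: { SSEAlgorithm, ...(props.kmsKeyArn ? { KMSMasterKeyID: props.kmsKeyArn } : {}) },
    ...(props.bucketKeyEnabled !== undefined ? { BucketKeyEnabled: props.bucketKeyEnabled } : {}),
  };
  return { ServerSideEncryptionConfiguration: [rule] };
}
```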

Labels: @aws-cdk/aws-s3 (Related to Amazon S3), bug (This issue is a bug.), effort/medium (Medium work item – several days of effort), p2