Skip to content

fix(events-targets): kinesis Stream target with Customer-Managed KMS key causes EventBridge FailedInvocations#31836

Merged
mergify[bot] merged 4 commits intoaws:mainfrom
xazhao:event_rule_missing_kms_permissions
Oct 23, 2024
Merged

fix(events-targets): kinesis Stream target with Customer-Managed KMS key causes EventBridge FailedInvocations#31836
mergify[bot] merged 4 commits intoaws:mainfrom
xazhao:event_rule_missing_kms_permissions

Conversation

@xazhao
Copy link
Copy Markdown
Contributor

@xazhao xazhao commented Oct 21, 2024
edited
Loading

Issue # (if applicable)

Closes #10996.

Reason for this change

When a Kinesis Stream is encrypted with a custom managed KMS key, CDK will generate a KMS key for the Kinesis Stream.

stream = new kinesis.Stream(stack, 'MyStream', {
  encryption: kinesis.StreamEncryption.KMS,
});

If it is used as a events target, CDK will provide permissions to the role of target so it can write to the kinesis stream:

{
     Action: ['kinesis:PutRecord', 'kinesis:PutRecords'],
     Effect: 'Allow',
     Resource: streamArn,
}

If the kinesis is not encrypted with the customer managed kms key, these permissions will be sufficient. However, since the kinesis is encrypted with the the customer managed kms key, the invocation will fail because events doesn't have the permissions to the KMS key.

Actually there's already grantWrite() method to grant sufficient permissions in this case. When a customer managed KMS key is used, it will generate extra policies for the key. We should use it.

aws-cdk/packages/aws-cdk-lib/aws-kinesis/lib/stream.ts

Line 355 in 366b492

public grantWrite(grantee: iam.IGrantable) {

Difference:

these permissions will be added to the event

{
     Action: ['kinesis:ListShards(new permission)', 'kinesis:PutRecord', 'kinesis:PutRecords'],
     Effect: 'Allow',
     Resource: streamArn,
}

these permissions will be added to the event if the target kinesis stream is using a customer managed KMS key

{
    Action: ['kms:Encrypt', 'kms:ReEncrypt*', 'kms:GenerateDataKey*'],
    Effect: 'Allow',
    Resource: streamKeyArn,
},

Description of changes

Use the existing grantWrite() method instead of manipulating IAM policies directly.

Description of how you validated changes

unit tests/integration tests

Checklist

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@github-actions github-actions bot added bug This issue is a bug. effort/small Small work item – less than a day of effort p1 labels Oct 21, 2024
@aws-cdk-automation aws-cdk-automation requested a review from a team October 21, 2024 18:42
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Oct 21, 2024
@xazhao xazhao added SECURITY pr/do-not-merge This PR should not be merged at this time. labels Oct 21, 2024
@xazhao xazhao marked this pull request as ready for review October 21, 2024 22:04
@aws-cdk-automation aws-cdk-automation added the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Oct 21, 2024
@QuantumNeuralCoder QuantumNeuralCoder added needs-security-review Related to feature or issues that needs security review and removed SECURITY labels Oct 21, 2024
@aws-cdk-automation aws-cdk-automation removed the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Oct 22, 2024
@xazhao xazhao removed the pr/do-not-merge This PR should not be merged at this time. label Oct 23, 2024
@mergify
Copy link
Copy Markdown
Contributor

mergify bot commented Oct 23, 2024

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify
Copy link
Copy Markdown
Contributor

mergify bot commented Oct 23, 2024

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation
Copy link
Copy Markdown
Collaborator

aws-cdk-automation commented Oct 23, 2024

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: c85a454
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify mergify bot merged commit 58dfda0 into aws:main Oct 23, 2024
@mergify
Copy link
Copy Markdown
Contributor

mergify bot commented Oct 23, 2024

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Oct 23, 2024

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 23, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

2 more reviewers

@GavinZZ GavinZZ GavinZZ approved these changes

@moelasmar moelasmar moelasmar approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

bug This issue is a bug. contribution/core This is a PR that came from AWS. effort/small Small work item – less than a day of effort needs-security-review Related to feature or issues that needs security review p1

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[aws-events-targets] Kinesis Stream target with Customer-Managed KMS key causes EventBridge FailedInvocations

5 participants

@xazhao @aws-cdk-automation @GavinZZ @moelasmar @QuantumNeuralCoder