AWS SNS CDK: Allow referencing managed KMS keys

[ll-michael]

Describe the feature

The CDK does not support referencing AWS managed KMS keys associated with SNS topics that have EnforceSSL set to true. This diverges from CDK behavior with S3, which allows referencing encryption keys that are associated with buckets with KMS encryption enabled.

Use Case

I would like to reference AWS managed SNS keys associated with SNS topics in the CDK. This allows for other CDK resources, such as iam policies, to reference the KMS key.

Proposed Solution

Add a property to CDK SNS topics to return the AWS managed KMS key.

Other Information

No response

Acknowledgements

• I may be able to implement this feature request
• This feature might incur a breaking change

CDK version used

2.150.0

Environment details (OS name and version, etc.)

NA

[ashishdhingra]

@ll-michael Good morning. Thanks for opening the issue. If you refer construct props for Topic, it does support properties masterKey properties which maps to AWS::SNS::Topic KmsMasterKeyId property. Please check if this is the property you are looking for.

Thanks,
Ashish

[ll-michael]

Hello Anish,

While the S3 and SNS CDK both support passing iam keys to construct an item, the SNS CDK does not support referencing an encryption/master key as part of its properties after creation.

This behavior diverges from the S3 CDK, which supports referencing an S3 encryption key property.

Is there an SNS CDK property that allows referencing iam keys after creation?

Best,
Michael

[ashishdhingra]

The feature should perhaps expose a public readonly property named masterKey in Topic class.

Normally the L2 construct public properties are exposed based on the underlying return values specified in CloudFormation resource specification.

• For AWS::SNS::Topic, KmsMasterKeyId is not one of the return values.
• However, for AWS::S3::Bucket also doesn't document encryptionKey as one of the return values. This is possibly because it is more opinionated.

This feature needs to be discussed with the team.

@ll-michael Could you please elaborate your case for need of such property when the value for masterKey would have been defined in constructor properties from some configuration and already accessible?