feat(s3tables): server-side encryption by customer managed KMS key

[badmintoncryer]

Issue # (if applicable)

None

Reason for this change

AWS S3 Tables supports for server side encryption by customer managed KMS keys.

https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-kms-encryption.html

And cloudformation have supported for this feature.

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3tables-tablebucket-encryptionconfiguration.html

Description of changes

• Add kmsKey prop to TableBucketProps
• Add kms key resource policy which enables S3 Tables to execute automatic table maintenance
  • https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-kms-permissions.html

Describe any new or updated permissions being added

Add resource policy to the kms key.

// add resource policy to the encryption key
    // see https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-kms-permissions.html#tables-kms-maintenance-permissions
    props?.kmsKey?.addToResourcePolicy(
      new iam.PolicyStatement({
        actions: ['kms:Decrypt', 'kms:GenerateDataKey'],
        resources: ['*'],
        effect: iam.Effect.ALLOW,
        principals: [new iam.ServicePrincipal('maintenance.s3tables.amazonaws.com')],
        conditions: {
          StringLike: {
            'kms:EncryptionContext:aws:s3:arn': `${Stack.of(this).formatArn({
              service: 's3tables',
              resource: 'bucket',
              resourceName: props.tableBucketName,
            })}/*`,
          },
        },
      }),
    );

Description of how you validated changes

Add both unit and integ tests.

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

(This review is outdated)

[badmintoncryer]

While the documentation specifies using the KMS Key ARN as resource section, I am using a wildcard (*) for the following reasons:

• Specifying kmsKey.keyArn as the resource would create a circular reference
• In resource policies, using a wildcard (*) or specifying the key ARN has the same effect
  • In a key policy, the value of the Resource element is "*", which means "this KMS key." The asterisk ("*") identifies the KMS key to which the key policy is attached.
  • https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-overview.html#key-policy-elements

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[QuantumNeuralCoder]

Can you run the security-guardian tool locally? I am sure it will complain :). Refer README.

[badmintoncryer]

This is the execution result. Is it OK?

❯ yarn security-guardian
yarn run v1.22.21
$ ts-node src/index.ts --rule_set_path=./rules
Created working directory: ./changed_templates
Detecting changed .template.json files from origin/main to HEAD
[command]/opt/homebrew/bin/git diff --name-status origin/main HEAD
M       packages/@aws-cdk/aws-s3tables-alpha/README.md
M       packages/@aws-cdk/aws-s3tables-alpha/lib/table-bucket.ts
M       packages/@aws-cdk/aws-s3tables-alpha/rosetta/default.ts-fixture
A       packages/@aws-cdk/aws-s3tables-alpha/test/integration/integ.table-bucket-kms-key.js.snapshot/cdk.out
A       packages/@aws-cdk/aws-s3tables-alpha/test/integration/integ.table-bucket-kms-key.js.snapshot/integ.json
A       packages/@aws-cdk/aws-s3tables-alpha/test/integration/integ.table-bucket-kms-key.js.snapshot/kms-key-s3tables-stack.assets.json
A       packages/@aws-cdk/aws-s3tables-alpha/test/integration/integ.table-bucket-kms-key.js.snapshot/kms-key-s3tables-stack.template.json
A       packages/@aws-cdk/aws-s3tables-alpha/test/integration/integ.table-bucket-kms-key.js.snapshot/kmskeys3tablesintegDefaultTestDeployAssertC8AB8C4E.assets.json
A       packages/@aws-cdk/aws-s3tables-alpha/test/integration/integ.table-bucket-kms-key.js.snapshot/kmskeys3tablesintegDefaultTestDeployAssertC8AB8C4E.template.json
A       packages/@aws-cdk/aws-s3tables-alpha/test/integration/integ.table-bucket-kms-key.js.snapshot/manifest.json
A       packages/@aws-cdk/aws-s3tables-alpha/test/integration/integ.table-bucket-kms-key.js.snapshot/tree.json
A       packages/@aws-cdk/aws-s3tables-alpha/test/integration/integ.table-bucket-kms-key.ts
M       packages/@aws-cdk/aws-s3tables-alpha/test/table-bucket.test.ts
[command]/opt/homebrew/bin/git rev-parse --show-toplevel
/Users/kazuhoshinozuka/git/aws-cdk
fullpath: /Users/kazuhoshinozuka/git/aws-cdk/packages/@aws-cdk/aws-s3tables-alpha/test/integration/integ.table-bucket-kms-key.js.snapshot/kms-key-s3tables-stack.template.json
Copied: packages/@aws-cdk/aws-s3tables-alpha/test/integration/integ.table-bucket-kms-key.js.snapshot/kms-key-s3tables-stack.template.json
[command]/opt/homebrew/bin/git rev-parse --show-toplevel
/Users/kazuhoshinozuka/git/aws-cdk
fullpath: /Users/kazuhoshinozuka/git/aws-cdk/packages/@aws-cdk/aws-s3tables-alpha/test/integration/integ.table-bucket-kms-key.js.snapshot/kmskeys3tablesintegDefaultTestDeployAssertC8AB8C4E.template.json
Copied: packages/@aws-cdk/aws-s3tables-alpha/test/integration/integ.table-bucket-kms-key.js.snapshot/kmskeys3tablesintegDefaultTestDeployAssertC8AB8C4E.template.json
Running cfn-guard with rule set: ./rules
[command]/opt/homebrew/bin/cfn-guard validate --data ./changed_templates --rules ./rules --show-summary fail --output-format json
{
  "name": "/Users/kazuhoshinozuka/git/aws-cdk/tools/@aws-cdk/security-guardian/changed_templates/packages_@aws-cdk_aws-s3tables-alpha_test_integration_integ.table-bucket-kms-key.js.snapshot_kms-key-s3tables-stack.template.json",
  "metadata": {},
  "status": "SKIP",
  "not_compliant": [],
  "not_applicable": [
    "IAM_ROLE_NO_BROAD_PRINCIPALS"
  ],
  "compliant": []
}{
  "name": "/Users/kazuhoshinozuka/git/aws-cdk/tools/@aws-cdk/security-guardian/changed_templates/packages_@aws-cdk_aws-s3tables-alpha_test_integration_integ.table-bucket-kms-key.js.snapshot_kmskeys3tablesintegDefaultTestDeployAssertC8AB8C4E.template.json",
  "metadata": {},
  "status": "SKIP",
  "not_compliant": [],
  "not_applicable": [
    "IAM_ROLE_NO_BROAD_PRINCIPALS"
  ],
  "compliant": []
}Running scanner for intrinsics
Scanning JSON files in: ./changed_templates
Processing: changed_templates/packages_@aws-cdk_aws-s3tables-alpha_test_integration_integ.table-bucket-kms-key.js.snapshot_kms-key-s3tables-stack.template.json
Match found in: changed_templates/packages_@aws-cdk_aws-s3tables-alpha_test_integration_integ.table-bucket-kms-key.js.snapshot_kms-key-s3tables-stack.template.json (statements: 1)
Processing: changed_templates/packages_@aws-cdk_aws-s3tables-alpha_test_integration_integ.table-bucket-kms-key.js.snapshot_kmskeys3tablesintegDefaultTestDeployAssertC8AB8C4E.template.json
detailed_output File: changed_templates/packages_@aws-cdk_aws-s3tables-alpha_test_integration_integ.table-bucket-kms-key.js.snapshot_kms-key-s3tables-stack.template.json
{
  "Action": "kms:*",
  "Effect": "Allow",
  "Principal": {
    "AWS": {
      "Fn::Join": [
        "",
        [
          "arn:",
          {
            "Ref": "AWS::Partition"
          },
          ":iam::",
          {
            "Ref": "AWS::AccountId"
          },
          ":root"
        ]
      ]
    }
  },
  "Resource": "*"
} |n| ============================================================

 Scan complete!
 Files scanned : 2
 Matches found : 1
::warning::Intrinsic scan found 1 issue(s).

::set-output name=issues_found::1
::error::Action completed with issues: Intrinsic scan found 1 issue(s).
Removed working directory: ./changed_templates
error Command failed with exit code 1.
info Visit https://yarnpkg.com/en/docs/cli/run for documentation about this command.

[QuantumNeuralCoder]

Yes. The results are fine.

[QuantumNeuralCoder]

Noting the kms* pattern also caught by security guardian. Approving this.

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: 882f81b
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

[godwingrs22]

Hi @badmintoncryer,

First of all, thank you for taking the time to contribute to this feature. We truly value community contributions and the effort you put into implementing this feature.

I need to revert this PR as there was a parallel implementation #34281 being developed by the service team that includes some additional internal considerations. I apologize for not catching this overlap earlier in the review process.

Thanks for your understanding!