(app-staging-synthesizer-alpha): Allow using S3 Managed KMS Key for Bucket #28815

blimmer · 2024-01-22T20:44:41Z

Describe the feature

Currently, the AppStagingSythesizer always creates a KMS key to encrypt the staging bucket:

aws-cdk/packages/@aws-cdk/app-staging-synthesizer-alpha/lib/default-staging-stack.ts

Lines 360 to 378 in 1b6be8b

    
           const key = this.createBucketKey(); 
        
           // Create the bucket once the dependencies have been created 
        
           const bucket = new s3.Bucket(this, bucketId, { 
        
             bucketName: stagingBucketName, 
        
             ...(this.autoDeleteStagingAssets ? { 
        
               removalPolicy: RemovalPolicy.DESTROY, 
        
               autoDeleteObjects: true, 
        
             } : { 
        
               removalPolicy: RemovalPolicy.RETAIN, 
        
             }), 
        
             encryption: s3.BucketEncryption.KMS, 
        
             encryptionKey: key, 
        
             // Many AWS account safety checkers will complain when buckets aren't versioned 
        
             versioned: true, 
        
             // Many AWS account safety checkers will complain when SSL isn't enforced 
        
             enforceSSL: true, 
        
           });

It would be nice if we could opt into using the SSE-S3 keys instead.

Use Case

I'd like to start making more frequent use of the AppStagingSynthesizer. However, by forcing the use of a custom KMS key, each app using this synthesizer incurs a $1/month fee for the key.

Proposed Solution

The DefaultStackSynthesizer does not specify an encryption key and, thus, uses the SSE-S3 managed key by default. It feels like AppStagingSynthesizer should do the same thing by default. IMO, the custom KMS key feels like it should be an opt-in behavior for those who want it.

Other Information

No response

Acknowledgements

I may be able to implement this feature request
This feature might incur a breaking change

CDK version used

2.122.0

Environment details (OS name and version, etc.)

MacOS

The text was updated successfully, but these errors were encountered:

moltar · 2024-01-22T22:43:41Z

Just discovered the same foot-gun after looking at the AWS bill. It also appears that AppStagingSythesizer orphans the keys even after the staging stack and all app stacks are entirely deleted. I've discovered > 20 keys after just a few days of iteration on a solution.

blimmer · 2024-01-22T22:45:12Z

Oh wow, yeah, definitely would want to put a DESTROY retention policy at the very least.

…et (#28903) Closes #28815. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

github-actions · 2024-01-30T18:47:27Z

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

…et (#28903) Closes #28815. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

@msambol

…cryption` and note that we intend to default to `S3_MANAGED` in the future (#28978) ### Issue # (if applicable) Relates to #28815 ### Reason for this change The App Staging Synthesizer is great - I've moved to using it for most of my stacks. However, the current default uses a Customer-Managed KMS key, which costs $1/month. The default synthesizer bucket uses SSE-S3 encryption by default. This is nice because users do not incur additional fees for a KMS key. In my opinion, SSE-S3 is good enough for most people. If folks need additional security, they should opt-in to SSE-KMS, which they can do via the `stagingBucketEncryption` property @msambol introduced with #28903. ### Description of changes With guidance from @kaizencc [below](#28978 (comment)), this PR makes `stagingBucketEncryption` a required property, with a user-facing note that we intend to default to `S3_MANAGED` as the module is stablized. ### Description of how you validated changes Updated unit tests. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) BREAKING CHANGE: `stagingBucketEncryption` property is now required. For existing apps, specify `BucketEncryption.KMS` to retain existing behavior. For new apps, choose the bucket encryption that makes most sense for your use case. `BucketEncryption.S3_MANAGED` is available and is intended to be the default when this module is stabilized. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

@msambol

…cryption` and note that we intend to default to `S3_MANAGED` in the future (#28978) ### Issue # (if applicable) Relates to #28815 ### Reason for this change The App Staging Synthesizer is great - I've moved to using it for most of my stacks. However, the current default uses a Customer-Managed KMS key, which costs $1/month. The default synthesizer bucket uses SSE-S3 encryption by default. This is nice because users do not incur additional fees for a KMS key. In my opinion, SSE-S3 is good enough for most people. If folks need additional security, they should opt-in to SSE-KMS, which they can do via the `stagingBucketEncryption` property @msambol introduced with #28903. ### Description of changes With guidance from @kaizencc [below](#28978 (comment)), this PR makes `stagingBucketEncryption` a required property, with a user-facing note that we intend to default to `S3_MANAGED` as the module is stablized. ### Description of how you validated changes Updated unit tests. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) BREAKING CHANGE: `stagingBucketEncryption` property is now required. For existing apps, specify `BucketEncryption.KMS` to retain existing behavior. For new apps, choose the bucket encryption that makes most sense for your use case. `BucketEncryption.S3_MANAGED` is available and is intended to be the default when this module is stabilized. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

blimmer added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Jan 22, 2024

github-actions bot added the @aws-cdk/app-staging-synthesizer-alpha Related to the @aws-cdk/app-staging-synthesizer-alpha package label Jan 22, 2024

pahud added p2 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Jan 24, 2024

msambol mentioned this issue Jan 28, 2024

feat(app-staging-synthesizer-alpha): encryption type for staging bucket #28903

Merged

msambol added a commit to msambol/aws-cdk that referenced this issue Jan 29, 2024

Merge branch 'main' into awsgh-28815

c315724

kaizencc added a commit to msambol/aws-cdk that referenced this issue Jan 30, 2024

Merge branch 'main' into awsgh-28815

c728a01

kaizencc added a commit to msambol/aws-cdk that referenced this issue Jan 30, 2024

Merge branch 'main' into awsgh-28815

de23887

mergify bot closed this as completed in #28903 Jan 30, 2024

github-actions bot mentioned this issue Feb 1, 2024

Monthly issue metrics report - Jan 2024 #28951

Closed

blimmer mentioned this issue Feb 4, 2024

feat(app-staging-synthesizer-alpha): require passing stagingBucketEncryption and note that we intend to default to S3_MANAGED in the future #28978

Merged

1 task

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

(app-staging-synthesizer-alpha): Allow using S3 Managed KMS Key for Bucket #28815

(app-staging-synthesizer-alpha): Allow using S3 Managed KMS Key for Bucket #28815

blimmer commented Jan 22, 2024

moltar commented Jan 22, 2024

blimmer commented Jan 22, 2024

github-actions bot commented Jan 30, 2024