Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(s3): Bucket Key cannot be used with KMS_MANAGED key #22331

Merged
merged 2 commits into from
Oct 4, 2022
Merged

fix(s3): Bucket Key cannot be used with KMS_MANAGED key #22331

merged 2 commits into from
Oct 4, 2022

Conversation

rix0rrr
Copy link
Contributor

@rix0rrr rix0rrr commented Oct 3, 2022

  • BucketEncryption.KMS means: bring your own key.
  • BucketEncryption.KMS_MANAGED means: use the AWS default key (which is free).

Bucket Key means "S3 uses a shadow key to reduce cost on encryption operations". It should apply to both KMS use cases, but was written to only apply to the BYOK scenario.

Also allow the other one.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@rix0rrr
fix(s3): Bucket Key cannot be used with KMS_MANAGED key
e0eed5c 
- BucketEncryption.KMS means: bring your own key.
- BucketEncryption.KMS_MANAGED means: use the AWS default key (which is
  free).

Bucket Key means "S3 uses a shadow key to reduce cost on encryption
operations". It should apply to both KMS use cases, but was written to
only apply to the BYOK scenario.

Also allow the other one.
@rix0rrr rix0rrr requested a review from a team October 3, 2022 16:27
@rix0rrr rix0rrr self-assigned this Oct 3, 2022
@gitpod-io
Copy link

gitpod-io bot commented Oct 3, 2022

@github-actions github-actions bot added the p2 label Oct 3, 2022
@aws-cdk-automation aws-cdk-automation requested a review from a team October 3, 2022 16:27
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Oct 3, 2022
@rix0rrr rix0rrr added the pr-linter/exempt-integ-test The PR linter will not require integ test changes label Oct 3, 2022
Naumel
Naumel approved these changes Oct 4, 2022
View reviewed changes
Copy link
Contributor

@Naumel Naumel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@Naumel
Copy link
Contributor

Naumel commented Oct 4, 2022

@Mergifyio update

@mergify
Copy link
Contributor

mergify bot commented Oct 4, 2022

update

✅ Branch has been successfully updated

@mergify
Copy link
Contributor

mergify bot commented Oct 4, 2022

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 58533d8
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify mergify bot merged commit 63d3c54 into main Oct 4, 2022
@mergify mergify bot deleted the huijbers/kms-bucketkey branch October 4, 2022 09:47
@mergify
Copy link
Contributor

mergify bot commented Oct 4, 2022

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@alekasw
Copy link

alekasw commented Oct 6, 2022

Hi. Just upgraded to cdk 2.45.0 but when I cdk synth I still get the error:

bucketKeyEnabled is specified, so 'encryption' must be set to KMS (value: MANAGED)

arewa pushed a commit to arewa/aws-cdk that referenced this pull request Oct 8, 2022
@rix0rrr @arewa
fix(s3): Bucket Key cannot be used with KMS_MANAGED key (aws#22331)
0279fd0 
- BucketEncryption.KMS means: bring your own key.
- BucketEncryption.KMS_MANAGED means: use the AWS default key (which is free).

Bucket Key means "S3 uses a shadow key to reduce cost on encryption operations". It should apply to both KMS use cases, but was written to only apply to the BYOK scenario.

Also allow the other one.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
homakk pushed a commit to homakk/aws-cdk that referenced this pull request Dec 1, 2022
@rix0rrr @madeline-k
fix(s3): Bucket Key cannot be used with KMS_MANAGED key (aws#22331)
e052605 
- BucketEncryption.KMS means: bring your own key.
- BucketEncryption.KMS_MANAGED means: use the AWS default key (which is free).

Bucket Key means "S3 uses a shadow key to reduce cost on encryption operations". It should apply to both KMS use cases, but was written to only apply to the BYOK scenario.

Also allow the other one.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Naumel Naumel Naumel approved these changes

Assignees

@rix0rrr rix0rrr

Labels
contribution/core This is a PR that came from AWS. p2 pr-linter/exempt-integ-test The PR linter will not require integ test changes
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@rix0rrr @Naumel @aws-cdk-automation @alekasw