fix(sns): for SSE topics, add KMS permissions in grantPublish

Author: lightningboltemoji

packages/@aws-cdk-testing/framework-integ/test/aws-sns/test/integ.sns.js.snapshot/SNSInteg.assets.json

@@ -27,6 +27,17 @@
         }
        },
        "Resource": "*"
+      },
+      {
+       "Action": [
+        "kms:Decrypt",
+        "kms:GenerateDataKey*"
+       ],
+       "Effect": "Allow",
+       "Principal": {
+        "Service": "s3.amazonaws.com"
+       },
+       "Resource": "*"
       }
      ],
      "Version": "2012-10-17"
@@ -132,12 +143,6 @@
    "Type": "AWS::SNS::Topic",
    "Properties": {
     "DisplayName": "fooDisplayName2",
-    "KmsMasterKeyId": {
-     "Fn::GetAtt": [
-      "CustomKey1E6D0D07",
-      "Arn"
-     ]
-    },
     "TopicName": "fooTopic2"
    }
   },
@@ -166,8 +171,26 @@
       {
        "Action": "sns:Publish",
        "Effect": "Allow",
+       "Resource": [
+        {
+         "Ref": "MyTopic288CE2107"
+        },
+        {
+         "Ref": "MyTopic3134CFDFB"
+        }
+       ]
+      },
+      {
+       "Action": [
+        "kms:Decrypt",
+        "kms:GenerateDataKey*"
+       ],
+       "Effect": "Allow",
        "Resource": {
-        "Ref": "MyTopic288CE2107"
+        "Fn::GetAtt": [
+         "CustomKey1E6D0D07",
+         "Arn"
+        ]
        }
       }
      ],
@@ -180,6 +203,19 @@
      }
     ]
    }
+  },
+  "MyTopic3134CFDFB": {
+   "Type": "AWS::SNS::Topic",
+   "Properties": {
+    "DisplayName": "fooDisplayName3",
+    "KmsMasterKeyId": {
+     "Fn::GetAtt": [
+      "CustomKey1E6D0D07",
+      "Arn"
+     ]
+    },
+    "TopicName": "fooTopic3"
+   }
   }
  },
  "Parameters": {

packages/@aws-cdk-testing/framework-integ/test/aws-sns/test/integ.sns.js.snapshot/SNSInteg.template.json

@@ -62,14 +62,32 @@ class SNSInteg extends Stack {
     const topic2 = new Topic(this, 'MyTopic2', {
       topicName: 'fooTopic2',
       displayName: 'fooDisplayName2',
-      masterKey: key,
     });
-    const importedTopic = Topic.fromTopicArn(this, 'ImportedTopic', topic2.topicArn);
+    const importedTopic2 = Topic.fromTopicArn(this, 'ImportedTopic2', topic2.topicArn);
 
     const publishRole = new Role(this, 'PublishRole', {
       assumedBy: new ServicePrincipal('s3.amazonaws.com'),
     });
-    importedTopic.grantPublish(publishRole);
+    importedTopic2.grantPublish(publishRole);
+
+    // Can import encrypted topic by attributes
+    const topic3 = new Topic(this, 'MyTopic3', {
+      topicName: 'fooTopic3',
+      displayName: 'fooDisplayName3',
+      masterKey: key,
+    });
+    const importedTopic3 = Topic.fromTopicAttributes(this, 'ImportedTopic3', {
+      topicArn: topic3.topicArn,
+      keyArn: key.keyArn,
+    });
+    importedTopic3.grantPublish(publishRole);
+
+    // Can reference KMS key after creation
+    topic3.masterKey!.addToResourcePolicy(new PolicyStatement({
+      principals: [new ServicePrincipal('s3.amazonaws.com')],
+      actions: ['kms:GenerateDataKey*', 'kms:Decrypt'],
+      resources: ['*'],
+    }));
   }
 }
 

packages/@aws-cdk-testing/framework-integ/test/aws-sns/test/integ.sns.js.snapshot/cdk.out

@@ -5,6 +5,7 @@ import { ITopicSubscription } from './subscriber';
 import { Subscription } from './subscription';
 import * as notifications from '../../aws-codestarnotifications';
 import * as iam from '../../aws-iam';
+import { IKey } from '../../aws-kms';
 import { IResource, Resource, ResourceProps, Token } from '../../core';
 import { ValidationError } from '../../core/lib/errors';
 
@@ -26,6 +27,17 @@ export interface ITopic extends IResource, notifications.INotificationRuleTarget
    */
   readonly topicName: string;
 
+  /**
+   * A KMS Key, either managed by this CDK app, or imported.
+   *
+   * This property applies only to server-side encryption.
+   *
+   * @see https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html
+   *
+   * @default None
+   */
+  readonly masterKey?: IKey;
+
   /**
    * Enables content-based deduplication for FIFO topics.
    *
@@ -73,6 +85,8 @@ export abstract class TopicBase extends Resource implements ITopic {
 
   public abstract readonly topicName: string;
 
+  public abstract readonly masterKey?: IKey;
+
   public abstract readonly fifo: boolean;
 
   public abstract readonly contentBasedDeduplication: boolean;
@@ -191,12 +205,16 @@ export abstract class TopicBase extends Resource implements ITopic {
    * Grant topic publishing permissions to the given identity
    */
   public grantPublish(grantee: iam.IGrantable) {
-    return iam.Grant.addToPrincipalOrResource({
+    const ret = iam.Grant.addToPrincipalOrResource({
       grantee,
       actions: ['sns:Publish'],
       resourceArns: [this.topicArn],
       resource: this,
     });
+    if (this.masterKey) {
+      this.masterKey.grant(grantee, 'kms:Decrypt', 'kms:GenerateDataKey*');
+    }
+    return ret;
   }
 
   /**

packages/@aws-cdk-testing/framework-integ/test/aws-sns/test/integ.sns.js.snapshot/integ.json

@@ -2,7 +2,7 @@ import { Construct } from 'constructs';
 import { CfnTopic } from './sns.generated';
 import { ITopic, TopicBase } from './topic-base';
 import { IRole } from '../../aws-iam';
-import { IKey } from '../../aws-kms';
+import { IKey, Key } from '../../aws-kms';
 import { ArnFormat, Lazy, Names, Stack, Token } from '../../core';
 import { ValidationError } from '../../core/lib/errors';
 import { addConstructMetadata, MethodMetadata } from '../../core/lib/metadata-resource';
@@ -219,6 +219,13 @@ export interface TopicAttributes {
    */
   readonly topicArn: string;
 
+  /**
+   * KMS encryption key, if this topic is server-side encrypted by a KMS key.
+   *
+   * @default - None
+   */
+  readonly keyArn?: string;
+
   /**
    * Whether content-based deduplication is enabled.
    * Only applicable for FIFO topics.
@@ -261,6 +268,9 @@ export class Topic extends TopicBase {
     class Import extends TopicBase {
       public readonly topicArn = attrs.topicArn;
       public readonly topicName = topicName;
+      public readonly masterKey = attrs.keyArn
+        ? Key.fromKeyArn(this, 'Key', attrs.keyArn)
+        : undefined;
       public readonly fifo = fifo;
       public readonly contentBasedDeduplication = attrs.contentBasedDeduplication || false;
       protected autoCreatePolicy: boolean = false;
@@ -273,6 +283,7 @@ export class Topic extends TopicBase {
 
   public readonly topicArn: string;
   public readonly topicName: string;
+  public readonly masterKey?: IKey;
   public readonly contentBasedDeduplication: boolean;
   public readonly fifo: boolean;
 
@@ -357,6 +368,7 @@ export class Topic extends TopicBase {
       resource: this.physicalName,
     });
     this.topicName = this.getResourceNameAttribute(resource.attrTopicName);
+    this.masterKey = props.masterKey;
     this.fifo = props.fifo || false;
     this.contentBasedDeduplication = props.contentBasedDeduplication || false;
 

packages/@aws-cdk-testing/framework-integ/test/aws-sns/test/integ.sns.js.snapshot/manifest.json

@@ -304,6 +304,38 @@ describe('Topic', () => {
     });
   });
 
+  test('give publishing permissions with masterKey', () => {
+    // GIVEN
+    const stack = new cdk.Stack();
+    const key = new kms.Key(stack, 'CustomKey');
+    const topic = new sns.Topic(stack, 'Topic', { masterKey: key });
+    const user = new iam.User(stack, 'User');
+
+    // WHEN
+    topic.grantPublish(user);
+
+    // THEN
+    Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', {
+      'PolicyDocument': {
+        Version: '2012-10-17',
+        'Statement': [
+          {
+            'Action': 'sns:Publish',
+            'Effect': 'Allow',
+            'Resource': stack.resolve(topic.topicArn),
+          },
+          {
+            'Action': ['kms:Decrypt', 'kms:GenerateDataKey*'],
+            'Effect': 'Allow',
+            'Resource': {
+              'Fn::GetAtt': ['CustomKey1E6D0D07', 'Arn'],
+            },
+          },
+        ],
+      },
+    });
+  });
+
   test('give subscribing permissions', () => {
     // GIVEN
     const stack = new cdk.Stack();
@@ -544,6 +576,21 @@ describe('Topic', () => {
     })).toThrow(/Cannot import topic; contentBasedDeduplication is only available for FIFO SNS topics./);
   });
 
+  test('fromTopicAttributes keyArn', () => {
+    // GIVEN
+    const stack = new cdk.Stack();
+    const keyArn = 'arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab';
+
+    // WHEN
+    const imported = sns.Topic.fromTopicAttributes(stack, 'Imported', {
+      topicArn: 'arn:aws:sns:*:123456789012:mytopic',
+      keyArn,
+    });
+
+    // THEN
+    expect(imported.masterKey?.keyArn).toEqual(keyArn);
+  });
+
   test('sets account for imported topic env', () => {
     // GIVEN
     const stack = new cdk.Stack();