bucketNotificationDestination: SnsDestination does not give S3 service principal KMS access when Topic is encrypted under KMS key #29511
Labels
@aws-cdk/aws-s3
Related to Amazon S3
bug
This issue is a bug.
effort/medium
Medium work item – several days of effort
p2
Describe the bug
In https://github.com/aws/aws-cdk/blob/v2.133.0/packages/aws-cdk-lib/aws-s3-notifications/lib/sns.ts, creating SnsDestination sets up topic access policy for S3 Service principal to publish to SNS topic.
But if topic has KMS key encryption, nothing is added and S3 cannot verify the notification destination configuration is valid.
Similar to what is done in SqsDestination https://github.com/aws/aws-cdk/blob/v2.133.0/packages/aws-cdk-lib/aws-s3-notifications/lib/sqs.ts#L27-L37
Expected Behavior
I was expecting the KMS key access to be given automatically when creating Sns notification destination.
Current Behavior
The SNS does not receive any notification as S3 is not able to verify destination is valid when SNS has KMS encryption.
Reproduction Steps
Creating an SNS topic using KSM encryption.
Creating an S3 bucket.
Adding SNS notification destination for S3 bucket events.
Possible Solution
Do similar as what is done in SqsDestination https://github.com/aws/aws-cdk/blob/v2.133.0/packages/aws-cdk-lib/aws-s3-notifications/lib/sqs.ts#L27-L37
Additional Information/Context
No response
CDK CLI Version
v2.133
Framework Version
No response
Node.js Version
18
OS
MacOS
Language
TypeScript
Language Version
No response
Other information
No response
The text was updated successfully, but these errors were encountered: