Commit
fix(scheduler-alpha): too many KMS permissions granted (#31923)
### Issue # (if applicable)

Tracking #31785.

### Reason for this change

When customers use a KMS Customer Managed Key (CMK) with the `Schedule` construct, the following permissions are added to the scheduler execution role:

```
'kms:Decrypt',
'kms:Encrypt',
'kms:ReEncrypt*',
'kms:GenerateDataKey*'
```

However, upon testing, having only the `kms:Decrypt` permission is enough for the Schedule to invoke the target (a Lambda Function was used as the target in the test).

### Description of changes

This PR removes the unneeded KMS permissions and updates the integ test to verify that the schedule is still able to invoke the target.

### Description of how you validated changes

Unit test and integ test.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

----

BREAKING CHANGE: Extra KMS permissions are removed from Schedule execution role when KMS key is passed to Schedule.
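The following is an added example, not part of the commit or the aws-cdk code base: a TypeScript check that scans a synthesized CloudFormation template for IAM policy statements granting KMS actions beyond `kms:Decrypt`, the one action the commit message reports as sufficient. The template shape, the logical ID `ExecRolePolicy` and the key ARN are constructed sample values.

```typescript
// Added example: flag KMS grants beyond kms:Decrypt in IAM policies of a
// CloudFormation template. Sample templates below are constructed.
type Statement = { Effect: string; Action: string | string[]; Resource?: unknown };
type Resource = {
  Type: string;
  Properties?: { PolicyDocument?: { Statement: Statement | Statement[] } };
};
type Template = { Resources: { [logicalId: string]: Resource } };
interface Finding { logicalId: string; action: string }

// Assumption from the commit message: kms:Decrypt is the only KMS action needed.
const ALLOWED_KMS = new Set<string>(["kms:decrypt"]);

function isExcessKms(action: string): boolean {
  const a = action.toLowerCase();          // IAM action names are case-insensitive
  if (a === "*") return true;              // full wildcard covers every KMS action
  if (!a.startsWith("kms:")) return false; // not a KMS grant, out of scope here
  return !ALLOWED_KMS.has(a);              // kms:*, kms:ReEncrypt*, kms:Encrypt, ...
}

function excessKmsActions(template: Template): Finding[] {
  const findings: Finding[] = [];
  for (const logicalId of Object.keys(template.Resources)) {
    const res = template.Resources[logicalId];
    if (res.Type !== "AWS::IAM::Policy") continue;
    const doc = res.Properties ? res.Properties.PolicyDocument : undefined;
    if (!doc) continue;
    // Statement and Action may each be a single value or an array.
    const statements = Array.isArray(doc.Statement) ? doc.Statement : [doc.Statement];
    for (const st of statements) {
      if (st.Effect !== "Allow") continue;
      const actions = Array.isArray(st.Action) ? st.Action : [st.Action];
      for (const action of actions) {
        if (isExcessKms(action)) findings.push({ logicalId, action });
      }
    }
  }
  return findings;
}

// Constructed policy resource for a scheduler execution role.
function samplePolicy(actions: string[]): Template {
  const keyArn = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE"; // placeholder
  const stmt: Statement = { Effect: "Allow", Action: actions, Resource: keyArn };
  return { Resources: { ExecRolePolicy: { Type: "AWS::IAM::Policy",
    Properties: { PolicyDocument: { Statement: [stmt] } } } } };
}
const before = samplePolicy(["kms:Decrypt", "kms:Encrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*"]);
const after = samplePolicy(["kms:Decrypt"]);
console.log(excessKmsActions(before).map((f) => f.action), excessKmsActions(after).length);
```

A check like this can run against `cdk synth` output in CI so that a later change re-adding broad KMS actions to the role is caught before deployment.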