Adding back encryption context and updating CWL Log Group to use sepa…

…rate KMS Key in snapshot tests and README examples
aws · Aug 12, 2024 · 89a56ce · 89a56ce
1 parent b2dc0e9
commit 89a56ce
Show file tree

Hide file tree

Showing 7 changed files with 232 additions and 23 deletions.
diff --git a/...-stepfunctions/test/integ.state-machine-cmk-with-cwl-encryption.js.snapshot/manifest.json b/...-stepfunctions/test/integ.state-machine-cmk-with-cwl-encryption.js.snapshot/manifest.json
diff --git a/...state-machine-cmk-with-cwl-encryption.js.snapshot/stepfunctions-cmk-cwl-integ.assets.json b/...state-machine-cmk-with-cwl-encryption.js.snapshot/stepfunctions-cmk-cwl-integ.assets.json
diff --git a/...ate-machine-cmk-with-cwl-encryption.js.snapshot/stepfunctions-cmk-cwl-integ.template.json b/...ate-machine-cmk-with-cwl-encryption.js.snapshot/stepfunctions-cmk-cwl-integ.template.json
@@ -1,6 +1,6 @@
 {
  "Resources": {
-  "Key961B73FD": {
+  "StateMachineKey3DE756E3": {
    "Type": "AWS::KMS::Key",
    "Properties": {
     "KeyPolicy": {
@@ -95,6 +95,33 @@
         "kms:GenerateDataKey*",
         "kms:ReEncrypt*"
        ],
+       "Condition": {
+        "ArnEquals": {
+         "kms:EncryptionContext:aws:logs:arn": {
+          "Fn::Join": [
+           "",
+           [
+            "arn:",
+            {
+             "Ref": "AWS::Partition"
+            },
+            ":logs:",
+            {
+             "Ref": "AWS::Region"
+            },
+            ":",
+            {
+             "Ref": "AWS::AccountId"
+            },
+            ":log-group:",
+            {
+             "Ref": "MyLogGroup5C0DAD85"
+            }
+           ]
+          ]
+         }
+        }
+       },
        "Effect": "Allow",
        "Principal": {
         "Service": {
@@ -127,12 +154,60 @@
    "UpdateReplacePolicy": "Retain",
    "DeletionPolicy": "Retain"
   },
+  "LogGroupKeyD49CF390": {
+   "Type": "AWS::KMS::Key",
+   "Properties": {
+    "KeyPolicy": {
+     "Statement": [
+      {
+       "Action": "kms:*",
+       "Effect": "Allow",
+       "Principal": {
+        "AWS": {
+         "Fn::Join": [
+          "",
+          [
+           "arn:",
+           {
+            "Ref": "AWS::Partition"
+           },
+           ":iam::",
+           {
+            "Ref": "AWS::AccountId"
+           },
+           ":root"
+          ]
+         ]
+        }
+       },
+       "Resource": "*"
+      },
+      {
+       "Action": [
+        "kms:Decrypt",
+        "kms:Encrypt",
+        "kms:GenerateDataKey*",
+        "kms:ReEncrypt*"
+       ],
+       "Effect": "Allow",
+       "Principal": {
+        "Service": "logs.amazonaws.com"
+       },
+       "Resource": "*"
+      }
+     ],
+     "Version": "2012-10-17"
+    }
+   },
+   "UpdateReplacePolicy": "Retain",
+   "DeletionPolicy": "Retain"
+  },
   "MyLogGroup5C0DAD85": {
    "Type": "AWS::Logs::LogGroup",
    "Properties": {
     "KmsKeyId": {
      "Fn::GetAtt": [
-      "Key961B73FD",
+      "LogGroupKeyD49CF390",
       "Arn"
      ]
     },
@@ -197,7 +272,7 @@
      "KmsDataKeyReusePeriodSeconds": 75,
      "KmsKeyId": {
       "Fn::GetAtt": [
-       "Key961B73FD",
+       "StateMachineKey3DE756E3",
        "Arn"
       ]
      },

diff --git a/.../aws-stepfunctions/test/integ.state-machine-cmk-with-cwl-encryption.js.snapshot/tree.json b/.../aws-stepfunctions/test/integ.state-machine-cmk-with-cwl-encryption.js.snapshot/tree.json
diff --git a/...ramework-integ/test/aws-stepfunctions/test/integ.state-machine-cmk-with-cwl-encryption.ts b/...ramework-integ/test/aws-stepfunctions/test/integ.state-machine-cmk-with-cwl-encryption.ts
@@ -1,28 +1,37 @@
 import * as cdk from 'aws-cdk-lib';
 import * as sfn from 'aws-cdk-lib/aws-stepfunctions';
+import * as iam from 'aws-cdk-lib/aws-iam';
 import * as kms from 'aws-cdk-lib/aws-kms';
 import * as logs from 'aws-cdk-lib/aws-logs';
 import { IntegTest } from '@aws-cdk/integ-tests-alpha';
 
 class KMSStateMachine extends cdk.Stack {
   readonly stateMachine: sfn.StateMachine;
-  readonly kmsKey: kms.Key;
+  readonly stateMachineKmsKey: kms.Key;
+  readonly logGroupKmsKey: kms.Key;
   readonly logGroup: logs.LogGroup;
 
   constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
     super(scope, id, props);
 
-    this.kmsKey = new kms.Key(this, 'Key');
+    this.stateMachineKmsKey = new kms.Key(this, 'StateMachineKey');
+    this.logGroupKmsKey = new kms.Key(this, 'LogGroupKey');
+    /**
+     * We need to grant the service principal encrypt and decrypt permissions since passing
+     *  a KMS key when creating a LogGroup doesn't automatically grant the service principal encrypt/decrypt permissions
+     *  see: https://github.com/aws/aws-cdk/issues/28304
+     * */
+    this.logGroupKmsKey.grantEncryptDecrypt(new iam.ServicePrincipal('logs.amazonaws.com'));
     this.logGroup = new logs.LogGroup(this, 'MyLogGroup', {
       logGroupName: '/aws/vendedlogs/states/MyLogGroup',
-      encryptionKey: this.kmsKey,
+      encryptionKey: this.logGroupKmsKey,
     });
 
     this.stateMachine = new sfn.StateMachine(this, 'StateMachineWithCMKWithCWLEncryption', {
       stateMachineName: 'StateMachineWithCMKWithCWLEncryption',
       definitionBody: sfn.DefinitionBody.fromChainable(sfn.Chain.start(new sfn.Pass(this, 'Pass'))),
       stateMachineType: sfn.StateMachineType.STANDARD,
-      kmsKey: this.kmsKey,
+      kmsKey: this.stateMachineKmsKey,
       kmsDataKeyReusePeriodSeconds: cdk.Duration.seconds(75),
       enableEncryptedLogging: true,
       logs: {

diff --git a/packages/aws-cdk-lib/aws-stepfunctions/README.md b/packages/aws-cdk-lib/aws-stepfunctions/README.md
@@ -122,23 +122,32 @@ const stateMachine = new sfn.StateMachine(this, 'StateMachineWithCMKEncryptionCo
 ```
 
 ### Creating a StateMachine with CWL Encryption using a Customer Managed Key,
-You can encrypt data sent to CloudWatch Logs. To use encrypted logging, you must set `enableEncryptedLogging` to `true` and provide the `logs?` prop:
+You can encrypt data sent to CloudWatch Logs. To use encrypted logging, you must set `enableEncryptedLogging` to `true` and provide the `logs?` prop.
 ```
-const kmsKey = new kms.Key(this, 'Key');
+const stateMachineKmsKey = new kms.Key(this, 'StateMachineKey');
+const logGroupKmsKey = new kms.Key(this, 'LogGroupKmsKey');
+
+/**
+     * We need to grant the service principal encrypt and decrypt permissions since passing
+     *  a KMS key when creating a LogGroup doesn't automatically grant the service principal encrypt/decrypt permissions
+     *  see: https://github.com/aws/aws-cdk/issues/28304
+     * 
+*/
+logGroupKmsKey.grantEncryptDecrypt(new iam.ServicePrincipal('logs.amazonaws.com'));
 const logGroup = new logs.LogGroup(this, 'MyLogGroup', {
   logGroupName: '/aws/vendedlogs/states/MyLogGroup',
-  encryptionKey: kmsKey,
+  encryptionKey: logGroupKmsKey,
 });
 
 const stateMachine = new sfn.StateMachine(this, 'StateMachineWithCMKWithCWLEncryption', {
   stateMachineName: 'StateMachineWithCMKWithCWLEncryption',
   definitionBody: sfn.DefinitionBody.fromChainable(sfn.Chain.start(new sfn.Pass(this, 'Pass'))),
   stateMachineType: sfn.StateMachineType.STANDARD,
-  kmsKey: this.kmsKey,
+  kmsKey: stateMachineKmsKey,
   kmsDataKeyReusePeriodSeconds: cdk.Duration.seconds(75),
   enableEncryptedLogging: true,
   logs: {
-    destination: this.logGroup,
+    destination: logGroup,
     level: sfn.LogLevel.FATAL,
     includeExecutionData: false,
   },