aws · mergify · Nov 6, 2024 · May 14, 2024 · May 15, 2024 · May 15, 2024
diff --git a/packages/aws-cdk-lib/aws-synthetics/lib/canary.ts b/packages/aws-cdk-lib/aws-synthetics/lib/canary.ts
@@ -269,7 +269,7 @@ export interface CanaryProps {
    * Artifact encryption is only supported for canaries that use Synthetics runtime
    * version `syn-nodejs-puppeteer-3.3` or later.
    *
-   * @default - Artifacts are encrypted at rest using an AWS managed key
+   * @default - `ArtifactsEncryptionMode.KMS` is set if you specify `artifactS3KmsKey`, otherwise artifacts are encrypted at rest using an AWS managed key
    *
    * @see https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_artifact_encryption.html
    */
@@ -669,37 +669,44 @@ export class Canary extends cdk.Resource implements ec2.IConnectable {
   }
 
   private createArtifactConfig(props: CanaryProps): CfnCanary.ArtifactConfigProperty | undefined {
-    if (!props.artifactS3EncryptionMode) {
+    if (!props.artifactS3EncryptionMode && !props.artifactS3KmsKey) {
       return undefined;
     }
 
     const isNodeRuntime = props.runtime.family === RuntimeFamily.NODEJS;
-    const isArtifactS3EncryptionModeDefined = !cdk.Token.isUnresolved(props.artifactS3EncryptionMode) && props.artifactS3EncryptionMode;
-    const isArtifactS3KmsKeyDefined = !cdk.Token.isUnresolved(props.artifactS3KmsKey) && props.artifactS3KmsKey;
 
     if (
-      isArtifactS3EncryptionModeDefined &&
-      props.artifactS3EncryptionMode !== ArtifactsEncryptionMode.KMS &&
-      isArtifactS3KmsKeyDefined
+      props.artifactS3EncryptionMode === ArtifactsEncryptionMode.S3_MANAGED &&
+      props.artifactS3KmsKey
     ) {
-      throw new Error('A customer-managed KMS key was provided, but the encryption mode is not set to SSE-KMS.');
+      throw new Error(`A customer-managed KMS key was provided, but the encryption mode is not set to SSE-KMS, got: ${props.artifactS3EncryptionMode}.`);
     }
 
     // Only check runtime family is Node.js because versions prior to `syn-nodejs-puppeteer-3.3` are deprecated and can no longer be configured.
-    if (!isNodeRuntime && isArtifactS3EncryptionModeDefined) {
+    if (!isNodeRuntime && props.artifactS3EncryptionMode) {
       throw new Error(`Artifact encryption is only supported for canaries that use Synthetics runtime version \`syn-nodejs-puppeteer-3.3\` or later, got \`${props.runtime.name}\`.`);
     }
 
     let encryptionKey: kms.IKey | undefined;
-    if (props.artifactS3EncryptionMode === ArtifactsEncryptionMode.KMS) {
-      encryptionKey = props.artifactS3KmsKey ?? new kms.Key(this, 'Key', { description: `Created by ${this.node.path}` });
+    if (props.artifactS3EncryptionMode === ArtifactsEncryptionMode.KMS && !props.artifactS3KmsKey) {
+      encryptionKey = new kms.Key(this, 'Key', { description: `Created by ${this.node.path}` });
+    } else {
+      encryptionKey = props.artifactS3KmsKey;
     }
 
     encryptionKey?.grantEncryptDecrypt(this.role);
 
+    let encryptionMode: ArtifactsEncryptionMode | undefined;
+
+    if (props.artifactS3KmsKey && !props.artifactS3EncryptionMode) {
+      encryptionMode = ArtifactsEncryptionMode.KMS;
+    } else {
+      encryptionMode = props.artifactS3EncryptionMode;
+    }
+
     return {
       s3Encryption: {
-        encryptionMode: props.artifactS3EncryptionMode,
+        encryptionMode,
         kmsKeyArn: encryptionKey?.keyArn,
       },
     };

diff --git a/packages/aws-cdk-lib/aws-synthetics/test/canary.test.ts b/packages/aws-cdk-lib/aws-synthetics/test/canary.test.ts
@@ -1031,6 +1031,32 @@ describe('artifact encryption test', () => {
     });
   });
 
+  test('No artifactS3EncryptionMode setting with a key is set to SSE_KMS', () => {
+    // GIVEN
+    const stack = new Stack();
+    const key = new kms.Key(stack, 'myKey');
+
+    // WHEN
+    new synthetics.Canary(stack, 'Canary', {
+      test: synthetics.Test.custom({
+        handler: 'index.handler',
+        code: synthetics.Code.fromInline('/* Synthetics handler code */'),
+      }),
+      runtime: synthetics.Runtime.SYNTHETICS_NODEJS_PUPPETEER_7_0,
+      artifactS3KmsKey: key,
+    });
+
+    // THEN
+    Template.fromStack(stack).hasResourceProperties('AWS::Synthetics::Canary', {
+      ArtifactConfig: {
+        S3Encryption: {
+          EncryptionMode: 'SSE_KMS',
+          KmsKeyArn: stack.resolve(key.keyArn),
+        },
+      },
+    });
+  });
+
   test('SSE-S3 with a key throws', () => {
     const stack = new Stack();
     const key = new kms.Key(stack, 'myKey');
@@ -1045,7 +1071,7 @@ describe('artifact encryption test', () => {
         artifactS3EncryptionMode: synthetics.ArtifactsEncryptionMode.S3_MANAGED,
         artifactS3KmsKey: key,
       });
-    }).toThrow('A customer-managed KMS key was provided, but the encryption mode is not set to SSE-KMS.');
+    }).toThrow('A customer-managed KMS key was provided, but the encryption mode is not set to SSE-KMS, got: SSE_S3.');
   });
 
   test('Artifact encryption for non-Node.js runtime throws an error', () => {