fix(sns): for SSE topics, add KMS permissions in grantPublish

[lightningboltemoji]

Issue # (if applicable)

Fixes #18387, #31012, #24848

Pre-requisite for #16271, #29511

Reason for this change

For SNS topics with SSE enabled, the grants added by grantPublish are insufficient, since they don't include any KMS actions.

The SNS docs discuss what's required to publish to an encrypted topic here (sns:Publish, kms:Decrypt, kms:GenerateKeyData*).

Description of changes

I used the SQS queue implementation as a reference, since it's configured similarly, etc.

• Have Topic#grantPublish grant kms:Decrypt + kms:GenerateKeyData*
  • This is least-privilege, but slightly inconsistent with SQS queues, which need these same actions and use grantEncryptDecrypt (but I have no preference -- just let me know what's best)
• Exposes masterKey as a property of ITopic so callers can access it after creation
  • Enables this, for example, and in general makes it consistent with SQS queues

Describe any new or updated permissions being added

(Discussed above)

Description of how you validated changes

• Unit/integration tests
  • yarn integ test/aws-sns/test/integ.sns.js --update-on-failed

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[lpizzinidev]

Thanks 👍 Left comments for minor adjustments

[lpizzinidev]

Suggested change

	this.masterKey.grantEncryptDecrypt(grantee);
	this.masterKey.grant(grantee, 'kms:Decrypt', 'kms:GenerateDataKey*')

We should be fine without kms:Encrypt and kms:ReEncrypt.

[lightningboltemoji]

Sounds good, thanks!

[lpizzinidev]

Couldn't we import topic2 instead?

[lightningboltemoji]

Sorry, not sure I understand the suggestion, do you mean topic? I can try to provide some of my thinking here:

• The existing test is showing a non-functional example. importedTopic isn't aware there's a KMS key so grantPublish doesn't work.
• I unencrypted topic2, so that importing with fromTopicArn and calling grantPublish does work.
• That left me wanting to import an encrypted topic, so I created topic3 and used fromTopicAttributes, testing the same basic flow.

topic is encrypted and could be used for importing... it's just created up higher, and it felt like we'd moved on from it flow-wise.

I'm not totally sure what the norm is here, so your guidance is appreciated!

[lpizzinidev]

Thanks for clarifying 👍 Your implementation makes sense as is

[lpizzinidev]

👍

[lpizzinidev]

Thanks for clarifying 👍 Your implementation makes sense as is

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 80.83%. Comparing base (bc82f57) to head (41a5f94).
Report is 17 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #32794   +/-   ##
=======================================
  Coverage   80.83%   80.83%           
=======================================
  Files         236      236           
  Lines       14253    14253           
  Branches     2490     2490           
=======================================
  Hits        11522    11522           
  Misses       2446     2446           
  Partials      285      285           

Flag	Coverage Δ
suite.unit	80.83% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
packages/aws-cdk	79.57% <ø> (ø)
packages/aws-cdk-lib/core	82.20% <ø> (ø)

Dismissing as this would require security review.

[GavinZZ]

I think the changes look good to me. I'll bring it up to the internal security team for review next week.

[GavinZZ]

An update on the security review: please wait patiently, I've raised this PR to the security engineer and pending an response from him.

[GavinZZ]

Setting this PR to changes requested to meet the security engineer's requirement to add assertion tests. @lightningboltemoji let me know if the comments make sense to you.

[GavinZZ]

Curious what is this code block for?

[lightningboltemoji]

What I meant by:

// Can reference KMS key after creation

is that referring to the topic's KMS key after topic creation is new functionality. This is testing that masterKey refers to the key we passed in, and that we're able to make changes to it.

[lightningboltemoji]

I switched this to a more generic unit test

[GavinZZ]

One of the security engineer's feedback is to test functionality instead of simply deployability. Can you use assertions to test publishing a message to the SNS topic to see if it will be successful? https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md#assertions

[lightningboltemoji]

OK. I'll explore that tonight.

[lightningboltemoji]

I added an integration test, but I had to use assertions.invokeFunction to accomplish it... I first tried to implement it along the lines of:

const publish = testCase.assertions.awsApiCall('sns', 'Publish', {
  TopicArn: ..., Message: ...
});

but I couldn't find a way to combine this with grantPublish (i.e. we can't access the role associated with this custom resource).

Let me know what you think.

[GavinZZ]

Awesome, this works as well!

Pull request has been modified.

[GavinZZ]

LGTM, approving this PR as assertions has been added which is the only requirement from Security guardian. Thank you for the patience and addressing the comments quickly!

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: a98a3d6
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.