fix(s3): buckets with SSE-KMS silently fail to receive logs (#23385)

laurelmay · web-flow · commit 1b7a384c330d · 2022-12-22T00:00:28.000Z
AWS S3 Server Access Logging does not support logging to buckets that use SSE-KMS, only to buckets without default encryption or to buckets that use SSE-S3. At least in some cases, this misconfiguration can be caught within the CDK (when logging to the same bucket or when the target bucket is using a KMS CMK). This will still fail to catch scenarios where the target bucket is using SSE-KMS using a KMS-managed key because the `encryptionKey` property is not set on the Bucket in that scenario. This may be a breaking change for some users; what is currently a mostly silent misconfiguration will become an error when synthesizing. ---- ### All Submissions: * [X] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Construct Runtime Dependencies: * [ ] This PR adds new construct runtime dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-construct-runtime-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/@aws-cdk/aws-s3/lib/bucket.ts b/packages/@aws-cdk/aws-s3/lib/bucket.ts
@@ -2044,6 +2044,17 @@ export class Bucket extends BucketBase {
     if (!props.serverAccessLogsBucket && !props.serverAccessLogsPrefix) {
       return undefined;
     }
+    if (
+      // The current bucket is being used and is configured for default SSE-KMS
+      !props.serverAccessLogsBucket && (
+        props.encryptionKey ||
+        props.encryption === BucketEncryption.KMS ||
+        props.encryption === BucketEncryption.KMS_MANAGED) ||
+      // Another bucket is being used that is configured for default SSE-KMS
+      props.serverAccessLogsBucket?.encryptionKey
+    ) {
+      throw new Error('SSE-S3 is the only supported default bucket encryption for Server Access Logging target buckets');
+    }
 
     return {
       destinationBucketName: props.serverAccessLogsBucket?.bucketName,
diff --git a/packages/@aws-cdk/aws-s3/test/bucket.test.ts b/packages/@aws-cdk/aws-s3/test/bucket.test.ts
@@ -337,6 +337,28 @@ describe('bucket', () => {
 
   });
 
+  test('throws error if using KMS-Managed key and server access logging to self', () => {
+    const stack = new cdk.Stack();
+    expect(() => {
+      new s3.Bucket(stack, 'MyBucket', { encryption: s3.BucketEncryption.KMS_MANAGED, serverAccessLogsPrefix: 'test' });
+    }).toThrow('SSE-S3 is the only supported default bucket encryption for Server Access Logging target buckets');
+  });
+  test('throws error if using KMS CMK and server access logging to self', () => {
+    const stack = new cdk.Stack();
+    const key = new kms.Key(stack, 'TestKey');
+    expect(() => {
+      new s3.Bucket(stack, 'MyBucket', { encryptionKey: key, serverAccessLogsPrefix: 'test' });
+    }).toThrow('SSE-S3 is the only supported default bucket encryption for Server Access Logging target buckets');
+  });
+  test('throws error if enabling server access logging to bucket with SSE-KMS', () => {
+    const stack = new cdk.Stack();
+    const key = new kms.Key(stack, 'TestKey');
+    const targetBucket = new s3.Bucket(stack, 'TargetBucket', { encryptionKey: key } );
+    expect(() => {
+      new s3.Bucket(stack, 'MyBucket', { serverAccessLogsBucket: targetBucket });
+    }).toThrow('SSE-S3 is the only supported default bucket encryption for Server Access Logging target buckets');
+  });
+
   test('bucket with versioning turned on', () => {
     const stack = new cdk.Stack();
     new s3.Bucket(stack, 'MyBucket', {
