
Commit b971615

authored
fix(s3): deprecate unencrypted encryption configuration for s3 bucket (#24770)
S3 now applies SSE-S3 by default if server side encryption is not configured. https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html This PR simply deprecates `UNENCRYPTED` configuration of `BucketEncryption`, and changes some docs because they do not seem precise anymore. Behavior of S3 bucket creation is not modified. Many other constructs create S3 buckets internally and updating all those related constructs will result in a huge impact. This PR also deprecates `TableEncryption.UNENCRYPTED` of AWS Glue and creates an S3 bucket with `S3_MANAGED` if table encryption is not specified. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
1 parent ac00c18 commit b971615


25 files changed

+334
-381
lines changed


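--- a/packages/@aws-cdk-testing/framework-integ/test/aws-cloudtrail/test/integ.cloudtrail-insight.ts
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cloudtrail/test/integ.cloudtrail-insight.ts
@@ -11,7 +11,6 @@ const stack = new Stack(app, 'aws-cdk-cloudtrail-inshights-test');
 const cloudTrailPrincipal = new iam.ServicePrincipal('cloudtrail.amazonaws.com');
 
 const Trailbucket = new s3.Bucket(stack, 'S3', {
-encryption: s3.BucketEncryption.UNENCRYPTED,
 removalPolicy: RemovalPolicy.DESTROY,
 autoDeleteObjects: true,
 });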

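--- a/packages/@aws-cdk/aws-glue/README.md
+++ b/packages/@aws-cdk/aws-glue/README.md
@@ -317,8 +317,7 @@ new glue.Table(this, 'MyTable', {
 
 You can enable encryption on a Table's data:
 
-* `Unencrypted` - files are not encrypted. The default encryption setting.
-* [S3Managed](https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html) - Server side encryption (`SSE-S3`) with an Amazon S3-managed key.
+* [S3Managed](https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html) - (default) Server side encryption (`SSE-S3`) with an Amazon S3-managed key.
 
 ```ts
 declare const myDatabase: glue.Database;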

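--- a/packages/@aws-cdk/aws-glue/lib/table.ts
+++ b/packages/@aws-cdk/aws-glue/lib/table.ts
@@ -46,8 +46,6 @@ export interface ITable extends IResource {
 * @see https://docs.aws.amazon.com/athena/latest/ug/encryption.html
 */
 export enum TableEncryption {
-UNENCRYPTED = 'Unencrypted',
-
 /**
 * Server side encryption (SSE) with an Amazon S3-managed key.
 *
@@ -155,7 +153,7 @@ export interface TableProps {
 * If you choose `SSE-KMS`, you *can* provide an un-managed KMS key with `encryptionKey`.
 * If you choose `CSE-KMS`, you *must* provide an un-managed KMS key with `encryptionKey`.
 *
-* @default Unencrypted
+* @default BucketEncryption.S3_MANAGED
 */
 readonly encryption?: TableEncryption;
 
@@ -317,7 +315,7 @@ export class Table extends Resource implements ITable {
 
 parameters: {
 'classification': props.dataFormat.classificationString?.value,
-'has_encrypted_data': this.encryption !== TableEncryption.UNENCRYPTED,
+'has_encrypted_data': true,
 'partition_filtering.enabled': props.enablePartitionFiltering,
 },
 storageDescriptor: {
@@ -505,19 +503,19 @@ const encryptionMappings = {
 [TableEncryption.S3_MANAGED]: s3.BucketEncryption.S3_MANAGED,
 [TableEncryption.KMS_MANAGED]: s3.BucketEncryption.KMS_MANAGED,
 [TableEncryption.KMS]: s3.BucketEncryption.KMS,
-[TableEncryption.CLIENT_SIDE_KMS]: s3.BucketEncryption.UNENCRYPTED,
-[TableEncryption.UNENCRYPTED]: s3.BucketEncryption.UNENCRYPTED,
+[TableEncryption.CLIENT_SIDE_KMS]: s3.BucketEncryption.S3_MANAGED,
 };
 
 // create the bucket to store a table's data depending on the `encryption` and `encryptionKey` properties.
 function createBucket(table: Table, props: TableProps) {
-const encryption = props.encryption || TableEncryption.UNENCRYPTED;
 let bucket = props.bucket;
 
-if (bucket && (encryption !== TableEncryption.UNENCRYPTED && encryption !== TableEncryption.CLIENT_SIDE_KMS)) {
+if (bucket && (props.encryption !== undefined && props.encryption !== TableEncryption.CLIENT_SIDE_KMS)) {
 throw new Error('you can not specify encryption settings if you also provide a bucket');
 }
 
+const encryption = props.encryption || TableEncryption.S3_MANAGED;
+
 let encryptionKey: kms.IKey | undefined;
 if (encryption === TableEncryption.CLIENT_SIDE_KMS && props.encryptionKey === undefined) {
 // CSE-KMS should behave the same as SSE-KMS - use the provided key or create one automatically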
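Review bot: The new `@default` tag on `TableProps.encryption` names `BucketEncryption.S3_MANAGED`, but the property's declared type is `TableEncryption`, so it should read `* @default TableEncryption.S3_MANAGED` to point readers at the right enum. Separately, `has_encrypted_data` is now hard-coded to `true` even on the path where the caller supplies its own `bucket` (still permitted by the guard in `createBucket`); the construct cannot inspect that bucket, so the value is an assumption about S3 default encryption rather than something it verified, and a comment such as `// assumes S3 default encryption (SSE-S3); a caller-supplied bucket is not checked` would keep that visible to maintainers. Note also that `TableEncryption.UNENCRYPTED` is deleted from the enum here rather than marked `@deprecated` as the description states, which will break any consumer still referencing it. `createBucket` continues beyond the end of the hunk.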

packages/@aws-cdk/aws-glue/test/integ.partition-index.js.snapshot/asset.a268caa53756f51bda8ad5f499be4ed8484a81b314811806fbb66f874837c476/index.js

-253
This file was deleted.

packages/@aws-cdk/aws-glue/test/integ.partition-index.js.snapshot/aws-cdk-glue.assets.json

+6-6
@@ -1,28 +1,28 @@
11
{
2-
"version": "22.0.0",
2+
"version": "31.0.0",
33
"files": {
4-
"a268caa53756f51bda8ad5f499be4ed8484a81b314811806fbb66f874837c476": {
4+
"a9d3d4d1afa000946b9863b3e7578a5a5ad86d88274b3639938aa2baebf822ce": {
55
"source": {
6-
"path": "asset.a268caa53756f51bda8ad5f499be4ed8484a81b314811806fbb66f874837c476",
6+
"path": "asset.a9d3d4d1afa000946b9863b3e7578a5a5ad86d88274b3639938aa2baebf822ce",
77
"packaging": "zip"
88
},
99
"destinations": {
1010
"current_account-current_region": {
1111
"bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
12-
"objectKey": "a268caa53756f51bda8ad5f499be4ed8484a81b314811806fbb66f874837c476.zip",
12+
"objectKey": "a9d3d4d1afa000946b9863b3e7578a5a5ad86d88274b3639938aa2baebf822ce.zip",
1313
"assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
1414
}
1515
}
1616
},
17-
"e43a42922d7ac464109c59d5a883fd281407fa597281cbf3b94ca94e895b0eea": {
17+
"790111570fe03be206fe881664d8736da4d6c7dfb6cf23527cbd3f45d34f1f99": {
1818
"source": {
1919
"path": "aws-cdk-glue.template.json",
2020
"packaging": "file"
2121
},
2222
"destinations": {
2323
"current_account-current_region": {
2424
"bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
25-
"objectKey": "e43a42922d7ac464109c59d5a883fd281407fa597281cbf3b94ca94e895b0eea.json",
25+
"objectKey": "790111570fe03be206fe881664d8736da4d6c7dfb6cf23527cbd3f45d34f1f99.json",
2626
"assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
2727
}
2828
}

packages/@aws-cdk/aws-glue/test/integ.partition-index.js.snapshot/aws-cdk-glue.template.json

+3-3
@@ -30,7 +30,7 @@
3030
"Name": "csv_table",
3131
"Parameters": {
3232
"classification": "csv",
33-
"has_encrypted_data": false
33+
"has_encrypted_data": true
3434
},
3535
"PartitionKeys": [
3636
{
@@ -352,7 +352,7 @@
352352
"S3Bucket": {
353353
"Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
354354
},
355-
"S3Key": "a268caa53756f51bda8ad5f499be4ed8484a81b314811806fbb66f874837c476.zip"
355+
"S3Key": "a9d3d4d1afa000946b9863b3e7578a5a5ad86d88274b3639938aa2baebf822ce.zip"
356356
},
357357
"Role": {
358358
"Fn::GetAtt": [
@@ -383,7 +383,7 @@
383383
"Name": "json_table",
384384
"Parameters": {
385385
"classification": "json",
386-
"has_encrypted_data": false
386+
"has_encrypted_data": true
387387
},
388388
"PartitionKeys": [
389389
{
@@ -1 +1 @@
1-
{"version":"22.0.0"}
1+
{"version":"31.0.0"}

packages/@aws-cdk/aws-glue/test/integ.partition-index.js.snapshot/integ.json

+1-1
@@ -1,5 +1,5 @@
11
{
2-
"version": "22.0.0",
2+
"version": "31.0.0",
33
"testCases": {
44
"integ.partition-index": {
55
"stacks": [

packages/@aws-cdk/aws-glue/test/integ.partition-index.js.snapshot/manifest.json

+2-2
@@ -1,5 +1,5 @@
11
{
2-
"version": "22.0.0",
2+
"version": "31.0.0",
33
"artifacts": {
44
"aws-cdk-glue.assets": {
55
"type": "cdk:asset-manifest",
@@ -17,7 +17,7 @@
1717
"validateOnSynth": false,
1818
"assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
1919
"cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
20-
"stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/e43a42922d7ac464109c59d5a883fd281407fa597281cbf3b94ca94e895b0eea.json",
20+
"stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/790111570fe03be206fe881664d8736da4d6c7dfb6cf23527cbd3f45d34f1f99.json",
2121
"requiresBootstrapStackVersion": 6,
2222
"bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
2323
"additionalDependencies": [

packages/@aws-cdk/aws-glue/test/integ.partition-index.js.snapshot/tree.json

+30-30
@@ -90,7 +90,7 @@
9090
],
9191
"parameters": {
9292
"classification": "csv",
93-
"has_encrypted_data": false
93+
"has_encrypted_data": true
9494
},
9595
"storageDescriptor": {
9696
"location": {
@@ -156,14 +156,14 @@
156156
"id": "Default",
157157
"path": "aws-cdk-glue/CSVTable/partition-index-index1/Resource/Default",
158158
"constructInfo": {
159-
"fqn": "@aws-cdk/core.CfnResource",
160-
"version": "0.0.0"
159+
"fqn": "constructs.Construct",
160+
"version": "10.1.270"
161161
}
162162
}
163163
},
164164
"constructInfo": {
165-
"fqn": "@aws-cdk/core.CustomResource",
166-
"version": "0.0.0"
165+
"fqn": "constructs.Construct",
166+
"version": "10.1.270"
167167
}
168168
},
169169
"CustomResourcePolicy": {
@@ -231,14 +231,14 @@
231231
"id": "Default",
232232
"path": "aws-cdk-glue/CSVTable/partition-index-index2/Resource/Default",
233233
"constructInfo": {
234-
"fqn": "@aws-cdk/core.CfnResource",
235-
"version": "0.0.0"
234+
"fqn": "constructs.Construct",
235+
"version": "10.1.270"
236236
}
237237
}
238238
},
239239
"constructInfo": {
240-
"fqn": "@aws-cdk/core.CustomResource",
241-
"version": "0.0.0"
240+
"fqn": "constructs.Construct",
241+
"version": "10.1.270"
242242
}
243243
},
244244
"CustomResourcePolicy": {
@@ -304,8 +304,8 @@
304304
"id": "ImportServiceRole",
305305
"path": "aws-cdk-glue/AWS679f53fac002430cb0da5b7982bd2287/ServiceRole/ImportServiceRole",
306306
"constructInfo": {
307-
"fqn": "@aws-cdk/core.Resource",
308-
"version": "0.0.0"
307+
"fqn": "constructs.Construct",
308+
"version": "10.1.270"
309309
}
310310
},
311311
"Resource": {
@@ -498,8 +498,8 @@
498498
"id": "Stage",
499499
"path": "aws-cdk-glue/AWS679f53fac002430cb0da5b7982bd2287/Code/Stage",
500500
"constructInfo": {
501-
"fqn": "@aws-cdk/core.AssetStaging",
502-
"version": "0.0.0"
501+
"fqn": "constructs.Construct",
502+
"version": "10.1.270"
503503
}
504504
},
505505
"AssetBucket": {
@@ -526,7 +526,7 @@
526526
"s3Bucket": {
527527
"Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
528528
},
529-
"s3Key": "a268caa53756f51bda8ad5f499be4ed8484a81b314811806fbb66f874837c476.zip"
529+
"s3Key": "a9d3d4d1afa000946b9863b3e7578a5a5ad86d88274b3639938aa2baebf822ce.zip"
530530
},
531531
"role": {
532532
"Fn::GetAtt": [
@@ -581,7 +581,7 @@
581581
],
582582
"parameters": {
583583
"classification": "json",
584-
"has_encrypted_data": false
584+
"has_encrypted_data": true
585585
},
586586
"storageDescriptor": {
587587
"location": {
@@ -647,14 +647,14 @@
647647
"id": "Default",
648648
"path": "aws-cdk-glue/JSONTable/partition-index-year-month-awscdkglueJSONTable937C116B/Resource/Default",
649649
"constructInfo": {
650-
"fqn": "@aws-cdk/core.CfnResource",
651-
"version": "0.0.0"
650+
"fqn": "constructs.Construct",
651+
"version": "10.1.270"
652652
}
653653
}
654654
},
655655
"constructInfo": {
656-
"fqn": "@aws-cdk/core.CustomResource",
657-
"version": "0.0.0"
656+
"fqn": "constructs.Construct",
657+
"version": "10.1.270"
658658
}
659659
},
660660
"CustomResourcePolicy": {
@@ -712,44 +712,44 @@
712712
"id": "CatalogId",
713713
"path": "aws-cdk-glue/CatalogId",
714714
"constructInfo": {
715-
"fqn": "@aws-cdk/core.CfnOutput",
716-
"version": "0.0.0"
715+
"fqn": "constructs.Construct",
716+
"version": "10.1.270"
717717
}
718718
},
719719
"BootstrapVersion": {
720720
"id": "BootstrapVersion",
721721
"path": "aws-cdk-glue/BootstrapVersion",
722722
"constructInfo": {
723-
"fqn": "@aws-cdk/core.CfnParameter",
724-
"version": "0.0.0"
723+
"fqn": "constructs.Construct",
724+
"version": "10.1.270"
725725
}
726726
},
727727
"CheckBootstrapVersion": {
728728
"id": "CheckBootstrapVersion",
729729
"path": "aws-cdk-glue/CheckBootstrapVersion",
730730
"constructInfo": {
731-
"fqn": "@aws-cdk/core.CfnRule",
732-
"version": "0.0.0"
731+
"fqn": "constructs.Construct",
732+
"version": "10.1.270"
733733
}
734734
}
735735
},
736736
"constructInfo": {
737-
"fqn": "@aws-cdk/core.Stack",
738-
"version": "0.0.0"
737+
"fqn": "constructs.Construct",
738+
"version": "10.1.270"
739739
}
740740
},
741741
"Tree": {
742742
"id": "Tree",
743743
"path": "Tree",
744744
"constructInfo": {
745745
"fqn": "constructs.Construct",
746-
"version": "10.1.189"
746+
"version": "10.1.270"
747747
}
748748
}
749749
},
750750
"constructInfo": {
751-
"fqn": "@aws-cdk/core.App",
752-
"version": "0.0.0"
751+
"fqn": "constructs.Construct",
752+
"version": "10.1.270"
753753
}
754754
}
755755
}

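--- a/packages/@aws-cdk/aws-glue/test/integ.partition-index.ts
+++ b/packages/@aws-cdk/aws-glue/test/integ.partition-index.ts
@@ -38,7 +38,7 @@ const partitionKeys = [{
 type: glue.Schema.BIG_INT,
 }];
 
-new glue.Table(stack, 'CSVTable', {
+const csvTable = new glue.Table(stack, 'CSVTable', {
 database,
 bucket,
 tableName: 'csv_table',
@@ -47,13 +47,15 @@ new glue.Table(stack, 'CSVTable', {
 partitionIndexes: [{
 indexName: 'index1',
 keyNames: ['month'],
-}, {
-indexName: 'index2',
-keyNames: ['month', 'year'],
 }],
 dataFormat: glue.DataFormat.CSV,
 });
 
+csvTable.addPartitionIndex({
+indexName: 'index2',
+keyNames: ['month', 'year'],
+});
+
 const jsonTable = new glue.Table(stack, 'JSONTable', {
 database,
 bucket,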

packages/@aws-cdk/aws-glue/test/integ.table.js.snapshot/aws-cdk-glue.assets.json

+3-3
@@ -1,15 +1,15 @@
11
{
2-
"version": "20.0.0",
2+
"version": "31.0.0",
33
"files": {
4-
"eef5abdc0f1ee16e5be447f60688757df6726f3c2d1d06c136e9bbdb99d96e1f": {
4+
"1b05206385b50de7e074070a25b271988c0055f2fde760f5c119af3fef3a1bcb": {
55
"source": {
66
"path": "aws-cdk-glue.template.json",
77
"packaging": "file"
88
},
99
"destinations": {
1010
"current_account-current_region": {
1111
"bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
12-
"objectKey": "eef5abdc0f1ee16e5be447f60688757df6726f3c2d1d06c136e9bbdb99d96e1f.json",
12+
"objectKey": "1b05206385b50de7e074070a25b271988c0055f2fde760f5c119af3fef3a1bcb.json",
1313
"assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
1414
}
1515
}
