stackoom
  简体   繁体   中英

AWS CDK grant decrypt permission to Kinesis Data Stream's AWS managed CMK

 原文  2023-01-26 08:41:07       amazon-web-services/ aws-cdk/ amazon-kinesis/ amazon-kms

Question

I'm provisioning Kinesis Data Stream with AWS managed KMS key as well as Delivery Stream reading from stream. There's a problem on how to add decrypt policy on delivery stream role for managed key. The code is showing below and the issue is that getting key with 'aws/kinesis' alias doesn't work unless I have a way to add dependency to 'kinesisStream' resource. But there's no 'addDependsOn' method in IKey-interface. How can I ensure that Stream (and it's managed KMS key) is created before I try to fetch that key?

const kinesisStream = new kinesis.Stream(this, 'kinesisStream', {
  streamName: `my-stream`,
  shardCount: 1,
  encryption: kinesis.StreamEncryption.MANAGED,
  retentionPeriod: cdk.Duration.days(1),
});

const kinesisStreamRole = new iam.Role(this, 'kinesisStreamRole', {
  assumedBy: new iam.ServicePrincipal('firehose.amazonaws.com'),
});

// How to add dependency to kinesisStream resource to ensure it's created before trying to fetch KMS key using 'fromLookup'?
// Now getting:
// [Error at /my-stack] Could not find any key with alias named aws/kinesis
const managedKinesisKmsKey = kms.Key.fromLookup(this, 'managedKinesisKmsKey', {
  aliasName: 'aws/kinesis',
});

const managedKinesisKmsKeyPolicy = new iam.Policy(this, 'managedKinesisKmsKeyPolicy', {
    roles: [kinesisStreamRole],
    statements: [
        new iam.PolicyStatement({
            effect: iam.Effect.ALLOW,
            resources: [managedKinesisKmsKey.keyArn],
            actions: ['kms:Decrypt'],
        }),
    ],
});

2 answers

solution1
 1 ACCPTED  2023-01-26 11:59:14

You can use the key alias to grant the access to this AWS managed key. We know that the alias for Kinesis service specific AWS managed key is "aws/kinesis".

AWS developer guide for using aliases to control access to KMS keys: https://docs.aws.amazon.com/kms/latest/developerguide/alias-authorization.html

solution2
 1  2023-01-26 12:10:59

Working solution

const kinesisStream = new kinesis.Stream(this, 'kinesisStream', {
    streamName: `my-stream`, 
    shardCount: 1, 
    encryption: kinesis.StreamEncryption.MANAGED, 
    retentionPeriod: cdk.Duration.days(1),
});

const kinesisStreamRole = new iam.Role(this, 'kinesisStreamRole', {
    assumedBy: new iam.ServicePrincipal('firehose.amazonaws.com'),
});

const managedKinesisKmsKeyPolicy = new iam.Policy(this, 'managedKinesisKmsKeyPolicy', {
    roles: [kinesisStreamRole],
    statements: [
        new iam.PolicyStatement({
            effect: iam.Effect.ALLOW,
            resources: ['*'],
            actions: ['kms:Decrypt'],
            conditions: {
                StringLike: {
                    'kms:RequestAlias': 'aws/kinesis',
                },
            },
        }),
    ],
});

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Create delivery stream (Firehose) from data stream (Kinesis) to OpenSearch AWS Adding managed policy aws with cdk Give AWS Lambda an AWS Managed Policy with CDK Sending data to AWS Kinesis stream cross-accounts with Lambda AWS KMS: What's the difference between CMK and key material? AWS Kinesis Data Firehose and Lambda Make DynamoDB table a consumer for Kinesis Data Stream using CDK How to enable managed response header policy of SecurityHeaders with CloudFrontWebDistribution in AWS CDK? Not able to grant lambda read access to Secrets manager AWS CDK GoLang Does AWS Kinesis Firehose stream overrides a LOCK on table
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM