feat(kinesis): stream encryption with the Kinesis master key

Adds a `StreamEncryption` option to specify that encryption should be enabled and managed by Kinesis. Closes #751
aws · Mar 29, 2020 · 90e288d · 90e288d
1 parent 7485448
commit 90e288d
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 2 deletions.
diff --git a/packages/@aws-cdk/aws-kinesis/lib/stream.ts b/packages/@aws-cdk/aws-kinesis/lib/stream.ts
@@ -201,7 +201,7 @@ export interface StreamProps {
    * If you choose KMS, you can specify a KMS key via `encryptionKey`. If
    * encryption key is not specified, a key will automatically be created.
    *
-   * @default Unencrypted
+   * @default StreamEncryption.UNENCRYPTED
    */
   readonly encryption?: StreamEncryption;
 
@@ -210,7 +210,7 @@ export interface StreamProps {
    *
    * The 'encryption' property must be set to "Kms".
    *
-   * @default If encryption is set to "Kms" and this property is undefined, a
+   * @default - If encryption is set to "KMS" and this property is undefined, a
    * new KMS key will be created and associated with this stream.
    */
   readonly encryptionKey?: kms.IKey;
@@ -306,6 +306,14 @@ export class Stream extends StreamBase {
       return { streamEncryption: undefined, encryptionKey: undefined };
     }
 
+    if (encryptionType === StreamEncryption.KINESIS_MANAGED) {
+      const encryption = { encryptionType: 'KMS', keyId: 'alias/aws/kinesis'};
+      return {
+        streamEncryption: encryption,
+        encryptionKey: undefined
+      };
+    }
+
     if (encryptionType === StreamEncryption.KMS) {
       const encryptionKey = props.encryptionKey || new kms.Key(this, 'Key', {
         description: `Created by ${this.node.path}`
@@ -336,4 +344,9 @@ export enum StreamEncryption {
    * If `encryptionKey` is specified, this key will be used, otherwise, one will be defined.
    */
   KMS = 'KMS',
+
+  /**
+   * Server-side encryption with a master key managed by Amazon Kinesis
+   */
+  KINESIS_MANAGED = 'MANAGED'
 }
diff --git a/packages/@aws-cdk/aws-kinesis/test/test.stream.ts b/packages/@aws-cdk/aws-kinesis/test/test.stream.ts
@@ -97,6 +97,33 @@ export = {
 
     test.done();
   },
+
+  'uses Kinesis master key if KINESIS_MANAGED encryption type is provided'(test: Test) {
+    const stack = new Stack();
+
+    new Stream(stack, 'MyStream', {
+      encryption: StreamEncryption.KINESIS_MANAGED
+    });
+
+    expect(stack).toMatch({
+      "Resources": {
+        "MyStream5C050E93": {
+          "Type": "AWS::Kinesis::Stream",
+          "Properties": {
+            "ShardCount": 1,
+            "RetentionPeriodHours": 24,
+            "StreamEncryption": {
+              "EncryptionType": "KMS",
+              "KeyId": "alias/aws/kinesis"
+            }
+          }
+        }
+      }
+    });
+
+    test.done();
+  },
+
   "auto-creates KMS key if encryption type is KMS but no key is provided"(test: Test) {
     const stack = new Stack();