Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(aws-iot-actions): SNS-Topic-Action missing master-key policies #24848

Open
cponfick opened this issue Mar 29, 2023 · 5 comments
Open

(aws-iot-actions): SNS-Topic-Action missing master-key policies #24848

cponfick opened this issue Mar 29, 2023 · 5 comments
Labels
@aws-cdk/aws-iot-actions effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p3

Comments

@cponfick
Copy link
Contributor

Describe the bug

When creating an SNS topic action with a master-key the action does not work, because it does not have the permission to use the KMS-Key.

Expected Behavior

I would expect the action to work.

Current Behavior

It does not work, because of missing KMS-Key permissions.

Reproduction Steps

# kms_key

sns_topic = aws_sns.Topic(self, 'MyTopic', master_key=kms_key)
aws_iot_alpha.TopicRule(
          self,
          f'MyTopicRule',
          actions=[
              iot_actions.SnsTopicAction(
                  sns_topic,
                  message_format=iot_actions.SnsActionMessageFormat.RAW,
              )
          ],
          error_action=iot_actions.CloudWatchLogsAction(
              aws_logs.LogGroup(self, 'ErrorTopicRuleMyAction')
          ),
          sql=iot.IotSql.from_string_as_ver20160323(
              f'SELECT * FROM "$aws/events/presence/connected/#"'
          ),
      )

Possible Solution

I did not look into the source code yet, but I guess it should be possible to grant the required permissions to the sns topic action role.

The following is a workaround I currently use:

# kms_key
# iam_role

ksm_key.grant_encrypt_decrypt(iam_role)
sns_topic = aws_sns.Topic(self, 'MyTopic', master_key=kms_key)
aws_iot_alpha.TopicRule(
          self,
          f'MyTopicRule',
          actions=[
              iot_actions.SnsTopicAction(
                  sns_topic,
                  message_format=iot_actions.SnsActionMessageFormat.RAW,
                  role= iam_role
              )
          ],
          error_action=iot_actions.CloudWatchLogsAction(
              aws_logs.LogGroup(self, 'ErrorTopicRuleMyAction')
          ),
          sql=iot.IotSql.from_string_as_ver20160323(
              f'SELECT * FROM "$aws/events/presence/connected/#"'
          ),
      )

Additional Information/Context

No response

CDK CLI Version

2.70

Framework Version

No response

Node.js Version

16.15.0

OS

MacOS

Language

Python

Language Version

3.9

Other information

No response
@cponfick cponfick added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Mar 29, 2023
@pahud
Copy link
Contributor

pahud commented Mar 29, 2023
edited
Loading

Hi

 iot_actions.SnsTopicAction(
                  sns_topic,
                  message_format=iot_actions.SnsActionMessageFormat.RAW,
                  role= iam_role
              )

I believe you need manually grant the read permission to the iam role before you are allowed to to that because SnsTopicAction has no idea if the sns_topic comes with a master key property.

@pahud pahud added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Mar 29, 2023
@cponfick
Copy link
Contributor Author

cponfick commented Mar 29, 2023
edited
Loading

Hi

 iot_actions.SnsTopicAction(
                  sns_topic,
                  message_format=iot_actions.SnsActionMessageFormat.RAW,
                  role= iam_role
              )

I believe you need manually grant the read permission to the iam role before you are allowed to to that.

Yes, that's how I currently do it. But if no role is given I would expect that the grant happens automatically inside SnsTopicAction (on the generated role).

@cponfick
Copy link
Contributor Author

cponfick commented Mar 29, 2023
edited
Loading

@pahud
I guess this is not really a bug, but an inconsistency in how different grants work.

Looking at grantWrite of a s3 bucket. It is stated that it grants the required permission to encrypt the data. SnsTopicAction just calls grantPublish. This does not grant the permission to encrypt data. Maybe I am missing something, but this seems odd to me.

As a user I would expect that grantWrite and grantPublish would either both grant the required policies for encryption, or none would.

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Mar 29, 2023
@peterwoodworth
Copy link
Contributor

This is something that could be better handled by our codebase - it would be great if this could automatically detect the key on the Topic. We'd need to expose this on the Topic construct first, and then handle it appropriately after that, but it should be possible!

@peterwoodworth peterwoodworth added p2 feature-request A feature should be added or improved. effort/medium Medium work item – several days of effort labels May 1, 2023
@yamatatsu
Copy link
Contributor

I'll work on it.

@pahud pahud added p3 and removed p2 labels Jun 11, 2024
@lightningboltemoji lightningboltemoji mentioned this issue Jan 8, 2025
Merged
1 task
mergify bot pushed a commit that referenced this issue Feb 26, 2025
@lightningboltemoji
fix(sns): for SSE topics, add KMS permissions in grantPublish (#32794)
f1c0926 
### Issue # (if applicable)

Fixes #18387, #31012, #24848

Pre-requisite for #16271, #29511

### Reason for this change

For SNS topics with SSE enabled, the grants added by `grantPublish` are insufficient, since they don't include any KMS actions.

The SNS docs discuss what's required to publish to an encrypted topic [here](https://docs.aws.amazon.com/sns/latest/dg/sns-key-management.html#sns-what-permissions-for-sse) (`sns:Publish`, `kms:Decrypt`, `kms:GenerateKeyData*`).

### Description of changes

I used the SQS queue implementation as a reference, since it's configured similarly, etc.

* Have `Topic#grantPublish` grant `kms:Decrypt` + `kms:GenerateKeyData*`
  * This is least-privilege, but slightly inconsistent with SQS queues, which [need these same actions](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-key-management.html) and use `grantEncryptDecrypt` (but I have no preference -- just let me know what's best)
* Exposes `masterKey` as a property of `ITopic` so callers can access it after creation
  * Enables [this](#16271 (comment)), for example, and in general makes it consistent with SQS queues

### Describe any new or updated permissions being added

(Discussed above)

### Description of how you validated changes

* Unit/integration tests
  * `yarn integ test/aws-sns/test/integ.sns.js --update-on-failed`

### Checklist
- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
@aws-cdk/aws-iot-actions effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p3
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@pahud @yamatatsu @peterwoodworth @cponfick