Conversation

@nicusX (Contributor) commented Aug 19, 2025

Purpose of the change

CFN template examples for CMK support

@foxus foxus left a comment

@nicusX, many thanks for your efforts here. Based on our offline discussions, I think we can further limit this policy suggested below.

"infrastructure.kinesisanalytics.amazonaws.com"
]
},
"Action": "kms:*",
Suggested change
"Action": "kms:*",
"Action": [ "kms:DescribeKey", "kms:Decrypt", "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext", "kms:CreateGrant", ],

@nicusX (Contributor Author):

Updated (just removing the trailing comma)

@leekeiabstraction leekeiabstraction left a comment

Left comments on key policy

Comment on lines 64 to 88
- Sid: 'Allow Operator to use key for durable state via Managed Flink'
Effect: Allow
Principal:
AWS: !Ref OperatorUserArn
Action:
- 'kms:Decrypt'
- 'kms:GenerateDataKey'
Resource: '*'
Condition:
StringEquals:
'kms:EncryptionContext:aws:kinesisanalytics:arn': !Sub 'arn:aws:kinesisanalytics:${AWS::Region}:${AWS::AccountId}:application/${ApplicationName}'
'kms:ViaService': !Sub 'kinesisanalytics.${AWS::Region}.amazonaws.com'

- Sid: 'Allow Operator to use key for running state via Managed Flink'
Effect: Allow
Principal:
AWS: !Ref OperatorUserArn
Action:
- 'kms:Decrypt'
- 'kms:GenerateDataKeyWithoutPlaintext'
Resource: '*'
Condition:
StringEquals:
'kms:EncryptionContext:aws:kinesisanalytics:arn': !Sub 'arn:aws:kinesisanalytics:${AWS::Region}:${AWS::AccountId}:application/${ApplicationName}'
'kms:ViaService': !Sub 'kinesisanalytics.${AWS::Region}.amazonaws.com'
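Review bot: the two operator statements (Sids 'Allow Operator to use key for durable state via Managed Flink' and 'Allow Operator to use key for running state via Managed Flink') have identical Principal, Resource and Condition blocks and differ only in kms:GenerateDataKey versus kms:GenerateDataKeyWithoutPlaintext, so a single statement listing kms:Decrypt, kms:GenerateDataKey and kms:GenerateDataKeyWithoutPlaintext is equivalent and leaves only one condition block to keep correct.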

Let's merge these to become the following instead

        {
            "Sid": "AllowOperatorToConfigureAppToUseKeyForApplicationState",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::Application-account-ID:role/Operator"
            },
            "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey",
                "kms:GenerateDataKeyWithoutPlaintext"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "kms:EncryptionContext:aws:kinesisanalytics:arn": 
                        "arn:aws:kinesisanalytics:Aws-region:Application-account-ID:application/MyCmkApplication",
                    "kms:ViaService": "kinesisanalytics.Aws-region.amazonaws.com"
                }
            }
        }

Comment on lines 117 to 129
- Sid: 'Allow Managed Flink application to decrypt durable state storage'
Effect: Allow
Principal:
Service: 'kinesisanalytics.amazonaws.com'
Action:
- 'kms:Decrypt'
- 'kms:GenerateDataKey'
Resource: '*'
Condition:
StringEquals:
'aws:SourceArn': !Sub 'arn:aws:kinesisanalytics:${AWS::Region}:${AWS::AccountId}:application/${ApplicationName}'
'kms:EncryptionContext:aws:kinesisanalytics:arn': !Sub 'arn:aws:kinesisanalytics:${AWS::Region}:${AWS::AccountId}:application/${ApplicationName}'
'aws:SourceAccount': !Ref 'AWS::AccountId'
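Review bot: the StringEquals block on this statement applies to every listed action, including kms:Decrypt, and a StringEquals test on a request key that is absent from the request context evaluates to false; so if the service's Decrypt calls carry no aws:SourceArn / aws:SourceAccount context, those calls are denied. Keeping kms:GenerateDataKey behind the aws:Source* keys and giving kms:Decrypt its own statement conditioned only on 'kms:EncryptionContext:aws:kinesisanalytics:arn' keeps the binding to the application wherever the context actually exists.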

We'll need to split this into the following for the time being as Source context is not provided during decrypt

        {
            "Sid": "AllowMSFServiceToGenerateDataKeyForDurableState",
            "Effect": "Allow",
            "Principal": {
                "Service": "kinesisanalytics.amazonaws.com"
            },
            "Action": [
                "kms:GenerateDataKey"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceArn": 
                        "arn:aws:kinesisanalytics:Aws-region:Application-account-ID:application/MyCmkApplication",
                    "kms:EncryptionContext:aws:kinesisanalytics:arn": 
                        "arn:aws:kinesisanalytics:Aws-region:Application-account-ID:application/MyCmkApplication",
                    "aws:SourceAccount": "Application-account-ID"
                }
            }
        },
        {
            "Sid": "AllowMSFServiceToDecryptForDurableState",
            "Effect": "Allow",
            "Principal": {
                "Service": "kinesisanalytics.amazonaws.com"
            },
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "kms:EncryptionContext:aws:kinesisanalytics:arn": 
                        "arn:aws:kinesisanalytics:Aws-region:Application-account-ID:application/MyCmkApplication"
                }
            }
        }

Effect: Allow
Principal:
Service:
- 'kinesisanalytics.amazonaws.com'

Let's remove 'kinesisanalytics.amazonaws.com' from here
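Added example (not code from the PR or from the aws-samples repository): the key-policy statements in the shape this review converged on, built in Python, plus a small linter that encodes the three review points above (no wildcard kms:* action, no aws:Source* condition on the service principal's kms:Decrypt statement, and every grant scoped by the application encryption context). The region, account id and operator role ARN are constructed placeholders, and the "before" policy is a constructed reconstruction of the shapes the reviewers objected to, not the template's actual text.

```python
"""Managed Flink CMK key policy: reviewed statement shapes plus a linter.

Added example, not code from the PR or from aws-samples. Region, account id
and the operator role ARN are constructed placeholders.
"""
import json

REGION = "us-east-1"            # constructed placeholder
ACCOUNT_ID = "111122223333"     # constructed placeholder
APP_NAME = "MyCmkApplication"   # application name used in the reviewer's snippets
OPERATOR_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/Operator"  # constructed placeholder
MSF_SERVICE = "kinesisanalytics.amazonaws.com"
ENC_CTX_KEY = "kms:EncryptionContext:aws:kinesisanalytics:arn"


def app_arn():
    return f"arn:aws:kinesisanalytics:{REGION}:{ACCOUNT_ID}:application/{APP_NAME}"


def allow(sid, principal, actions, condition):
    """One Allow statement; Resource '*' inside a key policy means this key."""
    return {"Sid": sid, "Effect": "Allow", "Principal": principal,
            "Action": actions, "Resource": "*",
            "Condition": {"StringEquals": condition}}


def build_key_policy():
    """Statements in the shape the reviewer asked for."""
    arn = app_arn()
    enc_ctx = {ENC_CTX_KEY: arn}
    return {"Version": "2012-10-17", "Statement": [
        # Operator: one merged statement, scoped by encryption context and ViaService.
        allow("AllowOperatorToConfigureAppToUseKeyForApplicationState",
              {"AWS": OPERATOR_ARN},
              ["kms:Decrypt", "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext"],
              {**enc_ctx, "kms:ViaService": f"kinesisanalytics.{REGION}.amazonaws.com"}),
        # Service: GenerateDataKey carries source context, so bind it to the application.
        allow("AllowMSFServiceToGenerateDataKeyForDurableState",
              {"Service": MSF_SERVICE}, ["kms:GenerateDataKey"],
              {**enc_ctx, "aws:SourceArn": arn, "aws:SourceAccount": ACCOUNT_ID}),
        # Service: Decrypt has no source context, so only the encryption context scopes it.
        allow("AllowMSFServiceToDecryptForDurableState",
              {"Service": MSF_SERVICE}, ["kms:Decrypt"], enc_ctx),
    ]}


def build_pre_review_policy():
    """Constructed 'before' policy mirroring the issues raised in review."""
    arn = app_arn()
    return {"Version": "2012-10-17", "Statement": [
        # Wildcard action for the infrastructure principal (its condition is not shown on the page).
        {"Sid": "AllowInfrastructure", "Effect": "Allow",
         "Principal": {"Service": "infrastructure.kinesisanalytics.amazonaws.com"},
         "Action": "kms:*", "Resource": "*"},
        # Decrypt and GenerateDataKey in one statement, both behind aws:SourceArn.
        allow("AllowManagedFlinkDurableState", {"Service": MSF_SERVICE},
              ["kms:Decrypt", "kms:GenerateDataKey"],
              {"aws:SourceArn": arn, ENC_CTX_KEY: arn, "aws:SourceAccount": ACCOUNT_ID}),
    ]}


def lint_key_policy(policy):
    """Return a list of findings; an empty list means the review rules hold."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if any(a.endswith("*") for a in actions):
            findings.append(f"{sid}: wildcard action {actions}; list the needed kms actions")
        # StringEquals on a key absent from the request context is false, so an
        # aws:Source* condition denies Decrypt calls that carry no source context.
        if "Service" in stmt.get("Principal", {}) and "kms:Decrypt" in actions \
                and any(k.startswith("aws:Source") for k in cond):
            findings.append(f"{sid}: kms:Decrypt conditioned on aws:Source*; "
                            "no source context on decrypt, split the statement")
        if ENC_CTX_KEY not in cond:
            findings.append(f"{sid}: not scoped by {ENC_CTX_KEY}")
    return findings


if __name__ == "__main__":
    for finding in lint_key_policy(build_pre_review_policy()):
        print("before:", finding)
    print("after:", lint_key_policy(build_key_policy()) or "no findings")
    print(json.dumps(build_key_policy(), indent=2))
```

Running the module prints the three findings for the constructed "before" policy and no findings for the reviewed shape; the same `lint_key_policy` function can be pointed at any key policy document loaded with `json.load` to check it against the same rules.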

nicusX commented Aug 22, 2025

@leekeiabstraction the key policy should be fixed now. Please triple-check

'aws:SourceArn': !Sub 'arn:aws:kinesisanalytics:${AWS::Region}:${AWS::AccountId}:application/${ApplicationName}'
'aws:SourceAccount': !Ref 'AWS::AccountId'

- Sid: 'FIXME Allow Managed Flink application to generate data key for durable state storage'

There's a FIXME here.

StringEquals:
'kms:EncryptionContext:aws:kinesisanalytics:arn': !Sub 'arn:aws:kinesisanalytics:${AWS::Region}:${AWS::AccountId}:application/${ApplicationName}'

- Sid: 'Allow Managed Flink application to decrypt running application storage'

Nit: Allow Managed Flink application to use key for running application storage

nicusX commented Aug 22, 2025

@leekeiabstraction fixed the two SIDs

@nicusX nicusX merged commit 8450f8b into aws-samples:main Aug 28, 2025
1 check passed
@nicusX nicusX deleted the cmk branch August 28, 2025 13:40