Skip to content

CMK support #137

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 12 commits into from
Aug 28, 2025
Merged

CMK support #137

merged 12 commits into from
Aug 28, 2025

Conversation

nicusX
Copy link
Contributor

@nicusX nicusX commented Aug 19, 2025

Purpose of the change

CFN template examples for CMK support

foxus
foxus suggested changes Aug 22, 2025
View reviewed changes
Copy link

@foxus foxus left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@nicusX, many thanks for your efforts here. Based on our offline discussions, I think we can further limit this policy suggested below.

infrastructure/CMK/README.md Outdated
"infrastructure.kinesisanalytics.amazonaws.com"
]
},
"Action": "kms:*",
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
"Action": "kms:*",
"Action": [ "kms:DescribeKey", "kms:Decrypt", "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext", "kms:CreateGrant", ],

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated (just removing the trailing comma)

leekeiabstraction
leekeiabstraction reviewed Aug 22, 2025
View reviewed changes
Copy link

@leekeiabstraction leekeiabstraction left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Left comments on key policy

infrastructure/CMK/msf-kms-key.yaml Outdated
Comment on lines 64 to 88
- Sid: 'Allow Operator to use key for durable state via Managed Flink'
Effect: Allow
Principal:
AWS: !Ref OperatorUserArn
Action:
- 'kms:Decrypt'
- 'kms:GenerateDataKey'
Resource: '*'
Condition:
StringEquals:
'kms:EncryptionContext:aws:kinesisanalytics:arn': !Sub 'arn:aws:kinesisanalytics:${AWS::Region}:${AWS::AccountId}:application/${ApplicationName}'
'kms:ViaService': !Sub 'kinesisanalytics.${AWS::Region}.amazonaws.com'

- Sid: 'Allow Operator to use key for running state via Managed Flink'
Effect: Allow
Principal:
AWS: !Ref OperatorUserArn
Action:
- 'kms:Decrypt'
- 'kms:GenerateDataKeyWithoutPlaintext'
Resource: '*'
Condition:
StringEquals:
'kms:EncryptionContext:aws:kinesisanalytics:arn': !Sub 'arn:aws:kinesisanalytics:${AWS::Region}:${AWS::AccountId}:application/${ApplicationName}'
'kms:ViaService': !Sub 'kinesisanalytics.${AWS::Region}.amazonaws.com'
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's merge these to become the following instead

            "Sid": "AllowOperatorToConfigureAppToUseKeyForApplicationState",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::Application-account-ID:role/Operator"
            },
            "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey",
                "kms:GenerateDataKeyWithoutPlaintext"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "kms:EncryptionContext:aws:kinesisanalytics:arn": 
                        "arn:aws:kinesisanalytics:Aws-region:Application-account-ID:application/MyCmkApplication",
                    "kms:ViaService": "kinesisanalytics.Aws-region.amazonaws.com"
                }
            }

infrastructure/CMK/msf-kms-key.yaml Outdated
Comment on lines 117 to 129
- Sid: 'Allow Managed Flink application to decrypt durable state storage'
Effect: Allow
Principal:
Service: 'kinesisanalytics.amazonaws.com'
Action:
- 'kms:Decrypt'
- 'kms:GenerateDataKey'
Resource: '*'
Condition:
StringEquals:
'aws:SourceArn': !Sub 'arn:aws:kinesisanalytics:${AWS::Region}:${AWS::AccountId}:application/${ApplicationName}'
'kms:EncryptionContext:aws:kinesisanalytics:arn': !Sub 'arn:aws:kinesisanalytics:${AWS::Region}:${AWS::AccountId}:application/${ApplicationName}'
'aws:SourceAccount': !Ref 'AWS::AccountId'
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We'll need to split this into the following for the time being as Source context is not provided during decrypt

        {
            "Sid": "AllowMSFServiceToGenerateDataKeyForDurableState",
            "Effect": "Allow",
            "Principal": {
                "Service": "kinesisanalytics.amazonaws.com"
            },
            "Action": [
                "kms:GenerateDataKey"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceArn": 
                        "arn:aws:kinesisanalytics:Aws-region:Application-account-ID:application/MyCmkApplication",
                    "kms:EncryptionContext:aws:kinesisanalytics:arn": 
                        "arn:aws:kinesisanalytics:Aws-region:Application-account-ID:application/MyCmkApplication",
                    "aws:SourceAccount": "Application-account-ID"
                }
            }
        },
        {
            "Sid": "AllowMSFServiceToDecryptForDurableState",
            "Effect": "Allow",
            "Principal": {
                "Service": "kinesisanalytics.amazonaws.com"
            },
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "kms:EncryptionContext:aws:kinesisanalytics:arn": 
                        "arn:aws:kinesisanalytics:Aws-region:Application-account-ID:application/MyCmkApplication"
                }
            }
        }

infrastructure/CMK/msf-kms-key.yaml Outdated
Effect: Allow
Principal:
Service:
- 'kinesisanalytics.amazonaws.com'
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's remove 'kinesisanalytics.amazonaws.com' from here

@nicusX
Copy link
Contributor Author

nicusX commented Aug 22, 2025

@leekeiabstraction they key policy should be fixed now. Please triple-check

leekeiabstraction
leekeiabstraction reviewed Aug 22, 2025
View reviewed changes
infrastructure/CMK/msf-kms-key.yaml Outdated
'aws:SourceArn': !Sub 'arn:aws:kinesisanalytics:${AWS::Region}:${AWS::AccountId}:application/${ApplicationName}'
'aws:SourceAccount': !Ref 'AWS::AccountId'

- Sid: 'FIXME Allow Managed Flink application to generate data key for durable state storage'
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's a FIXME here.

infrastructure/CMK/msf-kms-key.yaml Outdated
StringEquals:
'kms:EncryptionContext:aws:kinesisanalytics:arn': !Sub 'arn:aws:kinesisanalytics:${AWS::Region}:${AWS::AccountId}:application/${ApplicationName}'

- Sid: 'Allow Managed Flink application to decrypt running application storage'
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: Allow Managed Flink application to use key for running application storage

@nicusX
Copy link
Contributor Author

nicusX commented Aug 22, 2025

@leekeiabstraction fixed the two SIDs

@nicusX nicusX merged commit 8450f8b into aws-samples:main Aug 28, 2025
1 check passed
@nicusX nicusX deleted the cmk branch August 28, 2025 13:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
2 more reviewers

@leekeiabstraction leekeiabstraction leekeiabstraction left review comments

@foxus foxus foxus requested changes

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@nicusX @foxus @leekeiabstraction