Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

events: events.targets.SqsQueue with Custom KMS key grant too broad permission for a EventBridge rule to publish a message #30238

Open
2 tasks
argenstijn opened this issue May 16, 2024 · 5 comments
Open
2 tasks

events: events.targets.SqsQueue with Custom KMS key grant too broad permission for a EventBridge rule to publish a message #30238

argenstijn opened this issue May 16, 2024 · 5 comments
Labels
@aws-cdk/aws-events Related to CloudWatch Events effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2

Comments

@argenstijn
Copy link

argenstijn commented May 16, 2024
edited
Loading

Describe the feature

If you add a SQS Queue as target for a rule it should automatically grant rights for the rule to publish messages to the SQS.
But when the Queue is encrypted with custom KMS key it grant permission for the eventbridge to put events on the queue.
But the permission is totally different compared when you have a queue with managed KMS key or when the queue is not encrypted. Also it's not restrictive enough!. This should be the same!.

See below:

Permission with custom KMS key:

"Resource": "arn:aws:sqs:eu-west-1:xxxxxxxxxxxxxxxxxxx:yyyyyyyy",
"Condition": {
"StringEquals": {
"aws:SourceAccount": "xxxxxxxxxxxxxxxxxxx"
}
}
}

Permission with managed KMS key or not encrypted at all:

"Resource": "arn:aws:sqs:eu-west-1:xxxxxxxxxxxxxxxxxxx:test",
"Condition": {
"ArnEquals": {
"aws:SourceArn": "arn:aws:events:eu-west-1:xxxxxxxxxxxxxxxxxxx:rule/test-bus/test-rule"
}
}

Use Case

You should grant only the target rule permission to publish messages on the queue. No more no less!.

Proposed Solution

No response

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

v2.141.0

Environment details (OS name and version, etc.)

Linux
@argenstijn argenstijn added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels May 16, 2024
@github-actions github-actions bot added the @aws-cdk/aws-events Related to CloudWatch Events label May 16, 2024
@pahud
Copy link
Contributor

pahud commented May 16, 2024

Thank you for the report. Can you share some minimal code snippets that we can reproduce on our end?

@pahud pahud added p2 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels May 16, 2024
@argenstijn
Copy link
Author

This is strange. What i get in my orginal app is the following:

{
"Effect": "Allow",
"Principal": {
"Service": "events.amazonaws.com"
},
"Action": [
"sqs:GetQueueAttributes",
"sqs:GetQueueUrl",
"sqs:SendMessage"
],
"Resource": "arn:aws:sqs:eu-west-1:xxxxxxxxxxxxxxxxxxx:yyyyyyyy",
"Condition": {
"StringEquals": {
"aws:SourceAccount": "xxxxxxxxxxxxxxxxxxx"
}
}
}

But in the reproducer it is all oke.

  "Statement": [
{
  "Effect": "Allow",
  "Principal": {
    "Service": "events.amazonaws.com"
  },
  "Action": [
    "sqs:GetQueueAttributes",
    "sqs:GetQueueUrl",
    "sqs:SendMessage"
  ],
  "Resource": "arn:aws:sqs:eu-west-1:xxxxxxxxxxxxxxxxxxx:test",
  "Condition": {
    "ArnEquals": {
      "aws:SourceArn": "arn:aws:events:eu-west-1:xxxxxxxxxxxxxxxxxxx:rule/test-bus/test-rule"
    }
  }
}

So it seems the permission are given. But in my orginal app it uses the SourceAccount instead of the arn of the rule.
Now to figure out why.

@argenstijn
Copy link
Author

I notice is that use a custom KMS key it uses "aws:SourceAccount": "xxxxxxxxxxxxxxxxxxx".

The event bridge has permission to use this KMS key. .......

@argenstijn
Copy link
Author

Any idea why this? When i use a default SQS key it all works but only when you use a custom KMS with enough permission it uses a SourceAccount in the condition

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label May 17, 2024
@argenstijn
Copy link
Author

argenstijn commented May 17, 2024
edited
Loading

See attachment to reproduce.

reproduce.zip

@github-actions github-actions bot mentioned this issue May 20, 2024
Closed
@argenstijn argenstijn changed the title events: events.targets.SqsQueue does not grant permission to SQS for a EventBridge rule to publish a message events: events.targets.SqsQueue with KMS key grant other permission for SQS for a EventBridge rule to publish a message May 21, 2024
@argenstijn argenstijn changed the title events: events.targets.SqsQueue with KMS key grant other permission for SQS for a EventBridge rule to publish a message events: events.targets.SqsQueue with Custom KMS key grant too broad permission for a EventBridge rule to publish a message May 21, 2024
@github-actions github-actions bot mentioned this issue Jun 1, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
@aws-cdk/aws-events Related to CloudWatch Events effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@argenstijn @pahud