feat(sns): add sns service trust to keys for encrypted queue subscriptions (#14960)

Add SNS service trust to KMS key when creating an SNS subscription for an encrypted SQS queue.

Closes #2504
----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: rrhodes

packages/@aws-cdk/aws-sns-subscriptions/README.md

@@ -65,6 +65,9 @@ const myQueue = new sqs.Queue(this, 'MyQueue');
 myTopic.addSubscription(new subscriptions.SqsSubscription(queue));
 ```
 
+KMS key permissions will automatically be granted to SNS when a subscription is made to
+an encrypted queue.
+
 Note that subscriptions of queues in different accounts need to be manually confirmed by
 reading the initial message from the queue and visiting the link found in it.
 

packages/@aws-cdk/aws-sns-subscriptions/lib/sqs.ts

@@ -38,18 +38,29 @@ export class SqsSubscription implements sns.ITopicSubscription {
     if (!Construct.isConstruct(this.queue)) {
       throw new Error('The supplied Queue object must be an instance of Construct');
     }
+    const snsServicePrincipal = new iam.ServicePrincipal('sns.amazonaws.com');
 
     // add a statement to the queue resource policy which allows this topic
     // to send messages to the queue.
     this.queue.addToResourcePolicy(new iam.PolicyStatement({
       resources: [this.queue.queueArn],
       actions: ['sqs:SendMessage'],
-      principals: [new iam.ServicePrincipal('sns.amazonaws.com')],
+      principals: [snsServicePrincipal],
       conditions: {
         ArnEquals: { 'aws:SourceArn': topic.topicArn },
       },
     }));
 
+    // if the queue is encrypted, add a statement to the key resource policy
+    // which allows this topic to decrypt KMS keys
+    if (this.queue.encryptionMasterKey) {
+      this.queue.encryptionMasterKey.addToResourcePolicy(new iam.PolicyStatement({
+        resources: ['*'],
+        actions: ['kms:Decrypt', 'kms:GenerateDataKey'],
+        principals: [snsServicePrincipal],
+      }));
+    }
+
     return {
       subscriberScope: this.queue,
       subscriberId: Names.nodeUniqueId(topic.node),

packages/@aws-cdk/aws-sns-subscriptions/package.json

@@ -74,6 +74,7 @@
   },
   "dependencies": {
     "@aws-cdk/aws-iam": "0.0.0",
+    "@aws-cdk/aws-kms": "0.0.0",
     "@aws-cdk/aws-lambda": "0.0.0",
     "@aws-cdk/aws-sns": "0.0.0",
     "@aws-cdk/aws-sqs": "0.0.0",
@@ -83,6 +84,7 @@
   "homepage": "https://github.com/aws/aws-cdk",
   "peerDependencies": {
     "@aws-cdk/aws-iam": "0.0.0",
+    "@aws-cdk/aws-kms": "0.0.0",
     "@aws-cdk/aws-lambda": "0.0.0",
     "@aws-cdk/aws-sns": "0.0.0",
     "@aws-cdk/aws-sqs": "0.0.0",

packages/@aws-cdk/aws-sns-subscriptions/test/subs.test.ts

@@ -1,8 +1,9 @@
 import '@aws-cdk/assert-internal/jest';
+import * as kms from '@aws-cdk/aws-kms';
 import * as lambda from '@aws-cdk/aws-lambda';
 import * as sns from '@aws-cdk/aws-sns';
 import * as sqs from '@aws-cdk/aws-sqs';
-import { CfnParameter, Duration, Stack, Token } from '@aws-cdk/core';
+import { CfnParameter, Duration, RemovalPolicy, Stack, Token } from '@aws-cdk/core';
 import * as subs from '../lib';
 
 /* eslint-disable quote-props */
@@ -458,6 +459,156 @@ test('queue subscription (with raw delivery)', () => {
   });
 });
 
+test('encrypted queue subscription', () => {
+  const key = new kms.Key(stack, 'MyKey', {
+    removalPolicy: RemovalPolicy.DESTROY,
+  });
+
+  const queue = new sqs.Queue(stack, 'MyQueue', {
+    encryption: sqs.QueueEncryption.KMS,
+    encryptionMasterKey: key,
+  });
+
+  topic.addSubscription(new subs.SqsSubscription(queue));
+
+  expect(stack).toMatchTemplate({
+    'Resources': {
+      'MyTopic86869434': {
+        'Type': 'AWS::SNS::Topic',
+        'Properties': {
+          'DisplayName': 'displayName',
+          'TopicName': 'topicName',
+        },
+      },
+      'MyKey6AB29FA6': {
+        'Type': 'AWS::KMS::Key',
+        'Properties': {
+          'KeyPolicy': {
+            'Statement': [
+              {
+                'Action': [
+                  'kms:Create*',
+                  'kms:Describe*',
+                  'kms:Enable*',
+                  'kms:List*',
+                  'kms:Put*',
+                  'kms:Update*',
+                  'kms:Revoke*',
+                  'kms:Disable*',
+                  'kms:Get*',
+                  'kms:Delete*',
+                  'kms:ScheduleKeyDeletion',
+                  'kms:CancelKeyDeletion',
+                  'kms:GenerateDataKey',
+                  'kms:TagResource',
+                  'kms:UntagResource',
+                ],
+                'Effect': 'Allow',
+                'Principal': {
+                  'AWS': {
+                    'Fn::Join': [
+                      '',
+                      [
+                        'arn:',
+                        {
+                          'Ref': 'AWS::Partition',
+                        },
+                        ':iam::',
+                        {
+                          'Ref': 'AWS::AccountId',
+                        },
+                        ':root',
+                      ],
+                    ],
+                  },
+                },
+                'Resource': '*',
+              },
+              {
+                'Action': [
+                  'kms:Decrypt',
+                  'kms:GenerateDataKey',
+                ],
+                'Effect': 'Allow',
+                'Principal': {
+                  'Service': 'sns.amazonaws.com',
+                },
+                'Resource': '*',
+              },
+            ],
+            'Version': '2012-10-17',
+          },
+        },
+        'UpdateReplacePolicy': 'Delete',
+        'DeletionPolicy': 'Delete',
+      },
+      'MyQueueE6CA6235': {
+        'Type': 'AWS::SQS::Queue',
+        'Properties': {
+          'KmsMasterKeyId': {
+            'Fn::GetAtt': [
+              'MyKey6AB29FA6',
+              'Arn',
+            ],
+          },
+        },
+        'DeletionPolicy': 'Delete',
+        'UpdateReplacePolicy': 'Delete',
+      },
+      'MyQueuePolicy6BBEDDAC': {
+        'Type': 'AWS::SQS::QueuePolicy',
+        'Properties': {
+          'PolicyDocument': {
+            'Statement': [
+              {
+                'Action': 'sqs:SendMessage',
+                'Condition': {
+                  'ArnEquals': {
+                    'aws:SourceArn': {
+                      'Ref': 'MyTopic86869434',
+                    },
+                  },
+                },
+                'Effect': 'Allow',
+                'Principal': {
+                  'Service': 'sns.amazonaws.com',
+                },
+                'Resource': {
+                  'Fn::GetAtt': [
+                    'MyQueueE6CA6235',
+                    'Arn',
+                  ],
+                },
+              },
+            ],
+            'Version': '2012-10-17',
+          },
+          'Queues': [
+            {
+              'Ref': 'MyQueueE6CA6235',
+            },
+          ],
+        },
+      },
+      'MyQueueMyTopic9B00631B': {
+        'Type': 'AWS::SNS::Subscription',
+        'Properties': {
+          'Protocol': 'sqs',
+          'TopicArn': {
+            'Ref': 'MyTopic86869434',
+          },
+          'Endpoint': {
+            'Fn::GetAtt': [
+              'MyQueueE6CA6235',
+              'Arn',
+            ],
+          },
+        },
+      },
+    },
+  });
+});
+
 test('lambda subscription', () => {
   const fction = new lambda.Function(stack, 'MyFunc', {
     runtime: lambda.Runtime.NODEJS_10_X,