aws · mergify · May 9, 2025 · Apr 23, 2025 · Apr 23, 2025 · Apr 23, 2025
diff --git a/packages/@aws-cdk/aws-s3tables-alpha/README.md b/packages/@aws-cdk/aws-s3tables-alpha/README.md
@@ -41,6 +41,22 @@ const sampleTableBucket = new TableBucket(scope, 'ExampleTableBucket', {
 
 Learn more about table buckets maintenance operations and default behavior from the [S3 Tables User Guide](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-table-buckets-maintenance.html)
 
+### Server-side Encryption
+
+By default, S3 Tables buckets are encrypted using Amazon S3-managed keys (SSE-S3). You can also use AWS Key Management Service (AWS KMS) keys to encrypt your data.
+To do this, you can specify the `kmsKey` property when creating the bucket:
+
+```ts
+declare const kmsKey: kms.IKey;
+
+new TableBucket(this, 'TableBucket', {
+  tableBucketName: 'kms-key-s3tables-bucket',
+  kmsKey,
+});
+```
+
+**Note**: AWS CDK automatically add a resource policy to the KMS key to allow the S3 Tables service to use it for automatic table maintenance. Detail information can be found in the [security for S3 tables](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-kms-permissions.html) documentation.
+
 ### Controlling Table Bucket Permissions
 
 ```ts

diff --git a/packages/@aws-cdk/aws-s3tables-alpha/lib/table-bucket.ts b/packages/@aws-cdk/aws-s3tables-alpha/lib/table-bucket.ts
@@ -5,7 +5,8 @@ import { TableBucketPolicy } from './table-bucket-policy';
 import * as perms from './permissions';
 import { validateTableBucketAttributes } from './util';
 import * as iam from 'aws-cdk-lib/aws-iam';
-import { Resource, IResource, UnscopedValidationError, RemovalPolicy, Token } from 'aws-cdk-lib/core';
+import * as kms from 'aws-cdk-lib/aws-kms';
+import { Resource, IResource, UnscopedValidationError, RemovalPolicy, Token, Stack } from 'aws-cdk-lib/core';
 import { addConstructMetadata } from 'aws-cdk-lib/core/lib/metadata-resource';
 
 /**
@@ -258,6 +259,13 @@ export interface TableBucketProps {
    * @default RETAIN
    */
   readonly removalPolicy?: RemovalPolicy;
+
+  /**
+   * The KMS key to use for server-side encryption.
+   *
+   * @default - Server-side encryption with Amazon S3-managed keys (SSE-S3)
+   */
+  readonly kmsKey?: kms.IKey;
 }
 
 /**
@@ -498,8 +506,34 @@ export class TableBucket extends TableBucketBase {
         noncurrentDays: props.unreferencedFileRemoval?.noncurrentDays,
         unreferencedDays: props.unreferencedFileRemoval?.unreferencedDays,
       },
+      encryptionConfiguration: props?.kmsKey
+        ? {
+          sseAlgorithm: 'aws:kms',
+          kmsKeyArn: props.kmsKey.keyArn,
+        }
+        : undefined,
     });
 
+    // add resource policy to the encryption key
+    // see https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-kms-permissions.html#tables-kms-maintenance-permissions
+    props?.kmsKey?.addToResourcePolicy(
+      new iam.PolicyStatement({
+        actions: ['kms:Decrypt', 'kms:GenerateDataKey'],
+        resources: ['*'],
+        effect: iam.Effect.ALLOW,
+        principals: [new iam.ServicePrincipal('maintenance.s3tables.amazonaws.com')],
+        conditions: {
+          StringLike: {
+            'kms:EncryptionContext:aws:s3:arn': `${Stack.of(this).formatArn({
+              service: 's3tables',
+              resource: 'bucket',
+              resourceName: props.tableBucketName,
+            })}/*`,
+          },
+        },
+      }),
+    );
+
     this.tableBucketName = this.getResourceNameAttribute(this._resource.ref);
     this.tableBucketArn = this._resource.attrTableBucketArn;
     this._resource.applyRemovalPolicy(props.removalPolicy);

diff --git a/packages/@aws-cdk/aws-s3tables-alpha/rosetta/default.ts-fixture b/packages/@aws-cdk/aws-s3tables-alpha/rosetta/default.ts-fixture
@@ -2,6 +2,7 @@ import { Construct } from 'constructs';
 import { Stack } from 'aws-cdk-lib';
 import { TableBucket, UnreferencedFileRemovalStatus } from '@aws-cdk/aws-s3tables-alpha';
 import * as iam from 'aws-cdk-lib/aws-iam';
+import * as kms from 'aws-cdk-lib/aws-kms';
 
 class Fixture extends Stack {
   constructor(scope: Construct, id: string) {

diff --git a/...ws-cdk/aws-s3tables-alpha/test/integration/integ.table-bucket-kms-key.js.snapshot/cdk.out b/...ws-cdk/aws-s3tables-alpha/test/integration/integ.table-bucket-kms-key.js.snapshot/cdk.out
diff --git a/...cdk/aws-s3tables-alpha/test/integration/integ.table-bucket-kms-key.js.snapshot/integ.json b/...cdk/aws-s3tables-alpha/test/integration/integ.table-bucket-kms-key.js.snapshot/integ.json
diff --git a/...est/integration/integ.table-bucket-kms-key.js.snapshot/kms-key-s3tables-stack.assets.json b/...est/integration/integ.table-bucket-kms-key.js.snapshot/kms-key-s3tables-stack.assets.json
diff --git a/...t/integration/integ.table-bucket-kms-key.js.snapshot/kms-key-s3tables-stack.template.json b/...t/integration/integ.table-bucket-kms-key.js.snapshot/kms-key-s3tables-stack.template.json
@@ -0,0 +1,126 @@
+{
+ "Resources": {
+  "KmsKey46693ADD": {
+   "Type": "AWS::KMS::Key",
+   "Properties": {
+    "KeyPolicy": {
+     "Statement": [
+      {
+       "Action": "kms:*",
+       "Effect": "Allow",
+       "Principal": {
+        "AWS": {
+         "Fn::Join": [
+          "",
+          [
+           "arn:",
+           {
+            "Ref": "AWS::Partition"
+           },
+           ":iam::",
+           {
+            "Ref": "AWS::AccountId"
+           },
+           ":root"
+          ]
+         ]
+        }
+       },
+       "Resource": "*"
+      },
+      {
+       "Action": [
+        "kms:Decrypt",
+        "kms:GenerateDataKey"
+       ],
+       "Condition": {
+        "StringLike": {
+         "kms:EncryptionContext:aws:s3:arn": {
+          "Fn::Join": [
+           "",
+           [
+            "arn:",
+            {
+             "Ref": "AWS::Partition"
+            },
+            ":s3tables:",
+            {
+             "Ref": "AWS::Region"
+            },
+            ":",
+            {
+             "Ref": "AWS::AccountId"
+            },
+            ":bucket/kms-key-s3tables-bucket/*"
+           ]
+          ]
+         }
+        }
+       },
+       "Effect": "Allow",
+       "Principal": {
+        "Service": "maintenance.s3tables.amazonaws.com"
+       },
+       "Resource": "*"
+      }
+     ],
+     "Version": "2012-10-17"
+    }
+   },
+   "UpdateReplacePolicy": "Delete",
+   "DeletionPolicy": "Delete"
+  },
+  "TableBucket0BF18B0D": {
+   "Type": "AWS::S3Tables::TableBucket",
+   "Properties": {
+    "EncryptionConfiguration": {
+     "KMSKeyArn": {
+      "Fn::GetAtt": [
+       "KmsKey46693ADD",
+       "Arn"
+      ]
+     },
+     "SSEAlgorithm": "aws:kms"
+    },
+    "TableBucketName": "kms-key-s3tables-bucket",
+    "UnreferencedFileRemoval": {}
+   },
+   "UpdateReplacePolicy": "Delete",
+   "DeletionPolicy": "Delete"
+  }
+ },
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}
diff --git a/...bucket-kms-key.js.snapshot/kmskeys3tablesintegDefaultTestDeployAssertC8AB8C4E.assets.json b/...bucket-kms-key.js.snapshot/kmskeys3tablesintegDefaultTestDeployAssertC8AB8C4E.assets.json
diff --git a/...cket-kms-key.js.snapshot/kmskeys3tablesintegDefaultTestDeployAssertC8AB8C4E.template.json b/...cket-kms-key.js.snapshot/kmskeys3tablesintegDefaultTestDeployAssertC8AB8C4E.template.json