Tags: amazon-s3, aws-cdk, amazon-kms

Can't create an S3 bucket with KMS_MANAGED key and bucketKeyEnabled via CDK


I have an S3 bucket with this configuration:

[Image: S3 Bucket default encryption settings]

I'm trying to create a bucket with this same configuration via CDK:

Bucket.Builder.create(this, "test1")
  .bucketName("com.myorg.test1")
  .encryption(BucketEncryption.KMS_MANAGED)
  .bucketKeyEnabled(true)
  .build();

But I'm getting this error:

Error: bucketKeyEnabled is specified, so 'encryption' must be set to KMS (value: MANAGED)

This seems like a bug to me, but I'm relatively new to CDK so I'm not sure. Am I doing something wrong, or is this indeed a bug?


Solution

  • I encountered the issue recently, and I have found the answer. I want to share the findings here just in case anyone gets stuck.

    Yes, this was a bug in the AWS-CDK. The fix was merged this month: https://github.com/aws/aws-cdk/pull/22331

    According to the CDK doc (https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html#bucketkeyenabled), if bucketKeyEnabled is set to true, S3 will use its own time-limited key instead, which helps reduce the cost (see https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html); it's only relevant when Encryption is set to BucketEncryption.KMS or BucketEncryption.KMS_MANAGED.
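The answer above describes two valid combinations for bucketKeyEnabled (BucketEncryption.KMS_MANAGED once the fix from PR #22331 is in your CDK release, and BucketEncryption.KMS with your own key, which the pre-fix validation already accepted). The stack below is an added example written for this page, not code from the question or from the AWS CDK project; the stack class, construct ids, bucket names and key name are assumptions chosen for illustration, and bucket names must be globally unique in your account.

```java
package com.myorg;

import software.amazon.awscdk.App;
import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.kms.Key;
import software.amazon.awscdk.services.s3.BlockPublicAccess;
import software.amazon.awscdk.services.s3.Bucket;
import software.amazon.awscdk.services.s3.BucketEncryption;
import software.constructs.Construct;

// Hypothetical stack showing both bucketKeyEnabled configurations from the answer.
public class EncryptedBucketStack extends Stack {

    public EncryptedBucketStack(final Construct scope, final String id, final StackProps props) {
        super(scope, id, props);

        // Bucket 1: AWS-managed KMS key (aws/s3) plus an S3 Bucket Key.
        // Requires a CDK release that includes the fix from PR #22331; older
        // releases reject this combination with the error quoted in the question.
        Bucket.Builder.create(this, "ManagedKeyBucket")
            .bucketName("com.myorg.test1")                  // assumed name
            .encryption(BucketEncryption.KMS_MANAGED)
            .bucketKeyEnabled(true)
            .blockPublicAccess(BlockPublicAccess.BLOCK_ALL) // no public ACLs or policies
            .enforceSSL(true)                               // deny non-TLS requests
            .build();

        // Bucket 2: customer-managed KMS key. This is the path the pre-fix
        // validation accepted (encryption == KMS), and the one to use when you
        // need control over the key policy and rotation.
        Key bucketKey = Key.Builder.create(this, "BucketCmk")
            .enableKeyRotation(true)
            .build();

        Bucket.Builder.create(this, "CustomerKeyBucket")
            .bucketName("com.myorg.test2")                  // assumed name
            .encryption(BucketEncryption.KMS)
            .encryptionKey(bucketKey)
            .bucketKeyEnabled(true)
            .blockPublicAccess(BlockPublicAccess.BLOCK_ALL)
            .enforceSSL(true)
            .build();
    }

    public static void main(final String[] args) {
        App app = new App();
        new EncryptedBucketStack(app, "EncryptedBucketStack", StackProps.builder().build());
        app.synth();
    }
}
```

After `cdk synth`, confirm in the emitted template that each bucket's `BucketEncryption.ServerSideEncryptionConfiguration` entry carries `BucketKeyEnabled: true` alongside `SSEAlgorithm: aws:kms`; if your CDK release predates the fix, the first bucket fails at synth time with the error from the question and only the second configuration is available.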