pipes: support Customer Managed Key for EventBridge pipes #31453

Open
1 of 2 tasks
mazyu36 opened this issue Sep 16, 2024 · 2 comments
Labels
@aws-cdk/aws-events Related to CloudWatch Events effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2

Comments

@mazyu36
Contributor

mazyu36 commented Sep 16, 2024

Describe the feature

Amazon EventBridge Pipes now supports customer managed KMS keys.
But the L2 construct (alpha module) does not support it.

Ref: https://aws.amazon.com/about-aws/whats-new/2024/09/amazon-eventbridge-pipes-customer-managed-keys/

Use Case

When you want to use a customer managed key to encrypt data.

Proposed Solution

Add a `kmsKey` property to the `Pipe` class.

Other Information

CloudFormation already supports it, but the L1 construct does not yet.

I plan to implement the L2 construct after the L1 construct supports it.

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

all

Environment details (OS name and version, etc.)

all

@mazyu36 mazyu36 added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Sep 16, 2024
@github-actions github-actions bot added the @aws-cdk/aws-events Related to CloudWatch Events label Sep 16, 2024
@pahud
Contributor

pahud commented Sep 16, 2024

Thank you @mazyu36 !

@pahud pahud added p2 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Sep 16, 2024
@mazyu36
Contributor Author

mazyu36 commented Oct 7, 2024

I'm struggling with the implementation approach.

To minimize privileges in the CMK key policy, I need to set the Pipe ARN.
However, since the pipe name is optional, the exact ARN won't be known until deployment if the name isn't specified.

Currently, the only solution I can think of is using a custom resource.
If anyone knows a better method, please let me know.

https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-encryption-key-policy.html#eb-encryption-key-policy-pipe
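
The scoping problem raised in the last comment, as an added TypeScript example that is not part of this issue or of aws-cdk: it builds a key policy statement pinned to one pipe ARN when a name is given and falls back to an account-and-region wildcard when it is not. The type and function names are hypothetical, and the encryption context key `aws:pipe:arn`, the action list and the use of the pipe role as principal are assumptions to check against the linked key policy documentation.

```typescript
// Added illustration, not aws-cdk code; all type and function names are hypothetical.
interface PipeKeyScope {
  partition: string;
  region: string;
  account: string;
  pipeRoleArn: string; // assumed principal: the pipe's execution role
  pipeName?: string;   // optional, like the name on the L2 Pipe
}

interface PipeKeyStatement {
  Sid: string;
  Effect: "Allow";
  Principal: { AWS: string };
  Action: string[];
  Resource: "*";
  Condition: {
    ArnLike: { "kms:EncryptionContext:aws:pipe:arn": string };
    "ForAnyValue:StringEquals": { "kms:EncryptionContextKeys": string[] };
  };
}

// Returns the statement and whether it is pinned to one pipe (exact) or to a wildcard.
function pipeKeyStatement(s: PipeKeyScope): { statement: PipeKeyStatement; exact: boolean } {
  const name = s.pipeName;
  // ArnLike treats * and ? as wildcards, so a name containing them would silently widen the grant.
  if (name !== undefined && (name.length === 0 || /[*?\/]/.test(name))) {
    throw new Error(`unsafe pipe name: ${name}`);
  }
  // Without a name the ARN is generated at deploy time, so the fallback
  // covers every pipe in this account and region instead of one pipe.
  const arn = `arn:${s.partition}:pipes:${s.region}:${s.account}:pipe/${name ?? "*"}`;
  return {
    exact: name !== undefined,
    statement: {
      Sid: "AllowPipeUseOfKey",
      Effect: "Allow",
      Principal: { AWS: s.pipeRoleArn },
      Action: ["kms:Decrypt", "kms:GenerateDataKey", "kms:DescribeKey"], // assumed action set
      Resource: "*", // in a key policy this refers to the key itself
      Condition: {
        ArnLike: { "kms:EncryptionContext:aws:pipe:arn": arn },
        "ForAnyValue:StringEquals": { "kms:EncryptionContextKeys": ["aws:pipe:arn"] },
      },
    },
  };
}
```

The `exact` flag lets a caller warn or fail when the grant could not be pinned to a single pipe.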
